If you are to believe the U.S. government, Microsoft Corporation controls a monopoly share of the computer operating system market and possibly many other related software markets as well (web browsers, office productivity software, and so on). And despite continued jeers from its adversaries in the media and the marketplace, Microsoft manages to hold on to this “monopoly” year after year, flying in the face of a lengthening history of flash-in-the-pan information technology startups ground under by the merciless onslaught of change and the growing fickleness of the digital consumer. Love ‘em, hate ‘em, or both, Microsoft continues to produce some of the most broadly popular software on the planet today. And yet, in parallel with this continued popularity, most media outlets and many security authorities still continue to portray Microsoft’s software as fatally flawed from a security perspective. If Bill Gates’ products are so insecure, why do they seem to remain so popular?

The answer is really quite simple. Microsoft’s products are designed for maximum easeof-use, which drives their rampant popularity. What many fail to grasp is that security is a zero-sum game: the easier it is to use something, the more time and effort must go into securing it. Think of security as a continuum between the polar extremes of 100 percent security on one side and 100 percent usability on the other, where 100 percent security equals 0 percent usability, and 100 percent usability equates to 0 percent security. Over time, Microsoft has learned to strike a healthier balance on this continuum. Some things they have simply shut off in default configurations (IIS in Windows Server 2003 comes to mind). Others they have redesigned from the ground up with security as a priority (IIS’ re-architecture into kernel-mode listener and user-mode worker threads is also exemplary here). More recently, Microsoft has wrapped “prophylactic” technology and UI around existing functionality to raise the bar for exploit developers (we’re thinking of ASLR, DEP, MIC, and UAC in Vista). And, of course, there has been a lot of work on the fundamentals—patching code-level vulnerabilities on a regular basis (“Patch Tuesday” is now hardened into the lexicon of the Windows system administrator), improving visibility and control (the Windows Security Center is now firmly ensconced in the System Tray/Notification Area of every modern Windows installation), adding new security functionality (Windows Defender anti-spyware), and making steady refinements (witness the Windows Firewall’s progression from mostly standalone IP filter to integrated, policy-driven, bidirectional, app/user-aware market competitor).