Microsoft has confirmed it is overhauling its anti-piracy technology in Windows Vista to plug a potential software licence hole.
The technology will impose more stringent penalties on those who fail to validate their copies of Vista - forcing companies to tighten up the processes they have for installing Windows on PCs and tracking the use of their software licence keys. That prospect - and the possibility that valid users could be deemed illegitimate - doesn't sit well with some IT managers, however.
Frank Yawn, IT manager at Time Warner's office in Greensboro, said he expects the new Software Protection Platform technology that Microsoft is building into Windows Vista to "add another layer of complexity" to his work. "I personally feel the security of our keys is pretty adequate," Yawn said. "If I can't trust my employees with the key and a Windows CD, then maybe I need to re-evaluate my employees."
Currently, companies that buy large amounts of software from Microsoft under volume licences are issued a single key for each application or operating system, no matter how many machines the products will be installed on. Many store their licence keys as unencrypted strings in plain-text files, making the keys vulnerable to theft.
Stolen keys often end up on the internet, where they can be reused millions of times by software pirates and unwitting users. In July, Microsoft said that of the 300 million copies of Windows XP that had been scanned by its WGA (Windows Genuine Advantage) tool at that point, 48 million had failed the piracy test because they were installed with stolen volume-licence keys.
Starting with Windows Vista and Windows Server Longhorn, which is expected to be released next year, companies will have to choose one of two options under the SPP program. The first, primarily for smaller customers, is to be validated via the internet by receiving a Multiple Activation Key from a Microsoft server during installation.
The second option, geared toward larger companies, is to install a Microsoft-developed Key Management Service on an internal server to validate PCs during the installation process and every 180 days thereafter. The KMS application will also encrypt the licence keys and hide them on the server, according to Microsoft.
Cori Hartje, director of Microsoft's Genuine Software Initiative, said companies that lose their Windows Vista volume keys or have them stolen and used by pirates won't be penalised, although they may be required to reinstall and change their keys.
The potential consequences are more dire for Vista users who ignore SPP's validation requests or fail its test.
XP users who don't pass the WGA test are blocked from downloading software add-ons such as the Windows Defender security tools. In contrast, users who decline or fail to validate their copies of Windows Vista via SPP will be blocked from using some of the operating system's features, Hartje said. That includes Aero, Vista's graphical user interface, and ReadyBoost, an application that uses flash memory to increase system performance.
After 30 days, the operating system will go into what Kay described as an "ugly mode" that provides reduced functionality, similar to Windows Safe Mode. Users then will be given one final hour of web access as a last chance to validate the software or buy a legitimate licence.
SPP will not be included in Office 2007, which is expected to ship by year's end. However, Microsoft said that the technology will eventually be built into more of its products.