Desktop Optimization Pack

The Microsoft Desktop Optimization Pack (MSDOP) is an add-on available to Microsoft Software Assurance (SA) customers. Strictly speaking, it is not part of Windows Vista although it is available to customers with SA coverage including Vista. MSDOP contains four different technologies, three of which are really interesting from a security perspective.

The first is Microsoft SoftGrid, which Microsoft acquired in the Softricity acquisition (http://www.softricity.com/index.asp). SoftGrid allows users to run applications on their computers without actually installing them first. The applications are provisioned to the clients when the user runs them.

That is not the most interesting aspect of SoftGrid, however-at least not from a security perspective. The really interesting part is that applications run within a virtual environment on the individual PCs. While being virtualized they can read some pieces of the registry, but not write from them, and they are essentially unaffected by other applications on the same computer! In a blog post, Kevin Sullivan shows a screenshot where he is running PowerPoint XP and PowerPoint 2003 at the same time (http://www.blogs.technet.com/kevinsul_blog/archive/2006/09/06/454467.aspx). Normally that is not possible. This could be important if you need to run applications that require loosened security to run properly. If you can virtualize either that application, or other applications, or both, using SoftGrid you may be able to keep those changes from affecting other applications.

The second technology that is interesting from a security perspective in MSDOP is some additional Group Policy administration tools. The Microsoft

Advanced Group Policy Management toolkit allows you to better implement change management and rollback for Group Policy. It also implements a better administration and delegation model that permits role-based access control for Group Policy management.

Finally, the Microsoft Diagnostics and Recovery Toolset is a Windows PE-based recovery toolset used to diagnose and repair unbootable or locked-out systems. For instance, it can be used to remove malware from a system without your having to boot it into the infected installation. You can cobble together your own kit to do malware removal using Windows PE, however. In Appendix A, we show you how to build a bootable USB flash disk with Windows PE. If your favorite anti-malware tool can run within that environment you can use that to diagnose your system.

For more information on the MSDOP, please go to http://www.microsoft.com/windowsvista/getready/optimizeddesktop.mspx. Note that at the time of this writing, the MSDOP is not yet available in final form.