Three months into a life that could one day see it become the most prevalent operating system used in business, it's time to assess whether Microsoft has kept its promises related to Vista's security. The answer depends upon which promises you remember and whether you believe Microsoft should be judged on how far it's come or how far it has yet to go.
The short answer: Windows Vista is a solid improvement over its predecessors. After 90 days and with a relatively small number of deployments upon which to judge Microsoft's success, that's the consensus from security researchers, third-party vendors that rely on (and even compete with) the operating system, and corporate
That doesn't mean that Microsoft will take all criticism lying down. The company questions the testing methodologies of security researchers that scrutinize its products. Since Vista's launch, Enex Test Labs in Australia published a study finding that Windows Defender blocked only 46.6% of spyware and found 53.4% during a full computer scan. Meanwhile, anti-spyware vendor Webroot released the results of what it said was a two-week study of Windows Defender that showed the product missed 84% of a sample set of 25 spyware and malicious code samples. Toulouse wonders whether Enex and Webroot are using the same methodology to classify spyware that Microsoft uses, and he also notes that the accuracy of a spyware product depends largely on the types of spyware included in the sample tested.
Yet the true test of Vista's strength can only play out over time, once the operating system begins to pervade corporate desktops and become a legitimate target for malicious hackers. "Many of our customers say they don't plan to deploy Vista for six to 12 months," says Don Leatham, director of solutions and strategy for PatchLink, a provider of patch and vulnerability management software. "A lot of shops are SP1 shops; they'll wait for the first service pack before migrating. Hackers are in this business for money, and they get paid by getting rootkits and malware onto as many computers as possible."
Some security researchers, including Joanna Rutkowska, a security researcher for Singapore-based IT security firm Coseinc, and Mark Shavlik, president and CEO of Windows patch facilitator Shavlik Technologies, have seen Microsoft back off some of its claims about how much Vista would improve IT security. "This was the security release that was going to change the world," says Shavlik, who worked for Microsoft as a developer on Windows NT in the late 1980s and early '90s. Shavlik's not so sure Vista will change the world. "It's better," he acknowledges.
For now Vista's greatest enemy will be companies that fail to implement it properly. For UAC to be effective, administrators must make sure they don't give out authorization codes that allow users to download software indiscriminately. For BitLocker to encrypt data, users have to make sure it's running and their companies have to invest in PCs that contain a Trusted Platform Module chip, a microcontroller that can store secured information such as encryption keys. While the jury is out on whether Vista is a world beater, now's a good time for those intrepid early adopters to adopt some good security habits.
Friday, March 09, 2007