Windows security: the sour cash cow for suppliers
Anyone who takes a quick look around the world of IT security will immediately notice a striking phenomenon: the enormous ecosystem of security products that revolves entirely around a single platform: Windows.
There are literally hundreds of companies that have built their businesses on fixing the holes that Microsoft leaves behind. Symantec, Norton, Bitdefender, CrowdStrike—they all earn good money from it.
And that goes far beyond traditional antivirus or firewall software. Think of EDR tools, SIEM packages, special encryption software, anti-phishing modules, and countless monitoring agents. Each product promises to compensate for Windows' weaknesses.
In fact, you're buying an expensive repair kit because you know the boat is leaking on all sides.
But with Windows, we're not talking about a pleasure boat. We're talking about critical systems. The irony is that, as an administrator, you don't even have complete control over your own machines.
Even with administrator rights, there are functions you cannot perform. Certain files remain inaccessible, processes are deliberately shielded. It's as if Microsoft wants to protect you from yourself – or simply decides what you can and cannot do.
And all of this happens without anyone asking us what we think of it.
This raises a painful question: how mature is an operating system really, if you have to add dozens of extra layers of security on top of it to make it reliable? You buy a license, but the real security is hidden behind a wall of paid add-ons. Bizarre.
Meanwhile, companies continue to invest in those extra layers, because the alternative is either unknown or often feels too risky. But perhaps that is the wrong reflex. Should you just accept this dependency? Are there options for gaining control over your own environment? And what are the real alternatives for those who no longer want to pay security costs on a platform that calls itself “mature”?
Windows security: built on a foundation laid in 1977
The foundations of Windows are ancient. Whether you're running Windows 11 in the workplace or Windows Server 2025 in your data center, under the hood you're still working with technology from the 1990s. The foundation was laid with Windows NT in 1993. Since then, countless layers and features have been added on top, but the core has not actually changed.
In fact, the security model is even older. Microsoft largely adopted it from VMS, an operating system designed by Digital Equipment Corporation in 1977. At the time, this model was cutting-edge. Today, it's a museum piece.
Is that a problem? Yes. Because what's missing is the fine-grained isolation that modern systems like Linux and macOS do have. They have tools like AppArmor and SELinux: mechanisms that tightly compartmentalize processes and applications, giving them only the rights they really need. This ensures that administrators don't have to worry about applications stepping out of line, even if they are infected with malware.
Windows does not have anything like this.
Of course, you can use ACLs (Access Control Lists) to restrict user access to files. But once a process is running, control ceases. The operating system does not look at the executable or the process level: it is running, so it is allowed. This is a weak spot that has been open for decades. And hackers love it.
Take a web server as an example. Every public web server has a broad attack surface. That's why you want to limit it to minimal rights: read-only access, with write access only where strictly necessary. This is possible in Linux, but not in Windows. As soon as a user logs in to the server—something that is necessary for many applications—the web server automatically inherits all of that user's rights. Add a successful cross-site scripting attack to that, and the door to your sensitive data is wide open.
With modern isolation, the damage would be limited to the web server's sandbox. The user would only have access to the files that are explicitly accessible via the web server. But in Windows, that's an illusion. One process can quickly gain access to the entire house, when all you really wanted to do was open the door to the hall.
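The read-only web server confinement described above, as an added example rather than anything from the original post: an AppArmor profile for a hypothetical web server binary /usr/local/sbin/demo-httpd (the binary name, document root and log paths are assumptions). Once loaded, the rules apply to the process no matter which user account it runs under, which is exactly the property the ACL model lacks.

```apparmor
# Added example, not from the original post: confine a hypothetical web server
# (/usr/local/sbin/demo-httpd) to the minimum it needs. Binary name, document
# root and log paths are assumptions chosen for illustration.
#include <tunables/global>

/usr/local/sbin/demo-httpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Network: TCP listeners only; no raw sockets, no UDP.
  network inet stream,
  network inet6 stream,

  # Capabilities: bind to ports below 1024 and drop to the service user, nothing else.
  capability net_bind_service,
  capability setuid,
  capability setgid,

  # Document root is read-only: a compromised worker cannot plant or modify files.
  /srv/www/ r,
  /srv/www/** r,

  # Configuration is read-only as well.
  /etc/demo-httpd/ r,
  /etc/demo-httpd/** r,

  # Logs are the only writable location, and only in append mode.
  /var/log/demo-httpd/ r,
  /var/log/demo-httpd/*.log a,

  # Things a web server has no business touching: deny and log every attempt.
  audit deny /home/** rw,
  audit deny /root/** rw,
  audit deny /etc/shadow r,
  audit deny @{PROC}/** w,

  # The server binary itself: readable and mappable, never writable.
  /usr/local/sbin/demo-httpd mr,
}
```

Save it as /etc/apparmor.d/usr.local.sbin.demo-httpd, load it with `apparmor_parser -r` and confirm with `aa-status` that the profile is in enforce mode; denied accesses then show up in the kernel audit log as `apparmor="DENIED"` entries, which is the detection signal a defender wants.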
And that is precisely what makes Windows so dangerous in 2025: it runs on a foundation that is no longer designed to deal with today's threats.
Windows security in practice: all or nothing
On paper, the Windows security model seems reasonably well thought out. The operating system has various standard roles, such as Print Operator or Backup Operator. In theory, this would allow you to divide tasks into fine-grained categories and assign rights precisely where needed.
In practice, however, this is rarely the case. In most organizations, employees are either regular users or administrators. There are hardly any intermediate positions. As a result, the focus is not on “least privilege,” but on convenience. And that convenience comes at a price.
Because as soon as an administrator is compromised, it immediately opens the door to cross-contamination. An admin not only has rights to the machine on which he or she works, but also direct access to all systems for which that authority applies. And that applies from any point in the network where a login occurs.
This means access to the standard shared volumes (C$, D$, etc.), but also to critical components such as the local user database and security services of those machines. One hacked account spreads rapidly and brings down the entire domain.
The limited application of role-based security makes Windows an all-or-nothing system in practice. Either you are allowed to do almost nothing, or you are allowed to do almost everything. And at a time when attackers are operating ever more intelligently and quickly, this is not a luxury problem but a fundamental risk.
Don't assume that this won't be the case for you. At the very least, check how things are arranged for you or jump straight to the bottom of this blog, where we will help you get started without any obligation.
Security by design? Not at Microsoft
The recent vulnerability in Entra—discovered by a security researcher—once again highlights Microsoft's approach to security. By manipulating valid tokens, it proved possible to gain global admin privileges for every Entra customer worldwide. This is a nightmare scenario that strikes at the heart of identity and access management.
And that is precisely where the link to Windows lies. Many Windows machines now authenticate directly through Entra. If the basis is shaky there, the foundations of Windows security are also unstable.
Unfortunately, this is not an isolated incident. There are several known vulnerabilities in Windows that Microsoft stubbornly refuses to fix. The leak that led to the recent CrowdStrike debacle is just one example. Instead of solving this problem structurally, Microsoft is postponing it.
The pattern is clear: security is not seen as core to the product, but as a mandatory requirement. A cost item. Microsoft does what is necessary to pass audits or to temper public pressure, but real security by design is lacking. In the architecture of Windows – and also of other Microsoft products – you mainly see band-aids, workarounds, and separate patches.
For organizations, this means that you can never rely on the neatly maintained illusion that “Microsoft will take care of it.” You have to take care of security yourself; enforcing it at Microsoft is not possible because that ancient foundation has not been robust enough for decades. It's time for a change.
Concrete rot in your IT? Time to demolish and rebuild
Sometimes there is no saving it. If a building is riddled with concrete rot, you can keep shoring it up and filling in the cracks, but ultimately it has to be demolished. The same goes for IT built on an outdated foundation. You can keep investing in layers of security, but the core remains vulnerable.
Now I hear you thinking, “You're right, Hugo, but that's an operation that's not on the agenda for the time being, too costly, too drastic.”
Then read this:
We have solved this problem radically for various customers: step by step, we said goodbye to the Microsoft ecosystem. Linux on the servers, macOS on the workstations. Two platforms that work together seamlessly, both based on the robust Unix philosophy. The result: more control, less maintenance, and a much more secure environment.
Stop applying endless band-aid solutions. Take control of your own IT and choose the security your organization deserves. Let's take a look at your situation together. And whether and how you can make the transition. Schedule a no-obligation appointment, and I'll show you exactly what steps are needed. And what you'll save on an annual basis; because who wants to spend money on sour milk?