Windows Security Gap

The answer is really quite simple. Microsoft’s products are designed for maximum ease-of-use, which drives their rampant popularity. What many fail to grasp is that security is a zero-sum game: the easier it is to use something, the more time and effort must go into securing it. Think of security as a continuum between the polar extremes of 100 percent security on one side and 100 percent usability on the other, where 100 percent security equals 0 percent usability, and 100 percent usability equates to 0 percent security. Over time, Microsoft has learned to strike a healthier balance on this continuum.

Some things they have simply shut off in default configurations (IIS in Windows Server 2003 comes to mind). Others they have redesigned from the ground up with security as a priority (IIS’ re-architecture into kernel-mode listener and user-mode worker threads is also exemplary here). More recently, Microsoft has wrapped “prophylactic” technology and UI around existing functionality to raise the bar for exploit developers (we’re thinking of ASLR, DEP, MIC, and UAC in Vista). And, of course, there has been a lot of work on the fundamentals—patching code-level vulnerabilities on a regular basis (“Patch Tuesday” is now hardened into the lexicon of the Windows system administrator), improving visibility and control (the Windows Security Center is now firmly ensconced in the System Tray/Notification Area of every modern Windows installation), adding new security functionality (Windows Defender anti-spyware), and making steady refinements (witness the Windows Firewall’s progression from mostly standalone IP filter to integrated, policy-driven, bidirectional, app/user-aware market competitor).

Has it worked? Yes, Windows Vista is harder to compromise out of the box than Windows NT 4, certainly. Is it perfect? Of course not—practical security never is (remember that continuum). And, like a rubber balloon filled with water, the more Microsoft has squeezed certain types of vulnerabilities, the more others have bulged out to threaten unassuming users, including device driver vulnerabilities that leave systems open to compromise by simply brushing within range of a wireless network and insidious stealth technology deposited by “drive-by” web browsing, just to name two.

As Microsoft Chairman Bill Gates said in his “Trustworthy Computing” memo of January 2002 (http://www.microsoft.com/mscorp/execmail/2002/07-18twc.mspx), “[security]… really is a journey rather than a destination.” Microsoft has made progress along the road. But the journey is far from over.