New Windows, SOS

Retired life is a zero sum game for now. For the first five years, I’ve chosen to live completely out of pocket by delaying the start of Social Security payments until age 70. To keep my retirement finances on track, I use ESPlanner to estimate my annual discretionary spending, See Finance to track expenses, and TurboTax to do my income taxes.

ESPlanner is a Windows program and I keep a Windows Free Household. Well, something had to give and I let the Windows camel into the tent but keep it in a corral using Parallels Desktop. This article describes my initial experiences with Parallels Desktop and Windows 8. Windows 8 is not your father’s Windows but it is awfully familiar in all the bad old ways.

Parallels Desktop

Parallels Desktop is a low administration version of the Parallels virtualization product designed for use by mere end users like me. Although I’ve been in the industry for over 30 years, I consider myself an end user when it comes to virtual machines and products so Parallels Desktop is my kind of product.

Terminology

Guest: An operating system running in a Parallels Desktop virtual machine.

Host: The operating system running directly on the hardware, in this case, OS X.

Hypervisor: The part of Parallels Desktop that mediates between the guest operating system and the underlying hardware.

Virtual Machine: A simulated computer provided by Parallels Desktop using the Intel virtual machine facilities.

Installation

Parallels Desktop installs from a downloaded disk image. The retail box gets you a license key that you enter once installation is complete. The installation process is the one Mac OS X users know well. Just run the installer, let it verify that the host environment satisfies the preconditions, and then do the install. The product installs as a normal application bundle into /Applications. No surprises here.

Guest Installation

Parallels’ guest installation is straightforward. Parallels Desktop walks you through creating a virtual disk, starting the virtual machine, and loading and starting the Windows 8.1 installer. From there, it is the Windows installation experience you know and love. Walk through the installation wizard answering its questions, let her rip, let the VM restart, and let Windows get itself caught up to date. As you remember, Windows will do an update download and a mandatory restart. That mandatory restart can be put off a couple of times but sooner or later, Windows 8 will insist on restarting. Might as well save yourself pain and get it over with.

Windows 8.1

When you are shopping for Windows, do pay extra for the standard Home Edition new system version. This version is somewhat more permissive in that it will allow you to make installations on a small number of virgin disks on the local subnet without requiring an earlier product to be present.

The System Builder edition lets you make one installation. Subsequent installations require contacting Microsoft to have them deauthorize the earlier versions. System Builder considers an installation to be subsequent if any part of the hardware has changed including the disk. Based on my reading, if you mess up a virtual machine, it’s likely you will need to call Microsoft and ask mother, may I to create a new instance of Windows. 

So, if you are an infrequent Microsoft customer, go to Best Buy or some such and confirm that you’re buying the correct version. And for their help, give them some love. You’ll probably not find the home/family version at Amazon or NewEgg. (I couldn’t but then again, Microsoft product jargon is mind numbing).

Remember the classic Steve Jobs jab, “Home Edition, 29.95. Business Edition, 29.95, Galactic Edition, 29.95”

Windows first impressions

Windows 8 is better than its predecessors in many ways.

  • The stack is execute disabled — this closes many buffer overflow attacks.
  • The heap is execute disabled — this closes many buffer overflow attacks.
  • Things work correctly for users that are not the administrator.

But Windows 8 hides many things. The UI has been reorganized around touch screens and touch gestures. Some touch gestures have mouse equivalents but they are not thought out in the same way as in OS X. And Windows is unclear about which gestures are mouse and touch screen and which are touch screen only. And it fails to explain the mousing technique for most mouse gestures. You just have to futz around until something useful happens.

Summoning the charms

One particularly frustrating thing in Parallels Desktop is summoning the charms. The charms are UI dingbats that let you search, see the list of programs like Launch Pad, and do some other common actions. Moving the mouse to the upper right corner is supposed to make them appear. Unfortunately, OS X gets first dibs on mouse events and the charms don’t appear.

The administrator user

The installer gives administrator rights to the first user created. As with earlier versions of Windows, the user holds these rights continually but unlike XP, the various system administration operations will ask for confirmation. On first launch of a downloaded image, Windows will ask if you really want to run this random thing from childporn.xxx. So it is a bit harder for things to be installed behind your back. But I don’t trust Redmond to get it right.

Just a user user

So the first thing I did after all the initial updating and restarting was over was to create a second user dave with regular user rights for everyday use. This gives me another layer of insulation from acts of malware. Before performing administrative actions, Windows will tell me that I’ve initiated an administrative action and will ask for the administrator password. Not as elegant as sudo but an improvement over XP. So you give the admin password and you will be asked for additional confirmations for each admin action. So it is harder to be had than in the past.

Should something sneak by, running as dave prevents a process from touching the system files. Important system files are writable only by the administrative user so a process holding user id dave can’t alter them or install executables in Program Files, etc. Just a bit safer.
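A quick way to confirm this from inside the guest, as an added example that is not part of the original article: the PowerShell below reports whether the current session holds administrator rights and probes a few directories for write access. The helper names Test-IsAdministrator and Test-CanWrite and the choice of directories are assumptions made for illustration.

```powershell
# Added example: run in a PowerShell session logged in as the everyday account
# (for instance the standard user "dave" described above).

function Test-IsAdministrator {
    # True only when the current token carries an enabled Administrators group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-CanWrite {
    param([string]$Directory)
    # A missing directory is reported as not writable rather than raising.
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        return $false
    }
    # Probe by creating, then removing, a uniquely named file.
    $probe = Join-Path $Directory ("write-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        # Access denied (or any other I/O failure) means we could not write.
        return $false
    }
}

# Two protected system locations plus the user's own profile as a control.
$targets = @(
    $env:ProgramFiles,
    (Join-Path $env:windir 'System32'),
    $env:USERPROFILE
)

$report = foreach ($dir in $targets) {
    [pscustomobject]@{
        Directory = $dir
        Writable  = Test-CanWrite -Directory $dir
    }
}

"Running as administrator: $(Test-IsAdministrator)"
$report | Format-Table Directory, Writable -AutoSize
```

If the account is set up as described, the two system directories should report as not writable while the user profile remains writable.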

Active X

I guess Active X is still around but less able to commit mayhem. Any Active X widget will be running as user dave with dave’s object access rights. Any Active X thing asking for administrator rights will be outed and I can kill it with extreme prejudice.

As a rule, I do everything I can in OS X where Apple and BSD sandboxing are in effect. The BSD Jails are pretty effective at keeping things out of mischief and I have OS X set up only to run signed executables built by developers who have purchased signing keys from Apple. This stops a lot of malware but $100 is chump change for a pro black hat. But, get caught and Apple kills your keys.

I don’t know if Microsoft is doing the same with signing of images, but the new versions are much more robust than the prior Microsoft art. The attack surface is still pretty large so Parallels Desktop provides another layer of containment. But Parallels can be exploited. Again, keep the attack surface small. I’m pretty much keeping this Windows instance stock.

Parallels Tools

Parallels Tools allow the guest to create native windows and to see a chroot subset of the file system. Once a guest process is launched, you can pretty much ignore the guest and interact with the user process in a regular Aqua window. And keep the data in the shared file system branch where the files are visible to Time Machine for backup.

Unfortunately, there is no Parallels Tool to summon the charms.