To be honest, it is possible to configure windows (starting from XP) with a minimal set of enabled capabilities. The system policies mechanism is quite featurefull, and you lock a system down to minimal rights. It is also possible to deploy system patches and updates locally to a domain from the server (what they call a domain controller) comfigured to do so. In fact you can pretty much control any client associated to a domain relotely with the right access token.
Imho, the main issue is more in:
- setting up the right set of policies, it's a difficult task. On a unix system, the problem is probably easier to tackle because the first (simpler) layer of security implemented through the file system (linux for instance provides a more elaborated capability mechanism, many others unix also each have their own implementations of a policy/capability mechanism).
- letting end users having too much control on their computer, because often time they wish to install all sort of products on their own (this is especially true of developpers, but usually computer literates are more security minded than the lambda user). With web apps, this problem is nowadays shifted toward the browser, so maybe this problem isn't as much of an issue as it was 10 years ago for system wide policy enforcement (but as I said it is now one at the browser level).
Imho, the main issue is more in:
- setting up the right set of policies, it's a difficult task. On a unix system, the problem is probably easier to tackle because the first (simpler) layer of security implemented through the file system (linux for instance provides a more elaborated capability mechanism, many others unix also each have their own implementations of a policy/capability mechanism).
- letting end users having too much control on their computer, because often time they wish to install all sort of products on their own (this is especially true of developpers, but usually computer literates are more security minded than the lambda user). With web apps, this problem is nowadays shifted toward the browser, so maybe this problem isn't as much of an issue as it was 10 years ago for system wide policy enforcement (but as I said it is now one at the browser level).