
Top 10 changes to security in Windows 7

The Windows 7 buzz encompasses a host of interface enhancements, but there are plenty of new and improved security features as well. Here's a rundown of 10 key changes you should know about.


Microsoft has released a public beta of its next client operating system, Windows 7. Everybody's talking about the interface changes: the new taskbar, omission of the sidebar, a new look for Windows Explorer. Under the hood, there are more changes, including new and improved security features. Let's look at 10 security features that have been changed or added in Windows 7.

Note: This article is also available as a PDF download.

1: Action Center

In Vista, security configurations are accessed from the Security Center in Control Panel. In Windows 7, you won't see a Security Center. That's because it's been absorbed into a new Action Center. The Action Center has security configurations as well as options for other administrative tasks, like Backup, Troubleshooting And Diagnostics, and Windows Update. Figure A shows the Action Center.

Figure A: The Action Center absorbed the functions of the Security Center.

2: Changes to UAC

User Account Control (UAC) was new in Vista, designed to provide better protection from malware. It makes all user accounts run as standard users, even administrator accounts. If you need to do something that requires admin privileges, it asks for permission. And asks. And asks. This in-your-face aspect of UAC has caused numerous complaints and has led some users to turn it off completely, thus exposing themselves to threats.

In Windows 7, UAC is still there, but now you can configure how "vocal" it will be. There are four settings you configure from the UAC settings in the Action Center. You can set UAC to:

  • Always notify you when you install software or make any changes to Windows settings (as Vista does now).
  • Notify you when programs make changes but not if you make changes to Windows settings (this is now the default).
  • Notify you only when programs make changes but turn off Secure Desktop, which dims the desktop while the UAC prompt is displayed. (This is my preferred setting.)
  • Never notify you. (This is not recommended.)

You configure these settings with a slider, as shown in Figure B.

Figure B: You can set when and how UAC notifies you with the slider.
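
The four slider positions are stored as registry policy values, so an administrator can audit them from PowerShell instead of opening the Action Center on each machine. This is an added example, not code from the article: the helper name Get-UacSliderLevel is hypothetical, the sample triples are constructed, and the mapping assumes the commonly documented UAC policy values EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop.

```powershell
# Added example (not from the article): report which UAC slider position
# a set of policy values corresponds to. Read-only; PowerShell v2 compatible.

function Get-UacSliderLevel {   # hypothetical helper name
    param($EnableLUA, $ConsentPromptBehaviorAdmin, $PromptOnSecureDesktop)

    # A missing value means the position cannot be determined reliably.
    if ($EnableLUA -eq $null -or $ConsentPromptBehaviorAdmin -eq $null -or
        $PromptOnSecureDesktop -eq $null) {
        return 'Unknown (policy value missing)'
    }
    if ($EnableLUA -eq 0) { return 'Never notify (UAC off)' }

    switch ($ConsentPromptBehaviorAdmin) {
        2 { if ($PromptOnSecureDesktop -eq 1) { return 'Always notify' } }
        5 {
            if ($PromptOnSecureDesktop -eq 1) { return 'Notify on program changes (default)' }
            return 'Notify on program changes, Secure Desktop off'
        }
        0 { return 'Never notify' }
    }
    # Anything else was set by policy rather than by the slider.
    return 'Custom (set by policy, not a slider position)'
}

# Constructed sample values: EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop
$samples = @( @(1,2,1), @(1,5,1), @(1,5,0), @(1,0,0), @(0,5,1), @(1,1,1) )
foreach ($s in $samples) {
    '{0},{1},{2} -> {3}' -f $s[0], $s[1], $s[2], (Get-UacSliderLevel $s[0] $s[1] $s[2])
}

# Live check of the local machine (runs only where the policy key exists).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path $key) {
    $p = Get-ItemProperty -Path $key
    $level = Get-UacSliderLevel $p.EnableLUA $p.ConsentPromptBehaviorAdmin $p.PromptOnSecureDesktop
    "This machine: $level"
    # Flag anything weaker than the top two slider positions.
    if ($level -notmatch '^(Always notify|Notify on program changes \(default\))$') {
        Write-Warning 'UAC is set below the Windows 7 default.'
    }
}
```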

3: Better BitLocker

I didn't use BitLocker much in Vista. At first, it would encrypt only the operating system drive. That's nice for laptops, but I didn't need it for my desktop because that machine is physically secure. Then Service Pack 1 added the ability to encrypt other drives, and that was nice, but it applied only to fixed hard disks. What I really needed to encrypt were my thumb drives and flash cards and USB drives, since they're removable and portable and more likely to get lost or stolen.

Windows 7 comes through and lets you encrypt removable drives. And it's easy to do. Just open the BitLocker applet in Control Panel, pick the drive you want to encrypt, and click Turn On BitLocker. The removable drives appear in the section called BitLocker To Go (Figure C).

Figure C: You can now encrypt removable drives, like the Lexar USB flash drive, with BitLocker.

For more details about the BitLocker improvements and step by step screenshots of how to encrypt a drive with BitLocker in Windows 7, see this article.

Also note that, as with Vista, BitLocker probably won't be included in the Home editions of Windows 7.

4: DirectAccess

A brand new feature in Windows 7 is DirectAccess, which allows remote users to connect securely to their corporate networks over the Internet without using a VPN. Administrators can apply Group Policy settings and otherwise manage the mobile computers and even update them whenever the mobile machines are connected to the Internet, regardless of whether the user is logged on to the corporate network.

DirectAccess also supports multifactor authentication with smart cards and uses IPv6 over IPsec for encrypting the traffic.

5: Biometric security

Arguably the most secure method of authentication is biometrics, or the use of a fingerprint, retinal scan, DNA, or other unique physiological feature to identify the user. Windows isn't quite at the point of having built-in support for DNA sampling, but it does include built-in support for fingerprint readers. Windows has supported the use of a fingerprint sensor to log on, and many Vista laptops come with fingerprint sensors. But a third-party program is required to use it. With Windows 7, it's part of the OS.

The Biometric Devices applet in Control Panel (Figure D) lets you configure fingerprint readers (which are the only kind of biometric devices supported).

Figure D: Now support for fingerprint readers is built into Windows.

6: AppLocker

Software Restriction Policies are included in XP and Vista and they seemed like a great idea. Administrators can use Group Policy to keep users from running particular programs that might present a security threat. But they've never been used that much because they aren't easy to use.

Windows 7 has improved on the concept with a new feature called AppLocker. AppLocker is also included in Windows Server 2008 R2. It's easier to use and gives administrators more flexibility and control. You can use AppLocker with domain Group Policies or on the local machine with the Local Security Policy snap-in. As you can see in Figure E, AppLocker falls under the Application Control Policies node in the left pane of the snap-in.

Figure E: AppLocker does the same thing as Software Restriction Policies, but does it better.

Win7 still supports the old Software Restriction Policies, too. Also note that AppLocker may not be available in some editions of Windows 7.

7: Windows Filtering Platform (WFP)

Windows Filtering Platform (WFP) is a set of APIs introduced in Vista. In Windows 7, developers can use it to integrate some parts of the Windows Firewall into their own applications. This will allow a third-party program to turn off certain parts of the Windows Firewall selectively if need be.

8: PowerShell v2

Windows 7 comes with PowerShell v2, the command-line interface by which administrators can use cmdlets (small "one liners" that allow you to perform single functions) to manage various settings, including Group Policy security settings. You can put multiple cmdlets together to create scripts. The cmdlet method generally requires fewer steps than using the graphic interface to perform the same task.

Windows 7 also includes the PowerShell Integrated Scripting Environment (ISE) (Figure F), a graphical tool for using PowerShell.

Figure F: Windows 7 includes both PowerShell v.2 and the PowerShell ISE.

9: DNSSec

Windows 7 includes support for DNSSec (Domain Name System Security), which is a group of extensions to the DNS platform that enhance security. With DNSSec, a DNS zone can take advantage of digital signature technology so that you can validate the authenticity of data that's received.

According to the Port 53 Blog on TechNet, the DNS client doesn't perform the DNS validation on its own but is security-aware, so it expects the server to return the results of validation. You can read more about this here.

10: Internet Explorer 8

Windows 7 comes with IE 8, which provides such security enhancements to the Web browser as:

  • The SmartScreen filter -- Replaces/expands upon the Phishing Filter in IE 7
  • The XSS Filter -- Protects against cross-site scripting attacks
  • Domain highlighting -- Puts emphasis on the relevant part of the URL so you can more easily determine the real location of the site you're on
  • Better security for ActiveX and the ability to install controls on a per-site basis
  • Data Execution Prevention (DEP) enabled by default

About

Kris Littlejohn grew up in a household of tech writers and has been playing with, building/disassembling, and writing about computers and other gadgets from an early age, including a number of articles for TechRepublic.

24 comments
walldorff

Biometric security... "With Windows 7, it's part of the OS." More bloat, more third party software suppliers down the drain. M$: thief among the thieves.

ktunison

These are all things that have been spear-headed to some degree in Vista. With the exception of DNSsec and DirectAccess, these are just enhancements on already-existing technology. They are all most welcome improvements, but whether enterprises will be able to justify the cost remains to be seen.

letter_2_roy

Dear Sir, This article is of utmost importance for me. Thanks & regards, swapan.

jamescherrill

How many of these are available in which SKUs? For Vista we were told about great things like system backup/restore and bitlocker, only to find that they weren't in the home versions.

Tony Hopkinson

Aside from integrating some stuff we did with 3rd party software, within the OS. Every change is accessibility directed..... WFP, great idea See Britney naked now includes a program to see you naked in return, and gets past your firewall without further social engineering. Now there's an advance in security....

seanferd

Thanks for pointing out some of the more substantive features in Win 7. Can't promise I'd use, like, or buy in to all of them, but now I've got some better info. Action Center sounds like the local TV news. MMC still around?

The Scummy One

How Exactly is WFP security?? If it allows programs to turn off parts of the firewall, that sounds to me more like a problem waiting, not a security feature

BALTHOR

I suppose when these Deans meet in the Bahamas over a holiday they could end virus.

dirtylaundry

it would cost more in the long run to not implement improved and added security

seanferd

Or maybe it is just that it hasn't been leaked yet. The public beta is the Ultimate version. For up-to-the-minute speculation, best follow Mary Jo Foley on ZDNet. Lots of other bloggers on Win 7 as well.

chris

oh sorry, wrong neighborhood :-P

deb

The title of the article is "10 CHANGES," not "10 improvements." :) This is definitely a change that affects security.

seanferd

and you would get them from a trusted source. You wouldn't let them install and run with the convenient firewall privileges unless you knew what they were doing.

bruceslog

One thing I haven't seen anyone mention yet is Microsoft's mediocre update to the Windows clipboard. They call it Snipping Tool. It allows for various types of capture and saving the clipboard contents to a file. A little thing, ten years overdue, and very handy, once one gets used to it actually being there!

The Scummy One

the execs get larger bonuses??? If they save right now, it looks better on paper. If something happens later it gets justified as "it would have happened sooner or later anyway" mentality so cut costs on security and just deal with breaches after the fires start...

The Scummy One

let's lessen the security and tell everyone it's 'better' :^0 LOL

seanferd

Pretty much why I appreciated the list. I've read much longer blogs detailing changes in Win 7, without getting as much info in the process.

Tony Hopkinson

Let's just click on OK, and see Britney naked....

w2ktechman

and soon, an infection coming right to you, and everyone else :^0 geez, I hope it's not that bad! One would think that MS would have figured out how bad it may potentially be ?:| -- on second thought!

seanferd

Britney needs access to port 107. Knock knock.