The Windows 7 buzz encompasses a host of interface enhancements, but there are plenty of new and improved security features as well. Here’s a rundown of 10 key changes you should know about.
Microsoft has released a public beta of its next client operating system, Windows 7. Everybody’s talking about the interface changes: the new taskbar, omission of the sidebar, a new look for Windows Explorer. Under the hood, there are more changes, including new and improved security features. Let’s look at 10 security features that have been changed or added in Windows 7.
Note: This article is also available as a PDF download.
1: Action Center
In Vista, security configurations are accessed from the Security Center in Control Panel. In Windows 7, you won’t see a Security Center. That’s because it’s been absorbed into a new Action Center. The Action Center has security configurations as well as options for other administrative tasks, like Backup, Troubleshooting And Diagnostics, and Windows Update. Figure A shows the Action Center.
Figure A: The Action Center absorbed the functions of the Security Center.
2: Changes to UAC
User Account Control (UAC) was new in Vista, designed to provide better protection from malware. It makes all user accounts run as standard users, even administrator accounts. If you need to do something that requires admin privileges, it asks for permission. And asks. And asks. This in-your-face aspect of UAC has caused numerous complaints and has led some users to turn it off completely, thus exposing themselves to threats.
In Windows 7, UAC is still there, but now you can configure how “vocal” it will be. There are four settings you configure from the UAC settings in the Action Center. You can set UAC to:
- Always notify you when you install software or make any changes to Windows settings (as Vista does now).
- Notify you when programs make changes but not if you make changes to Windows settings (this is now the default).
- Notify you only when programs make changes but turn off Secure Desktop, which dims the desktop while the UAC prompt is displayed. (This is my preferred setting.)
- Never notify you. (This is not recommended.)
You configure these settings with a slider, as shown in Figure B.
Figure B: You can set when and how UAC notifies you with the slider.
3: Better BitLocker
I didn’t use BitLocker much in Vista. At first, it would encrypt only the operating system drive. That’s nice for laptops, but I didn’t need it for my desktop because that machine is physically secure. Then Service Pack 1 added the ability to encrypt other drives, and that was nice, but it applied only to fixed hard disks. What I really needed to encrypt were my thumb drives and flash cards and USB drives, since they’re removable and portable and more likely to get lost or stolen.
Windows 7 comes through and lets you encrypt removable drives. And it’s easy to do. Just open the BitLocker applet in Control Panel, pick the drive you want to encrypt, and click Turn On BitLocker. The removable drives appear in the section called BitLocker To Go (Figure C).
Figure C: You can now encrypt removable drives, like the Lexar USB flash drive, with BitLocker.
For more details about the BitLocker improvements and step by step screenshots of how to encrypt a drive with BitLocker in Windows 7, see this article.
Also note that, as with Vista, BitLocker probably won’t be included in the Home editions of Windows 7.
A brand new feature in Windows 7 is DirectAccess, which allows remote users to connect securely to their corporate networks over the Internet without using a VPN. Administrators can apply Group Policy settings and otherwise manage the mobile computers and even update them whenever the mobile machines are connected to the Internet, regardless of whether the user is logged on to the corporate network.
DirectAccess also supports multifactor authentication with smart cards and uses IPv6 over IPsec for encrypting the traffic.
5: Biometric security
Arguably the most secure method of authentication is biometrics, or the use of a fingerprint, retinal scan, DNA, or other unique physiological feature to identify the user. Windows isn’t quite at the point of having built-in support for DNA sampling, but it does include built in support for fingerprint readers. Windows has supported the use a fingerprint sensor to log on, and many Vista laptops come with fingerprint sensors. But a third-party program is required to use it. With Windows 7, it’s part of the OS.
The Biometric Devices applet in Control Panel (Figure D) lets you configure fingerprint readers (which are the only kind of biometric devices supported).
Figure D: Now support for fingerprint readers is built into Windows.
Software Restriction Policies are included in XP and Vista and they seemed like a great idea. Administrators can use Group Policy to keep users from running particular programs that might present a security threat. But they’ve never been used that much because they aren’t easy to use.
Windows 7 has improved on the concept with a new feature called AppLocker. AppLocker is also included in Windows Server 2008 R2. It’s easier to use and gives administrators more flexibility and control. You can use AppLocker with domain Group Policies or on the local machine with the Local Security Policy snap-in. As you can see in Figure E, AppLocker falls under the Application Control Policies node in the left pane of the snap-in.
Figure E: AppLocker does the same thing as Software Restriction Policies, but does it better.
Win7 still supports the old Software Restriction Policies, too. Also note that AppLocker may not be available in some editions of Windows 7.
7: Windows Filtering Platform (WFP)
Windows Filtering Platform (WFP) is a set of APIs introduced in Vista. In Windows 7, developers can use it to integrate some parts of the Windows Firewall into their own applications. This will allow a third-party program to turn off certain parts of the Windows Firewall selectively if need be.
8: PowerShell v2
Windows 7 comes with PowerShell v2, the command-line interface by which administrators can use cmdlets (small “one liners” that allow you to perform single functions) to manage various settings, including Group Policy security settings. You can put multiple cmdlets together to create scripts. The cmdlet method generally requires fewer steps than using the graphic interface to perform the same task.
Windows 7 also includes the PowerShell Integrated Scripting Environment (ISE) (Figure F), a graphical tool for using PowerShell.
Figure F: Windows 7 includes both PowerShell v.2 and the PowerShell ISE.
Windows 7 includes support for DNSSec (Domain Name System Security), which is a group of extensions to the DNS platform that enhance security. With DNSSec, a DNS zone can take advantage of digital signature technology so that you can validate the authenticity of data that’s received.
According to the Port 53 Blog on TechNet, the DNS client doesn’t perform the DNS validation on its own but is security-aware, so it expects the server to return the results of validation. You can read more about this here.
10: Internet Explorer 8
Windows 7 comes with IE 8, which provides such security enhancements to the Web browser as:
- The SmartScreen filter– Replaces/expands upon the Phishing Filter in IE 7
- The XSS Filter — Protects against cross-scripting attacks
- Domain highlighting — Puts emphasis on the relevant part of the URL so you can more easily determine the real location of the site you’re on
- Better security for ActiveX and the ability to install controls on a per-site basis
- Data Execution Prevention (DEP) enabled by default