Windows expert Greg Shultz reviews the most significant differences in Windows 7 that will affect the role of security administrators, including changes to UAC, the new AppLocker, and BitLocker To Go.
As you know, ever since Windows XP SP2, Microsoft has been very serious about operating security. And while Windows Vista may have been a flop in the performance and compatibility areas, it wasn't ever criticized for its lack of security. In fact, one of Vista's main detractions was its over emphasis on the security of locking down the system via the heavy hand of User Account Control (UAC).
Well, with Windows 7, Microsoft has toned down UAC a bit (while not letting up on security) and added a whole slew of security features that will benefit both the end user and the security administrator. Let's take a closer look.
A new security feature being introduced with Windows 7 is AppLocker, which provides a security professional with the ability to control the installation and use of applications in the enterprise. Keep in mind that AppLocker is available only in the Ultimate and Enterprise editions of Windows 7 and is designed to work closely with Windows Server 2008 R2.
AppLocker works by allowing you to create rules that are based on file attributes derived from a file's digital signature. These rules can be used to control how users access and use any type of executable file. Of course, to be a flexible tool, you can also create exceptions to AppLocker rules. You can then assign rules to an entire security group or be more precise and assign a rule to an individual user. To learn more about and see AppLocker in action, check out this demo on the Microsoft TechNet site.
BitLocker & BitLocker To Go
Introduced in Windows Vista and now available in Windows 7, BitLocker is a security feature that is designed to prevent data theft via unauthorized access of a desktop or from a lost/stolen laptop. As you may know, BitLocker takes the Encrypting File System (EFS) feature to the next level in that BitLocker uses a hardware-level encryption on the hard disk, thus protecting not only the actual data files, but the system files too, as well as the bits and the pieces of data lingering in such places as the temporary files, swap files, and even hibernation files.
With Windows 7, BitLocker has been extended in that it can now be used to protect removable storage (USB flash drives) with the new BitLocker To Go feature. This means that if you lose a USB flash drive, which is all too easy, your data is safe.
Keep in mind that BitLocker and BitLocker To Go are available only in the Ultimate and Enterprise editions of Windows 7. To learn more about BitLocker and BitLocker To Go, check out this demo on the Microsoft TechNet site.
User Account Control
As you know, the advent of User Account Control wasn't very well received in Vista; however, it's still an important security tool that is designed to prevent the inadvertent running of malicious software by displaying an "are you sure" type of prompt along with requiring an elevation of privileges before a potentially dangerous action can be initiated. In Windows 7, UAC has been improved and toned down a bit.
For example, certain types of tasks that were previously UAC protected can now be performed by a standard user without administrator approval, thus making UAC less of a hassle for end users and ultimately less of a burden on administrators. And speaking of administrators, an already security conscious administrator can now adjust the level of or even disable UAC protection in the Control Panel. Furthermore, there are now new local security policies that can be used to alter the way that UAC interacts with local administrators and standard users.
ActiveX Installer Service
As you know, ActiveX controls are self-registering COM objects that are used by Internet Explorer, Office, and Windows Media Player, just to name a few, in order to provide a more interactive user experience. Because ActiveX controls are often distributed in .cab files, users with standard accounts do not have permission to install them. However, in Windows 7, the new ActiveX Installer Service is enabled by default and is designed to enable administrators to more easily deploy ActiveX controls by using Group Policy to configure the Trusted sites zone to identify Web sites that can install ActiveX controls without intervention. This reduces unnecessary support calls as well as the additional time-consuming operations of repackaging and distributing the needed ActiveX controls.
Working in conjunction with Windows Server 2008 R2, Windows 7's new DirectAccess feature makes it easier for end users to connect to the corporate network without VPN. Using DirectAccess, which automatically establishes a secure bi-directional connection from mobile systems to a corporate network, mobile workers can securely connect to the enterprise network anywhere they have Internet Access without the need for a VPN connection. With DirectAccess IT professionals are relieved of the extra overhead required to provide and maintain VPN configurations.
Multiple Active Firewall Policies
As you may know, the Windows Firewall policies in Vista are based on the type of network connection established (Public, Home, and Work/Domain) and can only work on one connection type at a time. Unfortunately, this sort of limitation can cause all sorts of problems if additional connections are made that require different firewall policies, such as when a mobile user accesses a public network and then launches a VPN connection to a corporate network.
In order to accommodate these types of scenarios, Windows 7's new firewall feature allows multiple firewall policies to be enabled at the same time, so that no matter what type of connection is being used, the appropriate firewall policy will be in effect, thus ensuring that mobile/remote users are protected and have access to the appropriate networks. On the other end of the equation, the new Multiple Active Firewall Policies feature means that security professionals only need to maintain one set of rules for both mobile/remote system and physically connected systems.
And there's more...
While I've touched on the new security features in Windows 7, there are many more improvements in existing security features. For example, the Encrypting File System (EFS) architecture has been adapted to incorporate Elliptic Curve Cryptography (ECC), which makes it compliant with Suite B encryption requirements defined by the National Security Agency.
In step with the new ECC support, Kerberos Authentication has also been enhanced with stronger cryptography for smart card logons. The NTLM authentication protocol is now set to 128-bit encryption for the minimum session security policy by default, but can be dropped back if necessary. You can learn more about these and other enhancements made to existing security features in Windows 7 in the "What's New in Client Security" document on the Microsoft TechNet site.