Windows 7 Security
In response to complaints that Windows was not secure, Microsoft focused heavily on security when they built Windows Vista. BitLocker drive encryption, parental controls, built-in anti-malware (Windows Defender), improvements to the Windows firewall, Data Prevention Execution (DEP), protected mode IE, service hardening , new digital rights management features, an update to the Crypto API, Network Access Protection (NAP) client, and improvements to the Encrypting File System (EFS), software restriction policies and numerous other security enhancements were introduced in Vista. Service Pack 1 added more security-related improvements, including multifactor authentication for BitLocker, a redesigned Random Number Generator (RNG), signing of Remote Desktop Protocol (RDP) files, and more.
However, the security feature that users noticed (and hated) most was User Account Control (UAC), by which all user accounts, including administrative accounts, run in standard user mode by default and request elevation if higher privileges are needed. The “in your face” nature of UAC , along with the Secure Desktop feature that prevents malware from accessing the desktop during the prompt for administrative rights, but also annoyingly dims the display, was one of the chief complaints about Vista.
The challenge for the Windows 7 team was to make the OS as secure (or more secure) than Vista, while keeping the security more transparent to users.
Action Centre
The Security Center, accessed through Control Panel and intended to provide a centralized location for managing security-related settings, was introduced in Windows XP SP2 and carried over into Vista. With Windows 7, there is even more centralization. The Security Center is gone and a new Action Center takes its place. Here you will find alerts not only related to security but also regarding Windows Update, Diagnostics, NAP, Backup and Restore and troubleshooting issues.
UAC
In Vista, you could disable UAC through Group Policy, but that was not a good solution as it left you vulnerable to attack. Alternatively, you could set UAC to elevate without prompting, which is a better idea. However, the Home versions of Vista do not include the Group Policy editor, so you had to edit the registry to accomplish this. Microsoft has made it easier for users to control UAC’s behavior in Windows 7.
In the Action Center’s left pane, there is an option labeled User Account Control Settings. UAC’s prompt behavior is adjusted via a slider bar that gives you a choice of four positions:
-
Always Notify: You will get the UAC prompt when you install software or make system changes
-
Notify Only When Programs Try to Make Changes: You will get the prompt if I program requests elevated privileges, but not when you make changes to Windows settings (this is the default)
-
Notify Only When Programs Try to Make Changes (Do Not Dim the Desktop): same as the default except that Secure Desktop is disabled during the prompt
-
Never Notify: You would not get the prompt when you make changes to Windows settings nor when you install software (not recommended)
BitLocker
BitLocker, included in Vista Enterprise and Ultimate editions, allows you to encrypt entire volumes using AES, either utilizing the Trusted Platform Module (TPM) chip that comes in some computers, or using a USB key. This prevents booting into the operating system or accessing the data on the encrypted volume without authorization (for example, by installing a different instance of the OS and booting into that). It is especially useful for portable systems that may be lost or stolen.
In Vista, BitLocker originally could only be used to encrypt the volume on which the operating system was installed. Service Pack 1 added the ability to encrypt multiple fixed disks, but you could not use it to encrypt removable disks. In Windows 7, BitLocker has been enhanced to support encryption of portable hard disks and flash memory devices. This is being called “BitLocker to Go.” This is a feature that many companies have been wanting, since storage of sensitive data on USB keys has become popular.
AppLocker
Windows 7 gets another “locker”: AppLocker, which is a new feature of Group Policy. It lets admins control the versions of applications that users can install and use. This makes it possible to prevent users from installing and running older versions of applications that may have security holes.
Earlier versions of Windows used Software Restriction Policies control which programs users could run. AppLocker improves on that with easier configurability via three types of rules: Path, File Hash and Publisher. Publisher Rules replace the Certificate Rules in SRP, and give you more flexibility and options. They are also harder to circumvent.
Biometrics
In Vista, if you wanted to use fingerprint logon, you had to use software provided by the fingerprint sensor vendor. A new security feature in Windows 7 is the Biometric Framework, which provides native support for fingerprint devices and makes it easier for developers to put biometric security into their applications. You will find a new Control Panel applet called Biometric Devices that’s used for managing fingerprints.
Summary
With Windows 7, Microsoft has continued their efforts to provide a more secure operating system while listening to user input about how security should work behind the scenes instead of getting in your face. At the same time, they have improved some of the security features from previous operating systems from the perspective of the user experience, the admin experience and the level of security achieved. For most business users and network administrators, the security enhancements in Windows 7 are likely to make it well worth the upgrade.
Posts
0 comments: