- Core System Security
As it did with Windows Vista, Microsoft developed Windows 7 according to the Security Development Lifecycle (SDL). It built the new OS from the ground up to be a secure computing environment and retained the key security features that helped protect Vista, such as Kernel Patch Protection, Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Mandatory Integrity Levels. These features provide a strong foundation to guard against malicious software and other attacks. A few key elements are worth noting.
- Windows Filtering Platform
Windows 7 introduces something called the Windows Filtering Platform (WFP). The idea is that third parties can take advantage of aspects of the Microsoft Windows Firewall in their own products. Microsoft says “third-party products also can selectively turn parts of the Windows Firewall on or off, enabling you to choose which software firewall you want to use and have it coexist with Windows Firewall.”
- Enhanced UAC
User Account Control. Introduced with Windows Vista, the feature is meant to help enforce least-privileged access and to improve the total cost of ownership by allowing organizations to deploy the operating system without granting administrator access to users. Though Microsoft’s primary intent with UAC was to force software developers to use better coding practices and not expect access to sensitive areas of the operating system, most people have perceived UAC as a security feature.
When users think of UAC, they typically associate it with the access-consent prompts it issues. Though Microsoft has made significant progress since Vista’s introduction in reducing the types and number of events that trigger the UAC prompt (or that prevent standard users from executing tasks entirely), UAC has still been the subject of a great deal of negative feedback for Vista.
With Windows 7, Microsoft has again reduced the number of applications and operating system tasks that trigger the prompt. It has also incorporated a more flexible interface for UAC. Under User Accounts in the Control Panel, you can select Change User Account Control Settings to adjust the feature with a slider.
- Encrypting Drives With BitLocker
When BitLocker made its debut with Windows Vista, it was capable only of encrypting the primary operating system volume. Windows Vista SP2 (Service Pack 2) extended the functionality to encrypt other volumes, such as additional drives or partitions on the primary hard drive, but it still did not enable users to encrypt data on portable or removable disks. Windows 7 brings BitLocker to Go for protecting data on portable drives while still providing a means for sharing the data with partners, customers, or other parties.
- Biometrics, System Restore and AppLocker
Biometrics enhancements include easier reader configurations, allowing users to manage the fingerprint data stored on the computer and control how they log on to Windows 7. And System Restore includes a list of programs that will be removed or added, providing users with more useful information before they choose which restore point to use. Restore points are also available in backups, providing a larger list to choose from, over a longer period of time.
- Integrated Fingerprint Scanner Support
Many Windows users configure the operating system to log them in without a user name and password–but that’s the computer equivalent of leaving the front door of your house wide open with a neon sign flashing “Enter Here.” I highly recommend that you assign all user accounts in Windows 7 a relatively strong password or passphrase (that means your dog’s name or your favorite basketball team don’t count).
Even passwords aren’t all they’re cracked up to be. Passwords are secure only until they’re cracked, and cracking a password is more a matter of when than if, assuming an attacker is sufficiently dedicated.
- Protecting Data
Thousands of computers, particularly laptops, are lost or stolen each year. If you don’t have appropriate safeguards and security controls in place, unauthorized users who come into possession of your computer can access any sensitive data it contains. The risk of sensitive information being lost or stolen is even greater with the proliferation of tiny USB flash drives and other portable media capable of holding more and more data.
Windows 7 retains Vista’s data-protection technologies, such as EFS (Encrypting File System) and support for AD RMS (Active Directory Rights Management Services). In addition to minor updates to those technologies, Windows 7 significantly improves on Vista’s BitLocker drive encryption technology, and it adds BitLocker to Go for encrypting data on removable media.
- Protecting Mobile Data With BitLocker to Go
Windows Vista was able to protect the drives and volumes that are part of the computer, but it could not encrypt data on removable drives. Windows 7 addresses that glaring lack of functionality with BitLocker to Go.
Using BitLocker to Go, you can protect data on USB thumb drives and other removable media. If you need to share sensitive information with other people, you can give them the encrypted data on the USB thumb drive and choose a password that you can share with them to unlock the contents. For additional protection, you can require a smartcard to unlock the data, and deliver the encrypted drive and the smartcard separately.
Related posts:
