Windows 7 Security Enhancements Summed Up

By Larry Seltzer  |  Posted 2009-04-23 Print this article Print

OPINION: Enterprises can expect security of authentication, data protection, privilege levels and the DNS to improve for users running the next client version of Windows.

The evidence that Windows Vista is far more secure than Windows XP, both in theory and in practice, is abundant. With new features and standards, Microsoft hopes to make Windows 7 even more secure, especially for enterprises.

A paper on the company's Technet site explores several new security features in Windows 7, most of which have an enterprise angle to them. In all cases, there's nothing completely new, but there is better design and easier implementation for IT and users of strong security capabilities.

The Windows Biometric Framework is part of a general reworking of the log-on process that began in Vista. Earlier log-on architectures were built into special programs called GINAs, which were complex and difficult for third parties to add on to with biometrics and other modifications. Vista replaced GINAs with a Credential Provider infrastructure, and WBF fits right into this model.

WBF includes a standard interface for biometric device drivers, a standard set of services provided, APIs, management services including group policies, and user interface components. Both kernel-mode and user-mode drivers are supported, with user-mode drivers helping with overall system stability. There are ways for applications to work with biometric authentication, and the actual biometric data is never exposed to them; it's easy to change a password that has been compromised, not so easy to change your fingerprints. The initial WBF implementation will only support fingerprint devices, but it can be expanded in the future.

Numerous enhancements have been made to BitLocker drive encryption in Windows 7. Management has been made more consistent and easier to use. Setting up BitLocker drives in Vista can be cumbersome, especially when the operating system is already installed. Windows 7 improves this in several ways. The setup of Windows 7 creates a separate active system partition, and the BitLocker setup on an existing system will repartition the system in an appropriate way.

BitLocker To Go makes it easy to use BitLocker on removable media such as USB drives. A group policy allows the default for USB media to be read-only unless they are encrypted with BitLocker To Go. And data can be recovered from any BitLocker To Go device by using a special enterprise key. Some read access is available for BitLocker To Go media on Windows Vista and XP, but not write access.

UAC changes in Windows 7 have already generated some controversy. The main change is that, by default, when the program performing the elevation is a Windows program, identified as such through digital signature, no UAC prompt is performed. The idea is that you need not be prompted for purely administrative tasks and can focus on the really risky operations, like installing new software. This change also eliminates some cases with Vista where users would get two prompts for what seemed like one operation.

Some researchers noted that one of those Microsoft programs was the Control Panel program that changes UAC settings, and thus no UAC prompt was required to disable UAC altogether, and they showed a way for a program to make this change. I argued that this was actually logically consistent and that Microsoft shouldn't change the behavior, but they decided to force a prompt in at least some of these cases.

In addition, many internal operations, like changing the screen resolution and resetting network interfaces don't trigger UAC prompts.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel