OPINION: Enterprises can expect security of authentication, data protection, privilege levels and the DNS to improve for users running the next client version of Windows.
The evidence that Windows Vista is far more secure than Windows XP, both in
theory and in practice, is abundant. With new features and standards, Microsoft
hopes to make Windows 7 even more secure, especially for enterprises.
A paper on the company's Technet site explores several
new security features in Windows 7
, most of which have an enterprise angle
to them. In all cases, there's nothing completely new, but there is better
design and easier implementation for IT and users of strong security
is part of a general reworking of the log-on process
that began in Vista. Earlier log-on architectures were
built into special programs called GINAs, which were complex and difficult for third
parties to add on to with biometrics and other modifications. Vista
replaced GINAs with a Credential Provider infrastructure, and WBF fits right
into this model.
WBF includes a standard interface for biometric device drivers, a standard
set of services provided, APIs, management services including group policies,
and user interface components. Both kernel-mode and user-mode drivers are
supported, with user-mode drivers helping with overall system stability. There
are ways for applications to work with biometric authentication, and the actual
biometric data is never exposed to them; it's easy to change a password that
has been compromised, not so easy to change your fingerprints. The initial WBF
implementation will only support fingerprint devices, but it can be expanded in
Numerous enhancements have been made to BitLocker
in Windows 7. Management has been made more consistent and
easier to use. Setting up BitLocker drives in Vista can
be cumbersome, especially when the operating system is already installed.
Windows 7 improves this in several ways. The setup of Windows 7 creates a separate
active system partition, and the BitLocker setup on an existing system will
repartition the system in an appropriate way.
BitLocker To Go makes it easy to use BitLocker on removable media such as USB
drives. A group policy allows the default for USB
media to be read-only unless they are encrypted with BitLocker To Go. And data
can be recovered from any BitLocker To Go device by using a special enterprise
key. Some read access is available for BitLocker To Go media on Windows Vista
and XP, but not write access.
UAC changes in Windows 7 have already generated some controversy. The main
change is that, by default, when the program performing the elevation is a
Windows program, identified as such through digital signature, no UAC prompt is
performed. The idea is that you need not be prompted for purely administrative
tasks and can focus on the really risky operations, like installing new
software. This change also eliminates some cases with Vista
where users would get two prompts for what seemed like one operation.
Some researchers noted that one of those Microsoft programs was the Control
Panel program that changes UAC settings, and thus no UAC prompt was required to
disable UAC altogether, and they showed a way for a program to make this
argued that this was actually logically consistent
and that Microsoft
shouldn't change the behavior, but they decided to force a prompt in at least
some of these cases.
In addition, many internal operations, like changing the screen resolution
and resetting network interfaces don't trigger UAC prompts.