Making System Lock-downs Easier

By Larry Seltzer  |  Posted 2009-04-23 Print this article Print


Making System Lock-downs Easier

AppLocker is a new set of services and tools to make system lock-downs easier to perform. This means that you can define which software users can run on the system, and they will be allowed to run no other software. Forms of this were possible in earlier versions of Windows through Software Restriction Policies, but these were difficult to set up correctly. An MMC snap-in allows the administrator to create rules directly or to generate rules based on folder selection. Rules can be created based on the use of code signing certificates that allow for applications to be updated within the rules as long as the updates are signed with the right certificate.

Enhancements have been made to authentication for non-domain networks. Through the Homegroup feature, Windows 7 systems automatically find each other on the local network and offer to join the Homegroup; they need the Homegroup password to do this. Users can choose what to share on the network. Authentication is performed with a new PKI-based protocol called PKU2U, or Public Key-based User to User.

Finally, Windows 7 is the first client operating system (according to Microsoft) to come with "... the necessary pieces to allow the client to verify that it is communicating securely with a DNS server and verify that the server has performed DNSSEC validation on its behalf." Widespread concern about vulnerabilities in the DNS may lead to increasing adoption of DNSSEC by service providers, so this could result in a head start for Windows 7 users.

Microsoft adds that "Windows Server 2008 R2 will allow the DNS Server to provide origin authority and data integrity artifacts. Basically, a server will be able to attach digital signatures to DNS data in responses as well as validate data received from other DNS servers."

As with Vista, Windows 7 will likely be more secure right out of the box than preceding versions, but these enhancements show how the real value in security comes with an educated and on-the-ball IT staff. The ones willing to administer AppLocker and BitLocker proactively can save their organizations from troubles that seem like standard operating procedure to many. It's all another sign of how you can do your security work proactively or you can do it reactively, and proactively is better.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.


Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel