Making System Lock-downs Easier
AppLocker is a new set of services and tools that make system lock-downs easier to perform. An administrator defines which software users may run on the system, and nothing else is allowed to run. Something similar was possible in earlier versions of Windows through Software Restriction Policies, but those were difficult to set up correctly. An MMC snap-in lets the administrator create rules directly or generate them from a selected folder. Rules can also be based on code signing certificates, so an application can be updated without breaking the rules as long as the updates are signed with the right certificate.

Enhancements have been made to authentication for non-domain networks. Through the Homegroup feature, Windows 7 systems automatically find each other on the local network and offer to join the Homegroup; they need the Homegroup password to do so. Users choose what to share on the network. Authentication is performed with a new PKI-based protocol called PKU2U, or Public Key-based User to User.

Finally, Windows 7 is the first client operating system (according to Microsoft) to come with "... the necessary pieces to allow the client to verify that it is communicating securely with a DNS server and verify that the server has performed DNSSEC validation on its behalf." Widespread concern about vulnerabilities in the DNS may lead to increasing adoption of DNSSEC by service providers, so this could give Windows 7 users a head start. Microsoft adds that "Windows Server 2008 R2 will allow the DNS Server to provide origin authority and data integrity artifacts. Basically, a server will be able to attach digital signatures to DNS data in responses as well as validate data received from other DNS servers."

As with Vista, Windows 7 will likely be more secure right out of the box than preceding versions, but these enhancements show that the real value in security comes from an educated and on-the-ball IT staff. Those willing to administer AppLocker and BitLocker proactively can save their organizations from troubles that many treat as standard operating procedure. It's another sign that you can do your security work proactively or reactively, and proactively is better.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
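The folder-based rule generation and certificate-based (publisher) rules the article describes for AppLocker can also be driven from PowerShell, which makes it easier to review a policy in audit mode before enforcing it. The script below is an added example written for this page, not code from the article or from Microsoft. It assumes the AppLocker PowerShell module (shipped with Windows 7 Enterprise/Ultimate and Windows Server 2008 R2 and later), and the folder name, output path and binary name are placeholders to replace with your own.

```powershell
# Added example (not from the article): build AppLocker rules from a folder,
# preferring publisher rules so signed updates keep running, review the policy
# in audit mode, then merge it into the local policy.
# Assumptions: AppLocker module present; all paths below are placeholders.

Import-Module AppLocker

$AppFolder  = 'C:\Program Files\ExampleApp'         # placeholder: folder to allow
$PolicyFile = 'C:\Temp\ExampleApp-AppLocker.xml'    # placeholder: reviewed policy file
$TestBinary = Join-Path $AppFolder 'ExampleApp.exe' # placeholder: binary to test

# 1. Collect publisher signature, hash and path information for every EXE and DLL.
$fileInfo = Get-AppLockerFileInformation -Directory $AppFolder -Recurse -FileType Exe, Dll

# 2. Generate rules. Publisher rules come first: a signed file stays allowed after an
#    update from the same publisher. Unsigned files fall back to hash rules, which must
#    be regenerated whenever the file changes. -Optimize merges similar rules.
New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash `
    -User Everyone `
    -RuleNamePrefix 'ExampleApp' `
    -Optimize -Xml |
    Out-File -FilePath $PolicyFile -Encoding Unicode

# 3. Switch every rule collection to audit mode so nothing is blocked yet;
#    attempts that would have been blocked are only logged.
$xml = [xml](Get-Content -Path $PolicyFile)
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($PolicyFile)

# 4. Dry-run the policy against a known-good binary and a system tool before applying.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -User Everyone `
    -Path $TestBinary, "$env:SystemRoot\System32\calc.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. AppLocker only takes effect while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 6. Merge the audited policy into the local AppLocker policy (use -Ldap for a GPO).
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge

# 7. Review what audit mode would have blocked: event 8003 = audit "would block",
#    8004 = blocked (enforce mode), from the AppLocker EXE and DLL log.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 -or $_.Id -eq 8004 } |
    Select-Object TimeCreated, Id, Message
```

Run the audit step for a while on representative machines and only then change `AuditOnly` to `Enabled` in the XML; publisher rules are the ones worth keeping long-term, since hash rules silently stop matching the moment a vendor ships a new build.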