Microsoft Windows 7 has a number of new security features designed to appeal to enterprises. But will they do the trick?
Microsoft Windows 7 is on its way tomorrow, Oct. 22, and it
is bringing with it a set of security features Microsoft clearly hopes
7 security story has three main chapters that have received a fair amount
of attention: DirectAccess, BitLocker To Go and AppLocker. With these, as well
as features such as BranchCache and enhancements to UAC (user account control),
officials at Microsoft have said they feel they are pushing out their most
secure operating system yet.
"Windows 7 is built upon the security foundations in
Windows Vista and retains all of the core technologies, such as Firewall, Windows
Defender and User Account Control," Paul Cooke, director of Windows Client
Enterprise Security, told eWEEK. "In addition to enhancing those security
features, we listened to customer feedback and [wove] it closely into the
development process of Windows 7 to deliver innovative new security features."
Some of that resulted in DirectAccess. Based on IPv6
technology, DirectAccess works alongside Windows Server 2008 R2 to enable users
to securely access corporate network resources on the net without a VPN
connection. The technology takes advantage of IP Security for encryption and
authentication, and integrates with NAP (Network
Access Protection) to check for compliance before allowing client computers to
connect to internal resources.
"More people are working from places other than the
office, and accessing corporate network resources securely and maintaining
connectivity using remote access solutions, such as VPN, can add complexity and
effort," Cooke explained. "It's also harder for IT to manage those
mobile PCs. DirectAccess is a new feature that helps solve both these issues.
Using DirectAccess, workers can easily navigate to intranet sites or internal
file shares and access documents from remote locations, without manually
establishing a VPN connection."
Enterprises looking to upgrade or switch to Windows 7 can
also count AppLocker as a key security feature. AppLocker allows administrators
to use Group Policy to specify what applications, installation programs and
scripts users can execute. With the Audit Only Enforcement Mode setting,
administrators can determine what applications are used in an organization and
test rules before deploying them, Cooke said.
"AppLocker also introduces publisher rules that are
based on an application's digital signature, which makes it possible to build
rules that survive application updates," he said. "For example, you
could create a rule to 'allow all versions greater than 9.0 of the program
Acrobat Reader to run if it's signed by the software publisher Adobe.' In this
way, when Adobe [Systems] updates Acrobat, you can safely deploy the
application update without having to build another rule for the new version of
To Gartner analyst John Pescatore, the whitelisting
capabilities will come in handy as users continue to deal with an ever-growing number
of malicious programs.
"I think the application
control and "uber-whitelist" capabilities are likely the new
[Windows 7] security capabilities that will make a difference," Pescatore
said. "We have no shortage of blacklists and we know total lockdown doesn't
work. With the ability to make sure apps the user downloads are either known to
be safe or, if not, can have some restrictive policies applied, IT can increase
security while letting the user have choice in applications."
Rounding all this out is BitLocker To Go, which encrypts
removable storage devices such as USB
drives. With BitLocker To Go, users can restrict access to the data with a pass
code, as well as set a policy that requires users to apply BitLocker protection
to removable drives before being able to write to them. The feature also
provides configurable read-only support for removable devices on older versions
of Windows so BitLocker-protected files can be shared.
"Analysts are predicting there will be over 1 billion USB
flash drives by 2010, with the average USB
flash drive holding almost 4GB of data and costing less than $10," Cooke
said. "The scary part is that, unlike losing a laptop, users rarely seem
to report, or sometimes even notice, the loss of a USB
flash drive. BitLocker To Go makes your data secure so you don't have to worry."
The improvements come as Microsoft-which
still holds a large share of the OS market-has
been hit with public attacks on its security reputation by Apple, as its Mac OS
X is relatively malware-free compared with Windows. Still, Cooke said, Apple is
actually behind Microsoft in that area.
"While it's admirable that Apple is improving their
security model, it is far from innovative," he said. "The facts show
that when it comes to security features, Apple is just adding features into 'Snow
Leopard' now that have been part of Windows for years; for example, DEP (data
execution prevention) and the on-by-default firewall shipped almost five years
ago with Windows XP SP2 [Service Pack 2], and ASLR (address space load
randomization) was first released over two years ago with Windows
Vista. All of these features are included in Windows 7."
Apple did not respond to a request for comment in time for
publication. But Pescatore said while Windows 7 is an improvement, challenges
"Windows 7 is a definite security improvement over XP
and it will definitely decrease the Windows desktop attack surface,"
Pescatore said. "But Windows still has to run on an infinite variety of
hardware and still has to maintain compatibility with huge numbers of
third-party apps-problems the Mac OS
really has never had to deal with. So, Windows will always have unique security