The evidence that Windows Vista is far more secure than Windows XP, both in theory and in practice, is abundant. With new features and standards, Microsoft hopes to make Windows 7 even more secure, especially for enterprises.
A paper on the company's TechNet site explores several new security features in Windows 7, most of which have an enterprise angle to them. In no case is the feature completely new, but in each there is better design and easier implementation, for both IT staff and users, of strong security capabilities.
The Windows Biometric Framework is part of a general reworking of the log-on process that began in Vista. Earlier log-on architectures were built into special DLLs called GINAs (Graphical Identification and Authentication modules), which had to be replaced wholesale and were therefore complex and difficult for third parties to extend with biometrics and other modifications. Vista replaced GINAs with a Credential Provider infrastructure, and WBF fits right into this model.
WBF includes a standard interface for biometric device drivers, a standard set of services, APIs, management services including group policies, and user interface components. Both kernel-mode and user-mode drivers are supported, with user-mode drivers helping overall system stability, since a crashing sensor driver takes down a user process rather than the kernel. There are ways for applications to work with biometric authentication, but the actual biometric data is never exposed to them: it's easy to change a password that has been compromised, not so easy to change your fingerprints. The initial WBF implementation will only support fingerprint devices, but it can be expanded in the future.
Numerous enhancements have been made to BitLocker drive encryption in Windows 7. Management has been made more consistent and easier to use. Setting up BitLocker drives in Vista can be cumbersome, especially when the operating system is already installed. Windows 7 improves this in several ways. Windows 7 setup creates a separate active system partition from the start, and BitLocker setup on an existing system will repartition the disk appropriately.
BitLocker To Go makes it easy to use BitLocker on removable media such as USB drives. A group policy can make removable media read-only by default unless they are encrypted with BitLocker To Go. Data can be recovered from any BitLocker To Go device by an enterprise data recovery agent, a certificate-based recovery key deployed through group policy. Read access to BitLocker To Go media is available on Windows Vista and XP through a reader program, and only for FAT-formatted drives; write access is not available at all on those systems.
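As an added illustration, not taken from the column or from Microsoft's paper, the following PowerShell script does on a single Windows 7 machine what the policy described above does across a domain: it sets the local equivalent of the "deny write access to removable drives not protected by BitLocker" policy, then protects a USB drive with BitLocker To Go. Windows 7 has no BitLocker cmdlets (those arrived in Windows 8), so the script wraps the manage-bde.exe tool that ships with the operating system. The drive letter E: is an assumption; the script needs an elevated prompt and a Windows 7 edition that includes BitLocker (Enterprise or Ultimate).

```powershell
# Added example, not code from the article or from Microsoft.
# Assumes the removable drive is E: and that this runs elevated.
$RemovableDrive = 'E:'

# Local-policy equivalent of the GPO "Deny write access to removable
# drives not protected by BitLocker". A domain GPO writes the same value.
$FveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $FveKey)) {
    New-Item -Path $FveKey -Force | Out-Null
}
Set-ItemProperty -Path $FveKey -Name 'RDVDenyWriteAccess' -Value 1 -Type DWord

# Turn on BitLocker To Go with a passphrase protector. manage-bde prompts
# for the passphrase interactively rather than taking it on the command
# line, so it never lands in the shell history.
manage-bde -on $RemovableDrive -Password

# Add a 48-digit numerical recovery password as a second protector and
# record what manage-bde prints: without it (or a data recovery agent),
# a forgotten passphrase means the data is gone.
manage-bde -protectors -add $RemovableDrive -RecoveryPassword

# Confirm the volume is protected and see the protectors in place.
manage-bde -status $RemovableDrive
manage-bde -protectors -get $RemovableDrive
```

The policy value takes effect for drives inserted after it is set; a drive already mounted read-write stays that way until it is removed and reinserted. The same script on a Vista or XP machine would fail at the manage-bde step, which is the point the column makes about read-only access on older systems.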
UAC changes in Windows 7 have already generated some controversy. The main change is that, by default, when the program requesting elevation is a Windows component, identified as such by Microsoft's digital signature, no UAC prompt is shown. The idea is that you need not be prompted for purely administrative housekeeping and can focus on the really risky operations, like installing new software. This change also eliminates some cases in Vista where users would get two prompts for what seemed like one operation.
Some researchers noted that one of those Microsoft programs was the Control Panel program that changes UAC settings, and thus no UAC prompt was required to disable UAC altogether, and they showed a way for a program to make this change. I argued that this was actually logically consistent and that Microsoft shouldn’t change the behavior, but they decided to force a prompt in at least some of these cases.
In addition, many routine operations, such as changing the screen resolution or resetting network interfaces, no longer trigger UAC prompts.
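The behavior described above is a setting, not a fixed property of Windows 7: the Control Panel slider writes a handful of registry values, and an administrator who prefers the Vista behavior can put it back. The following PowerShell script is an added example, not code from the column or from Microsoft; it reads those values, decodes them, and restores "Always notify" when the policy has been relaxed. The registry names and their meanings are Microsoft's documented ones; the function names are this example's own. It must itself run from an elevated prompt, since it writes under HKLM.

```powershell
# Added example, not code from the article or from Microsoft.
# Written for the PowerShell 2.0 that ships with Windows 7.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $UacKey
    # ConsentPromptBehaviorAdmin: 0 = elevate silently (UAC effectively off),
    # 2 = always prompt for consent on the secure desktop (the Vista behavior),
    # 5 = prompt only for non-Windows binaries (the Windows 7 default the
    # column discusses). PromptOnSecureDesktop = 1 dims the screen so a
    # program cannot draw over, or click through, the prompt.
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Test-UacAlwaysNotify {
    $u = Get-UacLevel
    return ($u.EnableLUA -eq 1 -and
            $u.ConsentPromptBehaviorAdmin -eq 2 -and
            $u.PromptOnSecureDesktop -eq 1)
}

function Set-UacAlwaysNotify {
    # Equivalent to dragging the slider to the top. Turning EnableLUA from
    # 0 to 1 only takes effect after a reboot; the other two apply at once.
    Set-ItemProperty -Path $UacKey -Name 'EnableLUA'                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name 'ConsentPromptBehaviorAdmin' -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name 'PromptOnSecureDesktop'      -Value 1 -Type DWord
}

Get-UacLevel | Format-List EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop
if (-not (Test-UacAlwaysNotify)) {
    Write-Warning 'UAC is below "Always notify": signed Windows components elevate without a prompt.'
    Set-UacAlwaysNotify
}
```

Note the asymmetry the researchers' demonstration relied on: a process that is already elevated can write these values silently, so a script like this is only a remediation, not a defence; the setting that matters is the one in place before untrusted code runs.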
Making System Lock-downs Easier
AppLocker is a new set of services and tools that makes system lock-downs easier to perform: you define which software users may run, and everything else is blocked. Forms of this were possible in earlier versions of Windows through Software Restriction Policies, but these were difficult to set up correctly. An MMC snap-in allows the administrator to create rules directly or to generate them automatically from a folder of installed applications. Rules can be keyed to the publisher's code-signing certificate, so an application can be updated without breaking the rules as long as the updates are signed with the same certificate; rules can also be keyed to a file path or a file hash.
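Windows 7 also exposes the snap-in's rule generation as PowerShell cmdlets, which is the form an administrator rolling this out to many machines would use. The following script is an added example, not code from the column or from Microsoft's documentation: it inventories the executables already installed, builds publisher rules for signed ones and hash rules for the rest, tests the resulting policy against a Windows binary before enforcing anything, and then applies it. It needs an elevated prompt and an edition that includes AppLocker (Enterprise or Ultimate); the output path is an assumption.

```powershell
# Added example, not code from the article or from Microsoft.
# Assumes an elevated prompt; the policy path is arbitrary.
Import-Module AppLocker

$PolicyPath = 'C:\Policies\AppLocker-Exe.xml'
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# Inventory executables in the standard install locations. Including
# C:\Windows matters: once any rule exists in the Exe collection,
# everything not explicitly allowed is denied, Windows itself included.
$Files  = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe
$Files += Get-AppLockerFileInformation -Directory 'C:\Windows'       -Recurse -FileType Exe

# Publisher rules first, so signed updates keep running; hash rules only
# for files with no usable signature. -Optimize merges rules that share
# a publisher into one.
$Files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $PolicyPath -Encoding UTF8

# Dry run against a file on disk before the policy is live. PolicyDecision
# shows Allowed/Denied and MatchingRule names the rule responsible.
Test-AppLockerPolicy -XmlPolicy $PolicyPath `
    -Path "$env:SystemRoot\System32\calc.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally (add -Ldap with a GPO path to target a domain policy).
# A collection whose enforcement is "not configured" still enforces its
# rules once it has any, so use the snap-in's audit-only mode first if
# you want event-log data before users start seeing blocks.
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# AppLocker does nothing unless the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

The test step is worth keeping in any deployment script: a publisher rule follows the signature, not the location, so a signed binary copied into a user-writable folder will still be allowed, while an unsigned tool in the same folder will not. Seeing both outcomes in Test-AppLockerPolicy output is the quickest way to confirm the policy means what you intended.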
Enhancements have been made to authentication for non-domain networks. Through the Homegroup feature, Windows 7 systems automatically find each other on the local network and offer to join the Homegroup; they need the Homegroup password to do this. Users can choose what to share on the network. Authentication is performed with a new PKI-based protocol called PKU2U, or Public Key-based User to User.
Finally, Windows 7 is the first client operating system (according to Microsoft) to come with “… the necessary pieces to allow the client to verify that it is communicating securely with a DNS server and verify that the server has performed DNSSEC validation on its behalf.” Widespread concern about vulnerabilities in the DNS may lead to increasing adoption of DNSSEC by service providers, so this could result in a head start for Windows 7 users.
Microsoft adds that “Windows Server 2008 R2 will allow the DNS Server to provide origin authority and data integrity artifacts. Basically, a server will be able to attach digital signatures to DNS data in responses as well as validate data received from other DNS servers.”
As with Vista, Windows 7 will likely be more secure right out of the box than preceding versions, but these enhancements show how the real value in security comes with an educated and on-the-ball IT staff. The ones willing to administer AppLocker and BitLocker proactively can save their organizations from troubles that seem like standard operating procedure to many. It’s all another sign of how you can do your security work proactively or you can do it reactively, and proactively is better.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.