    Windows 7 Security Enhancements Summed Up

    Written by Larry Seltzer
    Published April 23, 2009

      The evidence that Windows Vista is far more secure than Windows XP, both in theory and in practice, is abundant. With new features and standards, Microsoft hopes to make Windows 7 even more secure, especially for enterprises.

      A paper on the company’s Technet site explores several new security features in Windows 7, most of which have an enterprise angle to them. In all cases, there’s nothing completely new, but there is better design and easier implementation for IT and users of strong security capabilities.

      The Windows Biometric Framework (WBF) is part of a general reworking of the log-on process that began in Vista. Earlier log-on architectures were built into special programs called GINAs (Graphical Identification and Authentication modules), which were complex and difficult for third parties to extend with biometrics and other modifications. Vista replaced GINAs with a Credential Provider infrastructure, and WBF fits right into this model.

      WBF includes a standard interface for biometric device drivers, a standard set of services, APIs, management facilities including Group Policy support, and user interface components. Both kernel-mode and user-mode drivers are supported, and user-mode drivers help overall system stability because a crashing driver does not take the kernel down with it. Applications have ways to work with biometric authentication, but the actual biometric data is never exposed to them: it's easy to change a password that has been compromised, not so easy to change your fingerprints. The initial WBF implementation will only support fingerprint devices, but it can be expanded in the future.

      Numerous enhancements have been made to BitLocker drive encryption in Windows 7. Management has been made more consistent and easier to use. Setting up BitLocker drives in Vista can be cumbersome, especially when the operating system is already installed, because BitLocker needs a separate, unencrypted system partition to boot from. Windows 7 improves this in several ways: its setup creates a separate active system partition from the start, and BitLocker setup on an existing system repartitions the disk appropriately.

      BitLocker To Go makes it easy to use BitLocker on removable media such as USB drives. A Group Policy setting can make removable media read-only by default unless they are encrypted with BitLocker To Go, and data can be recovered from any BitLocker To Go device by using a special enterprise recovery key. Some read access is available for BitLocker To Go media on Windows Vista and XP, but not write access.

      UAC changes in Windows 7 have already generated some controversy. The main change is that, by default, when the program requesting elevation is a Windows program, identified as such by its digital signature, no UAC prompt is shown. The idea is that users need not be prompted for routine administrative tasks and can focus on the really risky operations, like installing new software. This change also eliminates some cases in Vista where users would get two prompts for what seemed like one operation.

      Some researchers noted that one of those Microsoft programs was the Control Panel program that changes UAC settings, and thus no UAC prompt was required to disable UAC altogether, and they showed a way for a program to make this change. I argued that this was actually logically consistent and that Microsoft shouldn’t change the behavior, but they decided to force a prompt in at least some of these cases.

      In addition, many internal operations, like changing the screen resolution and resetting network interfaces, no longer trigger UAC prompts.
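As an added example (not from the article), the PowerShell snippet below reads the registry values behind the two policies discussed above, the Windows 7 UAC elevation default and the BitLocker To Go read-only rule for unencrypted removable drives, and reports whether each matches a hardened baseline; the baseline labels are this example's own assumptions.

```powershell
# Added example, not from the article: audit the UAC elevation default and the
# BitLocker To Go removable-drive policy described above. Read-only; written
# for PowerShell 2.0 so it runs on Windows 7 itself. Run from an elevated prompt.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # A missing key or value means no policy is set and the built-in default applies.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-UacAssessment {
    param($Level, $EnableLua)
    # ConsentPromptBehaviorAdmin: 5 is the Windows 7 default the article describes
    # (Windows-signed binaries elevate silently, everything else prompts);
    # 2 prompts for consent for everything; 0 elevates everything without asking.
    if ($EnableLua -eq 0) { return 'UAC disabled entirely (EnableLUA = 0): weak' }
    if ($null -eq $Level) { return 'not set by policy; built-in default applies' }
    switch ($Level) {
        0       { 'never prompts: weak' }
        2       { 'always prompts on the secure desktop: hardened' }
        5       { 'prompts only for non-Windows binaries: Windows 7 default' }
        default { "level $Level; see the ConsentPromptBehaviorAdmin documentation" }
    }
}

function Get-RdvAssessment {
    param($Value)
    # RDVDenyWriteAccess = 1 is the Group Policy the article mentions: removable
    # drives that are not protected by BitLocker To Go are mounted read-only.
    if ($Value -eq 1) { 'unencrypted removable drives are read-only: hardened' }
    else              { 'unencrypted removable drives are writable: policy not set' }
}

$uacLevel  = Get-PolicyValue -Key $uacKey -Name 'ConsentPromptBehaviorAdmin'
$enableLua = Get-PolicyValue -Key $uacKey -Name 'EnableLUA'
$rdvDeny   = Get-PolicyValue -Key $fveKey -Name 'RDVDenyWriteAccess'

$report = @(
    (New-Object PSObject -Property @{
        Setting = 'UAC elevation prompt'; Value = $uacLevel
        Assessment = Get-UacAssessment -Level $uacLevel -EnableLua $enableLua }),
    (New-Object PSObject -Property @{
        Setting = 'BitLocker To Go write deny'; Value = $rdvDeny
        Assessment = Get-RdvAssessment -Value $rdvDeny })
)
$report | Select-Object Setting, Value, Assessment | Format-Table -AutoSize
```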

      Making System Lock-downs Easier

      AppLocker is a new set of services and tools that make system lock-downs easier to perform: the administrator defines which software users may run, and no other software is allowed to run. Forms of this were possible in earlier versions of Windows through Software Restriction Policies, but these were difficult to set up correctly. An MMC snap-in lets the administrator create rules directly or generate them from a selected folder. Rules can also be based on code-signing certificates, so that applications can be updated within the rules as long as the updates are signed with the right certificate.
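The folder-based and certificate-based rule generation described above can also be driven from the AppLocker PowerShell module; the following is an added example, not code from the article or from Microsoft, and the reference folder and sample binaries it uses are assumptions.

```powershell
# Added example, not from the article: generate an AppLocker allow-list from a
# reference folder, preferring publisher rules so that signed updates from the
# same vendor stay allowed, then dry-run the policy before enforcing it.
# Needs Windows 7 Enterprise/Ultimate (or Server 2008 R2) and an elevated prompt.
Import-Module AppLocker

$referenceDir = 'C:\Program Files'                 # assumed: folder to inventory
$policyPath   = Join-Path $env:TEMP 'applocker-reference.xml'

# Inventory executables and DLLs, collecting signature (publisher) and hash data.
$files = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe, Dll

# Publisher rules for signed files, hash rules for the unsigned remainder.
# -Optimize merges rules that share a publisher; -Xml emits the policy document.
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml | Out-File -Encoding utf8 -FilePath $policyPath

# Dry run: evaluate sample binaries against the generated policy. Anything
# outside the inventoried folder (here notepad.exe) matches no allow rule and
# is reported as denied by default, which is why the Windows folder needs its
# own rules before this policy is enforced.
$samples = @("$referenceDir\Internet Explorer\iexplore.exe",
             "$env:windir\System32\notepad.exe")
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# To enforce locally, merge into the effective policy and make sure the
# Application Identity service (AppIDSvc) is running:
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
# Start-Service AppIDSvc
```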

      Enhancements have been made to authentication for non-domain networks. Through the Homegroup feature, Windows 7 systems automatically find each other on the local network and offer to join the Homegroup; they need the Homegroup password to do this. Users can choose what to share on the network. Authentication is performed with a new PKI-based protocol called PKU2U, or Public Key-based User to User.

      Finally, Windows 7 is the first client operating system (according to Microsoft) to come with “… the necessary pieces to allow the client to verify that it is communicating securely with a DNS server and verify that the server has performed DNSSEC validation on its behalf.” Widespread concern about vulnerabilities in the DNS may lead to increasing adoption of DNSSEC by service providers, so this could result in a head start for Windows 7 users.

      Microsoft adds that “Windows Server 2008 R2 will allow the DNS Server to provide origin authority and data integrity artifacts. Basically, a server will be able to attach digital signatures to DNS data in responses as well as validate data received from other DNS servers.”

      As with Vista, Windows 7 will likely be more secure right out of the box than preceding versions, but these enhancements show how the real value in security comes with an educated and on-the-ball IT staff. The ones willing to administer AppLocker and BitLocker proactively can save their organizations from troubles that seem like standard operating procedure to many. It’s all another sign of how you can do your security work proactively or you can do it reactively, and proactively is better.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
