Windows 7 Security Enhancements Summed Up

OPINION: Enterprises can expect security of authentication, data protection, privilege levels and the DNS to improve for users running the next client version of Windows.

The evidence that Windows Vista is far more secure than Windows XP, both in theory and in practice, is abundant. With new features and standards, Microsoft hopes to make Windows 7 even more secure, especially for enterprises.

A paper on the company's Technet site explores several new security features in Windows 7, most of which have an enterprise angle to them. In all cases, there's nothing completely new, but there is better design and easier implementation for IT and users of strong security capabilities.

The Windows Biometric Framework is part of a general reworking of the log-on process that began in Vista. Earlier log-on architectures were built into special programs called GINAs, which were complex and difficult for third parties to add on to with biometrics and other modifications. Vista replaced GINAs with a Credential Provider infrastructure, and WBF fits right into this model.

WBF includes a standard interface for biometric device drivers, a standard set of services provided, APIs, management services including group policies, and user interface components. Both kernel-mode and user-mode drivers are supported, with user-mode drivers helping with overall system stability. There are ways for applications to work with biometric authentication, and the actual biometric data is never exposed to them; it's easy to change a password that has been compromised, not so easy to change your fingerprints. The initial WBF implementation will only support fingerprint devices, but it can be expanded in the future.

Numerous enhancements have been made to BitLocker drive encryption in Windows 7. Management has been made more consistent and easier to use. Setting up BitLocker drives in Vista can be cumbersome, especially when the operating system is already installed. Windows 7 improves this in several ways. The setup of Windows 7 creates a separate active system partition, and the BitLocker setup on an existing system will repartition the system in an appropriate way.

BitLocker To Go makes it easy to use BitLocker on removable media such as USB drives. A group policy allows the default for USB media to be read-only unless they are encrypted with BitLocker To Go. And data can be recovered from any BitLocker To Go device by using a special enterprise key. Some read access is available for BitLocker To Go media on Windows Vista and XP, but not write access.

UAC changes in Windows 7 have already generated some controversy. The main change is that, by default, when the program performing the elevation is a Windows program, identified as such through digital signature, no UAC prompt is performed. The idea is that you need not be prompted for purely administrative tasks and can focus on the really risky operations, like installing new software. This change also eliminates some cases with Vista where users would get two prompts for what seemed like one operation.

Some researchers noted that one of those Microsoft programs was the Control Panel program that changes UAC settings, and thus no UAC prompt was required to disable UAC altogether, and they showed a way for a program to make this change. I argued that this was actually logically consistent and that Microsoft shouldn't change the behavior, but they decided to force a prompt in at least some of these cases.

In addition, many internal operations, like changing the screen resolution and resetting network interfaces don't trigger UAC prompts.