Microsoft Windows 7 is on its way tomorrow, Oct. 22, and it is bringing with it a set of security features Microsoft clearly hopes will appeal to enterprises.
The Windows 7 security story has three main chapters that have received a fair amount of attention: DirectAccess, BitLocker To Go and AppLocker. With these, as well as features such as BranchCache and enhancements to UAC (user account control), officials at Microsoft have said they feel they are pushing out their most secure operating system yet.
"Windows 7 is built upon the security foundations in Windows Vista and retains all of the core technologies, such as Firewall, Windows Defender and User Account Control," Paul Cooke, director of Windows Client Enterprise Security, told eWEEK. "In addition to enhancing those security features, we listened to customer feedback and [wove] it closely into the development process of Windows 7 to deliver innovative new security features."
Some of that resulted in DirectAccess. Based on IPv6 technology, DirectAccess works alongside Windows Server 2008 R2 to let users securely access corporate network resources over the Internet without a VPN connection. The technology takes advantage of IP Security (IPsec) for encryption and authentication, and integrates with NAP (Network Access Protection) to check for compliance before allowing client computers to connect to internal resources.
"More people are working from places other than the office, and accessing corporate network resources securely and maintaining connectivity using remote access solutions, such as VPN, can add complexity and effort," Cooke explained. "It's also harder for IT to manage those mobile PCs. DirectAccess is a new feature that helps solve both these issues. Using DirectAccess, workers can easily navigate to intranet sites or internal file shares and access documents from remote locations, without manually establishing a VPN connection."
Enterprises looking to upgrade or switch to Windows 7 can also count AppLocker as a key security feature. AppLocker allows administrators to use Group Policy to specify what applications, installation programs and scripts users can execute. With the Audit Only Enforcement Mode setting, administrators can determine what applications are used in an organization and test rules before deploying them, Cooke said.
"AppLocker also introduces publisher rules that are based on an application's digital signature, which makes it possible to build rules that survive application updates," he said. "For example, you could create a rule to 'allow all versions greater than 9.0 of the program Acrobat Reader to run if it's signed by the software publisher Adobe.' In this way, when Adobe [Systems] updates Acrobat, you can safely deploy the application update without having to build another rule for the new version of Acrobat."
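The publisher rule and Audit Only workflow described above, as an added example that is not from the eWEEK article or from Microsoft's own documentation. It assumes an elevated PowerShell session on Windows 7 Enterprise or Ultimate (or Windows Server 2008 R2) with the AppLocker module, and a locally installed copy of Adobe Reader at the placeholder path shown; the rule's PublisherName is read from the signed binary rather than typed by hand, because it must match the signing certificate's subject exactly.

```powershell
# Added example (not the article's or Microsoft's code). Assumes Windows 7
# Enterprise/Ultimate or Server 2008 R2, an elevated session, and a local
# Adobe Reader install at the placeholder path below.
Import-Module AppLocker

$reader = 'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe'   # placeholder path

# 1. Read the signature details AppLocker will match on. PublisherName is the
#    exact certificate subject string a publisher rule must carry.
$info = Get-AppLockerFileInformation -Path $reader
$info.Publisher | Format-List PublisherName, ProductName, BinaryName, BinaryVersion

# 2. Build the rule the article describes: any Reader binary signed by the same
#    publisher with version >= 9.0 may run. EnforcementMode="AuditOnly" logs
#    decisions without blocking anything, so the rule can be tested first.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Adobe Reader 9.0 and later"
        Description="Signed by Adobe; survives version updates"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$($info.Publisher.PublisherName)"
            ProductName="$($info.Publisher.ProductName)" BinaryName="*">
          <BinaryVersionRange LowSection="9.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = "$env:TEMP\reader-audit.xml"
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# 3. Dry-run the policy against a few executables before applying it. Reader
#    should come back Allowed; notepad.exe, which matches no rule, will not.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path $reader, 'C:\Windows\System32\notepad.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Apply locally (use -Ldap to target a GPO instead). AppLocker rules are
#    only evaluated while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# 5. Audit Only results land in the AppLocker event log. Event 8003 means
#    "would have been blocked" under enforcement; review these before changing
#    EnforcementMode to "Enabled".
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message -First 20
```

The dry run in step 3 is the important check: a rule collection that contains only this allow rule would, once switched to enforcement, block every other executable, including Windows itself. Audit Only exists precisely so the 8003 events can be collected and the missing allow rules (for example, the default rules for the Windows and Program Files directories) added before anything is blocked for real.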
To Gartner analyst John Pescatore, the whitelisting capabilities will come in handy as users continue to deal with an ever-growing number of malicious programs.
"I think the application control and 'uber-whitelist' capabilities are likely the new [Windows 7] security capabilities that will make a difference," Pescatore said. "We have no shortage of blacklists and we know total lockdown doesn't work. With the ability to make sure apps the user downloads are either known to be safe or, if not, can have some restrictive policies applied, IT can increase security while letting the user have choice in applications."
Rounding all this out is BitLocker To Go, which encrypts removable storage devices such as USB drives. With BitLocker To Go, users can restrict access to the data with a pass code, as well as set a policy that requires users to apply BitLocker protection to removable drives before being able to write to them. The feature also provides configurable read-only support for removable devices on older versions of Windows so BitLocker-protected files can be shared.
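The two BitLocker To Go controls mentioned above (a pass code on the drive, and a policy that refuses writes to unprotected removable drives), as an added example that is not from the eWEEK article or from Microsoft's documentation. It assumes an elevated PowerShell session on Windows 7 Enterprise or Ultimate and a removable drive mounted as E: (placeholder letter); the registry value is the one the BitLocker Group Policy template sets, written directly here only for a standalone test machine.

```powershell
# Added example (not the article's or Microsoft's code). Assumes Windows 7
# Enterprise/Ultimate, an elevated session, and a removable drive at E:.
$drive = 'E:'

# 1. Policy side: deny writes to removable drives that are not BitLocker-protected.
#    The Group Policy setting is "Deny write access to removable drives not
#    protected by BitLocker" under Computer Configuration > Administrative
#    Templates > Windows Components > BitLocker Drive Encryption > Removable
#    Data Drives. On a domain machine set it through Group Policy instead and
#    confirm the result with "gpresult /h report.html"; the direct registry
#    write below mirrors what the template sets on a standalone test box.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
New-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess' -Value 1 -PropertyType DWord -Force | Out-Null

# 2. Protect the drive with a pass code (manage-bde prompts for it interactively)
#    and add a recovery password so a forgotten pass code does not mean lost data.
#    Record the 48-digit recovery password it prints somewhere other than the drive.
manage-bde -on $drive -Password -RecoveryPassword

# 3. Verify: "Protection Status" should read "Protection On" and
#    "Conversion Status" should reach "Fully Encrypted" once encryption finishes.
manage-bde -status $drive
```

With the policy in place, an unprotected USB drive still mounts read-only, so users can read existing data but cannot copy anything onto it until it has been protected; that is the behaviour to test on a second, unencrypted drive after step 1.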
"Analysts are predicting there will be over 1 billion USB flash drives by 2010, with the average USB flash drive holding almost 4GB of data and costing less than $10," Cooke said. "The scary part is that, unlike losing a laptop, users rarely seem to report, or sometimes even notice, the loss of a USB flash drive. BitLocker To Go makes your data secure so you don't have to worry."
The improvements come as Microsoft, which still holds a large share of the OS market, has been hit with public attacks on its security reputation by Apple, whose Mac OS X is relatively malware-free compared with Windows. Still, Cooke said, Apple is actually behind Microsoft in that area.
"While it's admirable that Apple is improving their security model, it is far from innovative," he said. "The facts show that when it comes to security features, Apple is just adding features into 'Snow Leopard' now that have been part of Windows for years; for example, DEP (data execution prevention) and the on-by-default firewall shipped almost five years ago with Windows XP SP2 [Service Pack 2], and ASLR (address space load randomization) was first released over two years ago with Windows Vista. All of these features are included in Windows 7."
Apple did not respond to a request for comment in time for publication. But Pescatore said while Windows 7 is an improvement, challenges remain.
"Windows 7 is a definite security improvement over XP and it will definitely decrease the Windows desktop attack surface," Pescatore said. "But Windows still has to run on an infinite variety of hardware and still has to maintain compatibility with huge numbers of third-party apps, problems the Mac OS really has never had to deal with. So, Windows will always have unique security challenges."