Windows 7 is just over six months old. It has been quickly adopted by PC users at home and in businesses. However, some IT admins are struggling with the platform's new security features. We take a look at the key features and what you need to know.
In addition to changes to User Account Control, BitLocker, and other features inherited from Windows Vista, Windows 7 introduces a slew of security capabilities that businesses will want to take advantage of.
Windows 7 improves on Vista with a friendlier UAC mechanism, the ability to encrypt removable media and hard drive volumes, broader support for strong cryptographic ciphers, hassle-free secure remote access, and sophisticated protection against Trojan malware in the form of AppLocker, to name just a few.
In this guide, I'll run through these and other significant security enhancements in Windows 7, and provide my recommendations for configuring and using them.
I'll pay especially close attention to the new AppLocker application-control feature, which may be a Windows shop's most practical and affordable way to combat socially engineered Trojan malware.
New and improved
Windows 7 has literally hundreds of security changes and additions, far too many to cover in one fell swoop.
While this guide focuses on the ones that most organisations will be interested in, keep in mind that plenty of others may deserve your attention.
A few the biggies not discussed here are built-in support for smart cards and biometrics, the ability to force the use of Kerberos in a feature called Restrict NTLM, and support for the new DNSSec standards, which are becoming essential to prevent DNS exploitation attacks.
Also noteworthy is a new feature called Extended Protection for Authentication, which prevents many sophisticated man-in-the-middle attacks that can strike at some of our most trusted security protocols (such as SSL and TLS).
User Account Control
A Windows Vista feature that users loved to hate, User Account Control has been significantly improved to be both less intrusive and smarter at distinguishing between legitimate and potentially malicious activities in Windows 7.
However, depending on whether you are logged on as administrator or a standard user, some installs of Windows 7 may have a default UAC security setting that's one level lower than some experts (including yours truly) recommend.
Standard users have UAC security default to the most secure setting, while administrator accounts reside a notch below the highest setting, which is potentially riskier.
Note too that, although UAC provides a much-needed mechanism to prevent the misuse of administrator privileges, it can be bypassed. If you need high security, users should not log on with an elevated user account until they need it.
Your domain environment should already be at the highest and most secure level (‘Always notify'). If it isn't, make it so.
That way, users will be prompted to input their passwords to perform high-risk administrative actions. No matter what else, UAC should be enabled.
NEXT PAGE: BitLocker drive encryption and Easily encrypted page file
- Put key Windows 7 security improvements to good use
- BitLocker drive encryption and Easily encrypted page file
- Better cryptography and safer browsing with IE8
- Multiple active firewall policies
- Virtual service accounts and AppLocker application control
- Configuring AppLocker
- Rules for exceptions