Put key Windows 7 security improvements to good use
Windows 7 is just over six months old. It has been quickly adopted by PC users at home and in businesses. However, some IT admins are struggling with the platform's new security features. We take a look at the key features and what you need to know.
Windows 7 includes all the latest industry-accepted ciphers, such as AES (Advanced Encryption Standard), ECC (Elliptic Curve Cryptography), and the SHA-2 hash family.
In fact, Windows 7 implements all of the ciphers in Suite B, a group of cryptographic algorithms approved by the National Security Agency and National Institute of Standards and Technology for use in general-purpose encryption software.
While Microsoft added support for the Suite B cryptographic algorithms (AES, ECDSA, ECDH, SHA-2) in Windows Vista, Windows 7 allows Suite B ciphers to be used with Transport Layer Security (TLS v1.2) and Encrypting File System (EFS).
Suite B ciphers should be used whenever possible.
However, it's important to note that Suite B ciphers are not usually compatible with versions of Windows prior to Windows Vista.
By default, all current technologies in Windows use industry-standard ciphers. Legacy, proprietary ciphers are no longer used.
Those legacy ciphers that still exist are included only for backward-compatibility purposes.
Microsoft has shared the new ciphers in detail with the crypto world for analysis and evaluation. Key and hash sizes are increased by default.
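To check which TLS cipher suites in a configured list use only the Suite B algorithms named above (AES, ECDSA, ECDH, SHA-2), the following added example, which is not from the original article or from Microsoft, parses Windows-style suite names and reports each component that falls outside that list. The sample list is constructed, and the component check is a simplification based on the article's algorithm list, not a full Suite B TLS profile validation.

```python
import re

# Algorithms the article lists as Suite B: AES, ECDSA, ECDH, SHA-2.
# The hash set holds the SHA-2 family members that appear in TLS suite names.
SUITE_B = {
    "key exchange": {"ECDH", "ECDHE"},
    "authentication": {"ECDSA"},
    "cipher": {"AES"},
    "hash": {"SHA256", "SHA384"},
}

# TLS_<kx>[_<auth>]_WITH_<cipher...>_<hash>[_P<curve>], as Windows names suites.
NAME_RE = re.compile(r"^TLS_([A-Z0-9_]+?)_WITH_([A-Z0-9_]+?)(?:_P\d+)?$")


def non_suite_b_parts(suite):
    """Return the components of a suite name that are not Suite B algorithms."""
    m = NAME_RE.match(suite)
    if not m:
        return ["unrecognised name format"]
    left, right = m.group(1).split("_"), m.group(2).split("_")
    parts = {
        "key exchange": left[0],
        "authentication": left[-1],  # TLS_RSA_WITH_*: RSA does both jobs
        "cipher": right[0],
        "hash": right[-1],
    }
    return [f"{role}: {alg}" for role, alg in parts.items()
            if alg not in SUITE_B[role]]


def audit(suites):
    """Map each suite name to its list of non-Suite B components."""
    return {s: non_suite_b_parts(s) for s in suites}


# Constructed sample list, in the style of a configured cipher suite order.
SAMPLE = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_RSA_WITH_RC4_128_MD5",
    "SSL_CK_RC4_128_WITH_MD5",
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(f"{name}: {'Suite B' if not problems else '; '.join(problems)}")
```

Suites that come back with an empty list use only the listed algorithms; the rest are the backward-compatibility entries to review before restricting the list.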
EFS (Encrypting File System) has been improved in many ways beyond using more modern ciphers. For one, you can use a smart card to protect your EFS keys.
This not only makes EFS keys more secure, but allows them to be portable between computers.
Administrators will be happy to know that they can prevent users from creating self-signed EFS keys.
Previously, users could easily turn on EFS, which generated a self-signed EFS digital certificate if a compatible PKI server could not be found.
Too often, these users encrypted files but did not back up their self-signed digital certificates, which frequently led to unrecoverable data loss.
With Windows 7, administrators can still allow self-signed EFS keys, while mandating ciphers and minimum key lengths.
Windows 7 will prod users to back up their EFS digital certificates to some other removable media or network drive share - and keep prodding them until they do it.
A Microsoft web page details the EFS changes.
Safer browsing with IE 8
Users don't need Windows 7 to run IE 8, and if they're running an older version of IE on an older operating system, they should upgrade to IE 8 as soon as possible.
Even better, from a security standpoint, is running IE 8 on Windows 7.
Not only is IE 8 more secure by default than previous versions of the browser, but IE 8 is more secure on Windows 7 than on Windows XP.
The recent Chinese Google zero-day hacking attack demonstrates this more effectively than anything I could come up with.
The Chinese attacks work most effectively on IE 6 and not very well on IE 8. Microsoft tested a number of related exploits and found that they were significantly harder to accomplish in IE 8, and harder still in IE 8 on Windows 7.
Naturally, application and website compatibility issues will guide how quickly Windows shops can move to the new browser - but run some tests.
I have no shortage of clients who are still clinging to IE 6 and haven't conducted any compatibility testing in over a year.
Often when I goad them into retesting their troublesome application with IE 8, it works.