Windows 7 brings several security enhancements that don't sacrifice usability. We look at the five best features that businesses should definitely be using.
Controlling what applications users can install or run is an effective way of maintaining the stability of users' systems, preventing malware and protecting the integrity of the network from bandwidth-hungry applications like BitTorrent.
In previous versions of Windows, this was handled by the Software Restriction Policies feature. These policies could be applied to prevent specific software from running based on either its location in the file system or its failure to match a cryptographic hash of a known, trusted application.
Software Restriction Policies could be a hassle to implement and maintain effectively. Some programs need to be installed outside of the typical path, which means new path rules have to be created. And hash-based policies offer powerful security but can fail whenever a program is updated. Any change to the program's code - even a bug fix or security update - changes the hash, so allowing the update would prevent the program from running. Thus, IT managers had to maintain and update a cumbersome list of hash rules and override programs' ability to update automatically.
AppLocker, available for Windows 7 Enterprise and Ultimate (as well as Windows Server 2008 R2), adds a new, more flexible method of controlling software: publisher rules. Publisher rules rely on information in a program's signature certificate, which more and more applications have today.
This information is far more detailed than the file path or hash data, which lets admins create complex rules, such as allowing software to run only if it comes from a particular publisher, has a particular name, has a specific file name and/or is of a particular version. For example, a rule could be created to allow anything from Adobe to be run, or only Photoshop, or only the current and future versions of Photoshop.
AppLocker rules can be applied to any executable, script, installer or system library, giving users enough latitude to, say, install needed software or updates without an administrative override, while still preventing them from using unauthorised software.
Furthermore, AppLocker rules can be written to apply to specific users or user groups; your accounting team and your graphic design team probably have very different software needs, but with AppLocker, only one set of policies is needed to provide each group with its own unique set of restrictions and allowances. AppLocker can even distinguish among users who share the same computer.
A real timesaver is the ability to automatically generate rules from a trusted reference computer. Policies can be exported and applied globally across the network using Windows' Group Policy settings. (See Microsoft's TechNet for a step-by-step guide to using AppLocker.)
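The reference-computer workflow described above, sketched with the AppLocker PowerShell cmdlets as an added example (not taken from the article or from Microsoft's guide). The scan folder, the CONTOSO\GraphicDesign group and the output path are assumed placeholder names.

```powershell
# Added example: run in an elevated session on the trusted reference computer.
# Assumed names: scan root, security group and output file are placeholders.
Import-Module AppLocker

$scanRoot  = 'C:\Program Files'
$group     = 'CONTOSO\GraphicDesign'
$policyXml = 'C:\AppLocker\design-policy.xml'

New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# 1. Inventory every executable under the scan root, including its
#    signature (publisher) details and file hash.
$files = Get-AppLockerFileInformation -Directory $scanRoot -Recurse -FileType Exe

# 2. List unsigned files first. They cannot get a publisher rule, so they
#    fall back to hash rules that need regenerating after every update.
$unsigned = $files | Where-Object { -not $_.Publisher }
Write-Host "Unsigned executables (hash rules only): $(@($unsigned).Count)"
$unsigned | ForEach-Object { Write-Host "  $($_.Path)" }

# 3. Generate the policy for one user group: publisher rules where a
#    signature exists, hash rules otherwise. -Optimize merges similar rules.
$files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User $group `
        -RuleNamePrefix 'Design' -Optimize -Xml |
    Out-File -FilePath $policyXml

# 4. Dry run before deployment: show only the files this group would be
#    blocked from running under the generated policy.
Get-ChildItem -Path $scanRoot -Recurse -Filter *.exe |
    Test-AppLockerPolicy -XmlPolicy $policyXml -User $group `
        -Filter Denied, DeniedByDefault

Write-Host "Policy written to $policyXml"
```

The exported XML file is what gets imported into a Group Policy object for network-wide deployment. Rules are only enforced on clients where the Application Identity service is running.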
It's important to note that AppLocker rules apply only to users whose machines are running Windows 7 Enterprise or Ultimate editions. If some of your users have older Windows versions, you'll need to keep Software Restriction Policies in place for them. As more users upgrade to Windows 7, you can phase out SRP and rely on AppLocker.