Top Security Features in Windows 7
The Great Debate::-
Fundamentally Secure Platform
Windows 7 builds upon the strong security lineage of Windows Vista and retains all of the development processes and technologies that have made Windows Vista the most secure version of the Windows client to date. Fundamental security features such as Kernel Patch Protection, Service Hardening, Data Execution Prevention, Address Space Layout Randomization, and Mandatory Integrity Levels continue to provide enhanced protection against malware and attacks. Windows 7 is again designed and developed using Microsoft‘s Security Development Lifecycle (SDL) and is engineered to support Common Criteria requirements to achieve Evaluation Assurance Level 4 certification and meet Federal Information Processing Standard 140-2. From the solid security foundation of Windows Vista, Windows 7 makes significant enhancements to the core security technologies of event auditing and User Account Control.
Windows 7 provides enhanced audit capabilities to make it easier for an organization to meet their regulatory and business compliance requirements. Audit enhancements start with a simplified management approach for audit configurations and end by providing even greater visibility into what occurs in your organization. For example, Windows 7 provides greater insight into understanding exactly why someone has access to specific information, why someone was denied access to specific information, and all of the changes made by specific people or groups.
User Account Control (UAC) was introduced in Windows Vista to help increase security and improve total cost of ownership by enabling the operating system to be deployed without administrative privileges. Windows 7 continues the investment in UAC with specific changes to enhance the user experience: from reducing the number of operating system applications and tasks that require administrative privilege to a flexible consent prompt behavior for users who continue to run with administrative privilege. The result, standard users can do even more than ever before and all users will see fewer prompts.
Security Enhanced Storage Devices
The widespread use of USB flash drives and other personal storage devices raises user concerns about the security of information on these devices. However, some users do not require the full data encryption features of BitLocker To Go™. Windows 7 provides support for password protection and certificate-based authentication for IEEE 1667 compliant USB storage devices. Users can utilize password protection of IEEE 1667 storage devices to help keep data private from casual disclosure.
Fingerprint Readers and Logon (Biometric Security)
Fingerprint scanners are becoming more and more common in standard laptop configurations, and Windows 7 ensures that they work well. It’s easy to set up and begin to use a fingerprint reader, and logging on to Windows using a fingerprint is more reliable across different hardware providers. Fingerprint reader configurations are easy to modify, so you can control how you log on to Windows 7 and manage the fingerprint data stored on the computer.
A brand new feature in Windows 7 is DirectAccess, which allows remote users to connect securely to their corporate networks over the Internet without using a VPN. Administrators can apply Group Policy settings and otherwise manage the mobile computers and even update them whenever the mobile machines are connected to the Internet, regardless of whether the user is logged on to the corporate network.
With DirectAccess, IT professionals maintain fine-grained control over which network resources users can access. For example, Group Policy settings can be used to manage remote user access to enterprise applications. DirectAccess also separates Internet traffic from access to internal network resources, so that users can access public Web sites without generating additional communications traffic on the corporate network.
DirectAccess also supports multifactor authentication with smart cards and uses IPv6 over IPsec for encrypting the traffic.
DirectAccess is great for the mobile worker, but what about the remote worker who works out in a branch office location? I’ve worked in many a branch office and the one thing they all seem to have in common is limited network bandwidth. Accessing large files in a branch office is always a slow, frustrating affair for me. I, like most users, prefer a snappy network and quick downloads. All the waiting that I have to do– or you have to do — is just lost productivity that, at the end of the day, can hurt the company’s bottom line.
Windows 7 incorporates BranchCache, another technology that works in conjunction with Windows Server 2008 R2, which helps make network responsiveness of applications and data housed within your data center feel snappy. This gives users in remote, branch offices the experience of working as if they were on the local area network (LAN) of the server they are accessing.
BranchCache also helps reduce the utilization of the wide area network (WAN). When BranchCache is enabled, a copy of any data accessed from Intranet Web sites and/or file servers is cached locally within the branch office. When another client on the same network requests the file, the client downloads it from the local cache without downloading the same content across the WAN.
“This is my favorite feature”
Software Restriction Policies are included in XP and Vista and they seemed like a great idea. Administrators can use Group Policy to keep users from running particular programs that might present a security threat. But they’ve never been used that much because they aren’t easy to use.
Windows 7 has improved on the concept with a new feature called AppLocker. Windows 7 reenergizes application control policies with AppLocker: a flexible, easy to administer mechanism that allows IT to specify exactly what is allowed to run in the desktop infrastructure and gives users the ability to run applications, installation programs, and scripts that they require to be productive. As a result, IT can enforce application standardization within their organization while providing security, operational, and compliance benefits.
AppLocker provides simple, powerful rule structures and introduces publisher rules: rules based upon application digital signatures. Publisher rules make it possible to build rules that survive application updates by being able to specify attributes such as the version of an application. For example, an organization can create a rule to “allow all versions greater than 9.0 of the program Acrobat Reader to run if it is signed by the software publisher Adobe.” Now when Adobe updates Acrobat, you can safely deploy an application update without having to build another rule for the new version of the application.
Protecting Data from Unauthorized Viewing
Each year, hundreds of thousands of computers without appropriate safeguards are lost, stolen, or decommissioned. However, data leakage is not just a physical computer issue. The ubiquity of USB Flash Drives, e-mail communications, leaked documentation, etc. all provides other potent avenues for data to fall into the wrong hands.
Windows 7 retains the data protection technologies available in Windows Vista like the Encrypting File System (EFS), built-in Active Directory® Rights Management Services technology, and granular USB port controls. In addition to the incremental updates in these technologies, Windows 7 provides several significant improvements to the popular BitLocker Drive Encryption technology.
Bit Locker To Go
Microsoft added BitLocker internal hard drive encryption in Vista to protect data on stolen laptops. In Windows 7, the feature has been extended to protect external hard drives and USB thumb drives.
Called “BitLocker To Go”, the feature, available only in Windows 7 Enterprise and Ultimate editions, allows external storage devices to be restricted with a passphrase set by IT before users have permission to copy data to them.
Internet Explorer 8 for Safer Browsing
Although you can use Internet Explorer 8 with Windows XP or Vista, the latest version of IE comes loaded on Windows 7 machines. Despite its recent browser market share dips, IE8 does offer improved security features for both consumers and enteprises.
Internet Explorer 8 delivers improved protection against security and privacy threats, including the ability to help identify malicious sites and block the download of malicious software. Privacy is enhanced through the ability to surf the Web without leaving a trail on a shared PC, and through increased choice and control over how Web sites can track user actions. Internet Explorer 8 also helps inspire confidence and trust through improved restrictions for ActiveX® controls, enhanced add-on management, improved reliability (including automated crash recovery and tab restoration), and enhanced support for accessibility standards.
Multiple Active Firewall Policies
In Windows Vista, firewall policy is based on the “type” of network connection established—such as Home, Work, Public, or Domain (which is a fourth, hidden type.) However, this can present security obstacles for IT professionals when, for example, a user connected to the Internet through a “Home” network then uses a virtual private networking to access to the corporate network. In such a case, because the network type (and thus the firewall settings) had already been set based on the first network to which the user connected, the firewall settings appropriate for accessing the corporate network could not be applied.
Windows 7 gets rid of this IT pain through support for multiple active firewall policies. This enables my PC to obtain and apply domain firewall profile information regardless of other networks that may be active on the PC. Now IT Pros can simplify connectivity and security policies by maintaining a single set of rules for both remote clients and clients that are physically connected to the corporate network and know that the rules are appropriately applied.
Built upon the security foundations of Windows Vista, Windows 7 introduces the right security enhancements to give users the confidence that Microsoft is helping keep them protected. Businesses will benefit from enhancements that help protect company sensitive information, that provide stronger protections against malware and that help secure anywhere access to corporate resources and data. Consumers can enjoy the benefits of computers and the Internet knowing that Windows 7 is the state of the art at helping to protect their privacy and personal information. Finally, all users will benefit from the flexible and discoverable configurations options of the Windows 7 security help everyone achieve the right balance of security versus usability for their unique situation.