Windows 7 Security Features Get Tough
Microsoft has responded with its latest operating system, Windows 7, currently in public beta and expected to ship later this year. In Windows 7, new security features have been added, popular features expanded, and familiar features enhanced. Here's a look at a dozen or so security improvements that we expect will convince even the most recalcitrant corporate clients to upgrade.
Improved Migration Tools
Microsoft says that Windows 7 will be faster and easier to roll out across an enterprise than previous OS migrations were. Much of the credit for the anticipated improvement goes to new tools such as Dynamic Driver Provisioning, Multicast Multiple Stream Transfer, and Virtual Desktop Infrastructure.
With Dynamic Driver Provisioning, drivers are stored centrally, separate from images. IT professionals can arrange for installation by individual BIOS sets or by the Plug and Play IDs of a PC's hardware. Microsoft says that reducing the number of unnecessary drivers installed will help avoid potential conflicts and will accelerate installation. With Windows 7, as with Windows Vista, IT professionals can update system images offline, and even maintain a library of images that includes different drivers, packages, features, and software updates.
Rolling out any particular image across the entire network--or even installing individual images on desktops--is faster in Windows 7, thanks to the new Multicast Multiple Stream Transfer feature. Instead of individually connecting to each client, deployment servers "broadcast" the images across the network to multiple clients simultaneously.
Virtual Desktop Infrastructure (VDI), another desktop deployment model, allows users to access their desktops remotely, thereby centralizing data, applications, and operating systems. VDI supports Windows Aero, Windows Media Player 11 video, multiple-monitor configurations, and microphone support for voice over IP (VoIP) and speech recognition. New Easy Print technology permits VDI users to print to local printers. But use of VDI requires a special license from Microsoft, and it doesn't offer the full functionality of an installed operating system.
Protecting Corporate Assets
Once the OS is installed, organizations may protect their assets with authentication at logon. Windows Vista included drivers for fingerprint scanners, and Windows 7 makes such devices easier for IT professionals and end users to set up, configure, and manage. Windows 7 extends the smart card support offered in Windows Vista by automatically installing the drivers required to support smart cards and smart card readers, without administrative permission.
IT professionals may further protect the contents of their Windows 7 volumes with BitLocker, Microsoft's whole-disk encryption system. Windows Vista users have to repartition their hard drive to create the required hidden boot partition, but Windows 7 creates that partition automatically when BitLocker is enabled. In Windows Vista, IT professionals must use a unique recovery key for each protected volume. But Windows 7 extends the Data Recovery Agent (DRA) to include all encrypted volumes; as a result, only one encryption key is needed on any BitLocker-encrypted Windows machine.
BitLocker To Go is a new feature that lets users share BitLocker-protected files with users running Windows Vista and Windows XP. The BitLocker To Go desktop reader provides simple, read-only access to the protected files on non-BitLocker-protected systems. To unlock the protected files, the user must provide the appropriate password (or smart-card credentials).
Windows 7 also introduces AppLocker, an enhancement to Group Policy settings that lets organizations specify which versions of which applications users have permission to run. For example, a rule might allow users to install Adobe Acrobat Reader version 9.0 or later, but it might block them from installing legacy versions without specific authorization. AppLocker contains a rule-generation wizard to make the process of creating policies much easier, and it includes automatic rule making for building a custom white list.
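The Acrobat Reader rule described above, as an added example that is not from the article or from Microsoft's own documentation: an AppLocker policy XML with a publisher rule whose version range starts at 9.0, tested against a sample binary and then applied locally in audit mode. The PublisherName, rule GUIDs, and Reader path are assumed placeholders; the real certificate subject comes from Get-AppLockerFileInformation on the signed executable.

```powershell
# Added example (not the article's own code). Requires Windows 7 Ultimate/Enterprise
# (or Server 2008 R2) with the AppLocker PowerShell module.
Import-Module AppLocker

# PublisherName and GUIDs are PLACEHOLDERS; replace with values from
# Get-AppLockerFileInformation -Path <signed AcroRd32.exe> before use.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Allow Adobe Reader 9.0 or later for Everyone (SID S-1-1-0). Older
         Reader builds match no rule and are blocked once enforcement is on. -->
    <FilePublisherRule Id="a1f3c2e4-0000-4000-8000-000000000001"
        Name="Allow Adobe Reader 9.0 or later" Description="Article example"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=PLACEHOLDER PUBLISHER, L=CITY, S=STATE, C=US"
            ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="9.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- Keep the OS itself runnable: with only the rule above, enforcement
         would also block every executable under the Windows folder. -->
    <FilePathRule Id="a1f3c2e4-0000-4000-8000-000000000002"
        Name="Allow Windows folder" Description="Article example"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$path = Join-Path $env:TEMP 'reader-policy.xml'
$policyXml | Set-Content -Path $path -Encoding UTF8

# Dry run: see which rule (if any) a sample binary would match. The path is an
# assumed default install location, not taken from the article.
Test-AppLockerPolicy -XmlPolicy $path `
    -Path 'C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe' -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local policy in AuditOnly mode. Review the AppLocker event log
# (Applications and Services Logs > Microsoft > Windows > AppLocker) before
# changing EnforcementMode to "Enabled"; the Application Identity service
# (AppIDSvc) must be running for AppLocker to evaluate rules at all.
Set-AppLockerPolicy -XmlPolicy $path
```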
System Restore, first introduced in Windows ME, gets a much-needed update in Windows 7. First, System Restore displays a list of the specific files that will be removed or added at each restore point. Second, restore points are now included in backups, giving IT professionals and others a wider range of restore options over a longer period of time.
The Action Center is a new, integrated Control Panel feature that gives Windows 7 users a central spot for locating tasks and common notifications under a single icon. The Action Center includes alerts and configuration settings for several existing features, including the Security Center; Problem Reports and Solutions; Windows Defender; Windows Update; Diagnostics; Network Access Protection; Backup and Restore; Recovery; and User Account Control. Pop-up alerts are gone in Windows 7, replaced by a new task tray icon (a flag with an X) that provides streamlined access to the problem directly or to the Action Center for more information.
Perhaps the most famous and most annoying form of Windows Vista notification comes from the User Account Control (UAC) feature, which flashes administrative warnings whenever you need to configure a system setting. In Vista the choices are stark: Endure the messages, or turn off UAC. In Windows 7, you have additional options. A slider bar configures the appropriate notification level for your computer, and by default UAC will notify you only when programs try to make changes to your PC.
Windows Defender, Microsoft's antispyware product, gains a much-needed performance enhancement in Windows 7. But Microsoft has removed the Software Explorer tool, asserting that the utility doesn't affect spyware detection or removal. That might be true, but Software Explorer allowed you to see what programs and processes were running, including ones that you might not know about or want. Perhaps Microsoft will reverse this decision by the final build.
Another new feature of Windows 7 is the Windows Filtering Platform (WFP), a group of APIs and system services that allow third-party vendors to tap further into Windows' native firewall resources, thereby improving system performance. Microsoft stresses that WFP is a development platform and not a firewall in itself, but WFP does address a few of Windows Vista's firewall problems.
In Vista, Microsoft introduced the concept of profiles for different types of network connections--home, network, public, and domain. This, however, constrained corporate IT professionals whenever a remote user accessed their corporate VPN, because the firewall was already set to either "home" or "public," and corporate network settings could not be applied later. Windows 7, and WFP in particular, permits multiple firewall policies to be active at once, so IT professionals can maintain a single set of rules that covers both remote clients and clients physically connected to their networks. Windows 7 also supports Domain Name System Security Extensions (DNSSEC), newly established protocols that give organizations greater confidence that DNS records are not being spoofed.
Features for Mobile Users
Windows 7 has two enhancements designed for mobile users. With DirectAccess, mobile workers can connect to their corporate network any time they have Internet access--without needing a VPN. DirectAccess updates Group Policy settings and distributes software updates whenever the mobile computer has Internet connectivity, whether or not the user is logged on to the corporate network. This ensures that mobile users stay up-to-date with company policies. And with BranchCache, a copy of data accessed from an intranet Web site or from a file server is cached locally within the branch office. Remote users can then read that shared data from BranchCache rather than over a connection back to headquarters.
Windows 7 also makes enhancements to event auditing. Regulatory and business requirements are easier to fulfill through management of audit configurations, monitoring of changes made by specific people or groups, and more-granular reporting. For example, Windows 7 reports why someone was granted or denied access to specific information.