Windows 7 Security Features Get Tough

Application Control

Windows 7 also introduces AppLocker, an enhancement to Group Policy settings that lets organizations specify which versions of which applications users have permission to run. For example, a rule might allow users to install Adobe Acrobat Reader version 9.0 or later, but it might block them from installing legacy versions without specific authorization. AppLocker contains a rule-generation wizard to make the process of creating policies much easier, and it includes automatic rule making for building a custom white list.
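The version rule described above, written as an AppLocker publisher rule and checked with the AppLocker PowerShell cmdlets. This is an added example, not part of the original article. The publisher and product strings, the policy file name and the search path are assumptions, and the rule sits in the Exe (run) collection; installer packages belong in the Msi collection instead.

```powershell
# Added example: allow a signed product only at or above a minimum file version.
# Assumed values: the PublisherName/ProductName strings and the Adobe install path.
# Read the real strings from a signed binary first:
#   Get-AppLockerFileInformation -Path <file> | Select-Object -ExpandProperty Publisher
Import-Module AppLocker

$ruleId = [guid]::NewGuid()   # every AppLocker rule needs a unique GUID
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$ruleId" Name="Adobe Reader 9.0 or later"
        Description="Allow signed Reader binaries at version 9.0.0.0 and above"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition
            PublisherName="O=ADOBE SYSTEMS INCORPORATED, L=SAN JOSE, S=CALIFORNIA, C=US"
            ProductName="ADOBE READER" BinaryName="*">
          <!-- LowSection is the minimum version; "*" leaves the upper bound open -->
          <BinaryVersionRange LowSection="9.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Write the policy to a file; nothing is applied to the machine at this point.
$policyPath = Join-Path $env:TEMP 'reader-min-version.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Evaluate the XML against installed binaries for the Everyone group and
# show which rule, if any, matched each file.
Get-ChildItem 'C:\Program Files*\Adobe' -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

The collection is set to AuditOnly because an enforced rule collection blocks every file that no rule allows, so a lone allow rule would deny everything else once enforced.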

System Restore, first introduced in Windows ME, gets a much needed update in Windows 7. First, System Restore displays a list of specific files that will be removed or added at each restore point. Second, restore points are now available in backups, giving IT professionals and others a greater list of options over a longer period of time.

The Action Center is a new, integrated Control Panel feature that gives Windows 7 users a central spot for locating tasks and common notifications under a single icon. The Action Center includes alerts and configuration settings for several existing features, including the Security Center; Problem Reports and Solutions; Windows Defender; Windows Update; Diagnostics; Network Access Protection; Backup and Restore; Recovery; and User Account Control. Popup alerts are gone in Windows 7, replaced by a new task tray icon (a flag with an X) that provides streamlined access to the problem directly or to the Action Center for more information.

Perhaps the most famous and most annoying form of Windows Vista notification comes from the User Account Control (UAC) feature, which flashes administrative warnings whenever you need to configure a system setting. In Vista the choices are stark: Endure the messages, or turn off UAC. In Windows 7, you have additional options. A slider bar configures the appropriate notification level for your computer, and by default UAC will notify you only when programs try to make changes to your PC.

Better Performance

Windows Defender, Microsoft's antispyware product, gains a much-needed performance enhancement in Windows 7. But Microsoft has removed the Software Explorer tool, asserting that the utility doesn't affect spyware detection or removal. That might be true, but Software Explorer would allow you to see what programs and processes are running, including ones that you may not know about or want. Perhaps Microsoft will reverse this decision by the final build.

Another new feature of Windows 7 is the Windows Filtering Platform (WFP), a group of APIs and system services that allow third-party vendors to tap further into Windows' native firewall resources, thereby improving system performance. Microsoft stresses that WFP is a development platform and not a firewall in itself, but WFP does address a few of Windows Vista's firewall problems.

In Vista, Microsoft introduced the concept of profiles for different types of network connections--home, network, public and domain. This, however, tied the hands of corporate IT professionals whenever a remote user accessed their corporate VPN, because the firewall was already set as either "home" or "public," and corporate network settings could not be applied later. Windows 7 and WFP in particular permit multiple firewall policies, so IT professionals can maintain a single set of rules for remote clients and for clients that are physically connected to their networks. Windows 7 also supports Domain Name System Security Extensions (DNSSEC), newly established protocols that give organizations greater confidence that DNS records are not being spoofed.

Features for Mobile Users

Windows 7 has two enhancements designed for mobile users. With DirectAccess, mobile workers can connect to their corporate network any time they have Internet access--without needing a VPN. DirectAccess updates Group Policy settings and distributes software updates whenever the mobile computer has Internet connectivity, whether the user is logged on to a corporate network or not. This ensures that mobile users stay up to date with company policies. And with BranchCache, a copy of data accessed from an intranet Web site or from a file server is cached locally within the branch office. Remote users can use BranchCache to access shared data rather than using a connection back to headquarters.

Windows 7 also makes enhancements to event auditing. Regulatory and business requirements are easier to fulfill through management of audit configurations, monitoring of changes made by specific people or groups, and more-granular reporting. For example, Windows 7 reports why someone was granted or denied access to specific information.
