Establishing Digital Trust: Don't Sacrifice Security for Convenience
Right now, Windows 7 looks very much like Windows Vista because enhancements to the appearance and feel aspects of the operating system typically come late in the development process. Lucky for us, much of the awaited security functionality has already made its way into the beta build and we're going to look at some of the new changes for Windows 7.
Old friends, new twists
Returning from Windows Vista are Kernel Patch Protection, Service Hardening, Data Execution Prevention, Address Space Layout Randomization, and Mandatory Integrity Levels
Windows XP SP2 gave us the Security Center. Windows 7 discards this and in its place is an Action Center that incorporates alerts from 10 existing Windows features: Security Center; Problem, Reports, and Solutions, Windows Defender; Windows Update; Diagnostics; Network Access Protection; Backup and Restore; Recovery; and User Account Control.In Windows 7, users can adjust consent prompt behavior using a slider control, if they have administrative privileges. Microsoft says they'll still be protected against malicious software, even if they never see another alert. While this may or may not be true, users have been conditioned to see alerts whenever something is happening. Without them, perhaps a false sense of security will develop on the part of the end user.
Windows Filtering Platform
Windows 7 introduces something called the Windows Filtering Platform (WFP). The idea is that third parties can take advantage of aspects of the Microsoft Windows Firewall in their own products. Microsoft says "third-party products also can selectively turn parts of the Windows Firewall on or off, enabling you to choose which software firewall you want to use and have it coexist with Windows Firewall."
While this sounds nice on paper, I can't see a vendor teaming their product with the Windows firewall. Smart money says they'll just use their own and ignore the Microsoft solution.
One nice thing to note about Windows 7 is that it makes it easier to configure that all-important home network. When users hit network problems, they curse the firewall and they're often right to. Windows 7 addresses the problem by taking over home network setup and making sure the firewall doesn't interfere.
We also see that scrollbars were removed in the configuration settings screen, as has the Software Explorer feature, and real-time protection in Windows 7 has been improved to reduce the impact on overall system performance. A welcome change from the bloat of Vista.
An inclusive BitLocker
Vista sailed in along with a fleet of new security features, among them BitLocker, a whole-disk encryption tool designed to protect your data even after an attacker makes off with your laptop. BitLocker utilizes a chip called a Trusted Protection Module (TPM). The Vista TPM transparently decrypts the drive once you've authenticated yourself with a password or smart card. A laptop thief can't break into the locked drive, even after booting to a different OS or moving the drive to another computer.
BitLocker drive encryption also supports removable storage devices, such as flash memory drives and portable hard drives has been added in Windows 7. This means that users can keep sensitive data on all of their USB storage devices as well as the physical drives on the host mentioned above.
As a side note to Bitlocker, using groups, you can ban writing to any removable drive that isn't BitLocker-protected. It's a very useful tool against the very real problem known as podslurping. With this policy in place, employees can still bring in the virus-of-the-month on an unprotected drive, but they can't take away an unprotected copy of the personnel database. It's also helpful to know that BitLocker to Go also allows users to securely share data with other users who have not yet deployed Windows 7.
That said, the testing I performed proved otherwise. I could not get this to work so I went to Microsoft and they confirmed that this is an issue in the beta build but will be fixed before final GA release.
Biometrics, System Restore and AppLocker
Biometrics enhancements include easier reader configurations, allowing users to manage the fingerprint data stored on the computer and control how they log on to Windows 7. And System Restore includes a list of programs that will be removed or added, providing users with more useful information before they choose which restore point to use. Restore points are also available in backups, providing a larger list to choose from, over a longer period of time.
I've seen more problems caused by System Restore than solved by it; I'm not a big fan. Still, users often resort to it when trying to clean up a real or imagined malware problem. In Windows 7, you'll at least have a clear idea of what collateral damage may result, as it lists all programs and drivers that would be removed or brought back by invoking a particular System Restore point. It's way better than guessing at the right restore point and hoping for the best, which is what you have to do now.
Another enhancement is AppLocker, accessed through Local Security Policy. It's a way to control which programs users can and can't use, and it's a lot more flexible than Vista's Software Restriction Policies. Still, it's not for the average user. Most IT shops should be pleased with this enhancement. I can see it being tailored to just about any corporate need.
Virtually all the changes in the security area are simply tweaking and improving on existing Vista features. But then, that's what Windows 7 is all about, right? While the enhancements seen thus far in the beta are nice, they aren't stunning.
I hope to see even more improvements before Windows 7 hits the streets.
This article was first published on Enterprise IT Planet.