Modernizing Authentication — What It Takes to Transform Secure Access
After a devastating wrong turn with Vista, Microsoft is back on its game with Windows 7. Sure, Windows 7 has annoyances such as touting attractive features, but making most of them available only to those who pay extra for Enterprise (or Ultimate). But Windows 7 Enterprise delivers a plethora of improvements to justify the cost and pain of migration. The security benefits you could reap by upgrading to Windows 7 Enterprise include the following:
Improved platform security.Windows 7 picks up where XP SP2 and Vista left off, extending Data Execution Protection and Address Space Layout Randomization to deter malware, even when browsing. Kernel Patch Protection stops malware from hooking 64-bit kernel events, and Windows Service Hardening can enforce resource access profiles for included Microsoft services. Alas, not all applications use DEP and ASLR and only services can use WSH, but Windows 7 starts with a more solid foundation from which to fend off attackers.
Safer browsing.Internet Explorer 8, supplied with all versions of Windows 7, incorporates a wealth of security enhancements, including SmartScreen filtering, trusted domain highlighting, type 1 cross-site script attack filters, and InPrivate browsing. IE8 takes advantage of ASLR and DEP and can apply more granular ActiveX settingsfor example, letting admins authorize riskier ActiveX controls, but only by trusted sites or users. IE8 can also be installed on XP SP3 and Vista, but upgrading to Windows 7 makes the most of some IE8 features and provides further incentive to retire older, less secure browsers.
Secure protocol support.Network protocols may not "wow" end users or sys admins, but they're a vital part of building a more secure foundation. Windows 7 includes native support for IPv6 (including IPv6 IPsec) and DNSSEC. These more secure protocols make it harder for attackers to spoof IP packets and addresses by providing cryptographic authentication and integrity checks. Enterprise networks must master other hurdles to actually use these protocols, but embedding protocol support in all of your endpoints satisfies one big pre-requisite.
Location-aware connection security.Windows 7 includes policy-based network segmentation, letting admins apply different Windows Firewall rules to each adapter based on location (e.g., Wi-Fi at the office, Wi-Fi at home, Wi-Fi at a public hotspot). The Windows 7 Firewall itself has grown from outbound-only packet filtering into a full bi-directional TCP/IP firewall, enforcing rules that can now be centrally-configured with ActiveDirectory GPOs. Windows 7 still doesn't have the best personal firewall around, but this is a noteworthy improvement.
Quick-and-easy file recovery.Windows XP creates System Restore points to roll a damaged PC back to a know-good earlier state. Windows 7 and Vista beef this up with Volume Shadow Copy (VSC) a service that backs up entire volumes, including Windows system files, program files, settings, and user files. By default, shadow copies are created weekly on a Windows 7 PC with idle time. On-the-go workers can use VSC to recover a single lost document or a corrupted DLL in minutes, without connectivity or help. However, because shadow copies are stored on the same disk, they are not a replacement for routine data backup to archive.
Always-on secure remote access.For those tired of intrusive VPNs, Windows 7 Enterprise offers DirectAccess. DA uses auto-initiated, authenticated, encrypted IPv6/IPsec tunnels to securely connect remote Windows 7 users to private network resources. DA tunnels can terminate at a Windows Server 2008 DA gateway or at any IPv6 Windows Server 2008 behind that gateway. Alas, in order to achieve user-transparent always-on secure remote access with DA, the enterprise must deploy Windows Server 2008 and IPv6. Fortunately, DA can wrap IPv6 inside IPv4 or HTTPS to traverse home and public networks that usually lack IPv6 today.
Usable user access control.The tighter User Access Controls first introduced by Vista are back in Windows 7 after a rigorous reality-check back at Redmond. UAC deters apps and users from making unauthorized changes by defaulting to Standard User and requiring explicit permission to elevate privileges when needed. Windows 7 now silently elevates many activities routinely needed by end-users (e.g., adding printers, changing time/date) to reduce prompting. Many Microsoft apps have also been refactored to segregate activities that do and do not require elevation, and admins can now configure prompts without disabling UAC altogether.
Better desktop auditing.Vista added XML-based audit events at a finer level of granularity. Windows 7 took this further by including more helpful information in audit eventsfor example, indicating not just that a given activity was permitted or denied, but why that decision was made. These enhancements improve forensic analysis and troubleshooting capabilities and make it possible to easily find all changes made by an individual user or group.
Application whitelisting.In Windows 7 Enterprise, XP/Vista Software Restriction Policy blacklists are replaced by AppLocker whitelists. SRPs were too hard to maintain and too easy to bypass. Windows 7 AppLocker strikes a better balance by permitting or denying program launch based on Publisher Rules (recommended), Hash Rules (for programs without signatures), and Path Rules (as a last resort). Publisher Rules check signatures on executables, installers, scripts, and libraries. A new wizard can even search an entire reference PC to find all programs and propose AppLocker Publisher Rules, falling back to Hash Rules only for programs without signatures. AppLocker still isn't for everyone, but it can deliver a more effective defense against malware while enforcing potentially-unwanted-program policies.
On-the-go data protection.BitLocker, introduced in Vista, is back in Windows 7 Enterprise with major improvements. BitLocker full-disk encryption can now be controlled by GPOs, use a wider PIN or two-factor authentication to unlock drives, and interface with a central recovery key store. Windows 7 also plugs the "USB hole" with BitLocker To Goportable data encryption for USB drives. BitLocker To Go stores an encrypted volume on a USB drive, along with a reader that can be used to decrypt those files on Vista or XP PCs. GPOs can be used to control whether unencrypted data can be written to USB, thereby enforcing encryption whenever files are permitted to leave an otherwise locked-down PC.
Take a hard look at these and other Windows 7 security features to determine how you can get the biggest bang for your buck during your OS migration. Some of these features require additional infrastructure most notably DirectAccess. Several are only available when upgrading to Windows 7 Enterprise (or Ultimate). Most require careful planning and testing prior to broad rollout (e.g., UAC, AppLocker). However, if used wisely, Windows 7 can help many organizations strengthen their security postures.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.