Windows 7 Security – Part 2: Powerful, Transparent and Improved Security Features
By Emmanuel Arinze, CISSP
The
ever increasing hostility of the online environment
pressurized Microsoft into making security the primary
consideration when it released the Vista operating system.
Unfortunately, the same powerful security features that made it so secure also made the Vista experience somewhat less than user friendly.
As a result, users deserted Vista in
droves. Many who bought machines preloaded with Vista
actually uninstalled it and replaced it with XP, which still
remains Microsoft’s most popular operating system.
Microsoft has also introduced a host of new security features.
Much of the new security is
art the kernel level, and therefore invisible to the user,
but there are many that are very user configurable.
Windows 7 Core Security
Windows 7 was developed following the Microsoft Security
Development Lifecycle (SDL). This is a cyclic 7-stage process including
Training,
Requirements, Design, Implementation, Verification, Release
and Response.
At its core, Windows 7 improves upon security features such
as Kernel Patch Protection, Data Execution Prevention,
Service Hardening, Address Space Layout Randomization, and
Mandatory Integrity Levels.
Others are Data Redirection, Buffer Overrun Protection and Patchguard for additional security on 64-bit computers.
We will look at these and the SDL in some depth in later
articles.
User Configurable Security
As mentioned earlier,
Windows 7 includes many features
carried over in improved form from Vista, while introducing
new features of its own.
Windows 7 security features include the following:
-
User Account Control (UAC): User Account Control was introduced in Vista in order to enable legacy applications run under standard user rights. The UAC also helped independent software vendors develop their software to function properly with standard user rights. Windows 7 improves upon UAC with changes made specifically to reduce the number of operating system applications and tasks needing administrator privileges with the intention of presenting the user with fewer prompts to respond to. UAC was designed so that most users will use a standard account for in their daily computing activities. The dangers of using an administrator account for regular daily computing are thereby avoided. UAC will only request user consent when an application needs to carry out a task that has system-wide effect. The intrusiveness of the Windows 7 UAC is therefore greatly reduced compared to its Vista predecessor, and new configuration options make it much easier to manage.
-
Windows Firewall: The Windows 7 firewall helps keep your computer secure by controlling access to and from any networks it is connected to. The firewall monitors both inbound and outbound traffic and includes support for IPv6 (Internet Protocol version 6). In Widows 7, the firewall now includes multiple access firewall profiles. This feature enables protection for several different network connections in the increasingly common situation where a computer is connected to different networks simultaneously. It does this by enabling the user create a separate profile for each network connection. In addition, the advanced configuration console enables administrators have detailed control over firewall rules and other advanced settings.
-
Windows Defender: Windows Defender is an anti spyware program that constantly monitors system settings in order to prevent the installation of known spyware and warn the user about the presence of suspicious system activity behaving in a spyware-like manner. The Windows Defender interface has been totally redesigned for Windows 7 to include fewer confusing options.
-
Internet Explorer 8: Internet Explorer 8 is now designed to run in protected mode. In this mode, Windows permissions are used to rigorously limit what web pages and add-ons can do on your system. This reduces its vulnerability to malicious code installation. IE is now isolated and runs with reduced privileges. Unless the user grants the program specific permission to act otherwise, IE will only write data to locked temporary folders. Active X controls have been restricted and SmartScreen, a phishing filter has been implemented. The new inPrivate filtering and inPrivate browsing features prevent information about your browsing habits from being monitored.
-
Data Encryption: The improved Bitlocker Drive Encryption feature is designed to completely encrypt the contents of a hard drive while Bitlocker To Go does the same with portable storage devices such as USB flash drives. This means that if your flash drive, laptop, or even your desktop computer is stolen, the thief will not be able to access the contents of the drives. Windows 7 adds Data Recovery Agent (DRA) support for all protected drives. This feature allows authorized administrators to have access to Bitlocker protected drives.
Bitlocker stores its encryption keys on a Trusted
Platform Module (TPM) chip. This enables encryption and
decryption of the protected data. Bitlocker can be used
without a TPM chip, but the procedure is a bit more
complicated. It will be covered in a later article.
Bitlocker and Bitlocker To Go are only available on Windows
7 Enterprise and Ultimate editions.
-
Windows Biometric Service: The Windows Biometric Service is the key component of the Windows Biometric Framework introduced in Windows 7. This service enables support for biometric devices for computer login. It also enables the user to enter administrative credentials when these are required by the UAC. At present, only fingerprint readers are supported, but the framework has been designed to be expanded in the future.
-
Parental Controls: In Windows 7, Parental Controls provide features that help parents configure a secure computing environment for their children. The feature enables parents control how much time children can spend on the computer and which programs and games they can access, and when. The Parental Controls in Windows Media Center allow parents block access to TV shows and movies which they do not approve of.
-
Enhanced Auditing: With the enhanced auditing capabilities in Windows 7, organizations are enabled to meet their regulatory and business compliance requirements more easily. Management of audit configurations has been simplified to give a clearer view into computer use and to track IT user activities within the enterprise. It is now easier to see details of how and why users and groups have been given or denied access to data, while changes by individual users and groups are easier to track.
-
Applocker: Applocker is a mechanism that allows system administrators to specifically control what applications are allowed to run across the enterprise desktop environment. Applocker strengthens application control policies by enabling administrative control over the ability of users to install programs and run scripts. Applocker gives IT management improved capability to control or even enforce application standardization within the enterprise in a secure manner, resulting in improved operations and compliance.
-
Action Center: New in Windows 7, the Action Center consolidates security and maintenance notifications in one convenient location. It simplifies the process of recognizing issues and problems, understanding their importance, and fixing them. Some security messages managed by Action Center include Windows Update alerts, Internet Security Settings, Network Firewall messages, Spyware and related issues, User Account Control, and Virus Protection. Maintenance messages include Windows Backup, Troubleshooting, and Update checks.
The security tools and features mentioned above are an introduction to what makes Windows 7 the most secure Windows operating system so far. In coming articles we will also look at how to manage user accounts, passwords, and logons.
Tip: Click here to run a free scan for Windows related errors