
Windows 7 Security - Strengths and Weaknesses

Published on June 2016 | Categories: Documents | Downloads: 22 | Comments: 0


NEW ENTERPRISE DESKTOP E-BOOK

CHAPTER 3: Windows 7 security

WINDOWS 7 SECURITY: WHAT’S NEW?

BEEFING UP WINDOWS 7’S NATIVE SECURITY

WORRY-FREE SECURITY MANAGEMENT

SECURITY SHORTCOMINGS AND THE ENTERPRISE

Windows 7 security: Strengths and weaknesses
Windows 7 administrators and users may be thrilled to hear about its native security features. Here’s a look at what you can expect, which features carry the most value and when you might want a little more protection.
BY FRANK OHLHORST

Microsoft has taken a lot of heat over the years when it comes to operating system security. The company hoped to change that with the release of Windows 7, which includes several new security features. The question is: Do its security features deliver enough protection?

To answer that question, it’s important to define the security features associated with Windows 7. If the OS falls short in the security department, organizations may need to look to third-party security products. And that can be a budget buster that would derail many Windows 7 deployments.


WINDOWS 7 SECURITY: WHAT’S NEW?


One of the biggest complaints about Windows 7’s predecessor—Windows Vista—was its lack of security. In reality, Vista does have several valuable security features; it’s just the way that Microsoft presented those features to users that was the problem. Users were hassled by frequent pop-ups with cryptic messages that were difficult to interpret, and that led to excessive tech support calls as well as a general feeling that the OS was lacking sensible security.

Truth be told, most of Windows 7’s security enhancements are based on security improvements that were introduced with Windows XP SP2 and later improved with Windows Vista. That means that most of the security fixes delivered via Windows 7 are minor changes, but they have a major impact on how users perceive its security.

User Account Control. UAC is one Windows Vista feature that users struggled with. In Windows 7, UAC has undergone several improvements that make it more user-friendly without sacrificing essential security. UAC monitors the types of changes that an application is trying to make on the OS’s files and settings. For example, if an application needs to install libraries or make changes to Windows 7’s registry, UAC will analyze those changes and prompt the user before allowing any change to take place that may be overly intrusive.

First, users can reduce how often UAC requests permission to install or change a program. Users also have the option to turn off permission requests and set UAC to notify only. Those slight changes reduce support costs, eliminate unnecessary interruptions and circumvent many tech support requests.
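Because users can lower the UAC notification level themselves, administrators may want to check which level a PC is actually running. The PowerShell below is an added example, not part of the e-book; the function name Get-UacLevel and the level labels are chosen here, and the mapping of registry values to slider positions is an assumption based on the values the Windows 7 UAC slider is commonly documented as writing.

```powershell
# Added example: report the UAC notification level on the local PC (PowerShell 2.0 compatible).
# Get-UacLevel and the level labels are names chosen for this sketch.
function Get-UacLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    $lua     = $p.EnableLUA                   # 0 = UAC switched off
    $consent = $p.ConsentPromptBehaviorAdmin  # how administrators are prompted
    $secure  = $p.PromptOnSecureDesktop       # 1 = prompt on the dimmed secure desktop

    # Comparisons against a missing value ($null) are false, so an absent
    # value falls through to 'Custom' instead of being read as 0.
    if     ($lua -eq 0)                        { $level = 'Never notify (UAC off)' }
    elseif ($consent -eq 2 -and $secure -eq 1) { $level = 'Always notify' }
    elseif ($consent -eq 5 -and $secure -eq 1) { $level = 'Default' }
    elseif ($consent -eq 5 -and $secure -eq 0) { $level = 'Default without desktop dimming' }
    elseif ($consent -eq 0)                    { $level = 'Elevate without prompting' }
    else                                       { $level = 'Custom (set by policy)' }

    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        Level       = $level
        # Anything other than the two strongest slider positions is flagged for review.
        NeedsReview = ($level -ne 'Always notify' -and $level -ne 'Default')
    }
}

Get-UacLevel | Format-List Computer, Level, NeedsReview
```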

AppLocker. This new security feature allows users to restrict program execution based on firewall profiles. Simply put, policies that determine which applications can be run are created and deployed to desktop PCs. Those policies can prevent unauthorized applications, such as file sharing services, from being executed on the PC—plugging a potential security hole.

AppLocker is a handy feature for portable systems used in both the enterprise and home. Noncritical applications that are deemed less secure can be disabled when a user is connected to a corporate network and reenabled when that user is on a home or public network. AppLocker also features in-depth application controls that you can use to define policies to allow or prevent an application from launching. This feature has the potential to replace third-party filtering products that prevent applications from running across an enterprise.

System Application Permissions. Microsoft’s System Application Permissions feature reduces the number of applications that require administrator-level permissions to execute. With Windows 7, users are prompted less frequently for permission to run system applications, an act that was once thought of as administrator level. Ideally, this will protect critical files by limiting who can run administrator-level applications while giving end users enough flexibility to run applications that they need to access even though the apps were once deemed a security threat.

Of course, controlling the installation and execution of applications is only part of the security picture. Microsoft has also invested in technology that protects data through encryption.

BitLocker. First introduced in Windows Vista, the BitLocker disk encryption feature has gone through some evolutionary changes that make it easier to use and applicable to more data stores. In Windows 7, BitLocker supports single-key instances, allowing data to be recovered using a common encryption key that the network administrator assigns. This essentially makes BitLocker more network-friendly.

BitLocker encrypts a disk partition; that partition may be located on the system or on a removable device. If you are using BitLocker to secure your system’s hard drive, for example, it will create a system partition that contains the files needed to start your computer and an OS partition that contains your applications, data and Windows. The OS partition will be encrypted and the system partition will remain unencrypted to allow your computer to start.

BitLocker reaches its full potential on computers equipped with Trusted Platform Module (TPM). In these situations, BitLocker can use either transparent operation mode or user authentication mode when integrated with TPM. The TPM hardware detects if there are unauthorized changes to the preboot environment, including the BIOS and master boot record. If it detects any unauthorized changes, BitLocker requests either a recovery key on a USB device or that a user manually enters a recovery password. These cryptographic entries are used to decrypt the volume master key and allow the boot-up process to continue.

A new feature in Windows 7 is BitLocker To Go, which is used to encrypt removable devices such as USB key drives, rewritable optical media and removable hard drives. BitLocker To Go secures information in transit. Network policies can be defined to require all users to encrypt data on removable devices, preventing possible data leakage.

BitLocker To Go is designed to be very easy to use. You can apply encryption to a removable device by launching the application and then creating a passphrase (or using a smartcard) to encrypt/decrypt the drive. Once configured, BitLocker To Go can automatically encrypt USB drives whenever one is inserted into a PC. Its tight integration with Windows 7 makes BitLocker To Go easy to use for removable media. It's also backward-compatible with earlier versions of Windows (XP and Vista). When an encrypted device is accessed by an earlier Windows version, a decryption utility stored on the device automatically executes and allows users with the proper passkey to access the data.

Windows Defender. Spyware is another security concern, and Windows Defender addresses that problem. Microsoft improved Windows Defender’s user interface in Windows 7, making it easier to understand compared to previous versions. The feature also integrates with Windows 7’s Action Center. Windows Defender is the first line of defense against spyware and other unwanted software. It has less of an impact on system performance than it did in Vista and offers extensive scanning options. A new feature in Windows Defender called “Clean System” provides one-click purging of all suspicious software.

Antispyware is imperative in the Windows environment. Without it, spyware can be installed on a computer without the user’s knowledge whenever the PC is connected to the Internet. Spyware infections can also occur via email and during program installations. The biggest issue with spyware is its ability to secretly gather important personal or business information and then deliver that information to outside sources.

Windows Defender protects PCs using two methods:

1. Real-time protection. This method alerts the user when spyware and other potentially unwanted software attempts to install or run on the PC. Depending on the alert level, the user can choose one of three actions to occur when spyware is detected.

• QUARANTINE moves the software to another location on the computer and prevents it from running.
• REMOVE permanently deletes the software from the computer.
• ALLOW adds the software to the Windows Defender allowed list and lets it run on the computer. When set to allow, Windows Defender will not alert the user to risks. Users should only add software to the allowed list if that software comes from a trusted software publisher.

2. Scanning. This method examines every file on the PC for embedded spyware or spyware applications. Detected spyware can be automatically removed during the scanning process. Windows Defender relies on regularly updated signature files to function properly; Microsoft Windows Update Services (WSUS) updates signature files automatically. This is offered at no charge to registered Windows 7 users.

Windows Firewall. The software security firewall uses policies to control applications and access to the PC. It supports multiple profiles, which can be active concurrently or separately based on a user’s connection status or other defined policies. The feature protects the PC from hackers and malicious software; integration with third-party security applications can extend its capabilities or provide customized firewall policies.

BEEFING UP WINDOWS 7’s NATIVE SECURITY
Although Microsoft improved security in Windows 7, most administrators require an additional layer of protection for antivirus, antispam, content filtering and protection from bots and rootkits. Third-party tools such as Internet security suites, antivirus suites, hosted security and network-based security services can fill this void.

Larger Windows 7 deployments—where PCs are connected to enterprise networks—should use a managed security product. Such products allow administrators to monitor the security of each PC on the network, create security policies and generate reports to show that the PCs are adequately protected.

There are two types of managed products: client-server based and hosted security. Client-server-based security solutions install a managed security application (or client) onto the desktop PC. A centralized server handles updates and policies and serves as a management platform. Client-server solutions are commonly deployed across a network; they require frequent signature updates and hands-on management, which can affect performance, cost and business objectives.

Hosted security, or security in the cloud, uses a hybrid approach to secure a desktop. A small client application runs on the desktop system while all Internet traffic is routed through the remote security host’s servers for analysis. Major vendors in the hosted security space include Symantec, Trend Micro, Kaspersky and McAfee. Dozens of other vendors also play in this arena including ISPs and cloud services companies like Rackspace, Websense, Purewire (recently acquired by Barracuda Networks) and BrightCloud.

Choosing between a client-server security product and a hosted solution can be a complex endeavor. Administrators should consider how traffic will traverse the network and calculate per-seat costs before making a decision between the two types of technologies.

Windows Firewall’s support for multiple profiles proves to be an important enhancement. For example, an administrator can fine-tune the protection and notifications needed for each network profile: Home, Work and Public. When a user connects to a public network (under the public profile) at a library or coffee shop, for instance, Windows Firewall can be set to block all incoming connections. When a user is connected through a home or work profile, some incoming connections may be needed for functionality. The user can also switch between profiles or temporarily override the settings in a profile if he needs an exception to the rule.
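The per-profile behavior described above can be set and then verified from an elevated PowerShell prompt with netsh advfirewall. This is an added example, not part of the e-book; the function name Get-FirewallProfilePolicy is chosen here, the parsing assumes English-language netsh output, and it assumes the Home and Work network locations both use the private profile.

```powershell
# Added example: per-profile Windows Firewall policy on Windows 7 (run elevated).
# netsh advfirewall is used because the Get-NetFirewallProfile cmdlets only
# arrived in later Windows versions.

# Public: firewall on, drop every inbound connection even if an allow rule exists.
netsh advfirewall set publicprofile state on
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound

# Private (assumed to cover Home and Work) and domain: block inbound unless a rule allows it.
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
netsh advfirewall set domainprofile  firewallpolicy blockinbound,allowoutbound

# Get-FirewallProfilePolicy is a name made up for this sketch.
function Get-FirewallProfilePolicy {
    $result = @{}
    $name   = $null
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings') {
            # Start of a new profile section in the netsh output.
            $name = $Matches[1]
            $result[$name] = @{ State = ''; Policy = '' }
        } elseif ($name -and $line -match '^State\s+(\S+)') {
            $result[$name].State = $Matches[1]
        } elseif ($name -and $line -match '^Firewall Policy\s+(\S+)') {
            $result[$name].Policy = $Matches[1]
        }
    }
    $result
}

# Verify the result instead of trusting the commands above: a Group Policy
# setting can override what was configured locally.
$fw = Get-FirewallProfilePolicy
if ($fw.Public.State -ne 'ON' -or $fw.Public.Policy -notlike 'BlockInboundAlways*') {
    Write-Warning "Public profile still accepts inbound connections: $($fw.Public.Policy)"
}
```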


WORRY-FREE SECURITY MANAGEMENT

Since Windows 7 offers several integrated security features and applications, administrators may worry about managing it all. Several built-in management tools help minimize those concerns. Microsoft has greatly improved the local management capabilities on Windows 7—making PC management much easier with the new Action Center console. Action Center consolidates all alerts and warnings into a single console and informs the user of events that require attention—security problems, diagnostics and solutions. Having a single console is a more efficient way to deal with the numerous events, warnings and messages that Windows tends to broadcast.

Action Center lists important messages regarding security and maintenance settings that require attention. Items recorded in red are important and indicate significant issues that should be addressed soon—an outdated antivirus program that must be updated, for example. Yellow items are suggested tasks that you should consider addressing. These could include recommended maintenance tasks.

Action Center checks several security and maintenance-related items, which helps indicate the computer’s overall performance and security status. When the status of a monitored item changes (if antivirus software becomes out of date, for example), Action Center sends the user a message to the notification area on the taskbar. The status of the item in Action Center changes color to reflect the severity of the message. The tool then recommends an action.

Administrators can also use Windows Group Policies to control Windows 7’s security features. Group Policies can be defined to enforce security requirements ranging from password complexity and length to incorporating specific firewall profiles into Windows Firewall. Microsoft’s in-depth security guide—The Windows 7 Security Guide—covers those capabilities, as well as other security-related procedures, such as enforcing compliance and auditing systems. For those deploying Windows 7 as part of a virtual desktop infrastructure (VDI), the security guide is a must-read.

Other security improvements include support for newer devices including biometric access devices that are used as a secure method to log into Windows 7. That feature will prove handy for the scores of notebook computers that use fingerprint readers. Windows 7 also has plug-and-play support for ECC-based smart cards.

Cathy Gagne, Editorial Director

Margie Semilof, Executive Editor

SECURITY SHORTCOMINGS AND THE ENTERPRISE

Overall, Windows 7’s security features are welcome improvements and may free some companies from having to purchase third-party security products, especially for spyware protection, application execution and desktop firewalls. But Windows 7 still falls short in the antivirus department. Since the OS lacks a full enterprisewide antivirus solution, business users will need to purchase additional antivirus protection. In most cases, enterprise antivirus solutions are part of a full security suite—negating many of the inherent advantages of Windows 7’s security features.

Home and mobile users, however, can see the proverbial silver lining. Microsoft Security Essentials, an antimalware suite for registered Windows 7 users, has virus protection and other security features. Download it for free here.

Michelle Boisvert, Managing Editor

Martha Moore, Copy Editor

Linda Koury, Art Director of Digital Content

Marc Laplante, Publisher

ABOUT THE AUTHOR:

Frank Ohlhorst, CNE, MCP, L+, N+, A+, is an IT journalist who has also served as a network administrator and applications programmer before forming his own computer consulting firm. Visit his blog at www.ohlhorst.net.

©2010 TECHTARGET. ALL RIGHTS RESERVED.
