After a devastating wrong turn with Vista, Microsoft is back on its game with Windows 7. Sure, Windows 7 has annoyances – such as touting attractive features, but making most of them available only to those who pay extra for Enterprise (or Ultimate). But Windows 7 Enterprise delivers a plethora of improvements to justify the cost and pain of migration. The security benefits you could reap by upgrading to Windows 7 Enterprise include the following:
Improved platform security.
Windows 7 starts where XP SP2 and Vista has stopped, extends data execution protection and address space layout randomization malware stop, even if you’re browsing. Kernel patch protection stops hooking 64 bit kernel events malware and Windows service hardening can access resource profiles force included for Microsoft services. Alas, not all applications DEP use and ASLR and services can use only WSH, but Windows 7 starts with a solid foundation repel the attackers.
Internet Explorer 8 with all versions of Windows 7 is fed, contains a wealth of security extensions, including trusted domain highlighting, SmartScreen filter, type-1 cross site script attack filter, and InPrivate browsing. IE8 uses ASLR and DEP and apply detailed ActiveX settings, ActiveX controls, approve riskier for example let Admins only by trusted sites or users. IE8 can also be installed on XP SP3 and Vista, but an upgrade to Windows 7 makes the most of some IE8 features and provides more incentives for older, less secure browser retirement.
Secure protocol support.
Network protocols may not “wow” end users or sys admins, but they’re a vital part of building a more secure foundation. Windows 7 includes native support for IPv6 (including IPv6 IPsec) and DNSSEC. These more secure protocols make it harder for attackers to spoof IP packets and addresses by providing cryptographic authentication and integrity checks. Enterprise networks must master other hurdles to actually use these protocols, but embedding protocol support in all of your endpoints satisfies one big pre-requisite.
Location-aware connection security.
Windows 7 includes policy-based network segmentation, letting admins apply different Windows Firewall rules to each adapter based on location (e.g., Wi-Fi at the office, Wi-Fi at home, Wi-Fi at a public hotspot). The Windows 7 Firewall itself has grown from outbound-only packet filtering into a full bi-directional TCP/IP firewall, enforcing rules that can now be centrally-configured with ActiveDirectory GPOs. Windows 7 still doesn’t have the best personal firewall around, but this is a noteworthy improvement.
Quick-and-easy file recovery.
Windows XP creates System Restore points to roll a damaged PC back to a know-good earlier state. Windows 7 and Vista beef this up with Volume Shadow Copy (VSC) – a service that backs up entire volumes, including Windows system files, program files, settings, and user files. By default, shadow copies are created weekly on a Windows 7 PC with idle time. On-the-go workers can use VSC to recover a single lost document or a corrupted DLL in minutes, without connectivity or help. However, because shadow copies are stored on the same disk, they are not a replacement for routine data backup to archive.
Always-on secure remote access.
For those tired of intrusive VPNs, Windows 7 Enterprise offers DirectAccess. DA uses auto-initiated, authenticated, encrypted IPv6/IPsec tunnels to securely connect remote Windows 7 users to private network resources. DA tunnels can terminate at a Windows Server 2008 DA gateway or at any IPv6 Windows Server 2008 behind that gateway. Alas, in order to achieve user-transparent always-on secure remote access with DA, the enterprise must deploy Windows Server 2008 and IPv6. Fortunately, DA can wrap IPv6 inside IPv4 or HTTPS to traverse home and public networks that usually lack IPv6 today.
Usable user access control.
The tighter User Access Controls first introduced by Vista are back in Windows 7 – after a rigorous reality-check back at Redmond. UAC deters apps and users from making unauthorized changes by defaulting to Standard User and requiring explicit permission to elevate privileges when needed. Windows 7 now silently elevates many activities routinely needed by end-users (e.g., adding printers, changing time/date) to reduce prompting. Many Microsoft apps have also been refactored to segregate activities that do and do not require elevation, and admins can now configure prompts without disabling UAC altogether.
Better desktop auditing.
Vista added XML-based audit events at a finer level of granularity. Windows 7 took this further by including more helpful information in audit events—for example, indicating not just that a given activity was permitted or denied, but why that decision was made. These enhancements improve forensic analysis and troubleshooting capabilities and make it possible to easily find all changes made by an individual user or group.
In Windows 7 Enterprise, XP/Vista Software Restriction Policy blacklists are replaced by AppLocker whitelists. SRPs were too hard to maintain and too easy to bypass. Windows 7 AppLocker strikes a better balance by permitting or denying program launch based on Publisher Rules (recommended), Hash Rules (for programs without signatures), and Path Rules (as a last resort). Publisher Rules check signatures on executables, installers, scripts, and libraries. A new wizard can even search an entire reference PC to find all programs and propose AppLocker Publisher Rules, falling back to Hash Rules only for programs without signatures. AppLocker still isn’t for everyone, but it can deliver a more effective defense against malware while enforcing potentially-unwanted-program policies.
On-the-go data protection.
BitLocker in Vista was introduced, enterprise with important improvements is back in Windows 7. BitLocker full disk encryption can now be controlled by GPO, use a broader PIN or drives and interfaces with any key recovery two-factor authentication to unlock key to save. Windows 7 also plug “USB hole” with BitLocker to go-portable data encryption for USB drives. BitLocker to go stores an encrypted partition on a USB drive with a reader can be used to these files on Vista or XP PCs can be decrypted. GPOs can control whether unencrypted data on USB can be written which enforcement, if allowed files encryption, to exit an otherwise locked PC.
Take a hard look at these and other Windows 7 security features to determine how you can get the biggest bang for your buck during your OS migration. Some of these features require additional infrastructure – most notably DirectAccess. Several are only available when upgrading to Windows 7 Enterprise (or Ultimate). Most require careful planning and testing prior to broad rollout (e.g., UAC, AppLocker). However, if used wisely, Windows 7 can help many organizations strengthen their security postures.