The public version of Windows 7 is getting closer. Discussions and debates about the security improvements in the new platform have been raging, and some potential problems have also arisen. In this paper, we walk through the main changes and additions and see what they mean for users and administrators.
Chester Wisniewski, Senior Security Advisor, Sophos
Can Windows 7 succeed where Vista did not?
Windows Vista famously received a poor reception at its release and never really took off, despite major efforts by Microsoft to encourage hardware manufacturers to use it. Many companies, wary of its many issues, decided to stay with the tried and tested XP until the new platform stabilized with service packs and updates.
But Microsoft has taken a different course. It fell onto a platform to create an alternative.
The Vista upgrade came with visual changes and certain speed improvements. But the platform also brought a number of new and improved security features. The most important of these was User Account Control (UAC), which prevents unauthorized code execution. UAC was often criticized for its annoying pop-ups and for relying on the understanding of a largely untrained user base, which tends to ignore or disable the notifications rather than take the time to decipher their meaning. Some other small additions, such as the BitLocker encryption software and the address space randomization system, provided a little more safety, while other elements, such as the one-way firewall and the Security Center, remained virtually unchanged.
With Windows 7, Microsoft has shown that it pays attention to its critics and seeks to address some of these problems. Some of the changes are largely cosmetic, with further improvements to the look and feel of Office continuing the direction taken by Vista, following the example of rival operating systems with a much better reputation for appearance and bright, friendly design. Under the hood there are serious additions and improvements to the previous security measures that offer the promise of more security and usability. Microsoft has redesigned the interface between the user and the security controls, with the Vista Security Center becoming the more fun-sounding, if somewhat ambiguous, Action Center. In addition, the company has revised UAC, expanded the firewall's functionality, and made encryption more extensive and comprehensive. Microsoft also promises a new user-friendly VPN.
The implementation and completeness of these new ideas will be important factors in whether Windows 7 gains traction with users and IT departments that have resisted upgrading their systems. For the many who have been waiting, the improvements are no longer a choice. Microsoft is hoping to avoid a repeat of the Vista experience and will do everything in its marketing to sell customers on the upgrade to Windows 7.
It is almost certain that Windows 7 will displace XP. Therefore, the security level of the new platform will have a significant impact on computer users worldwide, whether they like it or not.
Action stations: Windows Security Center rebadged, not replaced?
Microsoft introduced the Windows Security Center with Windows XP, and it has remained largely unchanged since. With Windows 7, it has received a major renovation. The new Action Center combines the management and control of the firewall, updates, and anti-malware protection with a number of other system maintenance functions, including backup, troubleshooting, anti-spyware, UAC, and the overall state of network security.
Users of Windows Vista, used to a steady stream of pop-ups and the alert insignia of the old taskbar shield, will experience the greatest change. Windows 7 provides more detailed lists of potential problems, often with useful information and advice. Integration with anti-malware solutions is much more granular, allowing products to inform the operating system when an update is needed. In Vista, the only information the Security Center could show was "updated" or "more than 30 days old." Products can also feed their own customized information to users, allowing them to make better-informed decisions, and users have a degree of customization (for example, you can disable monitoring of features you are not interested in).
The new Action Center icon looks like a flag. It has a small red flag if something important needs to be fixed. At first glance, this seems a good idea, putting an end to the pop-ups, which had become almost invisible to many users because of their frequent occurrence. But the flag may go a bit too far. The improved alert system may be so obscure as to be rendered useless.
The integration, control, and detailed messages should help most users and the developers of security solutions. However, finding the right balance between informing users and flooding them with irritating alerts remains difficult.
Access denied: UAC simplified, but still nervous of power ruined?
As part of the Action Center list (and a core security feature of the platform), the UAC system has had a radical overhaul to minimize its impact on the user. In Vista, where it first appeared, the system quickly became famous for presenting an excess of alerts and intrusive requests for confirmation, which users quickly disabled, leaving the system lame. Changes to system settings were the main cause of these prompts, rather than installing new software or programs trying to adjust something (where alerts are to be expected and, in some cases, appreciated). The new system has finer control than the simple on or off of the previous version, and by default it asks for confirmation only when third-party programs attempt to make changes, not for user-initiated modifications. A simple slider allows users to define more or less strict protection rules with ease. In addition, the rather frightening screen dimming (and often brief blackout) that accompanied the default notice during elevation can be disabled. Microsoft has also redesigned the pop-ups to be more informative.
Microsoft has promised a significant reduction in the number of pop-ups, and the information in the Windows 7 pop-ups on exactly what is being allowed is in fact improved, which should make the system more effective. It is not clear whether users will use the system properly, because most users do not have the understanding needed to make an informed decision, and many "protected administrators" are not capable of thinking beyond just making the pop-up disappear. On a standard desktop with the default user, making the pop-up disappear is as simple as choosing yes or no. The default is no, so users who are trained to simply press the Enter key will be protected against unwanted changes, and probably frustrated by non-functional software. Another problem with these default settings is that malware could get around the system by running inside a trusted application and working from there. In fact, some malware has been observed spoofing UAC-style prompts to get the user's permission to work unhindered.
The system is improved from its previous, barely usable state. But it still lacks the characteristics of platforms with more solid security models in place, where such warnings usually provide appropriate context and detail so that users can see exactly what is needed, and require an administrator password, so that users must think about what they are doing and take responsibility for their own security. The UAC concept is user-driven rather than expert-driven, a questionable approach in a world where responsibility rarely lies with the consumer. Although personal files and tools require the user's consent, the core assets of the operating system need to be protected consistently.
Border controls: Windows Firewall now fully functional?
Of course, offering only inbound protection rather than the two-way control that full firewall solutions provide, the previous Windows Firewall was far from ideal. Although its basic stateful packet filtering offered some protection against common exploits, it had no advanced features such as full anti-virus, and without central management, policy enforcement, and auditing it was unsuitable for serious business networking. For most well-informed administrators, it was just another thing to disable before deploying comprehensive protection. If nothing else, it gave the uninformed or just lazy everyday home user a rudimentary measure of protection against many forms of attack.
With the new operating system, Windows Firewall has finally come of age. The new version offers proper inbound and outbound port and protocol filtering, including IPv6 support, and a number of other functions. User-level configuration is available, but the improvements for corporate networks are even greater, with full management and reporting well integrated into the Group Policy subsystem.
This sounds like a great advantage for home users and professionals, but it depends on how widely it is adopted, which in turn depends on people's willingness to change long-standing security practices. All but the most uninformed home users rely on Internet security suites that combine firewall and anti-malware, and a firewall integrated with specialist behavioral anti-malware offers a much higher level of protection. At the corporate level, similar practices apply: in most cases, security solution vendors bundle the desktop firewall with other layers of protection and provide their own centralized management and reporting systems. Security administrators are responsible for monitoring and maintaining all aspects of network security. They will still need to control anti-malware, NAC, and other security implementations that are not so well integrated into the tools provided by Microsoft.
Security experts may also face a learning curve with the Group Policy Object style of management (even if it is familiar to software and user-level policy administrators and takes their needs into account), because it is so different from the standard workflow models of security management systems, which are designed specifically to meet the complex needs of firewall configuration. For most home users and support workers, spreading security management tasks across multiple tools, layouts, and systems is fairly obviously a waste of time. The use of firewalls from existing trusted providers seems set to remain the norm for the foreseeable future.
Tunnels still to come: DirectAccess, a simple VPN for all?
For administrators of corporate clients, one of the most interesting security features of Windows 7 should be the new DirectAccess system, essentially a built-in VPN client developed to allow users "easy and secure enterprise-resource access when out of the office" (Source: Microsoft Windows 7 main page). It is intended to be fully integrated and always on, working with firewalls and NAT configurations, and allows both remote access to corporate networks and remote management of systems by network administrators. Remote users are becoming more common, and the problems they pose for network security administrators are growing in complexity, number, and demands. Microsoft has recognized the need for substantial improvements in remote access, and it seems that it will be very simple and easy to stay safe on the road.
However, there are large implementation and security issues here. The first stumbling block an admin trying to implement DirectAccess will hit is its complete dependence on IPv6. Although it is a theoretically superior technology and much more scalable than IPv4, IPv6 has not made much progress in the real world. This means that administrators must implement IPv6 on both workstations and enterprise networks, with the inevitable learning curve and security holes that come with implementing complex and unfamiliar technologies for the first time. The alternative, as recommended by Microsoft, is to implement translation technology on both the client and the server, which requires different tools and systems for each and means additional overhead and complexity for the administrator, and of course the additional security risk that complexity brings.
Those determined to bite the bullet and be early adopters of IPv6 must not forget the lessons from the introduction of IPv4, when a large number of serious security flaws were discovered. It seems inevitable that similar problems will emerge with IPv6 once a user base has been established, and early adopters are likely to be caught in a cycle of firefighting and bug fixing while the problems are ironed out.
There are also dangers in the way Microsoft has set up the system, which sends traffic to corporate networks through the secure tunnel but lets other activities, such as surfing the Internet, use the machine's normal connection (usually wireless), presumably to save corporate resources. This approach will immediately raise the alarm with security-conscious admins, who will see such a configuration as an open bridge between their well-protected, filtered networks and the unrestricted threats of the Internet. In other words, this approach should definitely be avoided. If IPv6 finally becomes the norm, this system will be a major leap forward. But it is premature and somewhat lacking in completeness of vision, and serious network administrators will stick with their existing VPN provider for some time.
Blocked: BitLocker, a business-ready encryption system?
BitLocker Drive Encryption, which was introduced in Vista, has been slightly expanded and improved in Windows 7, where it is once again included in the Enterprise and Ultimate editions. It has hardware requirements, including a compatible BIOS and an unencrypted boot partition from which to access the encrypted system drive. For best results, a Trusted Platform Module (TPM), which provides a range of services including secure startup, key storage, and basic cryptographic functions, is recommended. In its transparent operation mode, it adds an integrity check at startup, refusing decryption, or at least requiring further confirmation before proceeding, if unauthorized changes have been made. The user authentication mode provides a more secure level of encryption, requiring a password or a key on a USB drive before the protected system or other stored volumes are decrypted.
Windows 7 adds an extra set of functions to encrypt removable USB drives, which should be compatible with Windows Vista without modification. XP users will need a new plug-in to get at least read-only access to data stored on encrypted drives. The protection only applies when the drive is disconnected from the machine. When it is connected, all data on the drive is vulnerable to harvesting if the machine is compromised, for example by malware.
As with the improvements to the firewall, Microsoft seems to have made a good job of providing a quality encryption system built into its operating system. But again, as with its firewall, it remains to be seen whether the company, with its long-standing problems in inspiring confidence in its security, can convince admins to migrate from their existing, known, and trusted specialist cryptography suppliers. Management remains a key issue, with the implementation of central key management and disaster recovery falling far short of a strongly integrated implementation.
Related to BitLocker in name only, AppLocker provides basic whitelisting designed so that only approved software can run on Windows 7 systems. Available only in the Enterprise and Ultimate editions, it is managed through Group Policy templates.
More or less foreseeable: further security benefits and potential pitfalls
Administrators considering the introduction of Windows 7 in a corporate environment need to check a number of other areas, where there are some good points and some dangers.
Some have highlighted the built-in virtualization of XP Mode, which allows full compatibility with older software, as a big advantage for users, but there are possible security disadvantages, and with good reason: there is little centralized management for XP systems in virtual mode. As with any virtual machine, the guest system requires all the standard patch management and client security software to stay secure. Many inexperienced users think virtual systems are protected by the host's security and are not subject to their own requirements for patching and anti-malware. These users therefore tend to leave their virtual machines open to attack, so widespread use of these systems by such users could lead to a growth in infected computers attacking the rest of the world.
In a corporate setting, there seems little need for XP Mode, as most professional software runs smoothly natively on Windows 7. The main target of XP Mode seems to be gamers clinging to favorites from years ago. Most admins should simply disable XP Mode on desktops, and those that do allow it should follow the usual requirements for virtualization, carrying out all the extra client-side security and patching work as thoroughly as possible.
There have been rumors that European antitrust regulators may force Microsoft to produce a so-called "E Edition" for the European market. This edition would let users select from a number of leading browsers during installation, with the operating system itself shipping without Internet Explorer. While this may be of interest to home users attracted by the perceived additional security and convenience of some browsers, enterprise software management is in general better served by Microsoft's regular, if often quite late, patching system. In addition, only a few companies are prepared to put their full trust in the relatively under-funded open source alternatives. For most, using IE as the standard, with alternative browsers available as secondary options if necessary, is expected to remain the norm.
Microsoft has been strongly criticized for some time for its insistence on hiding file extensions by default in most versions of Windows since NT, which has been exploited by malware authors for many years to disguise their wares as something other than what they are. The problem has been around for as long as Windows has, and fixing it is considered one of the simplest moves Microsoft could make to show its commitment to keeping its users away from malware.
The password authentication model has been one of the main obstacles to usability on Microsoft's platforms, and the company seems to have recognized that the model also has shortcomings as a security system. One addition to Windows 7 that seems likely to be universally praised is the built-in support for biometric devices. It supports fingerprint readers and comes with an API giving developers access to other types of biometric identification. An increasing number of devices now have built-in fingerprint readers. Although readers have been implemented with varying degrees of success, this could be a move away from the easily broken or stolen password authentication model toward a more personal, unique, and specific confirmation of identity. The success or failure of this new model will depend largely on close integration across hardware, software, and web services, and Microsoft has taken an important step toward that end with this package.
With all these new features, will Windows 7 keep me safe?
Whether its motivation comes from a genuine desire to improve things, or simply from a sensible business case for appearing more credible on security issues, Microsoft has tried to move toward a model of appropriate security measures. The company has provided some interesting and useful tools to help users and network administrators gain control of their systems and data. However, many of these new tools have shortcomings of one kind or another, and some have serious gaps in the completeness of their vision and the consistency of their implementation. Still others seem like good and comprehensive packages waiting for the rest of the world to be able to use them.
Of course, we should never expect the new platform to end the need for anti-malware and other security and control solutions. But at least Microsoft is addressing the biggest security problem among its large user base, uneducated home users, with its new free Security Essentials anti-malware.