Windows 7 Security Enhancements
Updated: March 4, 2009
Applies To: Windows 7
This article provides an introduction to the security enhancements in Microsoft® Windows® 7. Built upon the security foundations of Windows Vista®, Windows 7 responds to customer feedback to make the system more usable and manageable and contains the right security enhancements to combat the continually evolving threat landscape.
For a complete view of Windows 7 resources, articles, demos, and guidance, please visit the Springboard Series for Windows 7 on the Windows Client TechCenter.
Built upon the security foundations of Windows Vista, Windows 7 responds to customer feedback to make the system more usable and manageable and contains the right security enhancements to help combat the continually evolving threat landscape. This paper will introduce the most significant security enhancements in Windows 7 and is broken into four sections:
Fundamentally Secure Platform: Windows 7 builds upon the great security enhancements pioneered in Windows Vista and responds to customer feedback to make the system more usable and manageable.
Helping Secure Anywhere Access: Windows 7 provides the appropriate security controls so that users can access the information they need to be productive, whenever they need it, whether they are in the office or not.
Protecting Users and Infrastructure: Windows 7 provides flexible security protection against malware and intrusions so that users can achieve their desired balance between security, control, and productivity.
Protecting Data from Unauthorized Viewing: Windows 7 extends BitLocker™ Drive Encryption to help protect data stored on portable media (e.g., USB Flash Drives, USB Portable Hard Drives) such that only authorized users can read the data, even if the media is lost, stolen, or misused.
Fundamentally Secure Platform
Windows 7 builds upon the strong security lineage of Windows Vista and retains all of the development processes and technologies that have made Windows Vista the most secure version of the Windows client to date. Fundamental security features such as Kernel Patch Protection, Service Hardening, Data Execution Prevention, Address Space Layout Randomization, and Mandatory Integrity Levels continue to provide enhanced protection against malware and attacks. Windows 7 is again designed and developed using Microsoft‘s Security Development Lifecycle (SDL) and is engineered to support Common Criteria requirements to achieve Evaluation Assurance Level 4 certification and meet Federal Information Processing Standard 140-2. From the solid security foundation of Windows Vista, Windows 7 makes significant enhancements to the core security technologies of event auditing and User Account Control.
Windows 7 provides enhanced audit capabilities to make it easier for an organization to meet their regulatory and business compliance requirements. Audit enhancements start with a simplified management approach for audit configurations and end by providing even greater visibility into what occurs in your organization. For example, Windows 7 provides greater insight into understanding exactly why someone has access to specific information, why someone was denied access to specific information, and all of the changes made by specific people or groups.
User Account Control (UAC) was introduced in Windows Vista to help increase security and improve total cost of ownership by enabling the operating system to be deployed without administrative privileges. Windows 7 continues the investment in UAC with specific changes to enhance the user experience: from reducing the number of operating system applications and tasks that require administrative privilege to a flexible consent prompt behavior for users who continue to run with administrative privilege. The result, standard users can do even more than ever before and all users will see fewer prompts.
Figure 1: User Access Control
Security Device Support
Windows 7 simplifies the process of connecting security devices to your PC, makes it easier to manage the devices you use, and helps you easily access common device-related tasks. From initial setup through day to-day use, security devices have never been easier to use in your environment
Security Enhanced Storage Devices
The widespread use of USB flash drives and other personal storage devices raises user concerns about the security of information on these devices. However, some users do not require the full data encryption features of BitLocker To Go™. Windows 7 provides support for password protection and certificate-based authentication for IEEE 1667 compliant USB storage devices. Users can utilize password protection of IEEE 1667 storage devices to help keep data private from casual disclosure.
Integrated Fingerprint Readers and Logon
Fingerprint scanners are becoming more and more common in standard laptop configurations, and Windows 7 ensures that they work well. It’s easy to set up and begin to use a fingerprint reader, and logging on to Windows using a fingerprint is more reliable across different hardware providers. Fingerprint reader configurations are easy to modify, so you can control how you log on to Windows 7 and manage the fingerprint data stored on the computer.
Improved Smart Card Support
Password-based authentication has well-understood security limitations; however, deploying strong authentication technologies remains a challenge for many organizations. Building upon the smart card infrastructure advances made in Windows Vista, Windows 7 eases smart card deployment through support of Plug and Play. Drivers required to support smart cards and smart card readers are automatically installed, without the need for administrative permissions or user interaction, easing the deployment of strong, two-factor authentication in the enterprise. Also, Windows 7 extends the platform support of PKINIT (RFC 5349) to include ECC-based smart cards, allowing the use of Elliptic Curve-backed certificates on smart cards for Windows Logon.
Helping secure Anywhere Access
Windows 7 provides the appropriate security controls so that users can access the information they need to be productive, whenever they need it, whether they are in the office or not. In addition to full support for existing technologies like Network Access Protection, Windows 7 provides a more flexible firewall, DNS Security support, and an entirely new paradigm in remote access.
The Domain Name System (DNS) is an essential protocol that supports many everyday Internet activities, including e-mail delivery, Web browsing, and instant messaging. However, the DNS system was designed more than three decades ago, without the security concerns we face today. DNS Security Extensions (DNSSEC) is a set of extensions to DNS that provide the security services required for today’s Internet. Windows 7 supports DNSSEC as specified in RFCs 4033, 4034 and 4035, giving organizations the confidence that domain name records are not being spoofed and helping them protect against malicious activities.
Multiple Active Firewall Policies
In Windows Vista, firewall policy is based on the “type” of network connection established—such as Home, Work, Public, or Domain (which is a fourth, hidden type.) However, this can present security obstacles for IT professionals when, for example, a user connected to the Internet through a “Home” network then uses a virtual private networking to access to the corporate network. In such a case, because the network type (and thus the firewall settings) had already been set based on the first network to which the user connected, the firewall settings appropriate for accessing the corporate network could not be applied.
Windows 7 alleviates this source of pain for IT professionals through support for multiple active firewall policies, enabling user PCs to obtain and apply domain firewall profile information regardless of other networks that may be active on the PC. Through such capabilities, which are among the top features requested by enterprise customers, IT professionals can simplify connectivity and security policies by maintaining a single set of rules for both remote clients and clients that are physically connected to the corporate network.
Figure 2: Windows Firewall
With Windows 7, working outside the office becomes simpler. DirectAccess enables remote users to access the corporate network anytime they have an Internet connection, without the extra step of initiating a VPN connection—and thus increases their productivity when out of the office. For IT professionals, DirectAccess provides a more secure and flexible corporate network infrastructure to remotely manage and update user PCs. DirectAccess simplifies IT management by providing an “always managed” infrastructure, in which computers both on and off the network can remain healthy, managed, and updated.
With DirectAccess, IT professionals maintain fine-grained control over which network resources users can access. For example, Group Policy settings can be used to manage remote user access to enterprise applications. DirectAccess also separates Internet traffic from access to internal network resources, so that users can access public Web sites without generating additional communications traffic on the corporate network.
Best of all, DirectAccess is built upon industry standards such as IPv6 and IPsec to ensure that your enterprise communications remain safe and secure.
Protecting Users and Infrastructure
Windows 7 provides flexible security protection against malware and intrusions so that users can achieve their desired balance between security, control, and user productivity. AppLocker™ and Internet Explorer® 8 are two key examples of technology investments that raise the bar for operating system protections against malware intrusion in Windows 7.
Windows 7 reenergizes application control policies with AppLocker: a flexible, easy to administer mechanism that allows IT to specify exactly what is allowed to run in the desktop infrastructure and gives users the ability to run applications, installation programs, and scripts that they require to be productive. As a result, IT can enforce application standardization within their organization while providing security, operational, and compliance benefits.
Figure 3: AppLocker
AppLocker provides simple, powerful rule structures and introduces publisher rules: rules based upon application digital signatures. Publisher rules make it possible to build rules that survive application updates by being able to specify attributes such as the version of an application. For example, an organization can create a rule to “allow all versions greater than 9.0 of the program Acrobat Reader to run if it is signed by the software publisher Adobe.” Now when Adobe updates Acrobat, you can safely deploy an application update without having to build another rule for the new version of the application.
Internet Explorer 8
Internet Explorer 8 delivers improved protection against security and privacy threats, including the ability to help identify malicious sites and block the download of malicious software. Privacy is enhanced through the ability to surf the Web without leaving a trail on a shared PC, and through increased choice and control over how Web sites can track user actions. Internet Explorer 8 also helps inspire confidence and trust through improved restrictions for ActiveX® controls, enhanced add-on management, improved reliability (including automated crash recovery and tab restoration), and enhanced support for accessibility standards.
Protecting Data from Unauthorized Viewing
Each year, hundreds of thousands of computers without appropriate safeguards are lost, stolen, or decommissioned. However, data leakage is not just a physical computer issue. The ubiquity of USB Flash Drives, e-mail communications, leaked documentation, etc. all provides other potent avenues for data to fall into the wrong hands.
Windows 7 retains the data protection technologies available in Windows Vista like the Encrypting File System (EFS), built-in Active Directory® Rights Management Services technology, and granular USB port controls. In addition to the incremental updates in these technologies, Windows 7 provides several significant improvements to the popular BitLocker Drive Encryption technology.
BitLocker and BitLocker To Go
Windows 7 addresses the continued threat of data leakage with manageability and deployment updates to BitLocker Drive Encryption and the introduction of BitLocker To Go: enhanced data protection against data theft and exposure by extending BitLocker support to removable storage devices. By extending support for BitLocker to FAT data volumes, a broader range of disk formats and devices can be supported, including USB Flash Drives and portable disk drives. This will allow users to deploy BitLocker for a broader range of data protection needs.
Whether traveling with your laptop, sharing large files with a trusted partner, or taking work home, BitLocker and BitLocker To Go protected devices help ensure that only authorized users can read the data, even if the media is lost, stolen, or misused. Best of all, BitLocker protection is easy to deploy and intuitive for the end user, all the while leading to improved compliance and data security.
BitLocker To Go also gives administrators control over how removable storage devices can be utilized within their environment and the strength of protection that they require. Administrators can require data protection for any removable storage device that users want to write data upon; while still allowing unprotected storage devices to be utilized in a read-only mode. Policies are also available to require appropriate passwords, smart card, or domain user credentials to utilize a protected removable storage device. Finally, BitLocker To Go provides configurable read-only support for removable devices on older versions of Windows allowing you to more securely share files with users who are still running Windows Vista and Windows XP.
Figure 4: BitLocker Drive Encryption
Built upon the security foundations of Windows Vista, Windows 7 introduces the right security enhancements to give users the confidence that Microsoft is helping keep them protected. Businesses will benefit from enhancements that help protect company sensitive information, that provide stronger protections against malware and that help secure anywhere access to corporate resources and data. Consumers can enjoy the benefits of computers and the Internet knowing that Windows 7 is the state of the art at helping to protect their privacy and personal information. Finally, all users will benefit from the flexible and discoverable configurations options of the Windows 7 security help everyone achieve the right balance of security versus usability for their unique situation.
ConceptsWhat's New for IT Pros in Windows 7