Windows 7 Security Enhancements
By Paul Cooke, Director, Windows Client Enterprise Security, Microsoft Corporation
Security is still a top concern for IT professionals; now that Windows® 7 Beta is available, questions regarding what Microsoft has done with the Windows 7 operating system abound. There is a lot of ground to cover—more than we can in a brief article— but there are three primary topics that merit our focus here.
- Windows 7 is built upon the security foundations of the Windows Vista® operating system while improving auditing and the User Account Control (UAC) experience.
- Windows 7 helps IT control what software can run in their environment with AppLocker™.
- Windows 7 enhances the core features of BitLocker™ Drive Encryption with the introduction of BitLocker To Go™ for removable storage devices.
Let’s take a look at each of these in a little more detail.
Fundamentally Secure Environment
Windows 7 builds upon the strong security lineage of Windows Vista and retains and builds upon the development processes and technologies that have made Windows Vista the most secure version of the Windows client to date. Fundamental security features such as Kernel Patch Protection, Service Hardening, Data Execution Prevention, Address Space Layout Randomization, and Mandatory Integrity Levels continue to provide enhanced protection against malware and attacks. Windows 7 has been designed and developed using the Microsoft Security Development Lifecycle (SDL), and it is engineered to support Common Criteria requirements to achieve Evaluation Assurance Level 4 certification and meet Federal Information Processing Standard 140-2.
Windows 7 provides enhanced audit capabilities to make it easier for an organization to meet its regulatory and business compliance requirements. Audit enhancements start with a simplified management approach for audit configurations and end with greater visibility into what occurs in your organization. For example, Windows 7 provides greater insight into understanding exactly why someone has received or been denied access to specific information, as well as visibility into the changes made by specific people or groups.
Streamlined User Account Control
User Account Control (UAC) was introduced in Windows Vista to help legacy applications run with standard user rights and help ISVs adapt their software to work well with standard user rights. Windows 7 continues the investment in UAC with specific changes to enhance the user experience. These changes include reducing the number of operating system applications and tasks that require administrative privileges and providing a flexible consent prompt behavior for users who continue to run with administrative privileges. As a result, standard users can do even more than ever before and all users will see fewer prompts.
Windows 7 re-energizes application control policies with AppLocker, which is a flexible, easy-to-administer mechanism that allows IT to specify exactly what is allowed to run in the desktop infrastructure and gives users the ability to run applications, installation programs, and scripts that they require to be productive. As a result, IT can enforce application standardization within their organization while providing security, operational, and compliance benefits.
AppLocker provides a simple and powerful structure through three rule types: “allow,” “deny,” and “exception.” Allow rules limit the execution of applications to "known good" applications and block everything else. Deny rules take the opposite approach and allow the execution of any application except those on a list of “known bad” applications. While many enterprises will likely use a combination of allow rules and deny rules, the ideal AppLocker deployment would use allow rules with built-in exceptions. Exception rules exclude files from an allow/deny rule that would normally be included. Using exceptions, you can, for example, create a rule to “allow everything in the Windows operating system to run, except the built-in games.” Using allow rules with exceptions provides a robust way to build a “known good list” of applications without having to create an inordinate number of rules.
AppLocker introduces publisher rules that are based upon application digital signatures. Publisher rules make it possible to build rules that survive application updates because you can specify attributes such as the version of an application. For example, an organization can create a rule to “allow all versions higher than 9.0 of the program Acrobat Reader to run if it is signed by the software publisher Adobe.” Now when Adobe updates Acrobat, you can safely push out the application update without having to build another rule for the new version of the application.
AppLocker rules also can be associated with a specific user or group within an organization. This provides granular controls that allow you to support compliance requirements by validating and enforcing which users can run specific applications. For example, you can create a rule to “allow people in the Finance Department to run the Finance line of business applications.” This blocks everyone who is not in your Finance Department from running your finance applications (including administrators), but still provides access for those that have a business need to run the applications.
AppLocker provides a robust experience for IT administrators through new rule creation tools and wizards. Using a step-by-step approach and fully integrated Help, creating new rules, automatically generating rules, and importing / exporting rules is intuitive and maintenance is easy. For example, IT administrators can automatically generate rules using a test reference machine and then import the rules into a production environment for widespread deployment. The IT administrator can also export policy to provide a backup of your production configuration or to provide documentation for compliance purposes.
BitLocker and BitLocker To Go
Each year, hundreds of thousands of computers without appropriate safeguards are lost, stolen, or decommissioned. However, the loss or theft of data is not just a physical computer issue. USB flash drives, e-mail, leaked documentation, etc. all provide additional avenues through which data can fall into the wrong hands. Windows 7 addresses the continued threat of data leakage with manageability and deployment updates to BitLocker Drive Encryption and the introduction of BitLocker To Go, which provides enhanced protection against data theft and exposure by extending BitLocker support to removable storage devices.
BitLocker Drive Encryption (BitLocker for short) helps prevent a thief who boots another operating system or runs a software hacking tool from breaking Windows 7 file and system protections or performing offline viewing of the files stored on the safeguarded drive. Windows 7 BitLocker shares the same core benefits of Windows Vista BitLocker; however, the core functionality in Windows 7 BitLocker has been enhanced to provide a better experience for IT professionals and end users. For customers who did not deploy Windows Vista with the BitLocker-required two-partition disk configuration, repartitioning the drive to enable BitLocker was more cumbersome than it needed to be. Windows 7 automatically creates the necessary disk partitions during installation to greatly simplify BitLocker deployments. Another change in Windows 7 BitLocker is the ability to right-click on a drive to enable BitLocker protection.
Windows 7 BitLocker adds Data Recovery Agent (DRA) support for all protected volumes. A big ask from customers, DRA support allows IT to dictate that all BitLocker protected volumes (the operating system, fixed volumes, and the new portable volumes) are encrypted with an appropriate DRA. The DRA is a new key protector that is written to each data volume so that authorized IT administrators will always have access to BitLocker protected volumes.
BitLocker To Go extends BitLocker support to removable storage devices, including USB flash drives and portable disk drives. BitLocker To Go also gives administrators control over how removable storage devices can be utilized within their environment and the strength of protection that they require. Administrators can require data protection for any removable storage device on which users want to write data while still allowing unprotected storage devices to be utilized in a read-only mode. Policies are also available to require appropriate passwords, smart card, or domain user credentials to utilize a protected removable storage device.
BitLocker To Go can be utilized on its own, without requiring that the system partition be protected with the traditional BitLocker feature. Finally, BitLocker To Go provides read-only support for removable devices on older versions of the Windows operating system, which allows users to more securely share files with those who are still running Windows Vista and Windows XP with the BitLocker To Go Reader.
Whether traveling with your laptop, sharing large files with a trusted partner, or taking work home, BitLocker and BitLocker To Go help ensure that only authorized users can read the data, even if the media is lost, stolen, or otherwise misused.
Built upon the security foundation of Windows Vista, Windows 7 introduces a number of security enhancements to give users the confidence that Microsoft is continuing to find better ways to safeguard users’ IT investments as well as data. Businesses will benefit from enhancements that help protect company sensitive information, that provide stronger protections against malware, and that help secure access to corporate resources and data. End users can enjoy the benefits of computers and the Internet knowing that Windows 7 is using new technologies and features to safeguard privacy and personal information. Finally, all users will benefit from the flexible security configuration options in Windows 7—options that will help users achieve the unique balance of security and usability to meet their specific needs.