If you've been holding off on upgrading your Windows XP operating system because of all the security headaches associated with Windows Vista, take heart; from all accounts, Microsoft got the message. Windows 7, released in beta in January and likely to be available to the general public in a few months, is not only less annoying than Vista, but also more secure. Keep reading for the lowdown.
Discussions of the new Windows security enhancements have sent cyberspace aflutter; while the IT world prepares for the new features, office employees everywhere are rejoicing at the prospect of fewer UAC prompts. Even though advances in the tech world arrive at lightning speed, Windows XP, which is eight years old, still powers 71 percent of all PCs, according to a recent report from Forrester.
Essentially, this translates to millions of users that Microsoft must convince to upgrade to the upcoming Windows 7. This shouldn't be too difficult, especially when taking into account Windows 7's new security enhancements, which should impress even the most hardened PC users. Let's take a look at some of Windows 7's new security features and how they've been designed to help home users and IT pros alike.
The Enhancements
According to Microsoft, Windows 7 will make remote connectivity to corporate networks seamless, protect data on thumb drives, and interrupt users with fewer User Account Control (UAC) prompts than Vista does. The public beta released in January has 29 percent fewer UAC prompts than Windows Vista, and fewer prompts in general, according to Paul Cooke, director of Windows Client Enterprise Security.
It should come as no surprise that the software giant has begun an education blitz about the security features of the newest version of its operating system, and what better place to begin the outreach than at the start of the RSA Security Conference 2009? Updates concerning the new security features can also be found online, thanks to the director of Windows Client Enterprise Security.
Recently, Cooke updated the Windows Security Blog with details on the new Windows 7 operating system, specifically the security features that will benefit the mobile worker. His update stems from hands-on experience at this week's RSA Conference, and addresses five security features: Multiple Active Firewall Policies, DirectAccess, BranchCache, BitLocker To Go, and AppLocker. "We're really excited about Windows 7's new security features," Cooke said. "This next OS is built upon the proven security technologies in Windows Vista and provides a fundamentally secure computing platform. We not only utilized an enhanced Security Development Lifecycle (SDL) process during planning, development, and testing, but we also have worked to make the security features more discoverable, usable and manageable. These enhancements give Windows 7 the expanded security offerings to provide the necessary security controls to help mobile workers access the information they need to be productive, wherever and whenever they need it."
The first segment of Cooke’s blog, Multiple Active Firewall Policies, describes how mobile users can create security problems when connecting to multiple networks on the road (while also connecting to the company network). Windows 7 eliminates the problem by enabling the PC to obtain and apply domain firewall profile information regardless of other networks that may be active on the PC. IT Pros can maintain a single set of rules for both remote clients and physically connected clients. Let’s take a closer look at this new security enhancement.
In Windows Vista, firewall policy is chosen by the network location of the connection (Home, Work, Public, or Domain; Home and Work both map to the Private firewall profile), and only one profile can be active on the machine at a time. This is a security problem for IT professionals because mobile users connect to several networks while on the road.
For example, say a Microsoft employee connects to the Internet through a "Public" network, so the Public firewall policy is applied to the computer. If the employee then connects to the Microsoft corporate network through a VPN, the IT-configured firewall settings for the "Domain" network cannot be applied to the VPN adapter: Vista applies a single profile to every interface, and when several networks are connected it picks the most restrictive one in use (here, Public), so the domain rules never take effect.
Windows 7 removes this pain with support for multiple active firewall policies: each network interface is assigned its own profile, so the user's PC can obtain and apply the Domain firewall profile to the VPN adapter regardless of other networks that are active on the PC. IT pros can simplify connectivity and security policies by maintaining a single set of rules for both remote clients and clients that are physically connected to the corporate network, and know that the rules are applied where they belong. One caveat worth checking: an interface lands in the Domain profile only when the machine can reach a domain controller through it, so a VPN adapter that cannot see a DC will still be treated as Public or Private, and rules tagged for the Domain profile will not apply there.
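To make the "single rule set, profile decides" idea concrete, here is an added example (not code from the article or from Microsoft) using netsh advfirewall, the built-in Windows 7 firewall tool, from an elevated PowerShell prompt. The rule names, the RDP port and the management subnet are illustrative assumptions.

```powershell
# Added example (not from the article): per-profile Windows Firewall rules on
# Windows 7 via netsh advfirewall, which ships with the OS. The rule names,
# port and subnet below are illustrative assumptions. Run elevated.

$ruleName = "Corp remote management (domain profile only)"   # assumed name
$mgmtNet  = "10.20.0.0/16"                                   # assumed corp management subnet

# 1. Which profiles are active right now? On Windows 7 with a public Wi-Fi
#    link and a corporate VPN up, both "Public Profile Settings" and
#    "Domain Profile Settings" are listed; Vista would show only one.
netsh advfirewall show currentprofile

# 2. Idempotent: drop any old copy of the rule before re-adding it.
netsh advfirewall firewall delete rule name="$ruleName" | Out-Null

# 3. Allow inbound RDP, but only on interfaces that are in the Domain
#    profile and only from the management subnet. The same rule set is
#    pushed to desk-bound and VPN-connected clients; the profile tag,
#    not where the client happens to be, decides whether it applies.
netsh advfirewall firewall add rule name="$ruleName" `
    dir=in action=allow protocol=TCP localport=3389 `
    profile=domain remoteip=$mgmtNet enable=yes

# 4. Keep the hotel Wi-Fi side closed even if someone later enables the
#    built-in "Remote Desktop" rule group: an explicit block rule wins
#    over any allow rule in the Public and Private profiles.
netsh advfirewall firewall delete rule name="Block RDP off-domain" | Out-Null
netsh advfirewall firewall add rule name="Block RDP off-domain" `
    dir=in action=block protocol=TCP localport=3389 profile=public,private

# 5. Review what was written; 'verbose' shows the "Profiles:" line.
netsh advfirewall firewall show rule name="$ruleName" verbose
netsh advfirewall firewall show rule name="Block RDP off-domain" verbose

# 6. Self-check: the allow rule must be scoped to exactly the Domain profile
#    (assumes English netsh output).
$out = netsh advfirewall firewall show rule name="$ruleName" verbose
if ($out -match 'Profiles:\s+Domain\s*$') {
    Write-Host "OK: '$ruleName' is scoped to the Domain profile"
} else {
    Write-Warning "Profile scope is not what was intended:`n$($out -join "`n")"
}
```

In a domain you would push the same two rules through Group Policy (Computer Configuration, Windows Firewall with Advanced Security) rather than run netsh on each client; the point of the example is that the rule set is identical for office and VPN clients and the profile tag does the work.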
The next feature Cooke discusses, DirectAccess, automatically establishes a bi-directional connection from mobile client computers to the corporate network. The end user does not have to start a VPN client; the machine builds IPsec-protected tunnels across the Internet on its own whenever it has connectivity.
DirectAccess uses IPsec to authenticate both the computer and the user and to encrypt the data crossing the Internet, and it can be configured to require employees to authenticate with a smart card. Because DirectAccess is always on, IT pros can distribute software updates and policies at any time. Let's find out more about this feature.
Many in the IT world are required to travel a lot, which means they need a lot of access to their corporate Intranet. Under these circumstances, SharePoint is used quite often, and a large number of Line of Business applications are all Web-enabled. The result: many users have to use their corporate VPN a lot. Unfortunately, it’s usually frustrating and annoying to users to have to stop what they’re doing and fire up their VPN connection.
Windows 7 works in conjunction with Windows Server 2008 R2 to make working outside of the office simpler and less frustrating with DirectAccess. DirectAccess works by automatically establishing a bi-directional connection from client computers to the corporate network. As a result, remote users have seamless, secure access to the corporate network any time they connect to the Internet, without having to manually initiate a traditional VPN connection. This, obviously, allows more productivity and allows users to focus on their work and not the remote access technology.
Now whenever users travel, not only can they access their corporate email, but they can also open Intranet sites, shared drives, use line-of-business applications, and have full access to all of the corporate resources they need to do their job, without having to manually create their VPN tunnel.
From a security perspective, DirectAccess is built on proven, standards-based technologies: IPv6 and IPsec. Traffic is IPv6 end to end; on IPv4-only networks it is carried inside 6to4, Teredo or IP-HTTPS tunnels. IPsec authenticates both the computer (with a machine certificate) and the user, which gives IT the ability to manage the computer even before the user logs on. IT can also choose to require users to authenticate with a smart card. IPsec also encrypts communications across the Internet with algorithms such as AES. Note that DirectAccess requires domain-joined Windows 7 Enterprise or Ultimate clients and a Windows Server 2008 R2 DirectAccess server; it is not available on the consumer editions.
DirectAccess also has a benefit for IT pros: it provides an always-on, secure mechanism to remotely manage and update the PCs of the mobile workforce. Whenever a user's laptop has Internet connectivity, it is connected to the corporate network. This gives IT more opportunities to distribute software updates and policies to mobile workers, while helping to keep all machines free of malware and other unwanted software.
Cooke also discusses BranchCache in his blog, which is a feature that will speed up network access for the employee working out of the branch office, performing as if they're working straight off the in-office corporate LAN. Let’s find out more about this specific feature.
DirectAccess is great for the mobile worker, but what about the remote worker who works out in a branch office location? One thing all branch offices seem to have in common is limited network bandwidth. Accessing large files in a branch office is always a slow, frustrating affair. Most users prefer a snappy network and quick downloads.
Windows 7 incorporates BranchCache, another technology that works in conjunction with Windows Server 2008 R2, which makes applications and data housed in the company's data center feel responsive from a branch office. Users in remote branch offices get the experience of working as if they were on the local area network (LAN) of the server they are accessing.
BranchCache also reduces utilization of the wide area network (WAN). When BranchCache is enabled, a copy of any data accessed from intranet Web sites (HTTP) and file servers (SMB) is cached locally within the branch office, either on the Windows 7 clients themselves (Distributed Cache mode) or on a Windows Server 2008 R2 machine in the branch (Hosted Cache mode). When another client on the same network requests the file, it downloads the content from the local cache instead of pulling the same data across the WAN. The security-relevant detail is how the cache is trusted: the client still authenticates to the origin server and receives a set of content identifiers (hashes) from it over the WAN, and only then fetches the matching blocks from the local cache, checking each block against its hash. A peer cannot serve altered data, and a client that the server would not authorize never obtains the identifiers in the first place.
As mentioned previously, besides Multiple Active Firewall Policies, DirectAccess and BranchCache, Cooke also discusses BitLocker To Go and AppLocker on the Windows Security Blog. BitLocker To Go extends Vista's BitLocker to removable storage: users can encrypt the volume of a USB drive and unlock it with a password and/or a digital certificate stored on a smart card. Encrypted drives can still be shared with Vista and XP users through a read-only tool called BitLocker To Go Reader, which works only on FAT-formatted volumes. IT can also use Group Policy to deny write access to any removable drive that is not protected by BitLocker, which is what turns the feature from an option into a control.
Additionally, Cooke said that Windows 7 gives control back to IT pros with AppLocker, which helps them keep unknown and unwanted software (user-installed P2P programs, games, unlicensed software and the like) off the network, while still letting end users install and run approved applications and software updates based on their business needs. AppLocker supersedes the older Software Restriction Policies on Windows 7 Enterprise and Ultimate, with rules based on publisher (Authenticode signature), file path or file hash, assigned per user or security group, and an audit-only mode for testing a policy before enforcing it.
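As an added example (not from the article), the following shows how an administrator would put BitLocker To Go on a USB stick from an elevated Windows 7 PowerShell prompt using manage-bde.exe, the command-line tool that ships with the OS. The drive letter, the backup file location and the assumption of English-language output are illustrative.

```powershell
# Added example, not from the article: turn on BitLocker To Go for a USB
# drive on Windows 7 with manage-bde.exe (ships with the OS), run from an
# elevated PowerShell prompt. Drive letter and backup path are assumptions.
$drive  = 'E:'                                                          # assumed USB stick
$backup = "$env:USERPROFILE\Documents\btg-recovery-$($drive.TrimEnd(':')).txt"

# 1. Only FAT-formatted volumes can later be opened on XP/Vista with
#    BitLocker To Go Reader; NTFS volumes cannot. Check before encrypting.
$fs = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'").FileSystem
Write-Host "$drive is $fs (FAT32 is required for BitLocker To Go Reader on XP/Vista)"

# 2. Password protector. -PasswordProtector prompts interactively, so the
#    password never appears on the command line or in shell history.
manage-bde -on $drive -PasswordProtector

# 3. Add a 48-digit recovery password as the fallback unlock method and
#    store it somewhere other than the stick itself.
manage-bde -protectors -add $drive -RecoveryPassword
manage-bde -protectors -get $drive | Out-File $backup
Write-Host "Protectors (incl. recovery password) written to $backup; move it off this machine."

# 4. Encryption runs in the background. Wait until the whole volume is
#    converted before handing the drive out: a partially converted volume
#    still holds plaintext. (Regex assumes English manage-bde output.)
do {
    Start-Sleep -Seconds 10
    $status = manage-bde -status $drive
    $m   = ($status | Select-String 'Percentage Encrypted:\s+([\d.]+)').Matches[0]
    $pct = [double]$m.Groups[1].Value
    Write-Host ("{0} encrypted: {1}%" -f $drive, $pct)
} while ($pct -lt 100)

# 5. Final state: "Conversion Status: Fully Encrypted" and both protectors listed.
manage-bde -status $drive
```

The order matters: the password protector is what the user types day to day, the recovery password is the only way back in when it is forgotten, and the conversion wait is there because `manage-bde -on` returns as soon as encryption starts, not when it finishes.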
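The AppLocker description above maps onto a short workflow with the AppLocker PowerShell module that ships in Windows 7 Enterprise and Ultimate: inventory the software you trust, generate rules, dry-run them, apply in audit mode, then read the audit log before enforcing. The script below is an added example, not code from the article or from Microsoft; the trusted directory, the policy file name and the probe paths are assumptions for illustration.

```powershell
# Added example, not from the article: build, dry-run and audit an AppLocker
# policy on Windows 7 Enterprise/Ultimate with the built-in AppLocker module.
# Run from an elevated prompt. The trusted directory, the policy file and
# the probe paths are assumptions for illustration.
Import-Module AppLocker
$policyXml = "$env:TEMP\corp-applocker.xml"     # assumed output file
$trusted   = 'C:\Program Files'                 # assumed: where approved software lives

# 1. Inventory: collect publisher (Authenticode) and hash data for every
#    EXE under the trusted location.
$files = Get-AppLockerFileInformation -Directory $trusted -Recurse -FileType Exe

# 2. Generate allow rules for Everyone. Publisher rules survive patching
#    (same signer, newer version); unsigned binaries fall back to hash
#    rules. -Optimize merges rules that share a publisher.
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File $policyXml -Encoding UTF8

# 3. Start in audit mode: AppLocker logs what it *would* block (event 8003)
#    without blocking anything. New-AppLockerPolicy emits
#    EnforcementMode="NotConfigured", so rewrite it in the XML.
(Get-Content $policyXml) -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Set-Content $policyXml -Encoding UTF8

# 4. Dry-run against specific files before applying anything. The copy of
#    a signed Windows binary into a user-writable location shows that a
#    publisher rule is path-independent: if its signer is allowed, the
#    copy is allowed too. Use path or hash rules when location must matter.
$probe = "$env:TEMP\notepad-copy.exe"
Copy-Item "$env:windir\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone `
    -Path "$trusted\Internet Explorer\iexplore.exe", $probe |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally (in a domain, import the XML into a GPO instead) and
#    make sure the Application Identity service runs; without it AppLocker
#    evaluates no rules at all.
Set-AppLockerPolicy -XmlPolicy $policyXml
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc

# 6. Watch the audit trail for a while before switching to Enforce.
#    Enforce denies everything not matched by an allow rule, including
#    %WINDIR% binaries if you never added a rule for them.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```

The two checks a practitioner cares about are step 4 (does the policy decide the way you expect for a known-good and a known-suspicious file?) and step 6 (what would break in the real user population?); skipping either is how an AppLocker rollout ends with a locked-out help desk.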
Technical talk can seem overwhelming, especially for the average Windows user, but the short version is this: these security enhancements are going to make your PC safer and your life easier. What more could you ask for?