Carried over from Vista are some of the key security features that made it a security success: Kernel Patch Protection, Data Execution Prevention, Address Space Layout Randomization, and Mandatory Integrity Levels. Windows Vista’s User Account Control has been revamped to improve the user experience. With Windows 7, the number of operating system applications and tasks that require administrative privileges is smaller. With a newer, more flexible consent prompt for users who run applications with administrative privileges, standard users can do more and all users receive up to 30% fewer prompts. Whether you want the maximum protection provided by UAC or the minimum, Windows 7 allows customization that prevents the temptation of just disabling it. Along with this, Windows 7’s audit capabilities are much more transparent. Whether someone has been granted or denied access, the reasons why and any changes implemented will be visible.
Lock Down Those Apps
In the age of application overload, features such as AppLocker may be key in some enterprises. Admins can prevent users from downloading harmful or memory-hogging applications, using the three rule system to label applications with “allow,” “deny,” and “exception.” AppLocker’s more honed capabilities include restrictions on certain applications based upon version number or department, allowing division of applications based on business-need.
Protect that Data
Vista’s data protections – Encrypting File System and Active Directory Rights Management Services support – are still supported in Windows 7 with minor updates. The major enhancement is with BitLocker drive encryption and BitLocker To Go, which encrypts data on removable media. Admins are given more flexibility with how much encryption removable media requires, and authorized IT admins always have access to BitLocker protected drives with the new Data Recovery Agent (DRA).
After partitioning your drive, you can view which drives are being protected by BitLocker. These drives will automatically be divided into fixed drives and removable drives. Upon turning on BitLocker, you will be prompted to enter a password or a smartcard. You will be provided with a BitLocker Recovery Key, in case of a lost password or failed authentication. You will be given the option to either print the recovery key or save it as a text file. BitLocker can encrypt in the background of Windows 7, and even run without a Trusted Platform Module. In order to do so – if your computer does not come with a TPM chip – you must change the group policy settings, as outlined by Tony Bradley:
1. Click the Windows logo at the bottom left (the Start button).
2. In the ‘Search Programs and Files’ field at the bottom of the Start menu, type gpedit.msc and press Enter.
3. Under Computer Configuration, navigate to Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives.
4. Double-click on the Require additional authentication at startup option.
5. Select the Enabled radio button at the top and check the Allow BitLocker without a compatible TPM check box.
6. Click OK.
Despite being the bane of every IT departments’ existence, removable drives are still widely used in the enterprise. Windows 7 confronts this glaring vulnerability with an extension of BitLocker. With BitLocker to Go, administrators have a lot of control regarding the use of removable storage devices. Simply changing Group Policy can make unencrypted drives read-only, enforcing that BitLocker to Go be applied before saving data to a removable drive.
And the community says…
Tell us what you like or desire from Windows 7 security capabilities, and see what other members of the community had to say.
For more information on Windows 7 Security Enhancements, check out the Microsoft TechNet Library.