Windows 7 will have 29 percent fewer user account control (UAC) prompts than Windows Vista has, and fewer prompts in general, according to Paul Cooke, director of Windows Client Enterprise Security.
"We've put users in control and allowed them the ability to tune the level of prompting" using a slider bar, he said in an interview.
Other new security features in Windows 7 are DirectAccess and BitLocker To Go.
DirectAccess offers remote workers the same level of seamless and secure connectivity as they have in the office. The system automatically creates a secure tunnel to the corporate network and workers don't have to manually establish a connection, Cooke said.
DirectAccess also allows IT administrators to patch systems whenever a remote worker is on the network, he said.
BitLocker To Go extends the data encryption features introduced in Vista to removable storage devices like USB thumb drives and flash drives. A password or a smart card with a digital certificate stored on it can be used to unlock the data. The devices can be used on any other Windows 7-based machine with the correct password. On XP and Vista machines the data on the drives can be read but not modified, Cooke said.
Smart-card provider Gemalto is offering multifactor authentication for Windows 7 for even more secure access to machines accessing the network, said Ray Wizbowski, director of marketing and communications at Gemalto. Now, a user can insert a card into a smart-card reader built into a laptop and either enter a personal identification number or use a fingerprint to access the data, he said.
Windows 7 also includes AppLocker technology that allows administrators to control the software that runs in the corporate network to ensure that only authorized scripts, installers, and dynamic-link libraries are accessed. It also can be used to keep unlicensed software off machines, according to Cooke. (Source: CNET)
Here are some of Windows 7's key security features:
Windows 7: Firewall
Windows 7 Firewall is the location where you control and configure firewall settings. A firewall is a virtual line of defense against unwanted computers or connections trying to break into your computer through your network.
The Vista firewall allowed you to choose whether you are on a public or private network.
With Windows 7, you have three choices - public network, home network or work network. The two latter options are treated as private networks.
If you select the "home network" option, you can set up a Homegroup.
In this case, network discovery is automatically turned on so you will be able to see the other computers and devices on the network and they will be able to see your computer.
Computers that belong to the Homegroup can share picture, music, video and document libraries and can share hardware devices such as printers.
If there are folders in your libraries that you do not want to share, you can exclude them.
If you select "work network," network discovery is on by default but you would not be able to create or join a Homegroup.
If you join the computer to a Windows domain (via Control Panel | System | Advanced System Settings | Computer Name tab) and are authenticated to the domain controller, the firewall will automatically recognize the network as a domain network.
"Public network" is the appropriate selection when you are connected to a public wi-fi network at an airport, hotel or coffee shop or using a mobile broadband network.
Network discovery will be turned off by default so that other computers on the network can not see yours and you cannot create or belong to a Homegroup.
With all network types, by default the Windows 7 firewall blocks connections to programs that are not on the list of allowed programs. Windows 7 allows you to configure the settings for each network type separately.
With Vista, even though you had profiles for both public and private networks, only one of them was allowed to be active at a given time.
If your computer happened to be connected to two different networks, you were out of luck. The most restrictive profile got applied to all connections, which meant you might not be able to do everything you needed to do on your local (private) network because you were operating under the rules for the public network.
With Windows 7 (and Server 2008 R2), a different profile can be active for each network adapter. The connection to the private network is subject to the private network rules, while traffic to or from the public network has the public rules applied.
In Vista, when you created firewall rules you had to list port numbers and IP addresses individually. Now you can specify ranges, which saves time on this common administrative task.
You can also create connection security rules that specify which ports or protocols are subject to IPsec requirements right there in the firewall console, instead of having to use the netsh command. For those who prefer the GUI, this is a handy improvement.
The connection security rules also support dynamic encryption. That means that if a server gets an unencrypted (but authenticated) message from a client computer, a security association can be negotiated "on the fly" to require encryption, making for more secure communications.
The Windows 7 Firewall refines the much-improved firewall that was included in Windows Vista, and brings its "hidden" advanced features out into the open.
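The firewall behaviours described in this section (per-profile settings, port and address ranges in a single rule, connection security rules without leaving the firewall tooling, and dynamic encryption) can all be driven from the command line. The following is an added example, not code from the original article, using netsh advfirewall from an elevated PowerShell prompt, which is the interface Windows 7 itself ships with. Rule names, ports and the address range are constructed placeholders.

```powershell
# Added example (not from the original article): Windows 7 firewall
# configuration via netsh advfirewall from an elevated PowerShell prompt.
# Rule names, ports and addresses are constructed placeholders.

# 1. Per-profile settings: block unsolicited inbound traffic on every profile,
#    but log dropped connections only while the Public profile is active.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set publicprofile logging droppedconnections enable

# 2. Port and address ranges in one rule (in Vista each port and address was
#    a separate entry). Allows an internal app on TCP 8000-8010 only from the
#    LAN and only on adapters where the Private (home/work) profile applies.
netsh advfirewall firewall add rule name=IntranetApp-8000-8010-LAN `
    dir=in action=allow protocol=TCP localport=8000-8010 `
    remoteip=192.168.10.0/24 profile=private

# 3. Connection security rule (the netsh equivalent of the console's
#    "Connection Security Rules"): require IPsec authentication for inbound
#    connections, request it for outbound, using the computer's Kerberos identity.
netsh advfirewall consec add rule name=RequireIPsec-DomainHosts `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb

# 4. Dynamic encryption: accept an authenticated but unencrypted connection to
#    TCP 445 and let IPsec negotiate encryption on the fly (security=authdynenc).
#    If no security association can be negotiated, the connection is blocked.
netsh advfirewall firewall add rule name=SMB-In-IPsec-DynamicEncryption `
    dir=in action=allow protocol=TCP localport=445 `
    security=authdynenc profile=domain,private

# 5. Verify: which profile is active on each connected network, and the rules.
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all | Select-String -Pattern 'Rule Name'
netsh advfirewall consec show rule name=all
```

The `profile=` parameter on each rule is what makes the per-adapter behaviour work: a laptop on a public hotspot and a docked wired LAN at the same time gets the private rule applied only to the LAN adapter. The `show currentprofile` output is the quickest way to confirm which profile Windows actually assigned to each connection before trusting that a rule is in effect.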
Windows 7: Direct Access
Windows 7 DirectAccess gives mobile users seamless access to corporate networks without the need to use a Virtual Private Network (VPN).
It is available in the Windows 7 Enterprise operating system and is not available in Windows 7 Professional. Enabling DirectAccess allows the entire network’s file shares, intranet websites and other applications to be available wherever there’s Internet.
DirectAccess also allows administrators to update Group Policy settings on remote computers.
Administrators can also distribute software updates whenever the computer is switched on, and has Internet access, even if the user isn’t logged in.
Windows 7 DirectAccess incorporates Internet Protocol Version 6 over Internet Protocol security (IPv6-over-IPsec) for encryption.
Traffic uses either a DirectAccess server which utilizes Windows Server 2008 R2, or all the traffic can just go through the corporate network.
Internet and Intranet traffic is separated by DirectAccess.
Both users and computers can be authenticated and Windows 7 DirectAccess supports multifactor authentication like smart cards.
Specific resources on the Intranet can be switched off for certain users or machines. Administrators can allow only specific servers or subnets. Other IT advantages include simplification and cost reduction.
Windows 7’s DirectAccess’ bi-directional connectivity provides a simplified user experience over VPN.
The user doesn’t have to think in terms of networks and the experience connecting to network resources appears seamless.
Productivity is enhanced because mobile users can keep connected to corporate networks all the time. The product ties in nicely with Folder Redirection, which synchronizes files across the network.
Key elements of DirectAccess are that the client runs Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2.
A domain-joined computer running Windows Server 2008 R2 can act as the DirectAccess server. A solution needs a network location server, to let the client know if it’s on the intranet or Internet, and also Certificate revocation list (CRL) distribution points—essentially issuing certificates.
Microsoft suggests that enterprises will use DirectAccess and VPNs side-by-side for now because VPNs are compatible with Vista and earlier versions of Windows; VPNs are compatible with non-Microsoft operating systems; VPNs work from non-domain-joined computers; and VPNs don’t require Windows Server 2008 R2.
Deploying Microsoft DirectAccess can be with full intranet access, selected server access and end-to-end access.
Configurations can include DirectAccess with Network Access Protection (NAP); Using Hyper-V for redundancy issues and adding capacity by using IPSec on another server.
Windows 7: BranchCache
BranchCache is a network performance tool available in Windows 7 and Windows Server 2008 R2.
It acts like a proxy that works only when requested by a client user.
The typical user scenario where BranchCache will be useful is where a branch office has a slow link back to the central office.
Any downloads that might occur will be slow because of the bandwidth connection.
BranchCache is designed for such remote office operations.
There are two modes in which BranchCache works, hosted or distributed.
Hosted Cache mode: a Windows Server 2008 R2 server located in the branch office hosts the cached files.
Distributed Cache mode: a branch server is not necessary; file copies are cached directly on the PCs at the branch location.
When BranchCache is enabled, if there is a request for data across the network, a copy of the data or file is downloaded from the intranet website or a file server and it is cached locally within the branch office.
When another user in the branch requests the same file, that user gets the content almost immediately, because it is served from the local cache rather than over the limited-bandwidth connection back to headquarters.
Configuring BranchCache
BranchCache requires that you use Windows 7 PCs and Windows Server 2008 R2 servers. You can use either Group Policy settings or the netsh command-line tool to perform the following configuration tasks on BranchCache clients:
- Enable BranchCache
- Select one of two modes: Distributed Cache or Hosted Cache.
- If using Distributed Cache mode specify the size of the client computers’ cache. BranchCache can use up to 5% of the hard disk drive for the cache.
- If using Hosted Cache mode specify the location where the Hosted Cache will reside.
You must install the BranchCache feature using server manager in order to configure a Web server or an application server that uses the Background Intelligent Transfer Service (BITS) protocol.
You must install the BranchCache for Network Files feature, and configure the server using Group Policy in order to configure a file server to operate with BranchCache.
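The four client-side tasks listed above, carried out with the netsh command-line tool the section mentions. This is an added example, not from the original article; the hosted-cache server name is a constructed placeholder.

```powershell
# Added example (not from the original article): configuring a Windows 7
# BranchCache client with netsh from an elevated PowerShell prompt.
# The hosted-cache server name is a constructed placeholder.

# Distributed Cache mode: no branch server; branch PCs cache content for each
# other. Cap the local cache at 5% of the disk, the maximum the article quotes.
netsh branchcache set service mode=distributed
netsh branchcache set cachesize size=5 percent=TRUE

# Hosted Cache mode instead: point the client at the branch office server that
# holds the cache. Only one mode is active at a time, so this replaces the
# distributed setting above.
netsh branchcache set service mode=hostedclient location=branch-cache-srv01.corp.example

# Disable BranchCache again (for example on a laptop that leaves the branch).
netsh branchcache set service mode=disabled

# Inspect the effective configuration, and clear the local cache when
# troubleshooting stale or corrupt content.
netsh branchcache show status all
netsh branchcache flush
```

Settings delivered through Group Policy override what is set locally with netsh, so on a domain-joined PC `netsh branchcache show status all` is the place to confirm which mode actually won.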
Windows 7: Biometrics
Biometrics offer users an easy way to log onto computers. Fingerprint readers can be used to authenticate and log users onto the machines.
The devices identify and authenticate the user through an infallible means of personal identification--unique fingerprints.
Windows 7 brings integrated biometric support. Many laptops include fingerprint readers and Windows 7 adds the functionality to use those readers.
Fingerprint recognition hasn’t been included in Windows before.
Previously, computer manufacturers had included their own software to operate the biometric device.
This was cumbersome and probably hindered the deployment of biometrics because it added a time consuming additional step for both IT departments and the end user.
The Windows Biometric Framework (WBF) included in Windows 7 allows users and administrators to log on to computers, grant elevation privileges through User Account Control (UAC) and manage the fingerprint hardware.
Enabling, limiting and blocking the use of the fingerprint readers can be administered through Group Policy settings.
The biometric support can be administered through the Control Panel just like any other element of Windows 7.
Users can adjust the way the biometric reader is used--to log on to a local computer or a domain. The Device Manager functions as the support mechanism for managing the drivers and Windows Update provides device driver support.
Windows Biometric Service (WBS) is a component for managing the biometric devices within Windows 7. It strictly separates the client applications and the biometric data.
WBS functions as an I/O proxy between the application and the device. It performs all capture, processing and storage--all within Windows 7.
Microsoft hopes its inclusion of biometric support in Windows 7 will add to the attractiveness of a Windows 7 upgrade.
In addition to laptops, Windows 7 biometric support can be used in stand-alone biometric readers and biometric readers could conceivably be deployed enterprise-wide with a consistent administrative and user experience.
This has not been possible before--biometric reader manufacturers or laptop makers provided their own technology stack resulting in unique interfaces.
Using the biometric pad on the computer adds an intriguing and amusing experience for the user and may encourage more users to incorporate user authentication in their daily use of laptops, thus improving security overall should the laptop get lost or stolen.
Microsoft has a white paper providing guidelines for WBF in Windows 7.
Windows 7 and Smart Cards
Microsoft continues its support of smart cards in Windows 7. Smart cards--the little plastic cards containing a chip--can hold details of a card holder’s identity, and that coupled with a Personal Identification Number (PIN) is more secure than a password--the intruder needs both the physical card and knowledge of the PIN to gain access.
Logging on to a Windows 7 computer with a smart card is relatively simple for the end-user.
The computer needs to have a smart card reader attached or installed. The user inserts their smart card and presses Ctrl+Alt+Delete to bring up the logon screen.
They then select “Switch User” and click on the smart card icon. They then enter their PIN.
Smart cards can also be used to unlock an encrypted drive in Windows 7 using Microsoft’s BitLocker Drive Encryption. BitLocker is available in Windows 7 Ultimate.
BitLocker is upgraded in Windows 7 to include BitLocker To Go. It should be noted that the BitLocker To Go Reader, which is used to read protected drives on Windows XP or Vista, can’t be used with a smart card.
Smart cards used to unlock BitLocker drives require a compatible certificate on the card. BitLocker will choose the certificate unless there are multiple compatible certificates on the card, in which case the user chooses the certificate.
Smart card settings in BitLocker are defined by Group Policy. Group Policy settings validate smart card certificate usage rule compliance on all drives--including operating system drives, and configure the use of smart cards on fixed data and removable drives.
One minor security issue to take into account when using a smart card and BitLocker is that the public key and thumbprint of the encryption certificate is stored unencrypted in the smart card’s certificate-based protector metadata on the drive.
This information could be used to identify the certification authority that issued the certificate.
Smart cards are a part of Microsoft’s public-key infrastructure that Microsoft has been integrating in Windows and now Windows 7. The smart card SDK has been integrated as part of Windows Base Services.
The SDK is available at the Microsoft Developer Network (MSDN).
Windows 7: BitLocker Drive Encryption
BitLocker was hyped a lot in Windows Vista and it appears here as well.
It was meant to prevent unauthorized access to your hard drives by "locking" the information away from unauthorized eyes. It's back in Windows 7.
My primary method of transferring data is to use one of the half dozen or so USB sticks I carry around in my backpack. Over time, these USB sticks end up with all sorts of different data and documents on them. As a security guy, I worry about what would happen if I lost one of these USB sticks. What if I have some confidential or customer data on one of them?
Windows 7 helps address the continued threat of data leakage with introduction of BitLocker To Go: an extension to BitLocker in Windows Vista that allows me to encrypt the disk volume of removable storage devices with a password and/or a digital certificate stored on a smart card.
BitLocker To Go was designed to facilitate the secure sharing of data on removable storage devices and was designed to work on any standard removable storage device. No special, proprietary hardware is required.
So now, whether you are traveling with your laptop, sharing large files with a trusted partner, or taking work home, you can feel secure that your data is safe. Both traditional BitLocker and BitLocker To Go protected devices help ensure that only authorized users can read the data, even if the media is lost, stolen, or misused.
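The smart-card section above describes unlocking a BitLocker drive with a certificate and notes that the certificate's public key and thumbprint sit unencrypted in the protector metadata; this section describes BitLocker To Go protecting a removable drive with a password and/or a smart-card certificate. The following added example (not from the original article) does both with manage-bde.exe, the command-line tool Windows 7 ships with, and shows where the unencrypted metadata is visible. The drive letter and certificate thumbprint are constructed placeholders.

```powershell
# Added example (not from the original article): protecting a removable drive
# with BitLocker To Go using manage-bde.exe from an elevated PowerShell prompt.
# Drive letter and thumbprint are constructed placeholders.

$Drive = 'E:'

# 1. Encrypt the removable drive with a password protector plus a numerical
#    recovery password. manage-bde prompts for the password interactively and
#    prints the 48-digit recovery password, which must be stored somewhere
#    safe (for example escrowed in Active Directory) before the drive is used.
manage-bde -on $Drive -Password -RecoveryPassword

# 2. Add a certificate protector so a smart card holding the matching private
#    key can also unlock the drive. -ct takes the SHA-1 thumbprint of the
#    certificate as shown in the user's certificate store; by default BitLocker
#    only accepts certificates carrying the BitLocker Drive Encryption EKU
#    (object identifier 1.3.6.1.4.1.311.67.1.1) unless Group Policy changes it.
$Thumbprint = '0000000000000000000000000000000000000000'   # placeholder
manage-bde -protectors -add $Drive -Certificate -ct $Thumbprint

# 3. Check encryption progress and list the protectors. The protector listing
#    is the unencrypted metadata the article warns about: the certificate's
#    public key and thumbprint are readable here without unlocking the drive,
#    which is enough to identify the issuing certification authority.
manage-bde -status $Drive
manage-bde -protectors -get $Drive

# 4. On another Windows 7 machine the drive unlocks with either factor.
manage-bde -unlock $Drive -Password
manage-bde -unlock $Drive -Certificate -ct $Thumbprint
```

Because step 3 reveals the CA behind the protector to anyone holding the drive, organisations that care about that information leak should issue BitLocker certificates from a CA whose name does not identify the organisation, or rely on the password protector for drives that travel outside the company.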
Windows 7: AppLocker
Once deployed, the software configuration of a typical desktop begins to drift away from its desired state.
The inconsistencies come more often than not from the installation and execution of non-standard software within the desktop environment. Users bring software into the environment from a variety of sources: home, Internet downloads, peer-to-peer file sharing, and through e-mail.
The result is a higher incidence of malware infections, more help desk calls, and difficulty in ensuring that your desktops are running only approved, licensed software.
In addition, many non-productive applications installed by end users cause incompatibilities with business applications, cause performance degradation on the local desktop, or needlessly consume network bandwidth.
As a result, many organizations are looking to exert more control over their desktop environment through a variety of lockdown schemes. A leading analyst predicts that fifty percent of organizations with over 1000 desktops will deploy some desktop lockdown mechanism by the end of 2010.
As a first step in locking down their desktop environment, organizations typically look toward removing administrative privilege from their users.
Running as a standard, non-administrative user is a step in the right direction, because it does help limit the configuration changes that can be made in the desktop environment; however, running as a standard user does not eliminate unknown or unwanted software in your organization.
It is not uncommon for standard users to download and install applications that do not require any administrative privileges. Users are also able to download and run single file executables, like web browsers or malicious greeting cards that continually make the rounds. These threats put organizations at risk from malware that targets user data.
Once administrative access is removed, many organizations realize that it is not a total solution. In addition to the issues called out above, organizations also find that there is great benefit in allowing users the ability to install innocuous or approved software themselves but they still have a need to prevent users from installing software that is considered risky.
Application control solutions provide an alternative approach for allowing organizations to exert more control on the software that is executed in their desktop environment. Software Restriction Policies (SRP), in Windows XP and Windows Vista®, was one of the first application control solutions in the marketplace.
SRP gave IT administrators a coarse mechanism to define and enforce application control policies.
However, SRP could become a management burden in a very dynamic desktop environment where applications were installed and updated on a constant basis because they predominantly utilized hash rules. With hash rules, every time an application needs updating a new hash rule needs to be created.
As a result, AppLocker provides not only security protections, but also operational and compliance benefits by:
Deny rules take the opposite approach and allow the execution of any application except those on a list of “known bad” applications. While many enterprises will likely use a combination of allow rules and deny rules, the ideal AppLocker deployment would use allow rules with built in exceptions.
Exception rules allow you to exclude files from an allow/deny rule that would normally be included. Using exceptions, you can create a rule to “allow everything in the Windows Operating System to run, except the built-in games.” Using allow rules with exceptions provides a robust way to build a “known good list” of applications without having to create an inordinate number of rules.
AppLocker introduces publisher rules that are based upon application digital signatures. Publisher rules make it possible to build rules that survive application updates by being able to specify attributes such as the version of an application.
For example, an organization can create a rule to “allow all versions greater than 9.0 of the program Acrobat Reader to run if it is signed by the software publisher Adobe.” Now when Adobe updates Acrobat, you can safely push out the application update without having to build another rule for the new version of the application.
AppLocker supports multiple, independently configurable policies: executables, installers, scripts & DLLs. The multiple policies allow an organization to build rules that go beyond the traditional executable only solutions, providing greater flexibility and enhanced protection.
For example, an organization could create a rule to “allow the Graphics Department to get updates directly from Adobe for Photoshop as long as it is still Adobe Photoshop version 14.*”.
This allows IT to retain control but empower users to keep their systems up to date based upon their business needs. In addition, each of these policies can be individually placed into an audit only mode allowing you to test your rules before they start blocking applications from running and potentially hurting end user productivity.
AppLocker rules can be associated with a specific user or group within an organization. This provides granular controls that allow you to support compliance requirements by validating and enforcing which users can run specific applications.
For example, you can create a rule to “allow people in the Finance Department to run the Finance line of business applications.” This blocks everyone who is not in your Finance Department from running your finance applications (including administrators), but still provides access for those that have a business need to run the applications.
AppLocker provides a robust experience for IT administrators through new rule creation tools and wizards. Using a step-by-step approach and fully integrated help, creating new rules, automatically generating rules and importing / exporting rules is intuitive so that rules are easy to create and maintain.
For example, IT administrators can automatically generate rules using a test reference machine and then import the rules into a production environment for widespread deployment. The IT administrator can also export policy to provide a backup of your production configuration or to provide documentation for compliance purposes.
AppLocker is a new technology in Windows 7 that will be part of the Enterprise SKU, while the legacy Software Restriction Policies will be available in the Business and Enterprise SKUs.
The inconsistencies come more often than not from the installation and execution of non-standard software within the desktop environment. Users bring software into the environment from a variety of sources: home, Internet downloads, peer-to-peer file sharing, and through e-mail.
The result is a higher incidence of malware infections, more help desk calls, and difficulty in ensuring that your desktops are running only approved, licensed software.
In addition, many non-productive applications installed by end users cause incompatibilities with business applications, cause performance degradation on the local desktop, or needlessly consume network bandwidth.
As a result, many organizations are looking to exert more control over their desktop environment through a variety of lockdown schemes. A leading analyst predicts that fifty percent of organizations with over 1000 desktops will deploy some desktop lockdown mechanism by the end of 2010.
As a first step in locking down their desktop environment, organizations typically look toward removing administrative privilege from their users.
Running as a standard, non-administrative user is a step in the right direction, because it does help limit the configuration changes that can be made in the desktop environment; however, running as a standard user does not eliminate unknown or unwanted software in your organization.
It is not uncommon for standard users to download and install applications that do not require any administrative privileges. Users are also able to download and run single-file executables, like web browsers or the malicious greeting cards that continually make the rounds. These threats put organizations at risk from malware that targets user data.
Once administrative access is removed, many organizations realize that it is not a total solution. In addition to the issues called out above, organizations also find that there is great benefit in allowing users to install innocuous or approved software themselves, but they still need to prevent users from installing software that is considered risky.
Application control solutions provide an alternative approach for allowing organizations to exert more control on the software that is executed in their desktop environment. Software Restriction Policies (SRP), in Windows XP and Windows Vista®, was one of the first application control solutions in the marketplace.
SRP gave IT administrators a coarse mechanism to define and enforce application control policies.
However, SRP could become a management burden in a very dynamic desktop environment where applications were installed and updated on a constant basis, because SRP policies predominantly relied on hash rules. With hash rules, every time an application needs updating a new hash rule needs to be created.
Windows 7 AppLocker
Windows 7 addresses the growing desire for application control solutions in the enterprise with the introduction of AppLocker: a simple and flexible mechanism that allows administrators to specify exactly what is allowed to run in their desktop environment. As a result, AppLocker provides not only security protections, but also operational and compliance benefits by:
- Keeping unlicensed software from running in your desktop environment
- Preventing vulnerable, unauthorized applications from running in your desktop environment, including malware
- Stopping users from running applications that needlessly consume network bandwidth or otherwise impact the enterprise computing environment
- Preventing users from running applications that destabilize their desktop environment and increase helpdesk support costs
- Easing enterprise software deployments and maintenance through effective desktop configuration management
- Allowing users to install and run approved applications and software updates based upon their business needs
- Helping ensure your desktop environment is in compliance with corporate policies and industry regulations such as PCI DSS, Sarbanes-Oxley, HIPAA, Basel II, and others
Deny rules take the opposite approach and allow the execution of any application except those on a list of “known bad” applications. While many enterprises will likely use a combination of allow rules and deny rules, the ideal AppLocker deployment would use allow rules with built-in exceptions.
Exception rules allow you to exclude files from an allow/deny rule that would normally be included. Using exceptions, you can create a rule to “allow everything in the Windows Operating System to run, except the built-in games.” Using allow rules with exceptions provides a robust way to build a “known good list” of applications without having to create an inordinate number of rules.
AppLocker introduces publisher rules that are based upon application digital signatures. Publisher rules make it possible to build rules that survive application updates by being able to specify attributes such as the version of an application.
For example, an organization can create a rule to “allow all versions greater than 9.0 of the program Acrobat Reader to run if it is signed by the software publisher Adobe.” Now when Adobe updates Acrobat, you can safely push out the application update without having to build another rule for the new version of the application.
AppLocker supports multiple, independently configurable policies: executables, installers, scripts, and DLLs. The multiple policies allow an organization to build rules that go beyond the traditional executable-only solutions, providing greater flexibility and enhanced protection.
For example, an organization could create a rule to “allow the Graphics Department to get updates directly from Adobe for Photoshop as long as it is still Adobe Photoshop version 14.*”.
This allows IT to retain control while empowering users to keep their systems up to date based upon their business needs. In addition, each of these policies can be individually placed into an audit-only mode, allowing you to test your rules before they start blocking applications from running and potentially hurting end-user productivity.
AppLocker rules can be associated with a specific user or group within an organization. This provides granular controls that allow you to support compliance requirements by validating and enforcing which users can run specific applications.
For example, you can create a rule to “allow people in the Finance Department to run the Finance line of business applications.” This blocks everyone who is not in your Finance Department from running your finance applications (including administrators), but still provides access for those that have a business need to run the applications.
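The rule types described above, written out as one AppLocker policy and loaded in audit-only mode; this is an added example, not code from the original article or from Microsoft. It assumes Windows 7 Enterprise with the AppLocker PowerShell module in an elevated session; the Adobe publisher and product strings, the Finance group SID, and the `FinanceApps` folder are placeholders to be replaced with real values.

```powershell
# Added example: a hand-written AppLocker policy combining a publisher rule with a version range,
# an allow rule with an exception, and an allow rule scoped to one group, loaded in audit-only mode.
# Assumes Windows 7 Enterprise, an elevated PowerShell session, and the AppLocker module.
Import-Module AppLocker

# Placeholder certificate/product strings: copy the real ones from
# Get-AppLockerFileInformation -Path <signed AcroRd32.exe> before deploying.
$adobePublisher = 'O=ADOBE SYSTEMS INCORPORATED, L=SAN JOSE, S=CALIFORNIA, C=US'
$adobeProduct   = 'ADOBE READER'
$financeSid     = 'S-1-5-21-0-0-0-1234'   # placeholder SID of the Finance security group

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Adobe Reader 9.0 and above" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$adobePublisher" ProductName="$adobeProduct" BinaryName="*">
          <BinaryVersionRange LowSection="9.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files, except built-in games" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
      <Exceptions><FilePathCondition Path="%PROGRAMFILES%\Microsoft Games\*" /></Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Finance LOB apps (Finance group only)" Description=""
        UserOrGroupSid="$financeSid" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\FinanceApps\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run before applying: the policy has no rule for %WINDIR%, so notepad.exe should come back
# as denied. That gap would break Windows itself under enforcement; audit mode exists to surface it.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:windir\System32\notepad.exe", "$env:ProgramFiles\Internet Explorer\iexplore.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Load into the local policy in audit mode; -Merge keeps rules already present. Decisions are
# written to the AppLocker event log; enforcement also needs the Application Identity service.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

S-1-1-0 is the Everyone SID; because only the Finance SID has an allow rule for the FinanceApps path, every other user, administrators included, has no matching rule there and is denied, which is the behaviour the Finance example above describes.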
AppLocker provides a robust experience for IT administrators through new rule creation tools and wizards. Using a step-by-step approach and fully integrated help, creating new rules, automatically generating rules, and importing and exporting rules is intuitive, so that rules are easy to create and maintain.
For example, IT administrators can automatically generate rules using a test reference machine and then import the rules into a production environment for widespread deployment. The IT administrator can also export policy to provide a backup of your production configuration or to provide documentation for compliance purposes.
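The reference-machine workflow just described, as an added example using the Windows 7 AppLocker cmdlets (not code from the article or from Microsoft). It assumes Windows 7 Enterprise and an elevated session on both machines; the GPO LDAP path in the comment is a placeholder.

```powershell
# Added example: generate rules on a reference machine, export them as XML, then import them
# on a production machine. Assumes Windows 7 Enterprise, an elevated session, AppLocker module.
Import-Module AppLocker

# 1. Reference machine: inventory every artefact type AppLocker can govern under Program Files
$refFiles = Get-AppLockerFileInformation -Directory $env:ProgramFiles -Recurse `
                -FileType Exe, Dll, Script, WindowsInstaller

# 2. Turn the inventory into rules. Signed files get publisher rules (they survive updates);
#    unsigned files fall back to hash rules. -Optimize collapses rules that differ only by version.
$exportPath = Join-Path $env:TEMP 'reference-policy.xml'
New-AppLockerPolicy -FileInformation $refFiles -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix Reference -Optimize -IgnoreMissingFileInformation -Xml |
    Set-Content -Path $exportPath -Encoding UTF8

# 3. Still on the reference machine: list what the generated policy would NOT allow to run.
#    Anything listed is either unsigned and changed since the inventory, or a gap to fix.
$candidates = Get-ChildItem -Path $env:ProgramFiles -Recurse -Include *.exe, *.dll |
              ForEach-Object { $_.FullName }
Test-AppLockerPolicy -XmlPolicy $exportPath -Path $candidates -User Everyone `
    -Filter Denied, DeniedByDefault | Format-Table FilePath, PolicyDecision -AutoSize

# 4. Production machine (or a GPO, via -Ldap 'LDAP://<GPO distinguished name>'): back up the
#    current effective policy first, then merge the reference rules into it.
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path (Join-Path $env:TEMP 'effective-backup.xml')
Set-AppLockerPolicy -XmlPolicy $exportPath -Merge
```

The exported XML from step 2 and the backup from step 4 are the artefacts to keep under version control as the compliance record the text mentions.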
AppLocker is a new technology in Windows 7 that will be part of the Enterprise SKU, while the legacy Software Restriction Policies will be available in the Business and Enterprise SKUs.
Windows 7: Enterprise Security
There is a lot of buzz about the security features in the upcoming release of Microsoft’s Windows 7 operating system, especially User Account Control (UAC).
Microsoft designed UAC to control the elevated “administrator” privilege that is so dangerous from an IT security perspective.
UAC debuted in Windows Vista to help reduce privilege levels of all users, non-IT and IT employees alike, when tasks were being performed that did not require elevation.
Despite these good intentions, however, Vista’s UAC received a tremendous amount of negative feedback due to the number of “pop-up” windows that occur during routine use of the desktop.
Windows 7 features a new approach to UAC, providing a “slider” to control how often UAC pop-ups occur and for which actions they are monitoring.
The questions these changes raise include:
- What exactly does UAC do?
- How should UAC be set in order to protect your desktops?
- Is the “slider” a good decision?
What UAC is designed to do
When UAC is enabled in either Vista or Windows 7 the goal is the same: to protect the user from unknown malware and viruses running in the background, as well as from unauthorized changes to the operating system files and Registry. When a task is triggered that causes a protected part of the operating system to be modified, UAC will prompt the user for consent (if an administrator) or prompt the user for the credentials necessary for the privilege to perform the action (if the user is a standard user).
For standard users, UAC is not an ideal solution. With the prompt for credentials that UAC provides, there are only two possible solutions to allow the action to be performed. The first is the “over the shoulder input from an IT employee” when there is a prompt, which is not feasible due to mere logistics.
The second is to give the user alternate credentials, which in essence grants the user administrative privileges to the entire computer. Both options provide poor solutions to the issue.
However, for administrators, UAC provides an excellent solution for protecting the computer against actions that were not launched by the user, but were launched from malicious code running in the background.