Background
ISO Consensus papers present the expert security perspective of the Information Security Office staff at the University of Texas at Austin.
Windows 7 is scheduled for official release on October 22, 2009. It is eagerly anticipated as a replacement for Vista, which was not well received by consumers or businesses because of its hardware requirements and application support issues. That said, Windows 7 is an incremental release that streamlines the interface and addresses many of the flaws in Vista; it is not an overhaul or rewrite of the underpinnings of the operating system.
Higher education networks often contain a mixture of managed and unmanaged Windows workstations. Managed Windows workstations are usually under the control of an administrative authority through Active Directory, are updated and managed using a central utility, such as SCCM or Altiris, and use an enterprise-wide anti-malware solution. On unmanaged Windows workstations, the typical user has administrator access and relies on automated updates from Microsoft and anti-malware companies.
The purpose of this paper is to provide guidance regarding the security of Windows 7. Where applicable, we include notes on differences in recommendations between unmanaged and managed workstations. Although there are several editions of Windows 7, for the purposes of this paper, we evaluated Windows 7 Enterprise only.
Major Points
Pay attention to what you’re purchasing: There will be six different editions of Windows 7: Starter (OEM only), Home Basic (emerging markets only), Home Premium, Professional, Enterprise, and Ultimate. The first two will not be generally available to the public. Depending on which version you buy, you may be getting only a subset of security features. For instance, BitLocker and AppLocker are only available in the Enterprise and Ultimate editions. Many business-oriented features, such as EFS and the ability to be an Active Directory member, are not available in the Home editions. See the Windows 7 Comparison Chart for a detailed comparison of the features available in each edition of Windows 7. In addition to the differences between editions, OEM computer makers may preinstall Windows 7 with a different set of security defaults, or include third-party security packages.
Your upgrade path depends on what you’re currently using: If you are upgrading from Windows Vista, you may only upgrade to the same or a higher edition. For example, if you have Windows Vista Business edition, you can upgrade to Windows 7 Professional, Enterprise, or Ultimate, but you are not eligible to upgrade to Windows 7 Home Premium. Upgrades to any edition of Windows 7 are allowed from Windows XP clients. However, the upgrade process itself requires a complete re-install; in-place upgrades from Windows XP are not supported.
The security features are useful only if used: The security features in Windows 7, namely the Firewall, User Account Control (UAC), and the Action Center, will alert or prompt the user when an action is required. If users perceive this as happening too frequently and become annoyed, they may disable these features if they have administrative rights, reducing the overall security of their systems. User education and restricting administrator access reduce the likelihood of this. The ISO continues to strongly recommend that users not have administrative access to their workstations.
Consider using centralized management to enforce security: Many of the security controls in Windows 7 can be managed, or at least enabled, centrally. This allows you to force a system to be compliant with your policies. Consider using Active Directory group policies and other management tools.
Don’t get a false sense of security: Although Windows 7 has added a few new security features and enhanced ones introduced with Vista, it is still important to be vigilant and maintain a layered approach to security. Anti-virus is one additional layer that should not be neglected; others might include a perimeter firewall, host/network intrusion detection, and third-party auditing tools. Even operating systems that have a better security history than Windows and have implemented some of the same security features (such as privilege separation) for a much longer period of time are compromised occasionally.
You can afford to wait to upgrade: As long as your current systems are up-to-date and have the appropriate security controls in place for your environment, the improvements and new features offered in Windows 7 alone may not be enough to warrant an immediate upgrade. Microsoft will continue to support Windows XP and Vista with security updates for some time to come. It has been our experience, however, that Windows 7 performs significantly better on older hardware than Vista and is faster and more stable overall. Some of the new security features are especially compelling. We recommend that, as resources become available, Windows 7 be evaluated for deployment in your environment.
Recommendations/Observations
Internet Explorer 8
Internet Explorer 8 comes preinstalled with Windows 7 and is available for download for Vista and XP. IE 8 builds on many of the new security features included with IE 7 to make them more functional and user friendly.
Domain Highlighting is part of the new IE8 user interface and highlights what Internet Explorer perceives to be the owning domain of the site being viewed. The purpose of this feature is to help users identify the real site being viewed in order to reduce successful phishing attacks.
The SmartScreen Cross-Site Scripting (XSS) Filter helps protect users from reflected XSS vulnerabilities in Web applications. A reflected XSS attack occurs when an attacker is able to inject client-side code into a page that is executed when viewed by a user. Once the code has been executed, which often happens without the user’s knowledge, the attacker has complete control over the page and is able to do a number of things ranging from defacing the page to capturing any sensitive data entered by the user. This is an extremely common vulnerability. IE 8 analyzes all data entered by or returned to a user, neutralizing anything that doesn’t appear to have a valid use scenario to the application.
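To make the reflected XSS pattern and the two places it can be stopped concrete, here is an added illustration (not code from the paper, and not IE 8's actual filter logic): a hypothetical search page that echoes a query parameter, the same page with output encoding applied, and a simplified client-side check in the spirit of the IE 8 filter, which has both the request and the response in hand and neutralizes request values containing active markup that come back verbatim. The query string and page are constructed samples; the markup pattern list is an assumption chosen for the example.

```python
import html
import re
from typing import List
from urllib.parse import parse_qsl

# Constructed sample request: a search page whose "q" parameter is echoed
# back into the page. The value carries harmless markup so the reflection
# is visible; in a real page the attacker would choose the payload.
QUERY_STRING = "q=%3Cscript%3Edocument.title%3C%2Fscript%3E&page=2"


def vulnerable_render(query_string: str) -> str:
    """Echo the 'q' parameter verbatim: the reflected XSS flaw described above."""
    params = dict(parse_qsl(query_string))
    return f"<p>Results for: {params.get('q', '')}</p>"


def hardened_render(query_string: str) -> str:
    """Same page with output encoding, the server-side fix that removes the
    flaw regardless of which browser the user runs."""
    params = dict(parse_qsl(query_string))
    return f"<p>Results for: {html.escape(params.get('q', ''))}</p>"


# Request values that a plain text parameter has no legitimate reason to
# carry (assumed list for this example; a real filter uses many more rules).
_ACTIVE_CONTENT = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript:", re.I
)


def find_reflected_active_content(query_string: str, response_html: str) -> List[str]:
    """Return the names of parameters whose value contains active markup AND
    appears unchanged in the response. Only a component that sees both sides
    of the exchange (the browser) can make this comparison."""
    hits = []
    for name, value in parse_qsl(query_string):
        if _ACTIVE_CONTENT.search(value) and value in response_html:
            hits.append(name)
    return hits


def neutralize(query_string: str, response_html: str) -> str:
    """Rewrite each reflected active fragment into its HTML-escaped form so the
    browser renders it as text rather than executing it."""
    out = response_html
    for _name, value in parse_qsl(query_string):
        if _ACTIVE_CONTENT.search(value) and value in out:
            out = out.replace(value, html.escape(value))
    return out


if __name__ == "__main__":
    page = vulnerable_render(QUERY_STRING)
    print("reflected parameters:", find_reflected_active_content(QUERY_STRING, page))
    print("neutralized page:", neutralize(QUERY_STRING, page))
    print("hardened page:   ", hardened_render(QUERY_STRING))
```

The client-side check is a safety net, not a substitute for the server-side fix: `hardened_render` produces a page in which the filter finds nothing to do, which is the state every Web application should be in.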
InPrivate Browsing allows users to prevent IE 8 from storing browsing history, cookies, and other data while browsing the Web. With this feature on, the browser will not store form data, passwords, addresses entered into the address bar, searches entered into the search bar, or any history entries. It will also delete all cookies and temporary files created during the session when the browser is closed.
Windows Sensor and Location Platform
The Windows Sensor and Location Platform enables applications to access data about the current environment and take actions accordingly. For instance, ambient light sensors may allow applications to change screen brightness or optimize content for readability based upon lighting conditions. Applications can take advantage of location sensors, such as GPS units, WWAN radios, and triangulation technology, to provide location-based functionality and locally relevant content.
Support exists for numerous other sensors like accelerometers, RFID readers, cameras, temperature sensors, and motion detectors. Sensors also do not have to be built into the device, but may be a publicly-accessible resource such as traffic and weather stations.
While all sensors are turned off by default to protect user privacy, when enabled there is not much granularity. When a sensor is enabled, it works for all programs running under a particular user or all users. There is no way to allow only specific applications to access data from a sensor. Fortunately, there are confirmation dialog boxes that appear to inform users of the risks involved with this and only users with administrative rights can enable a sensor. We recommend that sensors be left off unless needed.
Managed environment notes: Group policy can be used to enable and disable sensors.
Data Recovery Agents with BitLocker
There are some new features available with BitLocker in Windows 7 in a managed environment. BitLocker, originally introduced with Windows Vista, provided a way for users to encrypt an entire hard disk. This was a positive step, but there were concerns as to how the data would be recovered in the event that the encryption key was lost. Data Recovery Agents allow the creation of a certificate-based recovery agent that can be used to recover the contents of any BitLocker protected volume. The group policy settings for Operating System Drives, Fixed Data Drives, and Removable Data Drives are separate to provide flexibility in how recovery options are configured for the different threats each drive type is likely to experience.
Recovery key and key escrow options for BitLocker in an unmanaged environment are unchanged.
BitLocker To Go
With Windows 7, BitLocker is now capable of encrypting USB storage devices in addition to hard drives. This is a really nice addition, as removable drives are easy to steal and are often misplaced or lost. Removable drives automatically show up in a new section of the BitLocker Drive Encryption control panel, making the whole process very easy. Access to an encrypted device can be restricted by either a passphrase or a smart card. During the encryption process, it is possible to create a recovery key that can be used to recover the data if the passphrase is lost or forgotten.
Even users who haven’t upgraded to Windows 7 can benefit from this new feature. Windows XP SP3 and Vista SP1 can both read devices protected by BitLocker To Go with the passphrase or smart card. To enable this support, the USB drive must be formatted with FAT or FAT32. NTFS-formatted drives protected with BitLocker To Go are not usable with XP or Vista.
Managed environment notes: Group policies can not only control the length and complexity of the passphrase, but also mandate the use of BitLocker protection on removable devices before being able to write to them.
HomeGroup
HomeGroup is intended to provide a simple way to share specific types of files and resources with other Windows 7 computers. When setting up a network connection, Windows 7 will prompt the user to specify the location of the machine as one of Public, Home, or Work. If the user selects Home, a wizard starts, guiding the user through the process of setting up a HomeGroup. HomeGroups can be configured to share the contents of the Music, Videos, Pictures, Documents, and/or Printers folders. Access to a HomeGroup is restricted only with a simple password, which is created automatically by Windows. When other computers join the same network, they are prompted to join the HomeGroup. Domain joined computers can also be a part of a HomeGroup.
Since HomeGroups have no real access controls or security past the initial password required to join, we recommend that users do not use this feature to share files and resources. Instead, they should continue to use the advanced file sharing functionality that has been present with Windows for several versions. Selecting Work as the machine location during the network setup will disable the ability to create or join a HomeGroup.
Windows Firewall
With Windows 7, the firewall profiles have been changed. There are now Domain, Work, Home, and Public profiles available. Work and Home are both considered private networks, but Home enables the use of the aforementioned HomeGroups. Each profile can be configured independently and multiple profiles may be active at the same time if the computer is connected to multiple networks. Each connected network adapter may have a different profile and rule set applied.
The firewall interface has also been updated with this release to expose more of the advanced configuration options. Users no longer have to use the MMC snap-in to manage the outbound connection rules as this functionality is exposed in the standard interface.
With previous versions of the firewall, events were only logged to a text file. Now events are also logged to the Applications and Services event log, which means that the event viewer can be used to search and filter firewall events.
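The text log mentioned above is still written on Windows 7 (by default to %systemroot%\system32\LogFiles\Firewall\pfirewall.log) and remains the easiest artifact to pull into scripted review. As an added example, not part of the paper, the following Python parses that W3C-style format using the #Fields header the file itself declares and runs a simple detection over it: one source host whose inbound packets were dropped on several different destination ports. The log excerpt is constructed for the example; the header lines mirror the real file's layout, and the entries are invented.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the layout of pfirewall.log. The "#Fields:" line
# names the columns, exactly as the real log does; the entries are made up.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-10-22 09:15:01 DROP TCP 10.0.0.5 10.0.0.20 49152 445 52 S 1234567 0 8192 - - - RECEIVE
2009-10-22 09:15:02 DROP TCP 10.0.0.5 10.0.0.20 49153 139 52 S 1234568 0 8192 - - - RECEIVE
2009-10-22 09:15:02 DROP TCP 10.0.0.5 10.0.0.20 49154 3389 52 S 1234569 0 8192 - - - RECEIVE
2009-10-22 09:15:03 DROP TCP 10.0.0.5 10.0.0.20 49155 135 52 S 1234570 0 8192 - - - RECEIVE
2009-10-22 09:15:09 ALLOW TCP 10.0.0.20 192.0.2.10 49200 80 0 - 0 0 0 - - - SEND
2009-10-22 09:16:00 DROP UDP 10.0.0.9 10.0.0.20 137 137 78 - - - - - - - RECEIVE
"""


def parse_firewall_log(text: str) -> List[Dict[str, str]]:
    """Turn each entry into a dict keyed by the column names from '#Fields:'."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and the other header lines
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # skip anything that does not match the declared layout
        records.append(dict(zip(fields, parts)))
    return records


def action_counts(records: List[Dict[str, str]]) -> Dict[str, int]:
    """How many ALLOW versus DROP entries the log holds."""
    return dict(Counter(r["action"] for r in records))


def dropped_by_source(records: List[Dict[str, str]], min_ports: int = 3) -> List[Tuple[str, int]]:
    """Sources whose inbound (RECEIVE) packets were dropped on at least
    min_ports distinct destination ports: a one-host-many-ports pattern that
    is worth a closer look. Returns (source IP, distinct port count) pairs."""
    ports: Dict[str, set] = defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE":
            ports[r["src-ip"]].add(r["dst-port"])
    return sorted((ip, len(p)) for ip, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print("entries:", len(recs), "by action:", action_counts(recs))
    for ip, n in dropped_by_source(recs):
        print(f"{ip}: dropped on {n} distinct destination ports")
```

Because the parser reads the column names from the header rather than hard-coding positions, it keeps working if a future version of the log adds or reorders columns. The threshold in `dropped_by_source` is deliberately low for the sample; on a real workstation log, tune it against normal traffic before treating a hit as notable.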
Managed environment notes: In a managed environment, firewall policies can be enforced via group policies.
Windows XP Mode for Windows 7
Windows XP Mode for Windows 7 is intended to be a quick and easy way to provide enhanced application compatibility with older applications that may not function correctly in Windows 7. It uses Microsoft’s Virtual PC technology to create a Windows XP virtual machine that is integrated with the host environment. Applications installed in the virtual machine can be run from the Windows 7 desktop and will appear like native applications with access to the contents of the clipboard, printers, and user folders. Windows XP Mode is included with the Professional, Enterprise, and Ultimate editions of Windows 7 and requires a processor with hardware assisted virtualization.
Should you choose to use this technology, it is very important to realize that the Windows XP virtual machine is a completely separate computing environment and must be secured, patched, and kept updated independently of the Windows 7 host operating system.