Windows 7 security enhancements

Windows 7 makes remote connectivity to corporate networks seamless, protects data on thumb drives, and offers fewer user account control prompts to bug users compared to Vista, Microsoft said on Monday.

The software giant began an education blitz about the security features of the newest version of its operating system at the start of the RSA 2009 security conference.

Windows 7, which was released in public beta in January, will have 29 percent fewer user account control (UAC) prompts than Windows Vista has, and fewer prompts in general, according to Paul Cooke, director of Windows Client Enterprise Security.

"We've put users in control and allowed them the ability to tune the level of prompting" using a slider bar, he said in an interview.

Other new security features in Windows 7 are DirectAccess and BitLocker To Go.

DirectAccess offers remote workers the same level of seamless and secure connectivity as they have in the office. The system automatically creates a secure tunnel to the corporate network and workers don't have to manually substantiate a connection, Cooke said.

DirectAccess also allows IT administrators to patch systems whenever a remote worker is on the network, he said.

BitLocker To Go extends the data encryption features introduced in Vista to removable storage devices like USB thumb drives and flash drives. A password or a smart card with a digital certificate stored on it can be used to unlock the data. The devices can be used on any other Windows 7-based machine with the correct password. On XP and Vista machines the data on the drives can be read but not modified, Cooke said.

Smart-card provider Gemalto is offering multifactor authentication for Windows 7 for even more secure access to machines accessing the network, said Ray Wizbowski, director of marketing and communications at Gemalto. Now, a user can insert a card into a smart-card reader built into a laptop and either enter a personal identification number or use a fingerprint to access the data, he said.

Windows 7 also includes AppLocker technology that allows administrators to control the software that runs in the corporate network to ensure that only authorized scripts, installers, and dynamic load libraries are accessed. It also can be used to keep unlicensed software off machines, according to Cooke.

More information about Windows 7 security features are in posts on the Windows Security Blog and the Windows Blog.

[monkeyfun14]

Waits for the FUD to roll of the uneducated fanboy's tongues.

[The_happy_switcher]

Keep waiting for Windows to be secure, some time in the year 2109 perhaps<br /><br />[Editor's note: Personal attack deleted.]

[monkeyfun14]

Its more secure then OSX pwn2own anyone?

[monkeyfun14]

Sticks and stones<br />Sticks and stones

[feranick]

@Applerocks:<br /><br />You have been watching too much of this:<br /><br />http://movies.apple.com/media/us/mac/getamac/2009/apple-mvp-time_traveler-us-20090419_480x272.mov

[danielwsmithee]

"Windows 7 also includes AppLocker technology that allows administrators to control the software that runs in the corporate network to ensure that only authorized scripts, installers, and dynamic load libraries are accessed. It also can be used to keep unlicensed software off machines, according to Cooke."<br /><br />As an embedded software engineer working in a corporate environment I could really see this feature being a major pain. I can just imagine having to call IT up every time I want to execute a script, utility, executable as part of my work. Many IT people already try to limit what tools an engineer can use (via approved tools lists) then question you if you are using anything else to get you job done. Most engineers that work in that type of environment just have to ignore IT in order to get their jobs done. This feature sound to me like a productivity killer in corporation with micro-managing IT organizations.

[Random_Walk]

One would suspect that the Group Policy object would be set to make exceptions for certain folks based on their usage... then again, until the admins figure down the feature, it's gonna suck :)

[danielwsmithee]

I'm sure that is true it will support making exceptions for people. The problem is that almost every tool/feature the IT department actually puts on the network they spend as little time configuring as possible.

[dhavleak]

It's possibly something for more locked down environments (picture a store kiosk or a point-of-sale machine) -- they usually run just a single app in full-screen mode, so you never even notice that it's ruinning windows/linux/whatever. Locking these machines down so they can only use a single app means that even if there's a glitch/bug causing the app to exit, a customer on your shop floor can't start snooping around.

[monkeyfun14]

@daniel<br /><br />Well thats IT's problem now isn't it?

[Random_Walk]

DirectAccess sounds cute, but I can do all of that right now with a simple SSL VPN coutesy of my Cisco ASA. The only diff is an icon which the remote user double-clicks (or a website addy), and enters username+password - this latter part worries me a bit with the Windows 7 angle, since, if it is all automatic, anyone who steals the laptop and cracks the SAM (not tough to do at all w/ local access and knowledge of the local auth cache) can get full (within user rights) access to the corporate network. <br /> <br />BitLocker to Go sounds nice, though. You would almost have to have the two used in concert, then pray that your remote user doesn't store the USB fob in the same laptop bag as, well, the laptop...

[dhavleak]

I like your passive/aggressive use of the word cute there :) <br /> <br />The difference isn't the *automation* of username/password.. It's the fact that you need to present an X509 cert that will reside on your smartcard - so if your laptop is stolen, people still need your smartcard to get access. At least, that's what I understood. That would take care of your bitlocker/usb-key/laptop and key in same back situation as well. <br /> <br />Of course, if the smartcard gets stolen (along with everything else), the employee needs to immediately call IT so they can revoke (stop trusting) it's cert.

[gnutux]

It's great to see Microsoft keeps their game with its sudden realization that security is important during the development of Vista. No longer can we mock Microsoft for being unsecure. However, Microsoft is making their OS work more like UNIX than before. Being a UNIX fan (running Linux, BSD and MacOS X), it's an interesting way forward.<br /><br />I haven't recommended Windows XP since 2003 when I started to recommend people to go Linux or Mac. Now, if they don't want Linux or Mac, I would simply refer them to Vista and to tell them to stay clear of XP and other Vista predecessor since they're simply not secure.

[David Dudley]

Technically speaking, Windows is far ahead of the MacOS when it comes to security via it's NX bit and ASLR. Running Chrome on Vista SP1 makes the user experience quite secure. Unfortunately, there are other holes inherent and Windows.<br /><br />And lest we forget the Mac botnet discovered by Symantec. Stupid users are a security vulnerability that no engineer can code away.<br /><br />http://www.techtree.com/India/News/Symantec_Discovers_First_Ever_Mac_Botnet/551-101234-582.html

[seven7dust]

thats good to hear !<br />will still continue with Macs though cause at the end of the day there's still no need for CPU hogging AV software plus the added hassle of updates n scans plus maintenance every week ! not to mention re-installs and slowdowns<br />cause at the end of the day thats wat matters to me as a user

[monkeyfun14]

I love how Mac users think there OS is immune to malware.<br />Any box can be taken down even linux with a good social engineering exploit.<br />Your computer is only as safe as the user.<br />Ignorance is bliss though fanboys.

[seven7dust]

@monkeyfun14<br />then explain why they still hasnt been a Widespread attack on Macs even after all these years the best they can come up with is a single botnet<br />yet Pcs are going down like flies everyday !<br />Like I said at the end of the day we Mac users don't need to spend time and effort on pointless things like updates and scans everyweek !<br />thats all that matters ! everything else is FUD !

[monkeyfun14]

http://www.geekzone.co.nz/foobar/6229<br />Educate yourself

[rapier1]

So as a mac user I have to wonder why seven7dust never has to update his mac. And really, if he doesn't run yasu on the daily, weekly, monthly rotation I have to wonder about his system performance as well.

[David Dudley]

Sorry to say that Apple products, like everything else out there, is quite insecure or else there would be no need for security updates and patches. Specifically, the Safari is quite the insecure browser and has many exploits available to it.<br /><br />http://support.apple.com/kb/HT1222<br /><br />I'll jump on the anecdotal evidence bus and state that as a former Apple worker and a never ending Windows user, I've never been required to install anti-virus software on my pc nor have I been infected with any malware. I have installed anti virus software to check, but as always, it lets me know I'm free and clear. So there! Since I've witnessed such an occurrence, we will all have to acknowledge my evidence as science fact.

[seven7dust]

Since I use both Pcs and Macs daily<br />Do I really need anything more than personal experience to judge something<br /><br />I really don't care which has more vulnerabilities or malware etc.<br />the fact remains that with my PC running Windows Xp<br />I need atleast 4-5 tools like Adaware spybot Avira Zone alarm and CC cleaner<br />and weekly or monthly scans and updates to keep it running optimally<br />on my Macbook zero, and guess wat I use more, my Mac obviously<br /><br />@rapier - I've never ever heard of a app like that and yes I've been running without slowdowns for over a year now ! but I've switched to Tiger though !<br />as far as updates ,do we really need to compare weekly windows update to OSX updates which happen like once in a blue moon not to mention AV definition updates <br />plus there's the fact that I use tiger so no updates for me even if I want !<br /><br />@monkeyfun - what exactly is the point of showing me a said linux virus which for some reason still hasn't infected linux machines , your right ignorance is bliss in your case<br /><br />@david - Since you don't run av software or anti-malware software on your PC<br />then both Pcs and Macs are secure by your scientific findings<br /><br />but unfortunately last week for the folks at the university of Utah <br />and for millions of other infected Pcs thougout history thats simply not been the case though it must be the users who are at fault then , cause we all know Microsoft ,they are perfectionists how can they produce Buggy software it's unheard of right<br /><br />cant think of any mac users ever experiencing such problems though, patches or no patches ! maybe it's the small 50 million userbase cause we know Apple they have a bad track record when it comes to security, a first ever Mac botnet was found last week after all

[Vegaman_Dan]

@Seven7dust wrote:<br /><br />"I really don't care which has more vulnerabilities or malware etc."<br /><br />Considering you post on every Microsoft or Apple story about how great Apple is and how horrible Microsoft is by comparison, you sure seem to have a pretty predetermined opinion. I'd say you do care quite a bit and have already made up your mind regardless of what the situation actually may be.<br /><br /><br />"I really don't care which has more vulnerabilities or malware etc.<br />the fact remains that with my PC running Windows Xp<br />I need atleast 4-5 tools like Adaware spybot Avira Zone alarm and CC cleaner<br />and weekly or monthly scans and updates to keep it running optimally on my MacBook zero."<br /><br />I think you missed some punctuation there. But in any case, if you needed to run that many security tools that frequently on your PC, then either you were lacking in basic computer security knowledge, or spending your time on porn sites / warez sites that would infect your machine so frequently. <br /><br />That's just the appearance you give with your comments.

[seven7dust]

@ Vegaman_Dan <br />all joking aside do you really believe that Windows is just as secure as OSX or linux ?<br />like the other posters !

[tm_anon]

@ Vegaman_Dan<br /><br />Strange, I took care of two computers, both running Windows XP. One was mine and one was my roommates. <br /><br />Mine had fewer viruses and malware, was in a more private physical location (meaning more porn), ran faster and was bought a year prior to my roommates computer which had more viruses and malware, was in a more public location (meaning less porn), ran slower and had a faster processor with more RAM. <br /><br />The difference was that I ran a nightly scan for malware, cleaned the cache, had a fully updated antivirus running constantly and kept my hard drive defragged. <br /><br />Now I run Ubuntu, the only viruses I ever see on my machine are Windows viruses that won't run anyway. Sure I clean them off, don't want to contribute passively to my friends getting infected but otherwise I have no reason to even bother with an antivirus program except for the possible future necessity of having one. <br /><br />Back to the original point. My roommates computer had viruses, malfunctioned and in the end before he moved out, wouldn't even update the antivirus program (I check for Conficker, it was something else). Mine was clean and ran like the day I bought it. I just switched because I was tired of working for the computer. Running that many security programs, as long as they don't conflict with each other, is the only way to ensure a clean Windows box no matter what websites you surf to. Viruses can come from anywhere, not just porn sites.

[Angmarr]

Thx Apple because of you Windows is getting better everyday, just the right competition that they needed. Not anywhere close to being powerful enough to overthrow, but just enough nagging to make windows better!

[shellcodes_coder]

Windows 7 will rule. Yo CrApple fan boys, say what ever you want but crap OS X is going down...

[ikramerica--2008]

Snow Leopard will be better. Early builds show massive speed improvements on multi-cores. Mac Pro is completely unleashed in Snow Leopard. Windows 7 may be what Vista should have been, Vista SP2, but that will still only be what Leopard is today. Snow Leopard will be step ahead...

[Angmarr]

@ shellcodes_coder<br /><br />Absolutely, the apple fad will die out soon

[shellcodes_coder]

ikramerica--2008: nice joke man. Which comedy show do you work for? I should watch that show because I wanna laugh AGAIN :)

[goodspeed8701]

os x users thinks they are free from botnets. till an AVS detects it you never can tell. you might be infected right now. One thing is for sure... there is no way os x can be more secured than windows. i used vista all the time without AVS and i never got infected not crash now i am on windows 7 same thing no AVS and its rock solid. Then i install microsoft virtual machine to run Xp and still no anti virus and i dont see any bsods or have to restart my xp. it just works. I also prefer windows cos its so diff from other os. os x looks like linux and solaris.

[Yo-wassup]

Mac isnt safer, it just small target.

[DOTA AllMoons]

nice comment...small target all right

[n25philly]

When it comes, it's going to come hard. Obscurity is a not a security measure<br /><br /><br /><br /><br />By Chris Foresman | Last updated April 16, 2009 4:35 PM CT<br /><br />If you let yourself get tempted into installing the pirated versions of iWork or Photoshop CS4 that circulated on Bit Torrent earlier this year, you may have unwittingly turned your Mac into a zombie. Security researchers for Symantec have turned up evidence that these zombie machines are being used to create a Mac-based botnet.<br /><br />Botnets are used to perform DDoS attacks on systems, gather sensitive personal information, and send out a majority of the spam that clogs up the 'Net. While commonly made out of infected Windows computers, this is the first known attempt to create one from Macs.<br /><br />The two variants of the iServices trojan, OSX.Trojan.iServices.A and OSX.Trojan.iServices.B, have been implicated in at least one DDoS attack. According to researchers Mario Ballano Barcena and Alfredo Pesoli, the malware has peer-to-peer communication, remote start-up, and encryption capabilities. <br /><br />"The code indicates that, wherever possible, the author tried to use the most flexible and extendible approach when creating it?and therefore we would not be surprised to see a new, modified variant in the near future," according to their report. They also noted that the person who activated the botnet is not the same as the original author of the malware code.<br /><br />After the trojans were reported in January, most anti-virus software was updated to remove the payloads associated with the iServices trojans. Removing the directories /System/Library/StartupItems/DivX and/or /System/Library/StartupItems/iWorkServices should help, but that doesn't rule out other remnants getting left behind?if you suspect you were infected with either of these trojans, you may want to look into AV software. We'll also again repeat our favored refrain of "Steer clear of pirated software and sketchy files from website or torrents," which should help you avoid infection in the first place.<br /><br />While Mac OS X doesn't suffer from the sheer amount of malware that Windows does, the creation of this botnet should serve as a warning that security through obscurity isn't a sound security policy?and Macs are far from being obscure any more.

[monkeyfun14]

Waits for the well that requires user interaction argument and apologists.

[sdorand]

Lots of great info about Windows 7 over at http://windows7releasedate.com/

[BluePWNR]

HEY!!!<br />I know Windows users and Mac Fanboys will never get along, but plz, can we just settle the point Windows is most often targeted by malware since most often they are holding sensitive data, and are relaitively easy to infect (if not properly maintained). but, a properly used and maintained Windows machine will probably have the same probabilty of being infected as a mac or linux...<br />now, could we stop the arguing, (i know i'm about to get flamed for this -.-)

[BluePWNR]

Edit: Addon<br />@Ikra I have a question about Apple Fanboys<br />Are all of them as naive as you about Windows security features? Since you just said what happens on a Mac when you download something, which is the exact same as on most Windows systems and pointed it out as an advantage for Macs. also, your ignorance makes me concerned about Apple Fanboys, are they naive about security or not. <br />This is why i stay in the malware section of the Forum ; `

[mufason]

Hackers just like the PC more. <br /> <br />Zoom <br /> <br />Regardless of which side you're on (though as a true computing enthusiast, you shouldn't be taking sides), you've heard the arguments back and forth on the which operating system is truly safer ? Mac OS X or Windows. <br /> <br /> <br />It is of the opinion of Charlie Miller, a well known Mac security guru, that even Snow Leopard, the latest version of Mac OS X, isn't as safe as Windows. <br /> <br /> <br />One key point is that Snow Leopard still doesn't have ASLR, or address space layout randomization, which randomly arranges the position of key data making it harder for hackers to target for exploits. <br /> <br /> <br />Miller said to TechWorld that Apple didn't change the ASLR from 10.5 to 10.6: "Apple didn't change anything. It's the exact same ASLR as in Leopard, which means it's not very good." <br /> <br /> <br />Apple didn?t completely missed the chance to tighten up security in Snow Leopard though, as the new QuickTime solves a lot of the issues that Mac OS X had before. <br /> <br /> <br />"Apple rewrote a bunch of QuickTime," said Miller, "which was really smart, since it's been the source of lots of bugs in the past." <br /> <br /> <br />One thing that Snow Leopard did adapt, which Windows has had since XP SP2, is DEP (data execution prevention). With DEP, buffer overflow attacks are much harder to execute. <br /> <br /> <br />Despite Miller's opinion that Windows is the more secure OS, the large install based of Microsoft-based systems make them a much more attractive target for hackers. Still, Miller would like to see security on all platforms. <br /> <br /> <br />"Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7," he said. "When Apple has both [in place], that's when I'll stop complaining about Apple's security."