Tuesday, July 27, 2010

Windows 7

After a devastating wrong turn with Vista, Microsoft is back on its game with Windows 7. Sure, Windows 7 has annoyances – such as touting attractive features, but making most of them available only to those who pay extra for Enterprise (or Ultimate). But Windows 7 Enterprise delivers a plethora of improvements to justify the cost and pain of migration.

The login page:

Top 10 reasons to Upgrade to Win7:

Get quicker access to all of your stuff—use Pin and Jump Lists to keep the programs and files you use the most right at your fingertips.


Do more and wait less—improvements that can accelerate sleep and resume and make your PC more responsive help you get more done.

Better compatibility—works with a larger set of software and devices.

Share files and printers among multiple PCs—from one Windows 7-based PC to another, you can share files, music, photos, and even printers across your home network.

Stay entertained effortlessly—Watch TV shows for free when and where you want with Internet TV on Windows Media Centre.

Easily create and share movies—create great looking movies and slideshows and share them on YouTube in minutes.

Keeps your PC better protected with fewer interruptions—enjoy fewer system messages and alerts while still enjoying world-class security.

Touch and tap rather than point and click—Windows 7 makes PCs with touch screens easier and more intuitive to use.

Supports more TV, movies, videos, and music in more ways—get photos and more on your home PC with remote streaming while on the go.

Manage devices more easily—manage printers, cameras, music players, and other devices from a single, consistent, place.

The security benefits you could reap by upgrading to Windows 7 Enterprise include the following:

Improved platform security.

Windows 7 picks up where XP SP2 and Vista left off, extending Data Execution Protection and Address Space Layout Randomization to deter malware, even when browsing.

Kernel Patch Protection stops malware from hooking 64-bit kernel events, and Windows Service Hardening can enforce resource access profiles for included Microsoft services. Alas, not all applications use DEP and ASLR and only services can use WSH, but Windows 7 starts with a more solid foundation from which to fend off attackers. 

Safer browsing.

Internet Explorer 8, supplied with all versions of Windows 7, incorporates a wealth of security enhancements, including SmartScreen filtering, trusted domain highlighting, type 1 cross-site script attack filters, and InPrivate browsing.

IE8 takes advantage of ASLR and DEP and can apply more granular ActiveX settings—for example, letting admins authorize riskier ActiveX controls, but only by trusted sites or users. IE8 can also be installed on XP SP3 and Vista, but upgrading to Windows 7 makes the most of some IE8 features and provides further incentive to retire older, less secure browsers.

Secure protocol support.

Network protocols may not "wow" end users or sys admins, but they're a vital part of building a more secure foundation.

Windows 7 includes native support for IPv6 (including IPv6 IPsec) and DNSSEC. These more secure protocols make it harder for attackers to spoof IP packets and addresses by providing cryptographic authentication and integrity checks.

Enterprise networks must master other hurdles to actually use these protocols, but embedding protocol support in all of your endpoints satisfies one big pre-requisite. 

Location-aware connection security.
Windows 7 includes policy-based network segmentation, letting admins apply different Windows Firewall rules to each adapter based on location (e.g., Wi-Fi at the office, Wi-Fi at home, Wi-Fi at a public hotspot).

The Windows 7 Firewall itself has grown from outbound-only packet filtering into a full bi-directional TCP/IP firewall, enforcing rules that can now be centrally-configured with ActiveDirectory GPOs. Windows 7 still doesn't have the best personal firewall around, but this is a noteworthy improvement. 

Quick-and-easy file recovery.

Windows XP creates System Restore points to roll a damaged PC back to a know-good earlier state. Windows 7 and Vista beef this up with Volume Shadow Copy (VSC) – a service that backs up entire volumes, including Windows system files, program files, settings, and user files.

By default, shadow copies are created weekly on a Windows 7 PC with idle time. On-the-go workers can use VSC to recover a single lost document or a corrupted DLL in minutes, without connectivity or help. However, because shadow copies are stored on the same disk, they are not a replacement for routine data backup to archive. 

Always-on secure remote access.

For those tired of intrusive VPNs, Windows 7 Enterprise offers DirectAccess. DA uses auto-initiated, authenticated, encrypted IPv6/IPsec tunnels to securely connect remote Windows 7 users to private network resources.

DA tunnels can terminate at a Windows Server 2008 DA gateway or at any IPv6 Windows Server 2008 behind that gateway. Alas, in order to achieve user-transparent always-on secure remote access with DA, the enterprise must deploy Windows Server 2008 and IPv6. Fortunately, DA can wrap IPv6 inside IPv4 or HTTPS to traverse home and public networks that usually lack IPv6 today. 

Usable user access control.
The tighter User Access Controls first introduced by Vista are back in Windows 7 – after a rigorous reality-check back at Redmond. UAC deters apps and users from making unauthorized changes by defaulting to Standard User and requiring explicit permission to elevate privileges when needed.

Windows 7 now silently elevates many activities routinely needed by end-users (e.g., adding printers, changing time/date) to reduce prompting. Many Microsoft apps have also been refactored to segregate activities that do and do not require elevation, and admins can now configure prompts without disabling UAC altogether. 

Better desktop auditing.

Vista added XML-based audit events at a finer level of granularity. Windows 7 took this further by including more helpful information in audit events—for example, indicating not just that a given activity was permitted or denied, but why that decision was made. These enhancements improve forensic analysis and troubleshooting capabilities and make it possible to easily find all changes made by an individual user or group. 

Application whitelisting.

In Windows 7 Enterprise, XP/Vista Software Restriction Policy blacklists are replaced by AppLocker whitelists. SRPs were too hard to maintain and too easy to bypass.

Windows 7 AppLocker strikes a better balance by permitting or denying program launch based on Publisher Rules (recommended), Hash Rules (for programs without signatures), and Path Rules (as a last resort).

Publisher Rules check signatures on executables, installers, scripts, and libraries. A new wizard can even search an entire reference PC to find all programs and propose AppLocker Publisher Rules, falling back to Hash Rules only for programs without signatures. AppLocker still isn't for everyone, but it can deliver a more effective defense against malware while enforcing potentially-unwanted-program policies. 

On-the-go data protection.

BitLocker, introduced in Vista, is back in Windows 7 Enterprise with major improvements. BitLocker full-disk encryption can now be controlled by GPOs, use a wider PIN or two-factor authentication to unlock drives, and interface with a central recovery key store. Windows 7 also plugs the "USB hole" with BitLocker To Go—portable data encryption for USB drives.

BitLocker To Go stores an encrypted volume on a USB drive, along with a reader that can be used to decrypt those files on Vista or XP PCs. GPOs can be used to control whether unencrypted data can be written to USB, thereby enforcing encryption whenever files are permitted to leave an otherwise locked-down PC.

No comments:

Post a Comment