Posted: Tue Jan 26, 2010 10:07 am Post subject: Security Level in Windows 7
Hi,
I have recently installed this good-working OS. I just want to discuss its security level with all of you to find out if anyone is getting any virus problems.
Posted: Tue Jan 26, 2010 7:31 pm Post subject: Built on Windows 2008 and Vista
The Windows 7 architecture is very close to Vista and Windows 2008.
Right now it is hard to find great information on the internal details of the Windows 7 platform. It will come out at one point I am sure.
Here is some info I have seen on the Microsoft Web Site:
Windows 7: A First Look for IT Pros
Microsoft has just taken the wraps off the latest client operating system, Windows® 7. The first point to note—this is a pre-beta release, and is still an early first-look. While most information out there will focus on how Windows 7 makes everyday tasks easier, with improved user experience and productivity scenarios for end users, we thought we’d focus on information specifically of interest to IT professionals.
Built on the foundation of Windows Server 2008 and Windows Vista
To begin with, the core architecture of Windows 7 remains the same, as it is built on the same foundation as Windows Server® 2008 and Windows Vista®. This ensures that almost all PCs, applications and devices that are compatible with Windows Vista will retain their compatibility with Windows 7. This is important if you are evaluating or deploying Windows Vista today; there is no reason to hold off and wait for Windows 7. In fact, investments in adopting Windows Vista (testing, piloting, deploying) will pay off in a smoother transition to Windows 7 when it becomes available.
So what’s new in Windows 7?
In designing Windows 7, the engineering team had a clear focus on what we call ‘the fundamentals'—performance, application compatibility, device compatibility, reliability, security and battery life. This effort was aided by telemetry data on how PCs are being used and issues that resulted in poor performance or disruption. The focus on fundamentals didn’t start with Windows 7; in fact it is the continuation of the work on Windows Vista that materialized in Service Pack 1. While the first release of Windows Vista faced challenges with hardware and application compatibility, improvements introduced in SP1 and a maturing of the ecosystem has helped alleviate these issues.
Most important to IT pros will be enhancements to manageability and security—how it impacts your day-to-day work. Like Windows Vista, Windows 7 is engineered to make managing a PC environment more automated, controllable and efficient. Both client operating systems bring tools and monitoring capabilities that are not available in a Windows XP environment.
Further, Windows 7 imaging builds on the fundamental improvements made in Windows Vista, adding enumeration and driver management features. Data migration is faster and more flexible with a new ‘Hardlink’ feature, along with Offline Migration support.
Manageability
When we speak with IT pros, we usually hear about the pains you face maintaining a standard configuration and preventing end users from adding unauthorized software and hardware. In addition, for remote laptop PCs that spend most of their time off the corporate network, administering patches and updates is challenging and unreliable.
* In Windows Vista, the User Account Control (UAC) feature enabled more organizations to set their users to standard user mode, preventing unauthorized changes to the basic configuration. Windows Vista also added significantly more parameters that are manageable with Group Policy.
* In Windows 7, these two technologies advance further, with a customizable UAC that can be tuned to reduce the number of elevation prompts, if that is appropriate for the environment.
* Group Policy Preferences also extend the reach of what Group Policy can manage, and how settings are applied to specific users or computers, including non-GP aware components.
* Updating mobile PCs that spend most of their time off the network is a particularly challenging issue for IT organizations. Windows 7 will introduce DirectAccess, a capability that allows management and updating of internet-connected remote PCs, even when they are off the corporate network.
* For IT pros who are less than comfortable in a command-line scripting environment, the new PowerShell v2 and its graphical editor help automate repetitive tasks with minimal development expertise.
Security and Compliance
Security is one of those evergreen issues in IT management, and Regulatory Compliance is becoming a greater challenge with regulation expansion around the world. While significant advancements in PC security were made with Windows XP SP2, nefarious innovations in malware and social engineering means PCs are still prone to disruptive threats. Additionally, implementing regulatory compliance policy—especially protecting confidential data on mobile PCs—is a particular challenge.
Windows Vista introduced an architecture model that improved security by limiting changes that could be made to the registry without administrative credentials, while providing more instances where users could be deployed in standard user mode. UAC helped protect PCs, but in the short term it caused some disruption because applications needed to avoid performing certain tasks, such as writing to the registry or writing data to protected folders. With SP1, a maturing ecosystem, and in some cases the creative use of “shims,” most application compatibility issues have been resolved, while providing this added level of protection.
The introduction of BitLocker Drive Encryption in Windows Vista, and the extension of this protection to non-boot volumes in SP1 provided the higher degree of confidential data protection required in many industries.
Windows 7 builds on these advancements with a customizable User Account Control that allows IT pros to “tune” the feature based on their environment; for those instances where more flexibility is granted to users, fewer elevation prompts will appear. Conversely, in environments that require greater control over the IT infrastructure, UAC can be strengthened to minimize the changes a user can make.
For data protection, Windows 7 introduces BitLocker ToGo™, extending encryption to removable drives. This feature gives greater control over information leaving the corporation, as well as helping to protect lost or stolen USB drives.
Windows 7 also incorporates improvements to the Firewall Profiles and allows IT to control access to specific applications by specific users, but we’ll cover these in more detail in future articles.
Deployment
Windows Vista introduced Windows Imaging Format (WIM), allowing a hardware and language-independent image to be created and deployed. In many instances, a single image could be deployed and maintained worldwide, providing a more predictable environment. Several new tools, including the Microsoft Deployment Toolkit, the Application Compatibility Toolkit, and Microsoft Assessment and Planning toolkit helped streamline the planning, testing and deployment of a large-scale deployment.
In Windows 7, image creation and deployment is enhanced with advances such as Dynamic Driver Provisioning, the Deployment Image Service and Management tool, Multicast Multiple Stream Transfer, and improvements to user state migration. We’ll go into further detail in future Springboard Series articles, so check back frequently.
Summary
Windows 7 promises advancements in manageability, security, deployment and end user productivity. Does this mean you should wait or skip? The fact is that you can get many of the advantages today in Windows Vista. While the original release of Windows Vista ran into application and hardware compatibility issues, much progress has been made with Windows Vista SP1 and a maturing ecosystem, and this progress continues in Windows 7.
If your organization hasn’t begun looking seriously at Windows Vista, or you evaluated Windows Vista prior to SP1 and found too many challenges, it now makes sense to re-evaluate—both to benefit from a more advanced PC environment, and to get ahead of the adoption curve for Windows 7.
To learn more about Windows 7, Windows Vista or any of the Windows Client technologies, please visit www.microsoft.com/springboard for the latest in information, guidance and community connections.
Posted: Tue Jan 26, 2010 7:32 pm Post subject: A bit more
Windows 7 Security Enhancements
Security Viewpoint – March 2009
By Paul Cooke, Director, Windows Client Enterprise Security, Microsoft Corporation
Security is still a top concern for IT professionals; now that Windows® 7 Beta is available, questions regarding what Microsoft has done with the Windows 7 operating system abound. There is a lot of ground to cover—more than we can in a brief article— but there are three primary topics that merit our focus here.
* Windows 7 is built upon the security foundations of the Windows Vista® operating system while improving auditing and the User Account Control (UAC) experience.
* Windows 7 helps IT control what software can run in their environment with AppLocker™.
* Windows 7 enhances the core features of BitLocker™ Drive Encryption with the introduction of BitLocker To Go™ for removable storage devices.
Let’s take a look at each of these in a little more detail.
Fundamentally Secure Environment
Windows 7 builds upon the strong security lineage of Windows Vista and retains and builds upon the development processes and technologies that have made Windows Vista the most secure version of the Windows client to date. Fundamental security features such as Kernel Patch Protection, Service Hardening, Data Execution Prevention, Address Space Layout Randomization, and Mandatory Integrity Levels continue to provide enhanced protection against malware and attacks. Windows 7 has been designed and developed using the Microsoft Security Development Lifecycle (SDL), and it is engineered to support Common Criteria requirements to achieve Evaluation Assurance Level 4 certification and meet Federal Information Processing Standard 140-2.
Enhanced Auditing
Windows 7 provides enhanced audit capabilities to make it easier for an organization to meet its regulatory and business compliance requirements. Audit enhancements start with a simplified management approach for audit configurations and end with greater visibility into what occurs in your organization. For example, Windows 7 provides greater insight into understanding exactly why someone has received or been denied access to specific information, as well as visibility into the changes made by specific people or groups.
Streamlined User Account Control
User Account Control (UAC) was introduced in Windows Vista to help legacy applications run with standard user rights and help ISVs adapt their software to work well with standard user rights. Windows 7 continues the investment in UAC with specific changes to enhance the user experience. These changes include reducing the number of operating system applications and tasks that require administrative privileges and providing a flexible consent prompt behavior for users who continue to run with administrative privileges. As a result, standard users can do even more than ever before and all users will see fewer prompts.
AppLocker
Windows 7 re-energizes application control policies with AppLocker, which is a flexible, easy-to-administer mechanism that allows IT to specify exactly what is allowed to run in the desktop infrastructure and gives users the ability to run applications, installation programs, and scripts that they require to be productive. As a result, IT can enforce application standardization within their organization while providing security, operational, and compliance benefits.
AppLocker provides a simple and powerful structure through three rule types: “allow,” “deny,” and “exception.” Allow rules limit the execution of applications to "known good" applications and block everything else. Deny rules take the opposite approach and allow the execution of any application except those on a list of “known bad” applications. While many enterprises will likely use a combination of allow rules and deny rules, the ideal AppLocker deployment would use allow rules with built-in exceptions. Exception rules exclude files from an allow/deny rule that would normally be included. Using exceptions, you can, for example, create a rule to “allow everything in the Windows operating system to run, except the built-in games.” Using allow rules with exceptions provides a robust way to build a “known good list” of applications without having to create an inordinate number of rules.
AppLocker introduces publisher rules that are based upon application digital signatures. Publisher rules make it possible to build rules that survive application updates because you can specify attributes such as the version of an application. For example, an organization can create a rule to “allow all versions higher than 9.0 of the program Acrobat Reader to run if it is signed by the software publisher Adobe.” Now when Adobe updates Acrobat, you can safely push out the application update without having to build another rule for the new version of the application.
AppLocker rules also can be associated with a specific user or group within an organization. This provides granular controls that allow you to support compliance requirements by validating and enforcing which users can run specific applications. For example, you can create a rule to “allow people in the Finance Department to run the Finance line of business applications.” This blocks everyone who is not in your Finance Department from running your finance applications (including administrators), but still provides access for those that have a business need to run the applications.
AppLocker provides a robust experience for IT administrators through new rule creation tools and wizards. Using a step-by-step approach and fully integrated Help, creating new rules, automatically generating rules, and importing / exporting rules is intuitive and maintenance is easy. For example, IT administrators can automatically generate rules using a test reference machine and then import the rules into a production environment for widespread deployment. The IT administrator can also export policy to provide a backup of your production configuration or to provide documentation for compliance purposes.
BitLocker and BitLocker To Go
Each year, hundreds of thousands of computers without appropriate safeguards are lost, stolen, or decommissioned. However, the loss or theft of data is not just a physical computer issue. USB flash drives, e-mail, leaked documentation, etc. all provide additional avenues through which data can fall into the wrong hands. Windows 7 addresses the continued threat of data leakage with manageability and deployment updates to BitLocker Drive Encryption and the introduction of BitLocker To Go, which provides enhanced protection against data theft and exposure by extending BitLocker support to removable storage devices.
BitLocker Drive Encryption (BitLocker for short) helps prevent a thief who boots another operating system or runs a software hacking tool from breaking Windows 7 file and system protections or performing offline viewing of the files stored on the safeguarded drive. Windows 7 BitLocker shares the same core benefits of Windows Vista BitLocker; however, the core functionality in Windows 7 BitLocker has been enhanced to provide a better experience for IT professionals and end users. For customers who did not deploy Windows Vista with the BitLocker-required two-partition disk configuration, repartitioning the drive to enable BitLocker was more cumbersome than it needed to be. Windows 7 automatically creates the necessary disk partitions during installation to greatly simplify BitLocker deployments. Another change in Windows 7 BitLocker is the ability to right-click on a drive to enable BitLocker protection.
Windows 7 BitLocker adds Data Recovery Agent (DRA) support for all protected volumes. A big ask from customers, DRA support allows IT to dictate that all BitLocker protected volumes (the operating system, fixed volumes, and the new portable volumes) are encrypted with an appropriate DRA. The DRA is a new key protector that is written to each data volume so that authorized IT administrators will always have access to BitLocker protected volumes.
BitLocker To Go extends BitLocker support to removable storage devices, including USB flash drives and portable disk drives. BitLocker To Go also gives administrators control over how removable storage devices can be utilized within their environment and the strength of protection that they require. Administrators can require data protection for any removable storage device on which users want to write data while still allowing unprotected storage devices to be utilized in a read-only mode. Policies are also available to require appropriate passwords, smart card, or domain user credentials to utilize a protected removable storage device.
BitLocker To Go can be utilized on its own, without requiring that the system partition be protected with the traditional BitLocker feature. Finally, BitLocker To Go provides read-only support for removable devices on older versions of the Windows operating system, which allows users to more securely share files with those who are still running Windows Vista and Windows XP with the BitLocker To Go Reader.
Whether traveling with your laptop, sharing large files with a trusted partner, or taking work home, BitLocker and BitLocker To Go help ensure that only authorized users can read the data, even if the media is lost, stolen, or otherwise misused.
Conclusion
Built upon the security foundation of Windows Vista, Windows 7 introduces a number of security enhancements to give users the confidence that Microsoft is continuing to find better ways to safeguard users’ IT investments as well as data. Businesses will benefit from enhancements that help protect company sensitive information, that provide stronger protections against malware, and that help secure access to corporate resources and data. End users can enjoy the benefits of computers and the Internet knowing that Windows 7 is using new technologies and features to safeguard privacy and personal information. Finally, all users will benefit from the flexible security configuration options in Windows 7—options that will help users achieve the unique balance of security and usability to meet their specific needs.
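The AppLocker rule types described in the quoted article (an allow rule with exceptions, a publisher rule with a version floor, and a rule scoped to one group), written out as a policy file and evaluated in audit mode. This is an added example, not part of the original posts or of Microsoft's article; the GUIDs, the Finance group SID, the publisher and product strings, and the folder paths are constructed sample values that would have to be replaced with ones read from the real environment.

```powershell
# Added example. GUIDs, the group SID, publisher/product strings and folder
# paths are constructed sample values, not taken from a real deployment.
$xml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Allow rule with exceptions, applied to Everyone (S-1-1-0) -->
    <FilePathRule Id="11111111-1111-4111-8111-111111111111" Name="Program Files"
        Description="Allow, minus games and the finance app" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%PROGRAMFILES%\Microsoft Games\*" />
        <FilePathCondition Path="%PROGRAMFILES%\FinanceApp\*" />
      </Exceptions>
    </FilePathRule>
    <!-- Publisher rule: signed by the publisher, version 9.0 or higher -->
    <FilePublisherRule Id="22222222-2222-4222-8222-222222222222" Name="Reader 9.0+"
        Description="Survives updates" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=ADOBE SYSTEMS INCORPORATED, L=SAN JOSE, S=CALIFORNIA, C=US"
            ProductName="ADOBE READER" BinaryName="*">
          <BinaryVersionRange LowSection="9.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- Group-scoped rule: only the (placeholder) Finance group SID -->
    <FilePathRule Id="33333333-3333-4333-8333-333333333333" Name="Finance LOB app"
        Description="Finance group only" UserOrGroupSid="S-1-5-21-1111111111-2222222222-3333333333-1105" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\FinanceApp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:TEMP 'applocker-example.xml'
Set-Content -Path $policyPath -Value $xml -Encoding UTF8

# Evaluate existing binaries against the policy file without applying it.
# notepad.exe lives under %WINDIR%, which no rule in this policy covers.
$targets = @("$env:WINDIR\System32\notepad.exe")
$targets += Get-ChildItem $env:ProgramFiles -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Select-Object -First 5 -ExpandProperty FullName

Test-AppLockerPolicy -XmlPolicy $policyPath -Path $targets -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Files that match no allow rule are reported as `DeniedByDefault`, so an allow list also needs rules for the Windows folder before enforcement is switched from `AuditOnly` to `Enabled`.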