Monday, October 19, 2009

Windows 7 Security is Better than Ever

Windows 7 Security is Better than Ever

While many Microsoft users had several complaints about Windows Vista, security wasn't usually one of them. Compared to past versions of Windows, Vista was very secure and it sounds like Windows 7 will be even more of an improvement. Based on user-feedback, Microsoft took extra care to ensure Windows 7 has strong, yet user-friendly security. Let's take a look at some of those features.

Core System Security: Just like with Vista, Windows 7 was developed according to the Security Development Lifecycle. It was built from scratch while retaining key security features from Vista including Kernel Patch Protection, Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Mandatory Integrity Levels. These help protect against malicious software and other attacks.

Enhanced UAC : User Access Control (UAC) was introduced with Vista. It enforces least-privileged access and allows organizations to deploy the operating system without granting administrator access. The primary purpose of UAC was make software developers use better coding practices without being allowed access to sensitive areas of Windows but many people saw the feature as security. Many users associate UAC with access-consent prompts which had led to it becoming a source of negative feedback from Vista users.

However, in Windows 7, Microsoft reduced the number of applications and task that trigger the prompt. You can also adjust the the feature with a slider in the Control Panel under the heading "Change User Account Control Settings." The slider allows you to choose from four levels of protection ranging from "always notify" to "never notify." Obviously the decision is up to users and how much they are worried about security vs convenience. But either way, even when the slider is set to "Never Notify," UA is not completely disabled. Even though you no longer see the prompts, some of UAC's protections will remain, including Protected Mode Internet Explorer.

Integrated Fingerprint Scanner Support: Not activating the user name and password feature on your computer is basically like leaving your home with your doors unlocked. But even if you do take advantage, passwords can be figured out when an attacker is dedicated to its mission. As a matter of fact, experts have always suggested adding another layer of authentication to your computer for security purposes. This is why many computers, particularly laptops come with a built-in fingerprint scanner. Windows 7, however, takes fingerprint-scanning to a whole new level.

Windows 7 has better driver support which makes for more reliable fingerprint reading. To configure your fingerprint data reader with Windows 7, all you have to do is click on "Biometric Devices" inside your control panel and there you will have access to the console for enrolling and managing fingerprint data and customizing biometric-security settings. You can add scans of as many of your fingers as you'd like, but adding all ten is recommended. Simply choose the finger you want to scan and place your finger on your reader (or follow your hardware's guidelines for fingerprint scanning). Each finger will need to be scanned three times to be sure it is successful.

Protecting Data: If you aren't taking proper measures to protect or safeguard your computer, anyone who comes in contact with it can access any of your files or sensitive data. Considering thousands of computers are lost or stolen each year, this is definitely something computer users should be wary of. Vista made great waves in data-protection technology with Encrypting File System, and support for Active Directory Rights Management Services. Windows 7 not only updates some of the minor details of these features but it improves on Vista's Bitlocker drive encryption technology and adds BitLocker to Go for removable media such as USB flash drives.

Encrypting Drives with Bitlocker:
When BitLocker made its original debut with Vista, it could only encrypt the primary operating system but didn't allow encryption on removable or portable disks. Windows 7 has BitLocker to Go for that purpose - it allows you to protect data on portable drives while also sharing data with partners, customers, and other parties.

To use the BitLocker Drive Encryption, your disk volumes must be configured properly. When most people are setting up drive partitions, they don't realize that Windows requires a small, unencrypted partition for the core system files that begin the boot process. This is why Microsoft has created a tool that allows you to repartition the drive so that it's prepared for the BitLocker encryption. Once the drive is properly partitioned, you can encrypt it with BitLocker by finding it in the control panel. It will display the available drives and their current state. Next to any unencrypted drive, you will click on "Turn on BitLocker" to start the process of encryption. You will then need to assign a password or insert a smartcard. You will then have the opportunity to save the BitLocker Recovery Key as a file or a print-out (which is needed to unlock data ir your password or smartcard fails). Once the process is complete is you can click on "Manage BitLocker" to unlock encrypted drives automatically when you log into Windows.

Using BitLocker Without a TPM: Technically, BitLocker requires a TPM chip (Trusted Platform Module). Unfortunately, most computers don't have a TPM chip but Microsoft has included an option to use the BitLocker Drive Encryption without a compatible TPM. It's not an easy thing to do, but it is possible if you follow the following steps: click the start menu and type gpedit.msc in the "search programs and files' field. Under Computer Configuration, find "Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives." Click on "Require additional authentication at startup." Choose the "Enabled" radio button and check the "Allow BitLocker without a compatible TPM" box. Click OK.

No comments: