Windows 7 And Security

Now that Windows XP has lost its service pack two support, many organizations and enterprises are seriously considering migrating to Windows 7. The latest operating system from Microsoft has been positively received with many glowing reviews. One of the advantages of Windows 7 are the new security features. This new functionality is a criteria businesses and IT administrators will desire to use their best benefit. Where Windows Vista introduced the User Account Control, Windows 7 improves upon it. Other new security controls include the higher level of protection against Trojans and other malware, App Locker, the encryption of removable media devices and hard drive volumes, an easier to use secure remote access, and larger support for cryptographic ciphers. Windows 7 also contains smart card support, biometrics, Kerberos, a network authentication protocol, support for DNS Sec standards that assist in the prevention of DNS exploitation attacks, and new functionality entitled Extended Protection for Authentication which assist in the prevention of highly sophisticated man in the middle operations that strike against trusted security protocols in use today including SSL and TLS.

The improved User Account Control is much less intrusive than the Windows Vista version is much more intelligent in distinguishing the difference between legitimate activities have potentially malicious ones in Windows 7. Some installations of Windows 7 may arrive with a different and default User Account Control security setting depending if you are a regular user or an administrator. If you are a standard user your security default settings will replace that the most secure setting possible. Administrators will have default security settings that are placed one notch below the most secure setting. Even though the User Account Control can prevent any misuse of administrator privileges, there is a bypass feature which can be used if you need a higher level of security. As a security best practice your environment should always be set at the most secure level, which is the ‘always notify’. At this setting users will be prompted to provide their passwords whenever they are about to perform a high risk action on the administrative level.

Bit Locker Drive Encryption Protection includes any operating system drive, any fixed data drives, and removable storage devices including any portable hard drives and USB memory flash drives. For removable drives this feature is named Bit Locker To Go. This feature also allows you to perform any necessary encryption on your USB flash drives, operating system volumes, and fix data drives from the Windows Explorer graphic user interface. This functionality also allows you to create a data recovery agent if you need to back up your Bit Locker keys. If your system is installed with a Trusted Platform Module computer-chip you have the ability to use a pin code.

Bit Locker now has the ability to create its own system partition without any user interaction. This partition will not have a drive letter and remains invisible in Windows Explorer. The partition also only requires one hundred megabyte of disk space. You also have the option to encrypt your drives one drive at a time or you can set the option to encrypt all removable media at the same time as a default. Encryption and decryption can be performed on any Windows 7 machine. A component named Bit Locker To Go Reader will operate on computer systems containing Windows Vista and Windows XP. This will allow you to open and view removable drive content that was encrypted within Windows 7 Bit Locker. As Bit Locker should be used on portable computer systems is a measure of security, the Bit Locker pin numbers and related recovery data should be stored in the Active Directory or at the very least you should configure a domain wide public key which will be your data recovery agent allowing your administrator to unlock a Bit Locker encrypted drive.

The new Windows 7 contains the latest revisions of industry ciphers including Advanced Encryption Standard, The Elliptical Curve Cryptography, and the Secure Hash Algorithm 2 hash family. Windows 7 also uses the entire group of cryptographic algorithms that have been approved by the National Institute Of Standards and Technology as well as the National Security Agency. These algorithms are utilized for general-purpose encryption software. These ciphers can also be used with the Transport Layer Security and also the Encrypting File System. The Encrypted File System can be used to protect your smartcards, not only making them more secure but also providing portability from one computer system to the next. Users do not have the ability to create their own self signed encrypting file system keys.

To bring the greatest browser security possible users should utilize Internet Explorer version 8. Internet Explorer version 8 is a more secure browser than the previous versions but is also more secure when used with Windows 7 than it was within Windows XP. A perfect example would be the most recent zero day hacking operation against Google. Those particular attacks were highly effective when used against Internet Explorer version 6 and did not work very well against version 8. Microsoft also ran their own separate test and discovered exploits and hacks were definitely harder to run against Internet Explorer version 8 and they were difficult still when using the browser within Windows 7. If you are still using version 6 of Internet Explorer, it is definitely time to download and install version 8.

Before Windows 7 a single firewall profile was the only one that could be used if a user had several network interfaces that were active, for example a work profile, a home or domain profile, or a public one. This situation created a security vulnerability when a system was connected to a local network domain as well as a wireless network that was less restricted. Windows 7 has the ability to see more than one network and place the correct firewall profile to the correct interface.

The System Restore feature has been restructured to include the user's personal content files as well as the Windows system files. System Restore now lets you view the files that will be restored in each particular restore version. This way you now have the ability to view the files that are about to be restored when you choose a certain restoration point.

The Direct Access feature will let remote users access their business resources including websites, shares, applications, and other related areas without the necessity of connecting to the usual types of virtual private networks. Direct Access will set up a bidirectional connectivity to the user's organizational network whenever the user connects their Direct Access portable system to the Internet. The advantage is the users will not have to perform any action and IT administrators will have the ability to manage the remote systems even if the systems are not currently connected to the virtual private network. When the Direct Access system connects through the Internet it will appear as if they are using and connected to the local network of the organization or enterprise. At this point the group policies, automatic push patching, and remote management utilities will work as normal. In order to use Direct Access an enterprise or organization should be using Windows Server 2008 R2 for their remote access server, Windows 7 Enterprise or Ultimate, IP version 6, PKI, and IP Sec.

Windows 7 brings an easier procedure to service accounts. The service accounts exist as Windows executes multiple services at once, including the core operating system and many tool functionalities. There also services related to any applications that may be installed. As hackers love to break into and exploit these many services they must be protected at all times. Passwords related to the service accounts should be edited and changed on a frequent basis in order to keep the risk of any attacks against these passwords low. When Windows 7 realizes a service account has been enabled to be a managed service account Windows controls the management of passwords as well as the service principal names. Enterprises desiring to use manage service accounts should also use the second version of Power Shell. Virtual service accounts have the same relation as managed service accounts and that Windows automatically controls the password management. Virtual service accounts exist for local services only and are easier to configure and utilize. Both virtual service accounts as well as managed service accounts should be used to manage the security of account passwords.

Some statistics show that cyber criminals take control of computer systems through missing security patches and fixes, zero day attacks that have not been fixed, drive-by type downloads, or configurations that were not performed properly. The truth stands that most systems become infected because users are tricked into directly installing applications because they were directed to do so from an e-mail or a website. These type of Trojans and other malware are usually disguised as falsified patches and security fixes, antivirus scanners because an advertisement indicated a user's drive was seriously infected, or a user downloaded a codec file that was required to play a certain type of video or media, or any other scheme a cyber criminal can invent that will fool a user into downloading and installing their malicious software. The best way to mitigate this type of user action within the work environment is to prevent users from installing any application that was not approved by the company. App Locker improves upon the Software Restriction Policies that was first introduced in the professional version of Windows XP. App Locker lets the user define specific rules of execution as well as exception rules that are based on various file attributes, including the file path, the publisher of the file, the name of the file, the product name, the version of the file, and more. Administrators can assign different groups to specific computers, users, various security groups, and any units of organization through the Active Directory.

As a default, App Locker will not let users open or execute a file that has not been permitted to be run. App Locker can also automatically create rules that serve as a set baseline. This feature will save administrators a great deal of time by placing anywhere from a few to hundreds of rules within a clean image. App Locker will support rule collections including Windows Installer, Executable, Script, and DLL. A rule collection entails a certain collection of file types. The DLL role encompasses all DLL files, while the executable rules contain 32-bit and 64-bit executable files and command files.

Windows 7 courses are a huge benefit to organizations moving forward from older operating systems. K Alliance and their extensive catalog has a strong Windows 7 training course detailing the many functions and enhancements that increase your workflows, improve your productivity, and give you the best platform possible to increase your knowledge base and skill sets.

About Us: Office Training CD offers Microsoft Office training CDs and DVDs. Everything you need to know about Microsoft Office and its product line is available, including entire enterprise training solutions. Other training courses including Windows 7 training courses assists users in gaining a solid knowledge base and understanding of the basic and advanced concepts and functionality within each and every application. Office Training CD is your advantage into a world quality training courses.