Companies can expect the next Windows to improve authentication, data protection, privilege levels, and more
The evidence that Windows Vista is far more secure than Windows XP, both in theory and in practice, is abundant. With new features and standards, Microsoft hopes to make Windows 7 even more secure, especially for companies.
A paper on the company’s Technet site explores several new security features in Windows 7, most of which have a business angle to them. In all cases, there’s nothing completely new, but there is better design and easier implementation for IT and users of strong security capabilities.
The Windows Biometric Framework (WBF) is part of a general reworking of the log-on process that began in Vista. Earlier log-on architectures were built into special programs called GINAs, which were complex and difficult for third parties to add on to with biometrics and other modifications. Vista replaced GINAs with a Credential Provider infrastructure, and WBF fits right into this model.
WBF includes a standard interface for biometric device drivers, a standard set of services provided, application programming interfaces (APIs), management services including group policies, and user interface components. Both kernel-mode and user-mode drivers are supported, with user-mode drivers helping with overall system stability. There are ways for applications to work with biometric authentication, and the actual biometric data is never exposed to them; it’s easy to change a password that has been compromised, not so easy to change your fingerprints. The initial WBF implementation will only support fingerprint devices, but it can be expanded in the future.
Numerous enhancements have been made to BitLocker drive encryption in Windows 7. Management has been made more consistent and easier to use. Setting up BitLocker drives in Vista can be cumbersome, especially when the operating system is already installed. Windows 7 improves this in several ways. The set-up of Windows 7 creates a separate active system partition, and the BitLocker behaviour on an existing system will repartition the system in an appropriate way.
BitLocker To Go makes it easy to use BitLocker on removable media such as USB drives. A group policy allows the default for USB media to be read-only unless they are encrypted with BitLocker To Go; and data can be recovered from any BitLocker To Go device by using a special enterprise key. Some read access is available for BitLocker To Go media, on Windows Vista and XP, but not write access.
No Password Please
User Account Control (UAC) changes in Windows 7 have already generated some controversy. The main change is that, by default, when the program performing the elevation is a Windows program, identified as such through digital signature, no UAC prompt is performed. The idea is that you need not be prompted for purely administrative tasks and can focus on the really risky operations, like installing new software. This change also eliminates some cases with Vista where users would get two prompts for what seemed like one operation.