Companies can expect the next Windows to improve authentication, data protection, privilege levels, and more
Some researchers noted that one of those Microsoft programs was the Control Panel program that changes UAC settings, and thus no UAC prompt was required to disable UAC altogether, and they showed a way for a program to make this change. I argued that this was actually logically consistent and that Microsoft shouldn’t change the behaviour, but they decided to force a prompt in at least some of these cases.
In addition, many internal operations, like changing the screen resolution and resetting network interfaces, don’t trigger UAC prompts.
Making System Lock-downs Easier
AppLocker is a new set of services and tools to make system lock-downs easier to perform. This means that you can define which software users can run on the system, and they will be allowed to run no other software. Forms of this were possible in earlier versions of Windows through Software Restriction Policies, but these were difficult to set up correctly. A Microsoft Management Console (MMC) snap-in allows the administrator to create rules directly or to generate rules based on folder selection. Rules can be created based on the use of code signing certificates that allow for applications to be updated within the rules as long as the updates are signed with the right certificate.
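The folder-based rule generation described above can also be scripted with the AppLocker PowerShell cmdlets. This is an added example, not code from the article or from Microsoft; the folder, export path and rule-name prefix are hypothetical, and it only writes a policy file for review without applying it.

```powershell
# Added example. Requires the AppLocker module (Windows 7 / Server 2008 R2 or later).
# All paths and the rule-name prefix below are hypothetical.
Import-Module AppLocker

$appFolder  = 'C:\Program Files\ExampleApp'        # hypothetical application folder
$reviewFile = 'C:\Temp\ExampleApp-AppLocker.xml'   # hypothetical export path for review

# 1. Collect publisher, hash and path information for every EXE and DLL
#    under the folder (the scripted form of "folder selection").
$fileInfo = Get-AppLockerFileInformation -Directory $appFolder -Recurse -FileType Exe, Dll

# 2. List unsigned files first. They cannot get a publisher rule, so they fall
#    back to a hash rule that stops matching as soon as the file is updated.
$unsigned = $fileInfo | Where-Object { -not $_.Publisher }
if ($unsigned) {
    Write-Warning "Unsigned files will get hash rules and need re-approval after updates:"
    $unsigned | ForEach-Object { Write-Warning "  $($_.Path)" }
}

# 3. Build the policy: publisher rules where a signature exists, hash rules
#    otherwise. -Optimize merges similar files into fewer rules.
#    Write it out as XML so it can be reviewed before anything is enforced.
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                        -RuleNamePrefix 'ExampleApp' -Optimize -Xml |
    Out-File -FilePath $reviewFile

# 4. Dry run: evaluate the same files against the generated policy and show
#    anything that would not be allowed for the Everyone group.
$paths   = Get-ChildItem -Path $appFolder -Recurse -Include *.exe, *.dll |
               ForEach-Object { $_.FullName }
$results = Test-AppLockerPolicy -XmlPolicy $reviewFile -Path $paths -User Everyone

$blocked = $results | Where-Object { $_.PolicyDecision -ne 'Allowed' }
if ($blocked) {
    $blocked | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
} else {
    Write-Output "All $($paths.Count) files are allowed by the generated rules."
}

# 5. After review, the XML can be imported through the AppLocker snap-in or
#    merged into local policy with: Set-AppLockerPolicy -XmlPolicy $reviewFile -Merge
```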
Enhancements have been made to authentication for non-domain networks. Through the Homegroup feature, Windows 7 systems automatically find each other on the local network and offer to join the Homegroup; they need the Homegroup password to do this. Users can choose what to share on the network. Authentication is performed with a new protocol based on the Public Key Infrastructure, called PKU2U, or Public Key-based User to User.
Domain Name System Security Extensions (DNSSEC)
Finally, Windows 7 is the first client operating system (according to Microsoft) to come with “… the necessary pieces to allow the client to verify that it is communicating securely with a DNS server and verify that the server has performed DNSSEC validation on its behalf.” Widespread concern about vulnerabilities in the DNS may lead to increasing adoption of DNSSEC by service providers, so this could result in a head start for Windows 7 users.
Microsoft adds that “Windows Server 2008 R2 will allow the DNS Server to provide origin authority and data integrity artefacts. Basically, a server will be able to attach digital signatures to DNS data in responses as well as validate data received from other DNS servers.”
As with Vista, Windows 7 will probably be more secure right out of the box than preceding versions, but these enhancements show how the real value in security comes with an educated and on-the-ball IT staff. The ones willing to administer AppLocker and BitLocker proactively can save their organisations from troubles that seem like standard operating procedure to many. It’s all another sign of how you can do your security work proactively or you can do it reactively, and proactively is better.
Security Centre Editor Larry Seltzer has worked in and written about the computer industry since 1983.