Security Viewpoint – March 2009

June 2, 2009 Windows 7 Tips

Windows 7 builds upon the strong security lineage of Windows Vista and retains and builds upon the development processes and technologies that have made Windows Vista the most secure version of the Windows client to date. Basic security features such as Kernel Patch Protection, Service Hardening, Data Execution Prevention, Address Space Layout Randomization, and Mandatory Integrity Levels continue to provide enhanced protection against malware and attacks.

Windows 7 provides improved audit capabilities to make it easier for an organization to meet its regulatory and business compliance requirements.

Windows 7 continues the investment in UAC with specific changes to enhance the user experience. These changes include reducing the number of operating system applications and tasks that require administrative privileges and providing a flexible consent prompt behavior for users who continue to run with administrative privileges.

Windows 7 re-energizes application control policies with AppLocker, which is a flexible, easy-to-administer mechanism that allows IT to specify exactly what is allowed to run in the desktop infrastructure and gives users the ability to run applications, installation programs, and scripts that they require to be productive. As a result, IT can enforce application standardization within their organization while providing security, operational, and compliance benefits.

AppLocker provides an easy and powerful structure through three rule types: “allow,” “deny,” and “exception.” Allow rules limit the execution of applications to “known good” applications and block everything else. Deny rules take the opposite approach and allow the execution of any application except those on a list of “known bad” applications.

AppLocker introduces publisher rules that are based upon application digital signatures. Publisher rules make it possible to build rules that survive application updates because you can specify attributes such as the version of an application.

AppLocker rules also can be associated with a specific user or group within an organization. This provides granular controls that allow you to support compliance requirements by validating and enforcing which users can run specific applications.
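The following simplified model shows how the rule types described above combine: a publisher rule with a version floor keeps matching after an update, an exception carves one build out of an allow rule, and a deny rule scoped to one group overrides the allow. It is an added example, not AppLocker's own code or part of the original article; the publisher, product, group names and version numbers are constructed, and the deny-over-allow precedence and default block are modeled on AppLocker's documented behaviour.

```python
from dataclasses import dataclass, field

def ver(s):
    """Parse a dotted file version such as '9.1.0.0' into a comparable tuple."""
    return tuple(int(p) for p in s.split("."))

@dataclass
class Condition:
    publisher: str                 # signer name taken from the digital signature
    product: str = "*"             # "*" matches any product from that publisher
    min_version: str = "0.0.0.0"   # lowest file version the condition covers
    max_version: str = "*"         # "*" means no upper bound

    def matches(self, f):
        if f.get("publisher") != self.publisher:   # unsigned files never match
            return False
        if self.product not in ("*", f["product"]):
            return False
        v = ver(f["version"])
        if v < ver(self.min_version):
            return False
        return self.max_version == "*" or v <= ver(self.max_version)

@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    group: str                     # user or group the rule is assigned to
    condition: Condition
    exceptions: list = field(default_factory=list)

    def applies(self, f, groups):
        return (self.group in groups and self.condition.matches(f)
                and not any(e.matches(f) for e in self.exceptions))

def evaluate(rules, f, groups):
    """Deny wins over allow; a file that matches no rule is blocked."""
    hits = [r.action for r in rules if r.applies(f, groups)]
    if "deny" in hits:
        return "deny"
    return "allow" if "allow" in hits else "deny"

# Constructed sample policy (hypothetical publisher, product and group names).
RULES = [
    Rule("allow", "Everyone", Condition("O=CONTOSO", "Reader", "9.0.0.0"),
         exceptions=[Condition("O=CONTOSO", "Reader", "9.2.0.0", "9.2.0.0")]),
    Rule("deny", "Contractors", Condition("O=CONTOSO", "Reader")),
]

def reader(version):
    """Build a constructed file record for the sample product."""
    return {"publisher": "O=CONTOSO", "product": "Reader", "version": version}
```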

AppLocker provides a robust experience for IT administrators through new rule creation tools and wizards. With a step-by-step approach and fully integrated Help, creating new rules, automatically generating rules, and importing and exporting rules are intuitive, and maintenance is easy.

Windows 7 addresses the continued threat of data leakage with manageability and deployment updates to BitLocker Drive Encryption and the introduction of BitLocker To Go, which provides improved protection against data theft and exposure by extending BitLocker support to removable storage devices.

BitLocker Drive Encryption (BitLocker for short) helps prevent a thief who boots another operating system or runs a software hacking tool from breaking Windows 7 file and system protections or performing offline viewing of the files stored on the safeguarded drive. Windows 7 BitLocker shares the same core benefits of Windows Vista BitLocker; however, the core functionality in Windows 7 BitLocker has been improved to provide a better experience for IT professionals and end users. Another change in Windows 7 BitLocker is the ability to right-click on a drive to enable BitLocker protection.

Windows 7 BitLocker adds Data Recovery Agent (DRA) support for all protected volumes. The DRA is a new key protector that is written to each data volume so that authorized IT administrators will always have access to BitLocker protected volumes.

BitLocker To Go extends BitLocker support to removable storage devices, including USB flash drives and portable disk drives. BitLocker To Go also gives administrators control over how removable storage devices can be used within their environment and the strength of protection that they require.

BitLocker To Go can be used on its own, without requiring that the system partition be protected with the traditional BitLocker feature. Finally, BitLocker To Go provides read-only support for removable devices on older versions of the Windows operating system, which allows users to more securely share files with those who are still running Windows Vista and Windows XP with the BitLocker To Go Reader.

All users will benefit from the flexible security configuration options in Windows 7—options that will help users achieve the unique balance of security and usability to meet their specific needs.
