Enterprise Windows 7 pre-implementation Security Guide

For many years, many IT critics have been attacking Microsoft products. In addition, Microsoft's Windows Vista provided them with a new target. The availability and security of this product can upset many users. For this reason, many enterprises still use XP, rather than the successor Windows Vista.

However, with the recent release of Windows 7, most enterprises plan to upgrade more and more quickly. The official support for Windows 2000 and XP Service Pack 2 has already been completed, and XP Service Pack 3 will also end on March 13, June 2014. Does Windows 7 feel good security performance make enterprises more secure? In this short Windows 7 pre-implementation security guide, we will answer this question.

Even Microsoft's most hardcore critics agree that Windows 7 is far more secure than Windows XP and Vista, which is a huge improvement. However, DirectAccess, AppLocker, BitLocker and BitLocker to Go require more expensive systems to run, such as Windows 7 Enterprise Edition and Windows 7 flagship edition. The cost of upgrading to these versions is about 10% higher than that of the pro version, almost twice that of the pro version. In addition, enterprises that require Windows business performance need to apply for Software Assurance licenses for those computers. Microsoft's software maintenance projects), this License costs 30 to 50 dollars a year. In this case, compared with the security performance of products provided by third-party vendors, is Windows 7 worth the additional cost?

With DirectAccess, Windows 7 PCs do not need to be equipped with Virtual Private Network VPN) clients. VPN clients that are online at any time support multi-factor authentication and allow administrators to upgrade group policy settings and distribute updates to software and anti-virus programs as long as there is a connection between the client and the network ). The high integration of systems and services not only improves the overall security performance of the endpoints, but also greatly reduces the number of times that the Console requires users to connect to the VPN. However, DirectAccess needs to run on Windows Server 2008 R2. If the customer you support is not Windows 7, you need another VPN.

AppLocker can more easily limit the number of applications installed by users, but users can also choose other more mature products, such as the Parity Suite of Bit9 and the Bouncer of CoreTrace. Many products provide pre-generated application whitelists and blacklists with the automatic upgrade function, generate enterprise applications and usage reports, and provide protection for multiple versions of Windows systems, these services are not provided by AppLocker.

BitLocker provides password protection for hard drive of the computer To prevent information theft and loss. BitLocker To Go provides password protection for removable storage devices such as USB hard drive, but does not include the optical drive. Although BitLocker can protect data by destroying passwords, it cannot meet the needs of some auditors who need to see traces of security coverage when the hard disk is processed. Criticism of BitLocker To Go encrypting everything on the device seems untenable, and BitLocker To Go is not yet a mature data leakage protection product. For most system administrators, it is good that they can protect data on USB within the enterprise. The power of modern PCS means that the encryption process is not slower than the expensive DLP digital processor. The latter can only Encrypt sensitive data. However, BitLocker To Go also has a problem similar To DirectAccess. If not all customers use Windows 7, users still need another encryption method. Although BitLocker To Go-encrypted devices can be used on PCs installed with Windows XP and Windows Vista, the data in the device is read-only data.

For cross-platform use, products such as TrueCrypt provide great flexibility. TrueCrypt is free of charge, but it is not compatible with Windows Server policies or has high networking capabilities. With BitLocker, administrators can establish Windows group policies to implement BitLocke usage on removable storage devices and encrypt hard disks on servers and PCs. PGP's full disk encryption is a complete replacement encryption method, but this encryption method is more expensive than upgrading to Windows 7.

Microsoft's Windows system is benevolent and wise. Many critics accuse Microsoft of not supporting the best combination of security performance. It is of a single use and can only be used by small-scale enterprises. If users want to achieve the best combination of each part of their own security infrastructure, I believe no vendor will support this approach. If the user has a budget, it is understandable that such an optimal combination is intended. However, different security control methods and devices forced to stop use will incur a lot of additional costs, such as additional staff training costs and management costs. Unified Threat Management (UTM) is becoming increasingly popular. This shows that the best combination of solutions is neither realistic nor economical for many experienced administrators.

Optimizing the security performance of Windows 7 has the following benefits: it can enhance the compatibility between the operating system and group policies, and bring familiar user interfaces and commands. In this way, the system security configuration will become very simple, far stronger than adding third-party suppliers to the system's security products. This configuration reduces the user's need for multi-vendor relationships and multi-product knowledge mixing, and reduces the number of upgrades. Windows 7 is not perfect, but it is already quite good: it is far better to reasonably and correctly configure a good security product than to pursue a best product that does not exist at all.

1. Windows 7 5 Security Features
2. In-depth discussion on how to protect Windows 7 Security