Even after its release, Windows 7 will find it hard to shake XP's market position for the moment, but Windows 7 is not just a pretty face. Besides its dazzling desktop applications, Windows 7 has made many breakthroughs in enterprise-level security. This article introduces five little-known security features of Windows 7 Enterprise Edition.
Windows and security have not always coexisted well. In the past, whenever usability conflicted with system security, Microsoft chose to sacrifice security. Windows XP suffered a wave of network worm intrusions: Microsoft had shipped XP with a firewall to defend against worms, but to make the system easier to use, that firewall was disabled by default.
Beyond the security problems users can feel directly, Vista took an important step forward in security. Windows 7 not only carries over the security improvements of the previous version but adds many new features in other areas. The most obvious improvement is User Account Control (UAC). In Vista, UAC was vulnerable to attack and brought many security risks, so many users simply turned it off. In Windows 7, UAC has been greatly improved: it now provides solid system defense, identifies risks better, and gets in the way of work less.
In addition, Windows 7 has quietly added some less conspicuous security features aimed specifically at protecting enterprise networks. The most important are as follows:
DirectAccess: allows remote computers to access the internal network over the Internet automatically and seamlessly, without connecting to a virtual private network (VPN).
Windows Biometric Framework: provides a standardized approach for fingerprint scanners and biometric identification applications.
AppLocker: locks down which applications may run in Windows, giving control over application execution.
BitLocker To Go: the most important feature, extending BitLocker's hard disk encryption to removable devices.
Multiple active firewall profiles: improves on manually configured firewall profiles to achieve better protection of network communication.
It is understood that Windows 7 Enterprise Edition has all of the above features; among the other editions of Windows 7, only the Ultimate Edition has them.
Even if you cannot experience all of these new features immediately, it is worth knowing about them in advance. Note also that if you have not fully upgraded to Windows 7 Enterprise or Ultimate Edition, you cannot run all of these functions; at the very least you cannot use DirectAccess.
Below we introduce the functions you can use right away, and look at how these new functions protect the security of Windows computers on the network.
Function 1: Configure and coordinate multiple firewalls
Compared with Vista, Windows 7 has a seemingly small but important improvement in firewall configuration. Vista lets users enable separate firewall profiles for public, private and domain networks. A private network might be your home Wi-Fi network: users can join it without any further credentials as long as they enter the correct WEP or WPA key. Logging on to a domain network, however, requires authentication, using passwords, fingerprints, smart cards or a combination of these.
Each profile selectively allows applications through the firewall. For example, on a small private network at home or in the office you can enable file and printer sharing, but on a public network you should not share your files.
In general the Vista firewall works well, except when the computer is connected to several networks at once, for example to both Ethernet and wireless. In that case the system applies the strictest profile to everything by default, which causes many problems. For example, when you connect to the company VPN through a public Wi-Fi hotspot, Vista applies the public profile to both the public network and the domain network.
All Windows 7 editions can run several firewall profiles at the same time, one per network connection, so that trusted networks get more access and untrusted networks get less. Because the remote access connection is no longer constrained by the stricter public profile, you need worry far less about external networks intruding into the enterprise intranet.
Figure: in Windows 7, each network connection can use its own firewall profile
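As an added example (not code from the article), the per-profile policy described above can be scripted on Windows 7 with netsh advfirewall from an elevated PowerShell prompt; the rule name is constructed for this example.

```powershell
# Added example: per-profile Windows 7 firewall policy via netsh advfirewall.
# Run elevated. The rule name below is made up for the example.

# 1. Make sure none of the three profiles is switched off.
netsh advfirewall set allprofiles state on

# 2. Default policy for every profile: drop unsolicited inbound, allow outbound.
#    Comma-separated values are quoted so PowerShell does not split them into an array.
foreach ($p in 'domainprofile', 'privateprofile', 'publicprofile') {
    netsh advfirewall set $p firewallpolicy "blockinbound,allowoutbound"
}

# 3. Open SMB (TCP 445) for file and printer sharing on private and domain
#    networks only. Because Windows 7 applies each adapter's profile separately,
#    a public-profile Wi-Fi adapter keeps port 445 closed even while a VPN or
#    domain-profile adapter is up on the same machine.
$ruleName = 'Example - File sharing in (private and domain only)'
netsh advfirewall firewall delete rule name="$ruleName" | Out-Null   # idempotent re-run
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
    protocol=TCP localport=445 profile="private,domain"

# 4. Show which profiles are active right now, one per connected network.
netsh advfirewall monitor show currentprofile

# 5. Confirm the rule is scoped as intended (the output lists "Profiles: Private,Domain").
netsh advfirewall firewall show rule name="$ruleName"
```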
Function 2: Windows Biometric Framework
As fingerprint readers become common on laptops, it is important to have a set of standards for handling human identification data. To solve this problem, Windows 7 introduces the Windows Biometric Framework, which provides a standard method for storing fingerprint data and a common API for accessing it. Although developers are interested in many sub-functions of the framework, there are two things enterprises must know before deploying it.
Figure: the biometric framework can enroll fingerprints from all 10 fingers
First, traditional fingerprint scanners could be connected to a computer but not integrated with the enterprise network; Microsoft's Windows Biometric Framework can be.
Second, the Windows 7 fingerprint recognition system can store the fingerprints of all 10 fingers for each user. Nobody wants to injure a finger, but if something does happen to one, you can still log on to the system with another, which is clearly smarter than the traditional approach.
Fingerprints are enrolled through the Biometric Devices applet in the Windows 7 Control Panel. After a fingerprint scanner is attached to any Windows 7 system, you can log on with a fingerprint. Note that you must add or manage fingerprints as an administrator.
Function 3: BitLocker To Go
Currently the most serious security risk is the loss of business secrets from mobile devices. BitLocker in Vista protects user information by encrypting the notebook's entire hard disk, so that nobody can read the data even if the machine is stolen or lost. BitLocker To Go in Windows 7 also protects user information through encryption, but it is simpler to use and extends protection to pocket-sized portable hard drives and small flash drives.
Figure: enabling BitLocker to encrypt a device
This function is available in Windows 7 Enterprise Edition. Simply right-click the external device icon in Explorer and select "Turn on BitLocker" from the menu; a wizard opens, you configure the encryption as instructed, and then wait for the process to finish. The waiting time depends on the speed of your computer and the device: it takes about 20 minutes to encrypt a 2 GB flash drive or a larger external hard disk.
BitLocker To Go devices can be unlocked with a password; enterprises can also use smart cards or multiple authentication methods.
Creating an encrypted removable device requires Windows 7 Enterprise or Ultimate Edition. Once created, however, the device can be read and written on any edition of Windows 7, and you can also install a reader application so that Vista or XP systems can read (but only read) the device.
This new security feature lets policy makers require that information be written only to devices protected by BitLocker To Go, preventing it from being stored in an insecure environment. Windows Server users can also have Active Directory keep a copy of the recovery password, so that data can be recovered whenever the password is lost or forgotten.
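As an added example (not from the article), the following audit script checks which removable drives on a Windows 7 Enterprise or Ultimate machine are actually protected by BitLocker To Go and enables it with a password plus a recovery password on those that are not; it assumes an elevated prompt and the BitLocker WMI provider that ships with those editions.

```powershell
# Added example: audit removable drives for BitLocker To Go protection (Windows 7
# Enterprise/Ultimate, elevated prompt). Uses the BitLocker WMI provider and manage-bde.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Drive letters of removable disks (DriveType 2), e.g. USB flash drives.
$removable = @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' |
               ForEach-Object { $_.DeviceID })          # "E:", "F:", ...

$report = foreach ($vol in Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume) {
    if ($removable -notcontains $vol.DriveLetter) { continue }
    $prot = $vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
    $conv = $vol.GetConversionStatus()                    # includes EncryptionPercentage
    New-Object PSObject -Property @{
        Drive      = $vol.DriveLetter
        Protected  = ($prot -eq 1)
        PercentEnc = $conv.EncryptionPercentage
    }
}
$report | Format-Table Drive, Protected, PercentEnc -AutoSize

# Turn BitLocker To Go on for each unprotected drive with a password protector (-pw,
# prompted interactively) and a numerical recovery password (-rp). The recovery
# password is what Group Policy can escrow to Active Directory; store it safely.
foreach ($r in ($report | Where-Object { -not $_.Protected })) {
    $drive = $r.Drive
    manage-bde -on $drive -pw -rp
    manage-bde -status $drive
}
```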
Function 4: AppLocker application lock
By controlling which applications can be installed and run, you can effectively improve system stability and prevent malware intrusion and the bandwidth problems that slow down the network.
In earlier Windows versions this was handled by Software Restriction Policies. These policies provide practical protection against specific software based on the local file system, but they cannot stop an encrypted Trojan hidden inside a trusted application.
Software Restriction Policies are difficult to operate and maintain. Some applications are installed in unusual paths, so new path rules have to be written. Hash-based policies provide effective protection, but they break every time a program is upgraded: any change to the program's code, even a bug fix or update, changes its hash and can prevent the program from running. IT managers therefore have to keep maintaining lengthy lists of hash rules and coping with programs' automatic updates.
AppLocker, available in Windows 7 Enterprise Edition and Windows Server 2008 R2, adds a new and flexible way to control software: publisher rules. Publisher rules rely on the signature information of programs, which more and more applications now carry.
An application's signature information is more detailed than the file paths and hashes of the old approach. It lets the system administrator create finer-grained rules: for example, allowing any software from a specific vendor, a specific product from that vendor, or only a specific version of that product. For instance, you can create a rule that allows only Adobe programs to run, or only Photoshop, or even only the latest version of Photoshop.
AppLocker rules can be applied to executables, scripts, installers and system libraries (DLLs). This gives you various options: users can install the software they need, the administrator does not have to track every software update, and unauthorized software installation is prevented.
In addition, AppLocker rules can be targeted at specific users and user groups. For example, the accounting group and the graphic design group have different software requirements. With AppLocker, once the rules for a group are configured they apply to everyone in it, and AppLocker can even distinguish between user groups that share the same computer.
Be clear, however, that AppLocker is only available in Windows 7 Enterprise Edition and Windows 7 Ultimate Edition. If your users run an earlier version of Windows, you still need to set Software Restriction Policies for them. But as more users upgrade to Windows 7, you can drop SRP and switch to AppLocker.
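As an added example (not the article's or Microsoft's own code), the following script uses the AppLocker cmdlets that ship with Windows 7 Enterprise/Ultimate and Server 2008 R2 to build publisher rules for a vendor folder, fall back to hash rules only for unsigned files, test the policy before enforcing it, and read the block events; the install folder, user name and file path are assumptions.

```powershell
# Added example: publisher-first AppLocker policy, dry-run test, enforcement, detection.
# Windows 7 Enterprise/Ultimate or Server 2008 R2, elevated prompt. Paths are assumed.
Import-Module AppLocker

$appDir    = 'C:\Program Files\Adobe'          # assumed vendor install folder
$policyXml = "$env:TEMP\adobe-publisher.xml"

# 1. Collect signature (publisher) and hash information for every EXE and DLL.
$files = Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe, Dll

# 2. Prefer publisher rules; only files without a valid signature get hash rules,
#    which is exactly the subset that will break on the next update.
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'Adobe' -Optimize -Xml | Out-File $policyXml -Encoding utf8

# 3. Dry-run: would a given file be allowed for a given user under this policy?
Test-AppLockerPolicy -XmlPolicy $policyXml -User 'CONTOSO\jdoe' `
    -Path 'C:\Users\jdoe\Downloads\installer.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Merge into the local policy. Once allow rules exist, anything without one is
#    blocked, so create the default rules for Windows and Program Files first
#    (Local Security Policy > AppLocker > Create Default Rules). AppLocker only
#    enforces while the Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
sc.exe config AppIDSvc start= auto
Start-Service AppIDSvc

# 5. Detection: blocked executions are logged as event ID 8004 in the AppLocker log.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -eq 8004 } |
    Select-Object TimeCreated, Message
```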
Function 5: DirectAccess
Microsoft calls DirectAccess the next generation of VPN. DirectAccess allows users of Windows 7 Enterprise and Ultimate Edition to connect directly to a Windows Server 2008 R2 server. Whereas a VPN connection usually has to be initiated by the user, with DirectAccess the system connects to the company network automatically as soon as the computer is on the network, and the whole connection process is completely transparent.
Figure: Windows 7 DirectAccess connection
DirectAccess's automatic connection is a great improvement over traditional VPN connections. First, it uses IPsec and IPv6 for data encryption and end-to-end connections. With a VPN, encryption ends at the VPN server, whereas DirectAccess keeps data encrypted all the way from the enterprise intranet application server to the client.
DirectAccess uses standard Internet ports for communication, so it can pass through firewalls without special configuration, which is not something VPN users can count on.
Another advantage of DirectAccess is that it creates and maintains the connection automatically. Even when the user is not actively using company resources, administrators can still manage and update DirectAccess computers. With a VPN, users only reach network resources while the VPN connection is up, and establishing that connection is often time-consuming.
For example, if a remote user connects to a wireless hotspot in a local coffee shop, DirectAccess detects that an Internet connection is available and automatically establishes a connection with the DirectAccess server at the edge of the internal network. The user can then access the internal resources the administrator has granted remote access to, such as internal shares, websites and applications.
The connection time is mostly spent because VPN users must be isolated, scanned and remediated before they are authorized to log on to the company intranet. The whole process slows down the connection and thus reduces employee productivity. With DirectAccess, by contrast, the computer can be updated normally even while it sits idle, and its access to the enterprise network can be monitored.
However, it is impractical for most companies to move to DirectAccess immediately. It relies on a solid network infrastructure, including Windows Server 2008 R2 and IPv6, which many enterprises do not yet fully have, so it may take several years for enterprises to move their environments completely to DirectAccess. For the next few years, VPN will remain the mainstream.
Looking to the future, a secure "home office" environment will be the trend. By then the network will let employees work from home just as smoothly as in the office.