What does Windows 7 bring to the system security administrator?

As we all know, Microsoft has been very concerned about operating system security since Windows XP SP2. Despite the popularity of Windows Vista in terms of performance and compatibility, Windows Vista is rarely criticized for its security. In fact, one of the main mistakes of Vista is that the strict User Account Control UAC caused by the focus on security, which affects the entire system.

Now, in Windows 7, Microsoft has reduced the UAC control function but not paid more attention to security) and added security functions, which are more conducive to end users and system security administrators in many aspects. Next, let's look at it.

Application Control Policy

AppLocker is a new security feature introduced in Windows 7. It can control the installation and use of enterprise applications to ensure security. Remember that only Windows 7 of the flagship edition and enterprise edition contains AppLocker to work closely with Windows Server 2008 R2.

AppLocker allows you to create rules using attributes such as the digital signature of a file. These rules can be used to control user access and use of any type of executable files. Of course, as a flexible tool, you can use AppLocker to create exception rules. You can apply rules to the entire security team, or create rules for individual users more accurately. To better understand the role of AppLocker, you can view the demo on the Microsoft TechNet website.

BitLocker and BitLocker To Go

BitLocker is introduced in Windows Vista and can now be used in Windows 7 as a security function, it prevents unauthorized access to the desktop system and data leakage from lost/stolen laptops. As we all know, BitLocker's encrypted file system EFS has reached a new level in terms of functionality. It can use hardware-level encryption on hard disks, which not only protects actual data files, even system files can be included, including temporary files, swap files, sleep files, and other data blocks.

In Windows 7, BitLocker is further extended. With the new BitLocker To Go, it can now support USB flash drives for Mobile storage. This means that there is no risk of data leakage for easily lost USB flash drives.

Remember that BitLocker and BitLocker To Go are only available for Windows 7 of the enterprise and enterprise editions. For more information about BitLocker and BitLocker To Go, you can view the demos on the Microsoft TechNet website.

User Account Control

As we all know, User Account Control is not very popular in Vista, but it is still an important security tool for Vista, the "you are sure" prompt can prevent the execution of malware due to negligence, and permission control can be used to prevent processes with potential risks. In Windows 7, UAC has been improved and used more conveniently.

For example, some types of tasks can be approved by standard users without the intervention of the system administrator. This reduces the number of prompts and provides convenience for end users, reduce the burden on system administrators. In addition, a professional system administrator can adjust or even disable the UAC level on the control panel. In addition, the new Local Security Policy can be used for UAC prompts to local system administrators and standard users.

ActiveX Control Installation Service

As we all know, ActiveX controls are self-registered COM used by Internet Explorer, Office, and Windows Media players to provide users with a more interactive experience. ActiveX controls are usually distributed. In the cab file, users of the standard account do not have the permission to install them. However, in Windows 7, the new ActiveX control installation service is enabled by default, in this way, the system administrator can easily deploy websites configured in the trusted site area by using group policies, and install ActiveX controls without intervention. This reduces the time required for additional telephone support and ActiveX controls for repackaging and distribution.

Direct Access

The new direct access function of Windows 7 is closely integrated with Windows Server 2008 R2, which makes enterprise networks without VPN more convenient for end users. As long as direct access is enabled, a secure two-way connection can be automatically established between the mobile system and the company network. Mobile staff can establish a secure two-way connection without relying on VPN, securely connect to any location of the enterprise network through the Internet. With the help of direct access, IT professionals do not need to worry about additional expenses incurred by providing and maintaining VPN configurations.

Multi-Role firewall policy

As we all know, the Windows Firewall policy in Vista is based on the public, home, and work/domain types of network connections, and supports only one connection type at the same time. Unfortunately, such restrictions may cause various problems when different firewall policies are required. For example, when a mobile user accesses the public network and then initiates a VPN connection to the company network.

To adapt to this situation, Windows 7 firewall provides new features that allow multiple firewall policies to be enabled at the same time so that the appropriate firewall policies take effect no matter what type of connection is being used, this ensures the security of mobile/remote users and can access the corresponding network. On the other hand, the new multi-role firewall policy allows security professionals to maintain a set of systems suitable for mobile/remote systems and physical connections.

And more...

Although I have been impressed by the new security features of Windows 7, I have made many improvements in the existing security features. For example, the architecture of the encrypted file system (EFS) has been adjusted and added to the Elliptic Curve Cryptography (ECC) mode, which meets the level B security requirements stipulated by the National Security Agency.

With the support of the new ECC, the Kerberos Authentication Mode also supports more powerful logon passwords for smart cards. The NTLM authentication protocol now supports a minimum of 128-bit security encryption policy by default, but you can also lower the level. For more information about the new security features of Windows 7, see the latest client security changes article on the Microsoft TechNet website.