Using Windows 7 security features in your data protection program
Date: Apr 18, 2011
As enterprises prepare their Windows 7 migration strategies, making the most of the OS requires an understanding of the various Windows 7 data protection features.
In this presentation, Lisa Phifer discusses Windows 7 security features like AppLocker, User Account Control, BitLocker, BitLocker To Go, Volume Shadow Copy and DirectAccess. These native Windows 7 tools can help security professionals in their strategy to protect corporate data. Phifer explains each Windows 7 security feature and outlines the pros and cons of each. You'll learn how these native Windows 7 security features can fit into your overarching data protection program.
You'll learn which Windows 7 security features best fit your environment and understand when and how to use them. You'll gain insight on how these native features can be more cost-effective, seamless and ubiquitous and understand when it's best to consider a best-of-breed security solution.
(This presentation was originally recorded in September 2010.)
About the presenter: Lisa Phifer is President and co-owner of Core Competence, a consulting firm focused on business use of emerging network and security technologies. At Core Competence, Lisa draws upon her 27 years of network design, implementation, and testing experience to provide a range of services, from vulnerability assessment and product evaluation to user education and white paper development. She has advised companies large and small regarding use of network technologies and security best practices to manage risk and meet business needs. Lisa teaches and writes extensively about a wide range of technologies, from wireless/mobile security and intrusion prevention to virtual private networking and network access control.
Read the full transcript from this video below:
Using Windows 7 security features in your data protection program
Welcome to the searchsecurity.com presentation Integrating Windows 7 Into
Your Data Protection Strategy. I'm Lisa Phifer, principal of Core
Competence, a consulting firm that specializes in leading edge network and
security technologies. In this webcast, I will be taking you on a tour of
several new and improved security tools found in Windows 7. As many of you
probably know, Windows 7 represents a significant improvement over Windows
Vista, which all but the unluckiest companies opted to skip. You might say
Windows 7 is Windows Vista done right.
Many of the tools we will cover today were originally released in Vista and
then subsequently improved in Windows 7, but some of them are brand new in
Windows 7. Together, they make Windows 7 the most secure out-of-the-box
operating system Microsoft has ever released. However, as those of you who
are responsible for data protection know all too well, acquiring tools is
only the first step. Every company must decide which tools to use and how
to complement them to be more effective. In today's webcast, we hope to help
you take these steps during your own Windows 7 rollout.
Here's what we will be covering during the next half hour. First I'll walk
you through the new and improved Windows 7 security tools that most impact
data protection. Specifically, AppLocker, User Account Control, BitLocker,
BitLocker To Go, Volume Shadow Copy, and DirectAccess. For each of these
new tools, I will explain what it does, what it's good for, and some pros
and cons that you want to consider when deciding whether and how to use the
tools. We will wrap up by discussing how these native Windows 7 security
tools can benefit, impact, and perhaps dovetail with your overall data
protection strategy. By the end of this webcast, I hope you will feel more
informed and you will know which Windows 7 tools are probably not for you
and which actually warrant more serious consideration, as well as why.
Gartner estimates half of companies will start to deploy Windows 7 this
year. This begs the question, which Windows 7? Redmond has a penchant for
confusing names and features, and Windows 7 is no exception. At least five
different editions of Windows 7 are widely available, more if you count
embedded systems and 32- or 64-bit versions of each operating system. Let's
start by cutting this big family down to size and identify the precious few
you will want to consider.
If you encounter Windows 7 Starter at all, it will be on consumer netbooks.
The very first thing you should do is replace Windows 7 Starter with a
more complete and useful version of Windows 7. If you encounter Windows 7
Home, it will be on a consumer PC: maybe one owned by one of your employees
or one you purchased from a retail company. The first thing you should
consider is upgrading, at least to Windows 7 Ultimate. However, most
businesses, even small to medium businesses, should just purchase Windows 7
Enterprise. Don't let the Enterprise name fool you. Why? Windows 7 Ultimate
and Enterprise add cost, but they bring more to the table, especially when
it comes to security. You won't find AppLocker, or BitLocker, or DirectAccess
in Windows 7 Professional, or Home, or Starter. They have data
protection tools that require Ultimate or Enterprise at least in some
What about the difference between Ultimate and Enterprise? If you want
volume licensing and Software Assurance, you need to go with Enterprise. If
you don't mind activating Windows 7 on each individual PC, then Ultimate is
going to be sufficient. In today's presentation I'll be covering features
native to Windows 7 Enterprise and Ultimate, either 32- or 64-bit. If you are
stuck with Pro, Home, or Starter, some of the best features we are going to
talk about today will be missing.
Let's start with AppLocker. One Windows 7 Enterprise- and Ultimate-only
security tool is AppLocker. This is a new whitelist service that lets
you permit authorized programs while automatically denying everything else. In
Windows 7, AppLocker whitelists replace the old XP and Vista software
restriction policy blacklists. Those old blacklists were based on hashes
and path names. They were much too hard to maintain and they were fairly
easy to bypass. AppLocker strikes a much better balance by permitting or
denying program launch based on publisher rules. To permit unsigned
programs, you can still fall back to hash rules or path rules as your last
AppLocker publisher rules check digital signatures on executables as well
as installers, scripts, and libraries. To get started, AppLocker provides a
wizard that will search a reference PC and propose publisher and hash
rules that will match that installed set of programs. AppLocker isn't
perfect, but it can reduce your malware attack surface. It can also help you
enforce potentially unwanted program policies.
Here are a few things you might want to consider. Once you turn AppLocker
on, everything is going to be denied. It's easy to cripple a PC if you are
not careful. For best results, I also recommend starting in "audit only"
mode. In that mode you will be able to see what programs are actually being
used. This all by itself can be pretty insightful. Larger companies really
won't like the complexity of whitelisting a lot of different programs and
versions that are used by thousands of users. Smaller businesses may find
AppLocker easy to use and effective enough to be worthwhile.
You can also use Active Directory Group Policy Objects to configure
AppLocker, but it's important to realize you don't have to do that. You can
individually configure AppLocker on each PC. Maintaining whitelists can be
time consuming. AppLocker is well suited for kiosk PCs that have to be locked
down tightly. It is also well suited for PCs that have a pretty narrow
purpose and don't change much. If you must keep pace with frequent program
or ActiveX updates, then you want to look at a third-party enforcement tool
Next up is User Account Control. Those much-maligned User Account Controls
introduced in Vista are back in Windows 7, but they did go through a big
reality check in Redmond. User Account Control discourages applications and
users from making unauthorized system changes, both defaulting to standard
user and requiring explicit permission when attempting privileged tasks.
For starters, Windows 7 makes User Account Control more configurable,
ranging from 'always notify' for tightly controlled PCs to 'never notify'
for administrators. In between lies the default level, which is to notify
when programs try to make changes to the computer. That can happen with
or without switching to a secure desktop mode. In Windows 7 some of those
prompts are now eliminated by silently elevating many routine tasks such as
adding printers and changing the date and time.
Many Microsoft applications have been refactored in Windows 7 in order to
segregate activities that do and don't require privileges. These steps have
eliminated a bunch of Vista prompts that annoyed people in the past.
Administrators can turn prompting off entirely without turning User Account
Control off. User Account Control is available on all Windows 7 editions,
and it can wean users off the common but risky practice of everyone running
as administrators on their own PC. Doing this will help you contain accidental
and malicious actions that could compromise system integrity. However,
users might perceive User Account Control as a bit heavy-handed, so you have to
tread lightly here. For example, a frequent traveler might need to run as an
administrator if they need to install not just new printers but actually new printer
Now let's talk about BitLocker. BitLocker was a popular feature introduced
in Vista and it's back in Windows 7 Enterprise with big improvements. This
tool can now use longer PINs in two-factor authentication to unlock AES-
encrypted data that is stored on hard disk volumes. When a volume is
protected by BitLocker, operating system files, temp files, hibernation
files, and user data are all written to disk in either 128-
or 256-bit AES-encrypted format. This is a cheap and easy way to prevent
data from being read when a PC is lost, stolen, or browsed by anyone who
doesn't have the access credentials. Encryption keys and the credentials
used to protect them are at the heart of every disk encryption tool. With
BitLocker, encryption keys can be stored on the PC's Trusted Platform Module
chip, TPM chip, or a USB key inserted into the PC, or recovered by an
Using TPM in combination with a second factor, like a smart card,
provides the most robust BitLocker protection for your data, although
that's not possible on all PCs. Most new laptops have TPM chips, but many
older laptops and desktops do not. Other BitLocker features added in
Windows 7 include an agent that interfaces with the recovery key store, as
well as centralized control over where and how BitLocker gets used. These
can help you ensure that encryption is applied correctly throughout your
workforce. However, there are still many things BitLocker can't do that a
third-party best-of-breed product can. We will talk more about that
later. But here I'll give you a quick example. BitLocker can't protect data that rests on a pre-
Vista PC or a Windows Mobile or a Mac or even virtual hard disks. After
users provide a PIN or USB stick at boot time in order to unlock BitLocker,
they still have to log in to Windows separately. There is no single sign-
on. Finally, smart cards are a great new feature for BitLocker, but unfortunately
they can't be used to unlock an encrypted boot drive.
Another new feature of Windows 7 is BitLocker To Go. If a stolen, lost, or
borrowed USB drive falls into the wrong hands, BitLocker To Go can prevent
any files stored there from being copied or opened without entering the
drive's passphrase. New in Windows 7 Enterprise and Ultimate, BitLocker To Go
can create an AES-encrypted container on any USB drive. In fact it borrows a
lot from the
What makes BitLocker To Go so different is portability. We all
drives to do things like move files from one PC to another.
We take work home, we carry slides to a show, we might want to give files
to a colleague. And all those uses require a self-contained approach that
doesn't require installing software on the other end: a USB drive that
carries both your encrypted data and a portable program that you can use to
read and write that data. When BitLocker To Go is enabled on a given USB
drive, Windows 7 installs a reader that autoruns upon drive insertion.
Forevermore after that, all files that you copy onto the drive are
automatically encrypted. That encrypted container can be opened on other
PCs, including not just Windows 7 but XP and Vista, by entering the drive's
passphrase. Unfortunately, files can't be updated or added when you are
working on an XP or Vista PC. Those are read-only platforms for BitLocker To Go.
Also, BitLocker To Go doesn't work on non-Windows devices at all.
A free solution like BitLocker To Go makes it easy for individuals to protect
their own USB drives. That helps businesses reduce data leakage by setting
group policies that mandate encryption whenever data is copied onto a USB
drive. Basically you can stop data from being copied onto a drive in
unencrypted format. Here again BitLocker To Go pales next to third-party
best-of-breed portable data protection products. For example, BitLocker To Go
can't encrypt and it can't prevent data from leaking onto other kinds of
media like CDs and DVDs. And it also can't deliver robust FIPS-certified hardware
encryption like some other secure USB drives can.
Next let's talk about Volume Shadow Copy. Windows XP introduced system
restore points to roll damaged PCs back to known good earlier states.
Windows 7 actually beefs up that restore capability with Volume Shadow
Copy, VSC. That's a service that automatically and transparently backs up
entire volumes, including Windows system files, program files, settings and
user files. This all happens automatically when you turn on Volume Shadow
Copy. By default, shadow copies are created weekly on Windows 7 PCs and
changed files are written in their entirety to another partition of the same
hard drive. That's done only when the PC is idle to reduce interference
with the user. If a document has later been accidentally deleted or it's
corrupted, a user can easily browse his particular PC's Volume Shadow Copy to
view and recover individual files. He can also use it to restore the entire
volume. And it's even possible to create a bootable virtual hard drive image with
Volume Shadow Copy. It's best to think of Volume Shadow Copy as an extra
layer of routine protection against data loss, one that costs nothing more
than the disk space that you will set aside for storage. On-the-go workers
can use VSC to recover their own files quickly without Internet
connectivity, without help desk support. However, VSC is not a full-featured
replacement for real-time incremental data backup to persistent external
storage. VSC is slightly configurable. For example, copies can be made
daily or monthly or on demand. But shadow copies are created and stored
independently on each PC. They always keep updating themselves, so they are
not archived. From a data management perspective that approach won't scale
beyond a handful of PCs.
OK, now for DirectAccess. For those tired of intrusive, hard-to-use VPNs,
Windows 7 Enterprise offers DirectAccess. DirectAccess offers automatically
initiated, authenticated, encrypted IPv6 and IPsec tunnels to securely connect
remote Windows 7 users to resources that are inside your private network.
Those DirectAccess tunnels can terminate either at a Windows Server 2008
gateway that sits at the edge of your network, or an IPv6 Windows Server
2008 that sits behind that gateway somewhere inside your network. Here's
the catch. To achieve this transparent, always-on secure access, a DirectAccess
server has to be installed on Windows Server 2008, with at least two
publicly routable network adapters. Furthermore, your network must be at
least somewhat IPv6 capable. If you haven't started on IPv6 yet, don't
worry about it. If you have though, you might recognize the next
requirement: you have to have an IPv6 DNS namespace and address
prefix for all remotely accessible resources. You also will need to have
publicly routable IPv6 addresses for every single remote Windows 7 client.
The one saving grace is that DirectAccess can tunnel IPv6 inside IPv4 or
actually inside SSL in order to traverse subnets that are out in the
Internet that don't support IPv6 yet.
If all that network plumbing wasn't hard enough, DirectAccess authentication
is pretty good, but it's based on machine certificates in combination with
user credentials, like domain passwords and smart cards. What this means is that
every remote user must run Windows 7 on a machine that has been joined to
your domain and has been issued its own digital certificate. Wow. Aren't
you glad you asked? If you can pull all this off, DirectAccess does offer
some interesting benefits. When users are offsite, DirectAccess provides
no-fuss over-the-air data protection all the time, even surviving mobile
roaming and network address translation, things that are pretty much on
traditional VPNs. When users are on site, DirectAccess automatically steps
out of the way, allowing unencrypted access to resources inside your
network. However, you must be comfortable using Windows Server 2008 as your VPN
gateway, because there aren't any third-party vendors that sell DirectAccess-
capable VPN concentrators or firewall appliances.
While we have focused on Windows 7 security tools most relevant to data
protection, migrating to Windows 7 brings a plethora of security benefits. I
don't have the time to talk about them all here, but I'll give you a quick
preview of the most important ones. Windows 7 picks up where Vista left off
hardening the operating system platform, with features like Data Execution
Prevention and Address Space Layout Randomization. Those acronyms are
confusing; just know they deter malware, even when you are browsing the
web. Internet Explorer 8, which is supplied with all versions of Windows 7,
includes many security enhancements like SmartScreen filtering, trusted
domain highlighting, basic cross-site scripting attack filters and InPrivate
browsing. Basically it's a big improvement on Internet Explorer.
Secure protocols form a vital part of any network foundation. Windows 7
does include support for some new secure protocols, specifically IPv6
and DNSSEC, a secure version of DNS. What those do is make it much
harder for an attacker to spoof IP packets and addresses. It also lets you
use stronger encryption and integrity algorithms to protect your key
TLS sessions and your encrypted files. Windows 7 includes
policy-based network segmentation that lets you apply different firewall
rules based on each location. For example, now you can add different rules
for Wi-Fi at home, at the office, and in a public hot spot. Windows 7 also
adds more helpful information to the granular XML-based audit events that
were created in Vista. For example, not only do you hear that a given
activity was permitted or denied, but now you can see why Windows made that
decision. To learn more about Windows 7 security, visit Microsoft's website
or read the many Windows 7 tips that are posted on SearchSecurity.com. Note
that Internet Explorer 8 doesn't actually require Windows 7. So, if you are not
already using IE 8, get ready by retiring your older, less secure browser.
Now that you are familiar with Windows 7 security tools, let's consider how
they impact and complement your overall data protection program. Just
because Windows 7 includes volume and USB encryption and always-on secure
remote access and whitelisting, it doesn't mean those tools are really free
or even really appropriate for your workforce. Even if they are, enabling
and maintaining them is going to be up to you. Overall it's fair to say
that these native Windows 7 security tools are not best-of-breed solutions.
Depending upon your needs and your environment, these tools may be relatively
inexpensive; they will probably be more transparent. They will create a more
secure OS environment right from the get-go. Although it is certainly not
true today, someday these native tools will be more ubiquitous than third-
party best-of-breed add-ons ever could be.
However, for every Windows 7 tool I've described, a dozen or so third-party
alternatives exist today. Those point solutions focus on specific problems.
They've been refined over time. That tends to make them more robust, more
flexible, more scalable and often more manageable, particularly if you need
to secure systems running other operating systems in addition to those
running Windows 7. The bottom line: there are two ways you can immediately
take advantage of Windows 7 security. First, start using native tools that
add value to what you do today without costing you very much. Second, you
can use Windows 7 for leverage with any best-of-breed data protection
vendors you might work with. They may be willing to drop their prices or
throw in some extras in order to compete for your dollar.
Everyone's situation is different. Let's take a quick first pass at dividing
Windows 7 security tools into two different camps: those that provide clear
advantages for most businesses and those that take some head scratching. In
the first camp, I put User Account Control, Volume Shadow Copy and
BitLocker To Go. UAC and VSC are there whether you enable them or not. They
are in every version of Windows 7, and they can run transparently if you want
them to. They have only a few settings that you are going to have to mess
with. I also include BitLocker To Go in this camp because it is not really
an all-or-nothing decision. Even if you buy hardware-encrypted USB drives
for users that handle regulated data and need that extra protection,
PCs that run Ultimate or Enterprise anyway can still use BitLocker To Go to
protect those no-name drives that users pick up on their own at trade
shows or from colleagues. These three tools are far from bulletproof, but all
of them can actually reduce your attack surface and therefore your risks.
In the second camp I've put AppLocker, BitLocker, and DirectAccess. All
these require Enterprise or Ultimate. They are more intrusive and resource
intensive, and they compete with best-of-breed solutions that have been
around for much longer and frankly are more mature. If you have already
invested in an SSL VPN, or cross-platform encryption product, or data leak
prevention product, they probably offer more than Windows 7 does today.
These Windows 7 tools should be considered candidates for your long-term
strategy; the only really compelling reason to deploy these immediately is to fill a very
important gap. If you decide to do that, don't just compare the cost of
Windows 7 Enterprise to the cost of an endpoint security agent from a
third party. Take the time to perform a cost-benefit analysis that considers
total cost of ownership: needs, risk, and of course, current state of your
To illustrate this decision-making process, take a look at BitLocker volume
encryption. For many companies, protecting data from risk is job No. 1,
especially on devices that leave the office. That might include laptops,
smart phones, and USB drives. Is BitLocker the best way for you to fill
that security need? If you have other devices to protect that don't run
Windows 7, if you have Windows 7 PCs to protect that don't run Enterprise
or Ultimate, or if you have laptops that don't have TPM chips, then
BitLocker can, at best, address only part of your needs.
If you have already deployed a best-of-breed full-disk encryption product,
is there any reason to use BitLocker instead? Possibly. For example, if your existing
deployment only covers laptop encryption, you might decide BitLocker is good
enough for encrypting desktops. If your existing best-of-breed solution
doesn't yet run on 64-bit processors, maybe BitLocker will be an easy way
for you to avoid leaving data exposed on new 64-bit PCs. Finally, if you
have not yet deployed laptop encryption, what are you waiting for? If your
laptops run Windows 7 Enterprise or Ultimate, turn BitLocker on. Still,
evaluate whether BitLocker is the right strategic tool for longer-term use.
Finally, notice that I haven't mentioned Windows Server 2008 very much.
That's because, with the sole exception of DirectAccess, all these Windows 7
security tools can be used without Windows Server 2008. If you haven't yet
deployed Windows Server 2008 or you don't want to deploy Windows Server
2008, don't fret. You can still use AppLocker or BitLocker or Volume
Shadow Copy. That said, there are some advantages to deploying Windows
Server 2008 in conjunction with these Windows 7 security tools. Most of
these tools require settings that are managed more efficiently and
effectively over a larger number of PCs using Group Policy Objects that
you define centrally and then associate with Active Directory users and
groups. If you deploy BitLocker or BitLocker To Go, Windows Server 2008 can
also serve as your central recovery key store, so that you can always get
that data back even if the user forgets their password or the user leaves
the company but leaves you the PC.
If you deploy AppLocker in audit mode or you configure any other tool
to generate audit events, Windows Server 2008 can also help you monitor
what is happening throughout your workgroup and your domain. Windows
Server 2008 can form a significant part of your overall security platform,
from Active Directory account management to Network Access Protection health
checks to overall security policy administration and enforcement. If you
need to secure more than a dozen or so users and PCs, you might want to
invest in Windows Server 2008, no matter how you decide to make use of
Windows 7 native security tools.
During this webcast we introduced Windows 7 security tools that can play a
role in your overall data protection strategy. Hopefully by now you know
that AppLocker tries to stop malware and unwanted programs from actually
running. User Account Control helps you protect the PC's integrity from
accidental or malicious actions. BitLocker encrypts data that rests on your
PC's hard drive. BitLocker To Go encrypts data transported on portable USB
drives. Volume Shadow Copy uses transparent backups to help you reduce the
risk of data loss, and DirectAccess protects data in transit sent and
received by Windows 7 users that are remote from your network. These native
tools can make a PC more robust and secure. But again, deciding whether and
how to use them is up to you. I believe that most businesses should turn a
few of these on immediately and leave the rest for careful consideration
and future use when and if needed, probably after you get more Windows
7 systems deployed. Finally, perhaps the best thing about Windows 7 is that
it ups the ante on endpoint security. Best-of-breed vendors are going to
have to work harder to beat Windows 7 now, and that will improve PC
security for all of us.
Thank you for watching this presentation and have a safe day.
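Added after the transcript: the AppLocker "audit only" rollout the presenter recommends (publisher rules first, hash rules for unsigned files, start in audit mode, then read what would have been blocked), written out as a PowerShell script. This is an added example, not code from the presentation or from Microsoft; the reference directories, policy path and test file are assumptions. It uses the AppLocker cmdlets that ship with Windows 7 Enterprise and Ultimate and must run from an elevated PowerShell.

```powershell
# Added example, not part of Lisa Phifer's presentation: a Windows 7 AppLocker
# rollout in "audit only" mode. Reference directories, the policy path and the
# test file are assumptions. Run from an elevated PowerShell on Windows 7
# Enterprise or Ultimate (the AppLocker cmdlets are not in Pro/Home/Starter).
Import-Module AppLocker

$refDirs    = 'C:\Program Files', 'C:\Windows'       # assumed reference install
$policyPath = 'C:\AppLockerPolicy\audit-policy.xml'   # assumed output path
$testFile   = 'C:\Users\Public\Downloads\tool.exe'     # assumed unsigned program

New-Item -ItemType Directory -Force -Path (Split-Path $policyPath) | Out-Null

# 1. Inventory the reference PC. Exe, Script and WindowsInstaller are the
#    collections most deployments start with; the Dll collection is left out
#    because it is large and expensive to enforce.
$files = foreach ($dir in $refDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, Script, WindowsInstaller
}

# 2. Publisher rules first (signed files); hash rules only for unsigned files.
#    -Optimize collapses many files from one publisher into a single rule.
$policyXml = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'RefPC' `
    -Optimize -IgnoreMissingFileInformation -Xml

# 3. Force every rule collection to AuditOnly. Nothing is blocked in this
#    mode; launches that *would* be denied are logged as event 8003 instead.
[xml]$doc = $policyXml
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyPath)

# 4. Apply to this machine. For a domain, point -Ldap at a GPO instead.
Set-AppLockerPolicy -XmlPolicy $policyPath

# AppLocker does nothing until the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 5. Ask the policy how it would treat a candidate file before enforcing.
if (Test-Path $testFile) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $testFile -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 6. Review the audit trail: 8003 = would have been blocked, 8002 = allowed.
#    Watch this for a few weeks before switching EnforcementMode to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message |
    Format-List
```

The point of step 3 is the failure mode the presenter warns about: applied with EnforcementMode set to Enabled, a policy built from one reference PC denies everything it did not see, which is how a PC gets crippled. Keeping every collection at AuditOnly turns the first weeks into an inventory exercise, and the 8003 events tell you which programs still need a publisher or hash rule before enforcement is switched on.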
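Also added after the transcript: the BitLocker and BitLocker To Go steps described above (TPM plus PIN as two factors, recovery password escrowed centrally, passphrase-protected removable drive, policy that refuses unencrypted USB writes), scripted with manage-bde, the command-line tool Windows 7 ships for this. This is an added example, not code from the presentation or from Microsoft; the drive letters and the registry mapping of the removable-drive policy are assumptions, and the PIN and passphrase steps prompt interactively.

```powershell
# Added example, not part of Lisa Phifer's presentation: enabling BitLocker on a
# Windows 7 Enterprise/Ultimate OS volume with manage-bde (the BitLocker
# PowerShell module only arrived with Windows 8), then protecting a removable
# drive with BitLocker To Go. Drive letters are assumptions. Run from an
# elevated PowerShell; the TPM+PIN and passphrase steps prompt interactively.
$osDrive  = 'C:'
$usbDrive = 'E:'   # assumed: removable drive, used as startup key or To Go volume

function Get-TpmReady {
    # Win32_Tpm reports enabled/activated/owned through WMI methods; all three
    # must be true before a TPM-based protector can be added.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $false }
    return [bool]($tpm.IsEnabled().IsEnabled -and
                  $tpm.IsActivated().IsActivated -and
                  $tpm.IsOwned().IsOwned)
}

if (Get-TpmReady) {
    # Two-factor unlock: TPM plus a boot-time PIN (manage-bde prompts for it).
    # PINs longer than 20 digits or containing letters need the
    # "Allow enhanced PINs for startup" Group Policy setting.
    manage-bde -protectors -add $osDrive -TPMAndPIN
} else {
    # No usable TPM: keep the key on a USB startup key that must be present at
    # boot. Needs "Allow BitLocker without a compatible TPM" in Group Policy.
    manage-bde -protectors -add $osDrive -StartupKey $usbDrive
}

# Always add a 48-digit recovery password so a lost PIN or startup key does
# not mean lost data, then escrow it in Active Directory (needs the BitLocker
# schema extensions and the "Store BitLocker recovery information in AD DS"
# policy on the domain).
manage-bde -protectors -add $osDrive -RecoveryPassword

$protectorList = manage-bde -protectors -get $osDrive | Out-String
if ($protectorList -match 'Numerical Password:\s*ID:\s*(\{[0-9A-Fa-f-]+\})') {
    manage-bde -protectors -adbackup $osDrive -id $Matches[1]
}

# Start encryption (AES-128 with diffuser by default on Windows 7; the
# "Choose drive encryption method" policy selects AES-256) and confirm.
manage-bde -on $osDrive
manage-bde -status $osDrive

# BitLocker To Go: the removable drive is unlocked with a passphrase, which
# manage-bde prompts for. XP and Vista can then open it read-only.
manage-bde -on $usbDrive -Password

# Assumed registry mapping of the policy "Deny write access to removable
# drives not protected by BitLocker"; in production set it through a GPO.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fvePolicy -Force | Out-Null
Set-ItemProperty -Path $fvePolicy -Name 'RDVDenyWriteAccess' -Value 1 -Type DWord
```

The branch on Get-TpmReady is the check a practitioner wants before a fleet rollout: the presenter notes that many older laptops and desktops have no TPM, and on those machines manage-bde refuses a TPM protector, so the script has to fall back to a startup key rather than fail half-way. The recovery-password escrow is the other non-negotiable step; without it, a forgotten PIN on a departed employee's PC leaves the data unrecoverable.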