NATIONAL HARBOR, Md. -- Now is the time for organizations to prepare for broad adoption of Windows 7, but information security managers expecting best-of-breed security features from Microsoft's newest client OS will likely be disappointed.
In a presentation this week at Gartner Inc.'s Security and Risk Management Summit, Vice President and Gartner Fellow Neil MacDonald told attendees that the Windows 7 security features make the OS a marked improvement over the venerable Windows XP and the "disaster" that was Windows Vista. However, a number of its highly touted security features cost extra to obtain, require additional Microsoft products to run and typically don't work as well as similar capabilities from third-party vendors.
For instance, top-end security features like AppLocker, BitLocker, BitLocker to Go and DirectAccess require the more expensive Windows 7 Enterprise edition, which is only sold through volume licensing with an Enterprise Agreement or Software Assurance maintenance plan; the features don't come with the pre-installed editions on PCs sold by HP or Dell.
Some organizations, MacDonald said, have tried to work around this limitation by purchasing Windows 7 Ultimate, a retail edition that contains the same security features as Enterprise. Despite a higher initial price than Enterprise, Ultimate works out about $100 cheaper per user once the cost of the maintenance plan is factored in. However, there are drawbacks to this approach as well.
"Ultimate is officially a consumer version, and comes with a consumer SKU, which means it has consumer-level support. So instead of getting 10 years of support and security patches, you only get five years," MacDonald said, "and you don't get volume license activation, so you'd have to manually activate each version."
Each of the individual Windows 7 security features has its pros and cons. AppLocker, Microsoft's highly touted application control or whitelisting technology, aims to make it easier to restrict which applications users can run or install. The trick, MacDonald said, is managing that list.
"Someone always has an exception, an application they want to run, so they generate a help desk call, and soon the care and feeding of the whitelist becomes cumbersome, because application needs change all the time," MacDonald said.
He added that a similar capability (Software Restriction Policies) is already available for XP, and that AppLocker's drawbacks, including no built-in software distribution mechanism and the need for customers to digitally sign many of their own applications, make it inferior to similar third-party products from vendors such as Symantec Corp.'s Altiris group and LANDesk Software.
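As an added example of the whitelist "care and feeding" described above (not code from the article or from Gartner), the following script shows the AppLocker workflow an administrator on a Windows 7 Enterprise reference machine would use: inventory the installed applications, count the unsigned ones that will have to fall back to brittle hash rules, generate a policy, deploy it in audit-only mode, and then turn the "would have been blocked" audit events into candidate exception rules instead of handling each help-desk call by hand. The output paths, the sample binary and the user account are assumptions for illustration.

```powershell
# Added example: AppLocker baseline and exception workflow (run elevated on Windows 7 Enterprise).
# C:\Policies\*, the Contoso binary and CONTOSO\jdoe are assumed names for illustration.
Import-Module AppLocker

$baseline   = 'C:\Policies\AppLocker-Baseline.xml'     # assumed output path
$exceptions = 'C:\Policies\AppLocker-Exceptions.xml'   # assumed output path

# AppLocker only enforces while the Application Identity service runs;
# a policy deployed with AppIDSvc stopped protects nothing.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory the golden image. Publisher rules survive patching; unsigned
#    binaries get hash rules that break on every update (the "sign your own
#    applications" burden).
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse `
             -FileType Exe, Dll, Script, WindowsInstaller
$unsigned = @($files | Where-Object { -not $_.Publisher })
Write-Host ("{0} of {1} files are unsigned and will receive hash rules" -f `
             $unsigned.Count, @($files).Count)

# 2. Generate the rule set as XML. -Optimize collapses per-file publisher
#    rules into one rule per signer where it can.
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -RuleNamePrefix 'Baseline' -User Everyone -Optimize -Xml |
    Out-File -FilePath $baseline -Encoding UTF8

# 3. Deploy in audit-only mode first so exceptions surface as events, not outages.
[xml]$xml = Get-Content -Path $baseline
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($baseline)
Set-AppLockerPolicy -XmlPolicy $baseline

# 4. After the audit period, harvest "would have been blocked" events (ID 8003)
#    and generate candidate exception rules for review.
$audited = @(Get-AppLockerFileInformation -EventLog `
               -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited)
if ($audited.Count -gt 0) {
    New-AppLockerPolicy -FileInformation $audited -RuleType Publisher, Hash `
        -RuleNamePrefix 'Exception' -User Everyone -Optimize -Xml |
        Out-File -FilePath $exceptions -Encoding UTF8
    # Merge the reviewed exceptions into the local policy rather than replacing it.
    Set-AppLockerPolicy -XmlPolicy $exceptions -Merge
}

# 5. Verify a specific binary for a specific user before switching to enforcement.
Test-AppLockerPolicy -XmlPolicy $baseline -Path 'C:\Program Files\Contoso\app.exe' `
    -User 'CONTOSO\jdoe'
```

The policy file written by step 3 still has to be imported into a domain GPO (Computer Configuration, Windows Settings, Security Settings, Application Control Policies) to reach other machines; AppLocker has no distribution mechanism of its own beyond Group Policy, which is the gap MacDonald points to.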
MacDonald lauded the upgrades in another key security technology, Microsoft's BitLocker full disk encryption feature. After debuting in Windows Vista, the Windows 7 iteration offers several notable improvements, such as support for a wider set of PIN characters, smartcard access to data drives, and a 100 MB system partition, down from the 1 GB partition Vista required.
Still, BitLocker's drawbacks are substantial, including a pseudo-dual login for users (a pre-boot PIN, then Windows credentials), a complicated recovery process should a user forget their PIN, and no back-level support for XP systems.
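The recovery complaint above has a practical corollary: a forgotten PIN is only recoverable if a recovery password exists and was escrowed somewhere the help desk can reach it. As an added example (not from the article), the following script checks a Windows 7 system volume through the Win32_EncryptableVolume WMI class, which is the scriptable interface on Windows 7 alongside manage-bde.exe (the BitLocker PowerShell module only arrived in later Windows versions). The drive letter is an assumption; AD escrow requires the "Store BitLocker recovery information in Active Directory Domain Services" policy to be enabled.

```powershell
# Added example: confirm TPM+PIN protection and escrow the recovery password in AD.
# Drive letter is an assumption; run elevated on a domain-joined Windows 7 machine.
$drive = 'C:'
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
           -Class Win32_EncryptableVolume -Filter "DriveLetter='$drive'"
if (-not $vol) { throw "No encryptable volume found for $drive" }

# ProtectionStatus: 0 = protection off, 1 = on, 2 = unknown
$status = $vol.GetProtectionStatus().ProtectionStatus
if ($status -ne 1) { throw "$drive is not protected (ProtectionStatus=$status)" }

# Key protector types: 1 = TPM only, 3 = numerical (recovery) password,
# 4 = TPM and PIN, 8 = passphrase
$tpmPin   = @($vol.GetKeyProtectors(4).VolumeKeyProtectorID)
$recovery = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID)

if ($tpmPin.Count -eq 0) {
    Write-Warning "$drive has no TPM+PIN protector; a stolen laptop boots straight to the logon screen"
}
if ($recovery.Count -eq 0) {
    throw "$drive has no recovery password; a forgotten PIN would lock the data out for good"
}

# Escrow every recovery password on the computer object so the help desk can
# retrieve it with the BitLocker Recovery Password Viewer.
foreach ($id in $recovery) {
    $result = $vol.BackupRecoveryInformationToActiveDirectory($id)
    if ($result.ReturnValue -ne 0) {
        Write-Warning ("AD escrow failed for protector {0}: 0x{1:X8}" -f $id, $result.ReturnValue)
    } else {
        Write-Host "Recovery password $id escrowed in AD"
    }
}
```

Running this once at imaging time and again from a login script catches the common failure where encryption was turned on before the machine was domain-joined, so the recovery password never reached AD.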
Similarly, the new BitLocker to Go feature in Windows 7 offers data encryption for removable drives and USB storage devices. MacDonald said it offers back-level read-only support for Windows XP SP2 and later OSes and was built by the same team that built BitLocker. Yet it doesn't support optical drives, lacks integration with Windows Mobile and non-Windows platforms, and can't be integrated with data leakage protection (DLP) to encrypt only sensitive data and skip non-sensitive data.
"It's not an enlightened solution for encrypting data," MacDonald said. "Everything you write will be encrypted. It's a blunt and coarse way of setting policy."
DirectAccess, Windows 7's built-in, always-on remote access client (Microsoft's alternative to a traditional VPN), boasts a "really cool demo," MacDonald said, by promising to transparently download patches and antivirus updates, but to use it a company must deploy Windows Server 2008 R2. Its reliance on IPv6, and on IPv6 transition technologies to cross IPv4 networks, can also make configuration difficult. "There are alternatives to this approach," MacDonald said, "that accelerate the theme of seamless remote access."
Attendee Mike McElravy, network security manager with Koch Business Solutions in Wichita, Kan., said his organization is testing Windows 7 and will likely begin migrating users later this year. He said he hasn't been impressed with the security features in Windows 7, especially BitLocker, and his firm may consider other vendors for application whitelisting technology.
Considering Microsoft has baked many of these features into Windows 7 from the ground up, McElravy said it doesn't seem like they work as well as they should, adding "other [security] vendors have an edge on Microsoft."
Fortunately, organizations have time to work through the complex issues that come with Windows 7 security features. MacDonald noted that Microsoft will offer XP support and updated patches through June of 2014, meaning companies can slowly transition to Windows 7 via typical hardware refresh cycles during the next 2-3 years.
In the meantime, MacDonald said the two most important things any organization can do to improve the security of its Windows clients are to migrate away from Internet Explorer 6 to virtually any other browser -- IE7, IE8, Firefox or Google Chrome -- and to ensure the general user population does not have administrator-level privileges.
"You can do those things today on XP," MacDonald said. "Neither depends on having Windows 7, but you can use Windows 7 as a catalyst to make these changes happen."
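Both of MacDonald's recommendations can be audited on XP and Windows 7 alike without any new tooling. As an added example (not from the article), the following PowerShell 2.0 script reads the installed Internet Explorer version from the registry and enumerates the local Administrators group on each machine through the ADSI WinNT provider, flagging IE6 and any member outside an expected allow-list. The computer names and the allow-list are constructed for illustration.

```powershell
# Added example: audit IE version and local Administrators membership on XP / Windows 7.
# Computer names and the allowed-admins list are constructed assumptions.
$computers = @('PC-001', 'PC-002')            # constructed list; use @($env:COMPUTERNAME) for a local run
$allowedAdmins = @('Administrator', 'Domain Admins')

foreach ($c in $computers) {
    try {
        # IE records its version under HKLM\SOFTWARE\Microsoft\Internet Explorer\Version
        # (IE 6 reports 6.x, IE 7 7.x, IE 8 8.x; IE 10+ instead use svcVersion).
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
        $ieVersion = $hklm.OpenSubKey('SOFTWARE\Microsoft\Internet Explorer').GetValue('Version')
        $ieMajor = [int]($ieVersion -split '\.')[0]
        if ($ieMajor -lt 7) {
            Write-Warning ("{0}: Internet Explorer {1} still installed" -f $c, $ieVersion)
        }

        # Enumerate local Administrators; WinNT:// works against XP and Windows 7.
        $group = [ADSI]"WinNT://$c/Administrators,group"
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })
        $extra = @($members | Where-Object { $allowedAdmins -notcontains $_ })
        if ($extra.Count -gt 0) {
            Write-Warning ("{0}: unexpected local admins: {1}" -f $c, ($extra -join ', '))
        } else {
            Write-Host ("{0}: IE {1}, local admins as expected" -f $c, $ieVersion)
        }
    } catch {
        Write-Warning ("{0}: audit failed ({1})" -f $c, $_.Exception.Message)
    }
}
```

Remote registry access needs the Remote Registry service running on the target and an account with local admin rights on it; the ADSI call returns only direct members, so a nested domain group hiding extra administrators would need to be expanded separately.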