Many IT commentators have made a steady living over the years trashing Microsoft products. Unfortunately, Windows Vista gave them fresh ammunition, as both its usability and security features frustrated users. For that reason, many organizations have remained with XP, shunning its much-criticized successor.
However, with the recent release of Windows 7, the time is fast approaching when the majority of businesses must begin planning for an upgrade. Official support for Windows 2000 and XP Service Pack 2 has already ended, and support for XP Service Pack 3 will end in June 2014. So, will the much-vaunted security features of Windows 7 make your organization more secure? In this short pre-implementation Windows 7 security guide, we'll attempt to answer that question.
Even hard-core Microsoft critics agree that Windows 7's security features make it a marked improvement over both Windows XP and Vista. However, security features like DirectAccess, AppLocker, BitLocker and BitLocker To Go require the more expensive Windows 7 Enterprise and Windows 7 Ultimate versions. An upgrade to these versions costs around 10% more than an upgrade to the Pro edition and almost twice that for the Home Premium edition. Also, organizations that want the Enterprise features will need to license those PCs with Software Assurance, Microsoft's software maintenance program, which adds another $30 to $50 per license to your bill each year. So is Windows 7 security good value for the money, compared to security features provided in similar third-party products?
DirectAccess certainly is, as it eliminates the need for a virtual private network (VPN) client on a Windows 7 PC. This always-on VPN client supports multifactor authentication and allows administrators to update Group Policy settings and distribute software and antivirus updates whenever a client connects to the Internet. This tight system and service integration will not only improve overall endpoint security, but will also greatly reduce the number of help desk calls from users struggling to make a VPN connection. You will, however, need Windows Server 2008 R2 in order to run DirectAccess, and you'll still need to run an alternative VPN if you support any non-Windows 7 clients.
AppLocker aims to make it easier to restrict the list of applications users can install, but there are plenty of alternative, more complete products to choose from, such as Bit9 Inc.'s Parity Suite and Bouncer by CoreTrace Corp. Many offer pre-populated application whitelists and blacklists with automatic updates, and provide protection for multiple versions of Windows with reports on application prevalence and usage across an organization, which AppLocker does not provide.
BitLocker provides encryption protection of a computer's hard drive in the case of loss or theft, while BitLocker To Go provides encryption for removable devices like USB drives; it does not encrypt optical drives. Although BitLocker can secure data by destroying the key, this may not satisfy some auditors who will want to see evidence of a secure overwrite when the drives are disposed of. The criticism that BitLocker To Go encrypts everything on a device is a bit lame. No, it's not a sophisticated data leakage protection product, but most system administrators will be more than happy that they can provide company-wide protection for data on USB keys. The power of modern PCs means the encryption process isn't going to be that much slower than an expensive DLP product, which only encrypts sensitive data. However, BitLocker To Go still presents a similar problem to DirectAccess in that until every client is migrated to Windows 7, you'll need an alternative encryption method. Also, although a device encrypted using BitLocker To Go can be used on Windows XP and Windows Vista PCs, the data can only be read.
A product like TrueCrypt provides far more flexibility when it comes to cross-platform usage. TrueCrypt is free, but it doesn't integrate with Windows Server policies or offer any advanced networking capabilities. With BitLocker, administrators can set up Windows Group Policy to enforce the use of BitLocker on removable storage devices and also encrypt the hard drives on servers and PCs. PGP Corp.'s Whole Disk Encryption is a fully featured alternative, but it will cost more than an upgrade to Windows 7.
Microsoft Windows will never be all things to all people. Many critics pit Microsoft's security features against best-of-breed, single-purpose products that are only really required by a minority of users in a minority of organizations. If you want or need best of breed for every element of your security infrastructure, then no one vendor is going to suffice. There's nothing wrong with that approach assuming you have the budget, but the multitude of different security controls and devices you will end up deploying will incur additional staff training and administration costs. The ever-increasing popularity of unified threat management (UTM) products tells me that the real-life experience of many administrators is that this is not necessarily a practical or economical approach.
Making the most of Windows 7 security features has the advantage of tight OS and Group Policy integration along with a familiar user interface and commands that make security configuration a whole lot easier than adding a third-party security product into the mix. It also reduces the need for multi-vendor relationships and multi-product knowledge and updates. Windows 7 is not perfect, but that's OK: I'll take a good security product correctly configured over a great one that isn't any day.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.