While Windows XP remains the world's most widely used client computer operating system, experts project that Windows 7 adoption will have surpassed Windows XP by the end of 2011. Most enterprises bypassed upgrading to Windows Vista in recent years due to concerns about application compatibility and performance. These organizations are now upgrading from XP to Windows 7, and a plan is necessary to ensure enterprises making this changeover are ready for the Windows 7 network security implications that will come with the new operating system.
In this tip, two major changes in Windows 7 are examined that should be considered before an enterprise-wide Windows 7 upgrade project plan can be implemented: incorporating DirectAccess VPN technology and the enhanced Windows Firewall.
Securely extending the network with DirectAccess
One of the most interesting new features in Windows 7 is Microsoft’s DirectAccess technology. While many security professionals compare this IPsec-based tunneling protocol to virtual private networking (VPN), the difference is that DirectAccess takes remote access to the next level by removing the need for user intervention, while traditional VPNs require the user to manually initiate a VPN connection. Furthermore, DirectAccess is “always on” VPN technology that automatically connects back to the home network, tunneling all intranet traffic over a secure encrypted connection.
Implementing DirectAccess requires that an organization upgrade its network to the latest technology. It’s imperative to run at least one DirectAccess server, DNS server and domain controller under Windows Server 2008 R2 on the network supporting the VPN. In addition, remote clients must be running either the Ultimate or Enterprise edition of Windows 7.
Upon meeting these criteria, DirectAccess technology provides two major benefits to enhance network security. First, enterprises will benefit from a “no fuss” approach to secure networking. Employees will be connected to the intranet securely from wherever they are, without having to remember to start a VPN connection. Second, enterprises will gain the benefits of enhanced desktop management, especially over systems that are constantly on the road. With this approach, it would no longer be necessary to wait for an employee to return to the office or connect to the VPN in order to push policy updates. Every time a system initiates a DirectAccess connection, it will check in with the domain controller.
Before deploying DirectAccess, it is important to look at the Microsoft Forefront Unified Access Gateway (UAG). UAG includes enhanced network services that ease the implementation of DirectAccess by eliminating the requirement that organizations initially convert a network to IPv6. In fact, all of the enterprises I’ve seen deploy DirectAccess have done so with the support of UAG.
Windows Firewall, take three
An organization upgrading from Windows XP is most likely still working with the first generation of Windows Firewall, a fairly rudimentary stopgap product that was introduced in Windows XP Service Pack 2. When making the switch to Windows 7, it’s apparent that the platform has indeed undergone two major upgrades, even though some organizations never saw the first one.
That first and most significant set of enhancements came with the release of Windows Vista when the Windows Firewall became Windows Firewall with Advanced Security. This release introduced a number of features that enterprise network security administrators were clamoring for. In fact, the absence of these features was one of the major forces that drove enterprises to adopt third-party alternatives to Windows Firewall under Windows XP. The enhanced features released with Windows Vista include:
- Remote management capability;
- Bidirectional packet filtering;
- Separate profiles for instances when the system is joined to the enterprise network, on another private network and on the Internet at large;
- Enhanced rule filtering criteria, including the ability to specify both source and destination addresses.
With Windows 7, Microsoft introduced several new features that further enhanced the usefulness of Windows Firewall in the enterprise. The most significant of these upgrades is the platform's ability to simultaneously deploy multiple profiles on a single system with more than one network connection. Under Windows Vista, the firewall was not effective in these cases because it was only able to enforce a single profile, the most restrictive one applicable, on all network interfaces. Full technical details on the other changes made in the Windows 7 Firewall are available in the related Microsoft Technical Bulletin.
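As an added example (not part of the original tip), the following PowerShell script uses the netsh advfirewall commands available on Windows 7 to give the domain, private and public profiles different default policies, scope a remote-management rule to the domain profile and an assumed management subnet (10.0.0.0/8 is a placeholder), enable logging of dropped connections, and then show which profiles are currently active on the system's interfaces. Run it from an elevated prompt.

```powershell
# Added example: per-profile configuration of Windows Firewall with Advanced Security
# on Windows 7 via netsh advfirewall (netsh is used because the NetSecurity
# PowerShell module does not exist on Windows 7).
# PLACEHOLDER: replace 10.0.0.0/8 with your organization's management subnet.
$mgmtSubnet = "10.0.0.0/8"

# Make sure the firewall is enforced on every profile.
netsh advfirewall set allprofiles state on

# Domain profile: block unsolicited inbound, allow outbound (rules can still open ports).
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound

# Private profile (home/other trusted networks): same default, separately tunable.
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound

# Public profile: block inbound even when an allow rule exists ("blockinboundalways").
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound

# Allow remote firewall management (the Vista-era feature listed above) only
# while on the domain profile.
netsh advfirewall set domainprofile settings remotemanagement enable
netsh advfirewall set privateprofile settings remotemanagement disable
netsh advfirewall set publicprofile settings remotemanagement disable

# Rule using the enhanced filtering criteria: source-address scoped, inbound,
# and bound to the domain profile so it never applies on public networks.
netsh advfirewall firewall add rule `
    name="Admin RDP (domain only)" dir=in action=allow protocol=TCP `
    localport=3389 remoteip=$mgmtSubnet profile=domain

# Log dropped connections on all profiles so blocked traffic is visible to the SOC.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

# Windows 7 can hold more than one profile active at once (one per connection);
# this shows which profiles are currently applied.
netsh advfirewall monitor show currentprofile
```

On Windows Vista the last command would report only the single most restrictive profile, which is the limitation the Windows 7 per-connection profiles remove.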
Getting ready for Windows 7
As an organization prepares for the creation of a Windows 7 deployment plan, there are a lot of other issues that need to be considered. Undoubtedly, this process entails preparing for a number of new security technologies on the desktop, including User Account Control, Data Execution Prevention and BitLocker disk encryption. It’s important to be sure that enterprises take the time to consider and deliberately plan the rollout of the new network security features. Both DirectAccess and the enhanced Windows Firewall can play an important role in enterprise network security for years to come, and should be among the first Windows 7 network security features enterprises take advantage of.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com, and serves as its resident expert on network security for its Ask the Experts panel. He is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.