Security Advisor

Top 5 Security Features of Windows 7

Redmond has talked a lot about performance, usability and manageability, but has said less about security. This isn't surprising.

• By Joern Wettern
• 10/01/2009

Microsoft has been busy promoting Windows 7 for quite some time. Redmond has talked a lot about performance, usability and manageability, but has said less about security. This isn't surprising. By improving security with Windows XP Service Pack 2 (SP2) and in Windows Vista, Microsoft significantly enhanced Windows' reputation. There are still lots of new security features in Windows 7, however. Here are my top five.

Multiple Firewall Profiles
The Windows Firewall in Vista had just one big flaw, which Microsoft fixed in Windows 7. Both Vista and Windows 7 dynamically change which network traffic is allowed or blocked based on the location of your computer. Generally this works well, at least until your computer is connected to more than one network at the same time. When this happens, Vista applies the most secure profile to all connections, blocking some essential communications over the trusted network. Windows 7, though, can apply a separate firewall profile to each network connection.

BitLocker To Go
BitLocker To Go gives users a convenient way to encrypt flash drives. It includes data-recovery capabilities and can be managed with Group Policy. Having removable media encryption built right into the OS makes it easier for most organizations to ensure that portable data remains confidential.

Direct Access
Virtual private networks (VPNs) have become an essential part of today's network infrastructure, but users often struggle with them and IT spends a lot of time maintaining VPN infrastructures. Direct Access promises secure connections to corporate networks from anywhere; once it's in place, remote clients can transparently connect to corporate resources without having to deal with a VPN. This feature alone should be reason enough to move all your mobile users to Windows 7.

AppLocker
It seems as though the folks at Microsoft who come up with feature names want to put a lock on everything. However, AppLocker is less about locking than about controlling which users can run which applications. Ordinary users may not be able to install new programs on their computers. They can, however, run many programs without installing them. Getting those programs on a computer is as easy as downloading them from the Internet or copying them from a flash drive. A prime example of this is the Google Chrome browser, which users can run without administrative privileges. Many IT organizations discover this when they realize that users are bypassing settings carefully designed for Internet Explorer. AppLocker addresses this problem and lets IT centrally configure who can run which application. AppLocker checks each program against corporate policies when a user tries to start it. Though it can be difficult to implement in a large organization, IT can get some immediate benefits by rolling AppLocker out to highly managed workstations.

User Account Control
User Account Control (UAC) is one of Vista's most maligned features. Designed to alert IT professionals of anything that requires elevated privileges, it dims the screen and requires an IT pro to approve the desired action. In theory, this in-your-face approach is a great idea, ensuring that nothing runs without IT's approval. In practice, IT pros have to perform approvals for many routine tasks. As a result, many IT people have turned off UAC and thus disabled a truly useful security feature. In Windows 7, you can turn on UAC without it displaying warnings for programs you started. This means no more screen-dimming each time you start the Microsoft Management Console -- but you're still alerted if a Web page tries to change system settings or install unauthorized programs. If you disabled UAC in Vista, do yourself a favor and turn it on again once you've moved to Windows 7.