A guide to Windows 7 security

Until now, Windows Vista was the most secure version of the Windows operating system. Windows 7 picks up where Vista left off, and improves on that foundation to provide an even more secure computing experience. Microsoft also incorporated user feedback about Vista to enrich the user experience and to ensure that the security features are intuitive and user-friendly. Here's a look at some of the more significant security enhancements in Windows 7.

Core System Security

As it did with Windows Vista, Microsoft developed Windows 7 according to the Security Development Lifecycle (SDL). It built the new OS from the ground up to be a secure computing environment and retained the key security features that helped protect Vista, such as Kernel Patch Protection, Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Mandatory Integrity Levels. These features provide a strong foundation to guard against malicious software and other attacks. A few key elements are worth noting.

Enhanced UAC

You're probably familiar with UAC, or User Account Control. Introduced with Windows Vista, the feature is meant to help enforce least-privileged access and to improve the total cost of ownership by allowing organizations to deploy the operating system without granting administrator access to users. Though Microsoft's primary intent with UAC was to force software developers to use better coding practices and not expect access to sensitive areas of the operating system, most people have perceived UAC as a security feature.

When users think of UAC, they typically associate it with the access-consent prompts it issues. Though Microsoft has made significant progress since Vista's introduction in reducing the types and number of events that trigger the UAC prompt (or that prevent standard users from executing tasks entirely), UAC has still been the subject of a great deal of negative feedback for Vista.

With Windows 7, Microsoft has again reduced the number of applications and operating system tasks that trigger the prompt. It has also incorporated a more flexible interface for UAC. Under User Accounts in the Control Panel, you can select Change User Account Control Settings to adjust the feature with a slider.

The configuration slider lets you choose from among four levels of UAC protection, ranging from Always Notify (essentially the level of UAC protection that Windows Vista provides) to Never Notify. Obviously, you'll get the most protection with Always Notify. The advantage to setting the slider to Never Notify as opposed to disabling UAC completely is that the prompt is only one aspect of what UAC does. Under the Never Notify setting, though UAC pop-ups will no longer interrupt you, some of UAC's core protections will remain, including Protected Mode Internet Explorer.

Integrated Fingerprint Scanner Support

Many Windows users configure the operating system to log them in without a user name and password--but that's the computer equivalent of leaving the front door of your house wide open with a neon sign flashing "Enter Here." I highly recommend that you assign all user accounts in Windows 7 a relatively strong password or passphrase (that means your dog's name or your favorite basketball team don't count).

Even passwords aren't all they're cracked up to be. Passwords are secure only until they're cracked, and cracking a password is more a matter of when than if, assuming an attacker is sufficiently dedicated. Experts recommend two-factor authentications--in other words, adding another layer of protection on top of the password--for better security. Many computers, laptops in particular, come equipped with built-in biometric security in the form of a fingerprint scanner. With Windows 7, Microsoft provides much smoother integration between the operating system and the fingerprint-scanning hardware.

Windows 7 has better driver support and more reliable fingerprint reading across different hardware platforms. Configuring and using a fingerprint reader with Windows 7 for logging in to the operating system, as well as for authenticating users for other applications and Web sites, is easy. Click on Biometric Devices in the Control Panel to access the console for enrolling and managing fingerprint data and customizing biometric-security settings.

The Biometric Devices console will display any detected biometric devices. If the fingerprint reader is not yet configured, the status will display 'Not Enrolled'. Click on that status to access the console.

You can add scans of one finger or all ten. Adding multiple fingers allows you to continue using the biometric security even if your primary finger is in a bandage, for instance, or if your hand is in a cast. On screen, select the finger you want to add, and then place your finger on the fingerprint reader (or slowly drag your finger across the reader, depending on the type of hardware you have). You will have to scan each finger successfully at least three times to register it in the database, similar to how you have to reenter a password to confirm that you entered it correctly.

Page Break

Protecting Data

Thousands of computers, particularly laptops, are lost or stolen each year. If you don't have appropriate safeguards and security controls in place, unauthorized users who come into possession of your computer can access any sensitive data it contains. The risk of sensitive information being lost or stolen is even greater with the proliferation of tiny USB flash drives and other portable media capable of holding more and more data.

Windows 7 retains Vista's data-protection technologies, such as EFS (Encrypting File System) and support for AD RMS (Active Directory Rights Management Services). In addition to minor updates to those technologies, Windows 7 significantly improves on Vista's BitLocker drive encryption technology, and it adds BitLocker to Go for encrypting data on removable media.

Encrypting Drives With BitLocker

When BitLocker made its debut with Windows Vista, it was capable only of encrypting the primary operating system volume. Windows Vista SP2 (Service Pack 2) extended the functionality to encrypt other volumes, such as additional drives or partitions on the primary hard drive, but it still did not enable users to encrypt data on portable or removable disks. Windows 7 brings BitLocker to Go for protecting data on portable drives while still providing a means for sharing the data with partners, customers, or other parties.

Before you can begin using BitLocker Drive Encryption, your disk volumes have to be configured properly. Windows requires a small, unencrypted partition to contain the core system files it needs to begin the boot process and authenticate the user to access the encrypted volumes. Most people don't consider that when they're setting up the drive partitions initially, so Microsoft has created a tool to move things around and to repartition the drive to prepare it for BitLocker encryption. You can learn more about the BitLocker Drive Preparation Tool and download it from Microsoft's site.

Once your drive is properly partitioned, you can encrypt it with BitLocker. Click on BitLocker Drive Encryption in the Control Panel. The BitLocker console will display all of the available drives and their current state (whether BitLocker is currently protecting them). You will notice that the display separates the drives by whether they are fixed drives to be encrypted with BitLocker or removable drives to be protected with BitLocker to Go.

Click on Turn on BitLocker next to any unencrypted drive to begin the encryption process. The utility will ask you to assign a password for unlocking the encrypted data, or to insert your smartcard if you prefer to for authentication. BitLocker then offers an opportunity for you to save the BitLocker Recovery Key, either as a text file or printed out. You must have the BitLocker Recovery Key to unlock the data if you forget the password or if the authentication fails in any way.

Once the process begins you can go about using Windows as you normally would, and the tool will encrypt the data in the background. After it encrypts the drive, you can click on Manage BitLocker and opt to unlock encrypted drives automatically when you log on to Windows.

Using BitLocker Without a TPM

By default BitLocker requires a Trusted Platform Module (TPM) chip to store the BitLocker encryption keys and facilitate the encryption and decryption of the BitLocker-protected data. Unfortunately, many desktop and laptop computers are not equipped with a TPM chip, but all is not lost.

Microsoft has included the option to use BitLocker Drive Encryption without a compatible TPM, but accessing that option is not necessarily intuitive or easy. To use BitLocker without a TPM chip, follow these steps:

1. Click the Windows logo at the bottom left (the Start button).

2. In the 'Search Programs and Files' field at the bottom of the Start menu, type gpedit.msc and press Enter.

3. Under Computer Configuration, navigate to Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives.

4. Double-click on the Require additional authentication at startup option.

5. Select the Enabled radio button at the top and check the Allow BitLocker without a compatible TPM check box.

6. Click OK.

Protecting Mobile Data With BitLocker to Go

Windows Vista was able to protect the drives and volumes that are part of the computer, but it could not encrypt data on removable drives. Windows 7 addresses that glaring lack of functionality with BitLocker to Go.

While you can continue working during the encryption process, when you initially encrypt a removable drive you must be sure not to remove it during the encryption process. If you do so before the process is complete, it may damage the data on the drive irreparably. If you must shut down or remove the drive prior to the completion of encryption, use the Pause button to halt the process first.

Using BitLocker to Go, you can protect data on USB thumb drives and other removable media. If you need to share sensitive information with other people, you can give them the encrypted data on the USB thumb drive and choose a password that you can share with them to unlock the contents. For additional protection, you can require a smartcard to unlock the data, and deliver the encrypted drive and the smartcard separately.

BitLocker to Go also gives administrators the ability to control how removable media can be used, as well as to enforce policies for protecting data on removable drives. Through Group Policy, administrators can make unprotected removable storage read-only and require that the system apply BitLocker encryption to any removable storage before users can save data to it.