A Walkthrough Of Windows 7 Security Features
In the PC world, Microsoft’s Windows 7 is already earning high satisfaction ratings, yet many questions are arising about the operating system’s new security features. Both IT personnel and ordinary users are still getting to grips with the changes (deltas) and configurations introduced in Windows 7.
Below is a walkthrough of the Windows 7 security deltas, each followed by a suggestion.
UAC (User Account Control)
The updated User Account Control is one of the most notable improvements in Windows 7. The default setting reduces the number of prompts for low-risk administrative tasks, and administrators can adjust the prompt level with a slider bar.
Suggestion: Even though Windows 7 lets administrators tone down UAC prompts, it is still recommended to set the level to the highest setting across your domain. That way every high-risk administrative task is password protected. If you want your computer to be secure, keep UAC enabled.
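As an added example (not part of the original article), the following PowerShell script audits a Windows 7 machine’s UAC policy values against the “highest level” recommended above. The registry path and value names are the ones Windows actually uses; treating the four values shown as the definition of “highest level” is this script’s assumption.

```powershell
# Added example: compare the local UAC policy with a hardened baseline.
# The key and value names are real Windows policy values; the expected
# numbers are the hardened baseline this audit assumes.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Baseline (assumption):
#   EnableLUA                  = 1  -> UAC is switched on at all
#   ConsentPromptBehaviorAdmin = 1  -> admins are prompted for credentials on the secure desktop
#   ConsentPromptBehaviorUser  = 1  -> standard users are prompted for credentials on the secure desktop
#   PromptOnSecureDesktop      = 1  -> prompts appear on the dimmed secure desktop
$expected = @{
    'EnableLUA'                  = 1
    'ConsentPromptBehaviorAdmin' = 1
    'ConsentPromptBehaviorUser'  = 1
    'PromptOnSecureDesktop'      = 1
}

function Test-UacPolicy {
    param([string]$Path = $uacKey, [hashtable]$Expected = $expected)
    $current  = Get-ItemProperty -Path $Path
    $findings = @()
    foreach ($name in $Expected.Keys) {
        # A missing value reads as $null and therefore as non-compliant.
        $actual = $current.$name
        $findings += New-Object PSObject -Property @{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Expected[$name])
        }
    }
    return $findings
}

$results = Test-UacPolicy
$results | Format-Table Setting, Expected, Actual, Compliant -AutoSize
if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'UAC is configured below the recommended level on this machine.'
}
```

Run it in an elevated PowerShell 2.0 session; a setting that is not present in the policy key is reported as non-compliant rather than silently skipped.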
BitLocker Drive Encryption
BitLocker To Go extends BitLocker beyond fixed data drives and OS drives. It is a Windows 7 addition created to protect removable devices such as USB flash drives and portable hard drives.
In Windows Vista Service Pack 1, the added support for fixed data drive encryption could only be controlled with command-line tools; in Windows 7, OS volumes, fixed data drives and USB flash drives can all be encrypted from the Windows Explorer GUI. Smart cards can also be used to protect data volumes, and administrators can back up their BitLocker keys by setting up data recovery agents.
A five-character PIN code can be required in combination with a Trusted Platform Module (TPM) security device.
Moreover, Windows 7 does not require you to create a separate system partition for BitLocker by hand. The system partition is created automatically when BitLocker is turned on, and it does not appear in Windows Explorer because it has no drive letter. In Windows 7 the system partition needs only 100MB of space, far less than the Windows Vista prerequisite.
BitLocker To Go Reader is an application for accessing BitLocker-encrypted external drives on Windows XP or Windows Vista. With it, users can view the contents of external drives even when the files were encrypted with Windows 7 BitLocker.
Suggestion: If you do not yet have any data encryption software, BitLocker is a good option. Remember to save PIN codes in Active Directory, where you can easily reach them when you need to recover data. Another option is to use data recovery software that can unlock BitLocker-encrypted drives. Enabling BitLocker To Go is a must on every external drive.
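As an added example (not from the original article), this PowerShell script wraps manage-bde.exe, which Windows 7 ships instead of the later BitLocker PowerShell module, to report the encryption and protection state of every local drive and flag protected volumes that have no recovery password to back up. Parsing manage-bde’s text output by its printed labels is this script’s assumption.

```powershell
# Added example: summarise BitLocker state per drive on Windows 7 using manage-bde.exe.
# The labels matched below ("Conversion Status", "Protection Status",
# "Numerical Password") are what manage-bde prints; relying on that text is an assumption.
function Get-BitLockerSummary {
    param([string]$Drive)
    $text = & manage-bde.exe -status $Drive 2>&1 | Out-String
    $conversion = if ($text -match 'Conversion Status:\s*(.+)') { $Matches[1].Trim() } else { 'Unknown' }
    $protection = if ($text -match 'Protection Status:\s*(.+)') { $Matches[1].Trim() } else { 'Unknown' }
    New-Object PSObject -Property @{
        Drive               = $Drive
        Conversion          = $conversion
        Protection          = $protection
        # The 48-digit numerical recovery password is the protector that gets backed up to AD.
        HasRecoveryPassword = [bool]($text -match 'Numerical Password')
    }
}

# DriveType 3 = local fixed disk, 2 = removable (the BitLocker To Go case).
$drives = Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 3 -or $_.DriveType -eq 2 }
$report = foreach ($d in $drives) { Get-BitLockerSummary -Drive $d.DeviceID }
$report | Format-Table Drive, Conversion, Protection, HasRecoveryPassword -AutoSize

# A protected volume without a recovery password cannot be recovered from AD.
# Flag it so a recovery protector can be added and escrowed, e.g.:
#   manage-bde -protectors -add D: -RecoveryPassword
#   manage-bde -protectors -adbackup D: -id {protector GUID from -protectors -get}
$report | Where-Object { $_.Protection -match 'On' -and -not $_.HasRecoveryPassword } |
    ForEach-Object { Write-Warning "$($_.Drive) is protected but has no recovery password protector." }
```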
Suite B Cryptography Support
Suite B is a set of cryptographic algorithms approved by the United States National Security Agency and the National Institute of Standards and Technology for software encryption, and it is intended for public use. Support for the Suite B algorithms, namely SHA-2, AES, ECDH and ECDSA, was included in Windows Vista and carried into Windows 7. In Windows 7 the Suite B algorithms can be used with cryptographic protocols such as Transport Layer Security (TLS) version 1.2 and the Encrypting File System.
Suggestion: Note that Suite B algorithms will not always interoperate with Windows operating systems older than Windows Vista and Windows 7. Still, it is better to use Suite B encryption wherever it applies.
Direct Access
The introduction of Direct Access in Windows 7 lets remote users access applications, web sites and enterprise shares securely without a virtual private network. Direct Access establishes a bidirectional connection whenever the user connects to the Internet. On a Direct Access enabled computer the user does not need to connect to the enterprise network manually, because Direct Access connects the user automatically at logon. IT personnel can likewise reach remote computers wherever they are, again without a virtual private network.
Direct Access is especially useful for users who work within an organization. With Direct Access, remote management applications keep working, as do automatic update patching and Group Policy.
Even though Direct Access is useful, it has many requirements: Windows 7 on the client, a RAS server such as Windows Server 2008 R2, a Public Key Infrastructure, Internet Protocol version 6 and Internet Protocol Security.
Suggestion: Business firms and organizations should adopt Direct Access in place of a virtual private network for Windows 7 and later clients.
Managed Service Accounts
Service accounts are useful but hard to operate. Their passwords should be changed frequently to prevent possible hacking problems, and Windows service accounts require regular password changes to work properly. In earlier Windows operating systems, service accounts were hard to manage. When a Windows Managed Service Account is enabled, Windows takes care of the password and makes the management of Kerberos Service Principal Names less complex.
Suggestion: Managed Service Accounts, like Direct Access, have many prerequisites: an Active Directory schema that supports them and Windows PowerShell 2.0. Using service accounts is optional, but if you find managing them difficult, simply leave them out of consideration.
Virtual Service Accounts
Virtual Service Accounts are similar to Managed Service Accounts in that Windows is given permission to manage the password. However, Virtual Service Accounts are easier to manage and configure, and they do not require an Active Directory schema update to work. Virtual Service Accounts can be applied to local service accounts only.
A service running under a VSA accesses the network using the computer’s identity. It is similar to the Network Service account, apart from having its own separate security identity.
To create a Virtual Service Account on your computer, open the Services console and change the service’s logon account name to a short name derived from the service’s own name. Then restart the service and you are done.
Suggestion: If your operating system supports the feature, consider using it to safeguard your service accounts.
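As an added example covering both the Managed Service Accounts and Virtual Service Accounts sections above (not from the original article), the following PowerShell shows a service being placed under an MSA, which needs the Active Directory module from Windows Server 2008 R2 / PowerShell 2.0, and then under a VSA, which needs nothing from AD. The domain CONTOSO, computer WS01, account svc-Backup and service MyBackupSvc are placeholders; the NT SERVICE\<service name> form is the one Windows uses for virtual accounts.

```powershell
# Added example: run a service under a Managed Service Account (domain) or a
# Virtual Service Account (local). All names below are placeholders.

# --- Managed Service Account: created once, on a domain controller -----------
Import-Module ActiveDirectory
New-ADServiceAccount -Name 'svc-Backup' -Enabled $true
# Bind the MSA to the single computer that is allowed to use it.
Add-ADComputerServiceAccount -Identity 'WS01' -ServiceAccount 'svc-Backup'

# --- Then on WS01 itself: install the MSA and point the service at it --------
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity 'svc-Backup'
# No password is typed anywhere: the computer retrieves and rotates it itself.
# Single quotes keep PowerShell from expanding the trailing $ in the account name.
sc.exe config MyBackupSvc obj= 'CONTOSO\svc-Backup$'

# --- Virtual Service Account: local only, nothing to create in AD ------------
# The logon name is simply NT SERVICE\<service name>. Windows manages the
# password, the service gets its own security identity, and on the network
# it still appears as the computer account.
sc.exe config MyBackupSvc obj= 'NT SERVICE\MyBackupSvc'

# Restart so the new logon identity takes effect, then confirm what the SCM recorded.
Restart-Service -Name MyBackupSvc
Get-WmiObject Win32_Service -Filter "Name='MyBackupSvc'" |
    Select-Object Name, StartName, State
```

The VSA lines are the script equivalent of the Services console steps described above; use one approach or the other for a given service, not both.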