Although Windows 7 doesn't have the number of new, highly visible security features that were added to the Windows arsenal with Windows Vista, it has improved upon several of those features . Some—such as User Account Control, Windows Defender, and Windows Firewall—sport new, simpler interfaces and new capabilities. In addition, Windows 7 also has numerous under-the-hood improvements and security features for computers on large networks that are of interest primarily to software developers and information technology professionals—and hackers, who now have many additional challenges and obstacles to face Among the key security improvements are these:
• Windows Firewall Windows Firewall is substantially changed from the version in Windows XP. As in Windows Vista, it is a two-way firewall, monitoring outbound traffic as well as inbound, and it fully supports Internet Protocol version 6 (IPv6). In Windows 7, Windows Firewall adds multiple access firewall profiles, a feature that provides appropriate protection for each connected network when you're connected to more than one at a time—an increasingly common situation . With an advanced configuration console for Windows Firewall, administrators have granular control over firewall rules and other settings.
• User Account Control (UAC) UAC reduces the inherent danger of using an administrator account for everyday tasks by requesting your consent when an application needs to do something with systemwide effect. Furthermore, architectural changes wrought by UAC make it practical for most people to use a standard account for daily computing. In Windows 7, UAC is far less intrusive than in Windows Vista because fewer tasks trigger UAC prompts, and new configuration options make it easier to control UAC so that it doesn't control you.
• Windows Defender Windows Defender, an antispyware program, continuously monitors system settings to prevent the installation of known spyware and to alert you to the presence of spyware-like activity. The new interface in the Windows 7 version has fewer confusing options—which is appropriate for a program that normally runs silently in the background.
• Internet Explorer Internet Explorer runs in Protected Mode, which lessens the likelihood of installing malicious code . Effectively, it runs isolated in a "sandbox" with reduced privileges, able to write data only in locked-down temporary folders unless you grant permission to act outside the protected area. Other security improvements to Internet Explorer include restrictions on ActiveX controls, a SmartScreen phishing filter, and InPrivate Filtering and InPrivate Browsing to prevent information about your browsing habits from being tracked. (For more information, see "Security and Privacy Options" on page 220 )
• Windows Biometric Service The Windows Biometric Service provides support for fingerprint biometric devices so that you can use a fingerprint reader to log on to your computer and to enter administrative credentials in response to UAC elevation prompts
• Data encryption BitLocker Drive Encryption (available only in Enterprise and Ultimate editions) encrypts entire hard drives—making the data they contain completely inaccessible to a thief who makes off with a computer. In Windows 7, BitLocker To Go can also be used to protect removable storage drives, such as portable hard drives and USB flash drives .
If you're coming to Windows 7 from Windows XP, you might be unaware of these additional security features and enhancements that are part of Windows Vista, and now Windows 7:
• Parental Controls Parental Controls provide tools to help parents guide their kids' use of the internet, games, and other programs i-H
• Data redirection While running under a standard user's account, an application that attempts to write to a protected system folder (such as %ProgramFiles% or %SystemRoot%) gets transparently redirected to a virtual file store within the user's profile. Similarly, if an application attempts to write to systemwide areas of the registry (such as the HKEY_LOCAL_MACHINE hive), it gets redirected to virtual keys within the user's section of the registry. Applications that attempt to read from these protected file and registry locations look first to the virtual stores . File and registry virtualization allows standard users to run older applications—including many of those that required administrator access under Windows XP—while at the same time preventing malicious applications from writing to areas that could bring down the entire system .
• Buffer overrun protection Address Space Layout Randomization (ASLR) is one of several underlying technologies that defend against buffer overrun exploits . With ASLR, each time you boot Windows, system code is loaded into different locations in memory. This seemingly simple change stymies a class of well-known attacks in which exploit code attempts to call a system function from a known memory address. ASLR and numerous other esoteric programming changes are one result of Microsoft's adoption of the Security Development Life Cycle, a process that minimizes security bugs in program code
• Additional security on 64-bit computers With the 64-bit versions of Windows, only digitally signed device drivers can be installed . This feature, called PatchGuard, ensures that kernel-level code is from a known source and has not been altered, as a means to prevent the installation of rootkits and any other code that tries to alter the underlying operating system .
• Restrictions on removable drives Through the use of Group Policy, administrators can control the use of removable storage devices, such as USB flash drives and external hard drives . These restrictions can help prevent the theft of sensitive or proprietary data. In addition, they can be used to seal an entry point for viruses and other malware brought in from home. In addition, AutoRun is disabled for removable storage devices such as USB flash drives, lessening the chance that an attacker can fool you into running a hostile program by simply clicking on an entry in the AutoPlay list.
Was this article helpful?