Many businesses identify PC security as one of their leading worries, and as we saw in the survey, it’s one of the key reasons enterprises give for updating to Windows 7.
Windows 7 offers a handful of security improvements. Probably the most noticeable for most users is the updated, more user-friendly version of User Account Control, or UAC.
If you’re a Vista user, you know that when UAC was first rolled out, some users found it irritating. So much so that, if you do a Google search for User Account Control, one of the most popular links is “disable User Account Control.” Up to 15 different actions created a UAC prompt, trying the patience of some users.
The dreaded User Account Control.
In truth, some of the upset about UAC might have been overdone. But at any rate, clearly UAC has its place as a key safeguard. It limits access to a machine’s configuration options and applications to lower-level, standard user privileges unless an administrator grants more. Among other things, this helps block malware. Most importantly, a security mistake by a hurried staffer can’t bring down the entire system.
Microsoft heard the complaints about Vista’s UAC and responded. Windows 7 offers a more relaxed (some might say more flexible, or “less noisy”) version of UAC. It’s now easier to use and control, yet it’s still powerful enough to protect users and your larger network in essential ways. The Windows 7 UAC gives users some options to “notify me only when…”
The Windows 7 User Account Control settings dialog includes a slider that lets you set UAC at a level that makes sense for your situation. As a result, users can now perform all manner of common configuration tasks without facing a UAC prompt.
The key point is that UAC cannot be added to Windows XP, even with third-party software. Given that most users in most businesses are not tech-savvy, operating without this safeguard presents a real gap in security, in an age when hackers grow more skillful every month.
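The slider positions described above are stored as three registry values, so an administrator can check which level a machine is actually running. The following is an added example, not code from the article or from Microsoft; the registry value names and sample machines do not appear on the page, and the mapping assumes Windows 7 behaviour.

```powershell
# Added example: classify UAC registry values as Windows 7 slider positions.
# Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
# (value names are the documented UAC ones; the article does not list them).
function Get-UacSliderLevel {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    # EnableLUA = 0 switches UAC off whatever the other two values say.
    # On Windows 7 the bottom slider position sets it to 0.
    if ($EnableLUA -eq 0) { return 'Never notify (UAC off)' }
    switch ("$ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop") {
        '2/1'   { return 'Always notify' }
        '5/1'   { return 'Default: notify only when programs make changes' }
        '5/0'   { return 'Notify on program changes, desktop not dimmed' }
        '0/0'   { return 'Never notify' }
        default { return "Not a slider position, check policy: $_" }
    }
}

# Reads the live values. A missing value converts to 0, so an absent
# EnableLUA is reported as "off" and gets reviewed rather than assumed safe.
function Get-LocalUacSliderLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    Get-UacSliderLevel -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
}

# Constructed inventory rows (hypothetical machine names), so this runs anywhere.
$samples = @(
    @{ Name = 'PC-01'; LUA = 1; Admin = 5; Desktop = 1 },
    @{ Name = 'PC-02'; LUA = 1; Admin = 2; Desktop = 1 },
    @{ Name = 'PC-03'; LUA = 0; Admin = 0; Desktop = 0 },
    @{ Name = 'PC-04'; LUA = 1; Admin = 3; Desktop = 0 }
)
foreach ($s in $samples) {
    $level = Get-UacSliderLevel -EnableLUA $s.LUA `
        -ConsentPromptBehaviorAdmin $s.Admin -PromptOnSecureDesktop $s.Desktop
    '{0}: {1}' -f $s.Name, $level
}
```

Run `Get-LocalUacSliderLevel` on a machine to classify its current setting; combinations that the slider cannot produce are flagged so they can be traced to a Group Policy or a manual registry change.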
In addition to the improved UAC, other Windows security upgrades include the following key features:
BitLocker to Go
BitLocker is a full-volume encryption solution that protects data on desktops and laptops if the machine is stolen or accessed by unauthorized personnel. First introduced in Vista, BitLocker takes several steps forward in Windows 7. These improvements include better management of enforcement through all interfaces and new Group Policy settings that enable you to update passwords.
Additionally, Microsoft has responded to feedback from users who have said that it’s difficult to partition a drive for a BitLocker installation (particularly when the OS is already installed). In Windows 7 setup, by default you get a separate active system partition.
Perhaps most compelling is Windows 7’s BitLocker to Go feature, which enables you to configure BitLocker Drive Encryption on USB flash drives and external hard drives.
A new Group Policy setting lets you configure removable drives as Read Only unless they are encrypted with BitLocker To Go. Also important: the data is usable on Windows Vista and XP. BitLocker to Go is undoubtedly a feature that will prove its value because protecting data on removable data drives has been one of the leading headaches of enterprise security.
Windows 7’s BitLocker
(BitLocker, by the way, is only available in the Ultimate and Enterprise editions of Vista and Windows 7.)
Other security enhancements in Windows 7 include Global SACL and Granular Auditing, which let you manage auditing for users rather than just objects, and provide more information about AccessCheck failures for file objects. This is the tool I referenced earlier that aids in compliance efforts.
Windows 7 also includes a new Windows Biometric Framework (WBF), which allows companies to more easily incorporate biometric authentication devices such as fingerprint readers.
Question: Operating systems and large software applications are always full of useful features that people don’t use, in part because they don’t know how to use them. BitLocker to Go seems like a great idea because of the security threat posed by the popular USB drives, but how easy is it for end users to use?
Answer: Using BitLocker to Go is really pretty seamless. Once you have it up and running, it requires little from users. Files remain encrypted only when they are stored in an encrypted drive. Files copied to another drive are decrypted. You can always unlock an encrypted drive with a password.
By the way, if you’re looking for more encryption protection, some of the Dell OptiPlex desktop machines come with Dell Data Protection, which encrypts on a per-file basis, and also works on removable hard drives.