The words Windows and security have not always been compatible. In the past, Microsoft's quest to make its operating system as easy to manage as possible for the "typical" user has often meant sacrificing adequate safeguards against intrusion and infection. Windows XP's notorious vulnerability to network worms stands as a recent example; Microsoft shipped the operating system with a firewall but initially left it turned off by default.
For all its flaws, real and perceived, Vista marked a huge step forward in Windows security. Windows 7 has continued that improvement, adding several new features and enhancing many others -- most obviously the User Account Control system, which proved so obnoxious in Vista that many users turned it off, leaving their systems vulnerable to intrusion in exchange for a less annoying experience. UAC has been revamped in Windows 7 to be less intrusive and more discerning about what constitutes a true threat, and therefore more effective.
Other Windows 7 security features are less apparent, especially those intended for businesses concerned with protecting not just one computer but an entire network. Among the most important new features are DirectAccess, a VPN replacement for computers on Windows networks; the Windows Biometric Framework, which standardizes the way fingerprints are used by scanners and biometric applications; and AppLocker, which improves on previous Windows versions' Software Restriction Policies to limit which software can be run on a machine.
Also key are BitLocker To Go, which extends BitLocker's volume encryption to removable drives such as USB flash drives and external hard disks, and a refined procedure for handling multiple firewall profiles so that the level of protection better matches the network a user is connected to.
In typical Microsoft fashion, these features have been made available with little fanfare or guidance. Let's take a look at each to see how they can help Windows shops secure their computers and networks.
Note that some of these features are available for all versions of Windows 7, while others require the Enterprise or Ultimate editions. What's more, you won't be able to fully implement some features until you've upgraded all your users to Windows 7, and at least one -- DirectAccess -- has back-end requirements that most companies don't have in place yet. These features will, however, work side by side with older technologies for users who are still on earlier versions of Windows.
So even though you may not be able to take full advantage of all the new security features immediately, the time to start planning for them is now. We'll start with the features that you can use right away and work our way up to those that require planning.
Multiple active firewall profiles
Windows 7 offers a small but incredibly important improvement over Vista in its handling of firewall profiles. Vista allowed users to set up different firewall profiles for public, private and domain connections. A private network might be your home Wi-Fi network; aside from having the right WEP or WPA key (and WEP, which is trivially cracked, should not be relied on), you don't need any credentials to join it, but you trust it more than a public network like a coffee shop hot spot. A domain network is one on which the computer can reach a domain controller for the Active Directory domain it belongs to; Windows assigns that profile automatically rather than asking the user.
Each profile type has its own selection of applications and connections allowed through the firewall. For instance, in a home or small-business network marked Private, you might allow file and printer sharing, while on a network marked Public, you would likely disallow access to your files.
Vista's firewall profiles worked well except when a computer was connected to multiple networks simultaneously, such as an Ethernet and a wireless network. In those cases, the system applied the single most restrictive profile to every connection. This could cause problems when, for example, connecting to a corporate VPN through a public Wi-Fi hot spot; Vista would recognize simultaneous connections to both a public and a domain network and apply the public profile to both, which broke anything the domain profile was supposed to permit.
All versions of Windows 7 allow computers to keep several firewall profiles active at the same time, maintaining the access and functionality of the more trusted network while blocking access via the less trusted network. Since many remote access functions require less restrictive firewall settings, users can now work securely while remaining protected from threats outside of the corporate network.
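The following script is an added illustration, not code from the article, of what per-interface profiles look like from the command line on Windows 7. It reads the set of currently active profiles through the HNetCfg.FwPolicy2 COM interface (the CurrentProfileTypes bitmask holds every active profile, not just one), then adds an inbound rule bound only to the domain and private profiles with the netsh advfirewall syntax available on Windows 7, where the NetSecurity PowerShell cmdlets do not yet exist. The rule name and the choice of TCP 445 (file and printer sharing) are assumptions for the example; run it from an elevated prompt.

```powershell
# Added example (not from the article): show which firewall profiles are active at once on
# Windows 7 and add a rule that applies only to the trusted profiles. Requires elevation.
# The rule name and the use of TCP 445 are illustrative assumptions.

# INetFwPolicy2 is available on Vista and later. On Windows 7, CurrentProfileTypes is a
# bitmask of every profile currently active, one per connected network (1=Domain, 2=Private,
# 4=Public), which is exactly the multiple-active-profile behaviour described above.
$fwPolicy = New-Object -ComObject HNetCfg.FwPolicy2

$profileNames = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }

function Get-ActiveFirewallProfiles {
    param([int]$Mask)
    foreach ($bit in 1, 2, 4) {
        if ($Mask -band $bit) {
            New-Object PSObject -Property @{
                Profile         = $profileNames[$bit]
                FirewallEnabled = $fwPolicy.FirewallEnabled($bit)   # parameterized COM property
            }
        }
    }
}

$active = Get-ActiveFirewallProfiles -Mask $fwPolicy.CurrentProfileTypes
Write-Host 'Active firewall profiles (more than one means several networks are connected):'
$active | Format-Table Profile, FirewallEnabled -AutoSize

# Allow inbound SMB only on the domain and private profiles. Because Windows 7 evaluates the
# profile per interface, the same host keeps port 445 closed on an adapter classified as Public
# (the hot-spot Wi-Fi) while it is open on the VPN or corporate LAN adapter.
$ruleName = 'SMB-In allowed on trusted networks'   # assumed name
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
    protocol=TCP localport=445 profile=domain,private

# Confirm the rule exists and check the Profiles line in the output shows Domain,Private only.
netsh advfirewall firewall show rule name="$ruleName"
```

If the first table lists two or more profiles, you are looking at the Windows 7 behaviour the article describes; on Vista the same COM call reports a single profile for the whole machine. Remove the test rule afterwards with netsh advfirewall firewall delete rule name="SMB-In allowed on trusted networks".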