Enterprise & Security Improvements
In Windows 7, the Group Policy Management Console has been extended with 25 PowerShell cmdlets that integrate with Group Policy features and functions. You can open up the ‘black box’ of Group Policy and automate the configuration of any registry key with a combination of simple and powerful cmdlets. Command-line support lets you create, configure, link and even back up Group Policy Objects quickly.

Windows 7 also improves its drive encryption technology (BitLocker), providing better offline data protection. Enhanced by the use of the Trusted Platform Module (TPM), a new feature based on BitLocker called ‘BitLocker To Go’ extends drive encryption to portable storage devices such as thumb drives or external USB hard disks, with support for the FAT, FAT32 and exFAT file systems in addition to NTFS for improved compatibility. This allows for better management, for example applying restrictions on how these devices are accessed and used. Although BitLocker itself is still limited to the Ultimate and Enterprise editions of Windows 7, once BitLocker To Go is enabled the device can still be used on any edition of Windows 7 as well as on Windows XP. BitLocker is also easier to set up and configure: simply right-click a drive in Computer Explorer and click ‘Turn on BitLocker’ on the context menu. I noticed, though, that large devices of 2 GB or more can take a long time to encrypt, so I suggest you don’t do it on a whim. Other improvements include no need for manual partitioning or third-party tools: Windows 7 creates a hidden partition for BitLocker instead of a separate new one as Vista did. Enterprises can also benefit from Data Recovery Agent support for all protected disk volumes, which allows them to store recovery data in Active Directory and recover volume data if required.
Windows Vista’s security improvements were numerous, and the Windows team didn’t stop there either. A new feature of the Windows 7 kernel is ‘Safe Unlinking’, which joins other security technologies such as UAC, Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), stack protection, heap protection and Structured Exception Handler Overwrite Protection (SEHOP). Safe Unlinking defends against pool overrun attacks, a common exploit technique that targets memory dynamically allocated at run time (the heap, or the kernel’s pool), which typically contains program data. The exploitation works by corrupting that data in a way that causes the application to overwrite internal structures such as linked-list pointers. Safe Unlinking counters this by validating an entry’s forward and backward pointers against each other when the entry is unlinked and raising a bug check as soon as an overrun is detected, which prevents further memory corruption, crashes and errors.

If there’s one thing Windows Vista was known for it was security; some would say too much of it, actually. Features like Kernel Patch Protection, Service Hardening, DEP, ASLR and the controversial UAC made up a complete security experience in Windows Vista. Windows 7 is about refining the usability of these fundamental features. The controversial User Account Control feature is now more controllable. People familiar with it in Vista resorted to disabling the feature just to get some peace of mind. Windows 7 takes a more passive approach with UAC: you will still see a few prompts, but it isn’t triggered for every action you take. UAC also gives the user more information about why it does what it does; for instance, an application is shown which part of the system it needs to access or write to. UAC is still annoying, but it’s not in your face. In Action Center, a new ‘User Account Control settings’ page gives users the option of controlling how they are notified of potential changes to the system.
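The UAC settings page mentioned above is a slider over a handful of registry values. As an added example (my own, not from the article or from Microsoft), the following PowerShell reads those values on the local machine and reports which notification level is in effect, which is handy when auditing a fleet of Windows 7 machines after users have been given the choice. The mapping of values to slider positions is an assumption based on the Windows 7 defaults; the registry value names are the documented ones.

```powershell
# Added example, not from the article: report the effective UAC notification
# level by reading the policy values behind the Windows 7 UAC slider.
# Assumption: value-to-slider mapping below reflects Windows 7 defaults.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Read one value from the UAC key, falling back to the Windows 7 default
# when the value has never been written.
function Read-UacValue([string]$Name, [int]$Default) {
    $p = Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $Default }
    return [int]$p.$Name
}

# Pure mapping from the three values to a human-readable level, so it can be
# reused against values collected remotely (e.g. from a registry export).
function Get-UacLevel {
    param(
        [int]$EnableLUA,                    # 0 = UAC off entirely (reboot needed)
        [int]$ConsentPromptBehaviorAdmin,   # how admins are prompted to elevate
        [int]$PromptOnSecureDesktop         # 1 = dim the desktop for the prompt
    )
    if ($EnableLUA -eq 0) { return 'UAC disabled (EnableLUA=0)' }
    switch ($ConsentPromptBehaviorAdmin) {
        2 {
            if ($PromptOnSecureDesktop -eq 1) { return 'Always notify (secure desktop)' }
            return 'Always notify (without dimming the desktop)'
        }
        5 {
            if ($PromptOnSecureDesktop -eq 1) { return 'Notify only when programs try to make changes (Windows 7 default)' }
            return 'Notify only when programs try to make changes, without dimming the desktop'
        }
        0 { return 'Never notify (elevation happens silently)' }
        default { return "Non-slider combination: ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin, PromptOnSecureDesktop=$PromptOnSecureDesktop" }
    }
}

function Get-LocalUacLevel {
    Get-UacLevel -EnableLUA (Read-UacValue 'EnableLUA' 1) `
                 -ConsentPromptBehaviorAdmin (Read-UacValue 'ConsentPromptBehaviorAdmin' 5) `
                 -PromptOnSecureDesktop (Read-UacValue 'PromptOnSecureDesktop' 1)
}

# Usage: prints the level for this machine, e.g. when run as a logon script
# that writes to a central share.
Get-LocalUacLevel
```

Reading the key needs no elevation, so the script can run in a user context; changing the values does, which is exactly the control the slider exposes. The `default` branch matters in practice: Group Policy can set `ConsentPromptBehaviorAdmin` to values (such as prompting for credentials) that the consumer slider never produces, and an audit should surface those rather than mis-classify them.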
Similar to Internet Explorer’s ‘Security level for this zone’ setting, users have a choice of notification levels ranging from Never Notify to Always Notify. Never Notify is the most drastic option and is pretty much the same as turning UAC off altogether. I don’t think you want to choose this option, because UAC still has a place in Windows; it just needs to be more intelligent. For that there are more flexible options. One is to be notified only when programs attempt to make changes to the system, excluding user-initiated actions. It somewhat defeats the original premise of UAC protecting novice users from themselves, but novices and experts alike who find UAC in its current state too intrusive should find this the right balance. Of the two other options, ‘Always notify me’ notifies the user but does not wait for a response, which the obvious ‘Always notify me and wait for my response’ does. Overall, I consider this progress; users finally have a choice in this critical area of the system. It’s clear Microsoft has listened, and users should feel more confident about the changes they make to UAC. In Vista there is a nagging paranoia even for those who willingly turn it off; with Windows 7, it’s all about choice and confidence.

In order to help prevent malware (such as Conficker) from spreading via the AutoRun mechanism, the Windows 7 engineering team made two important changes to this technology: AutoPlay no longer supports the AutoRun functionality for non-optical removable media. In other words, AutoPlay will still work for CDs/DVDs, but AutoRun will no longer work for USB drives. For example, if an infected USB drive is inserted into a machine, the AutoRun task will not be displayed. This blocks the increasing social engineering threat highlighted in the SIR (Microsoft Security Intelligence Report). The dialogs below highlight the difference that users will see after this change. Before the change, the malware leverages AutoRun (boxed in red) to confuse the user.
After the change, AutoRun will no longer work, so the AutoPlay options are safe.
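The Group Policy cmdlets described at the top of this page are the natural way to enforce the removable-media protections it covers across an enterprise. As an added example (my own script, not the article’s or Microsoft’s), the following PowerShell uses the Windows 7 GroupPolicy module to create a GPO, set two registry policies through it, link it to an OU and back it up: it disables AutoRun for every drive type (the Windows 7 default only blocks non-optical media, so this extends the same protection to CD/DVD), and it denies write access to removable drives that are not protected by BitLocker To Go. The GPO name, the OU distinguished name and the backup folder are assumed values; the registry policy paths are Microsoft’s documented Explorer and BitLocker (FVE) policy keys.

```powershell
# Added example, not from the article: build, link and back up a GPO that
# hardens removable media using the Windows 7 Group Policy cmdlets.
# Requires the GroupPolicy module (RSAT) on a domain-joined machine and an
# account allowed to create and link GPOs.
Import-Module GroupPolicy

$GpoName    = 'Removable Media Hardening'           # assumption
$TargetOU   = 'OU=Workstations,DC=corp,DC=example'   # assumption
$BackupPath = 'C:\GPOBackups'                        # assumption

# Create the GPO, or reuse it if an earlier run already created it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName `
        -Comment 'Disable AutoRun on all drive types; require BitLocker To Go for writable removable drives'
}

# 1. AutoRun: NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun
#    is suppressed; 0xFF covers every type, CD/DVD included.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF | Out-Null

# 2. BitLocker To Go: with RDVDenyWriteAccess = 1, removable drives that are not
#    BitLocker-protected mount read-only, so data can only leave on an encrypted
#    device.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\FVE' `
    -ValueName 'RDVDenyWriteAccess' -Type DWord -Value 1 | Out-Null

# Read both policies back from the GPO to confirm what clients will receive.
$explorer = Get-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$fve = Get-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\FVE'
$explorer, $fve | Select-Object ValueName, Type, Value | Format-Table -AutoSize

# Link the GPO to the workstation OU unless a link already exists.
$existingLink = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existingLink) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Back up the GPO so the baseline can be audited, diffed or rolled back.
if (-not (Test-Path $BackupPath)) {
    New-Item -ItemType Directory -Path $BackupPath | Out-Null
}
Backup-GPO -Name $GpoName -Path $BackupPath -Comment "Baseline $(Get-Date -Format s)"
```

Clients pick the settings up on the next policy refresh (`gpupdate /force` on a test workstation makes it immediate), after which the AutoRun dialog described above does not appear even for optical media, and an unencrypted thumb drive can be read but not written. Keep the `Backup-GPO` output: `Restore-GPO` from that folder is the quickest way to undo a policy change that turns out to be too aggressive for a particular OU.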