Windows 7 Security Features Revealed

Recently Microsoft's Paul Cooke, Program Manager for Windows Live, updated The Windows Security Blog with a lengthy insight into the new Windows 7 operating system, specifically the security features that will benefit the mobile worker. His update stems from hands-on experience at this week's RSA Conference and addresses five security features: Multiple Active Firewall Policies, DirectAccess, BranchCache, BitLocker To Go, and AppLocker. Cooke also hinted in the blog that the update was just the "tip of the iceberg," and told readers to stay tuned for more information on the new security technologies.

"We’re really excited about Windows 7’s new security features," he said. "This next OS is built upon the proven security technologies in Windows Vista and provides a fundamentally secure computing platform. We not only utilized the enhanced Security Development Lifecycle (SDL) process during planning, development and testing, but we also have worked to make the security features more discoverable, usable and manageable. These enhancements give Windows 7 the expanded security offerings to provide the necessary security controls to help mobile workers access the information they need to be productive, wherever and whenever they need it."

The first segment of his blog, Multiple Active Firewall Policies, describes how mobile users can create security problems when connecting to multiple networks on the road while also connected to the company network. Windows 7 eliminates the problem by letting the PC obtain and apply the domain firewall profile regardless of which other networks are active on the PC, so IT pros can maintain a single set of rules for both remote clients and physically connected clients.

The next feature, DirectAccess, automatically establishes a bi-directional connection from mobile client computers to a corporate network. This means the end user is not required to connect via a VPN tunnel, but instead connects through secured access over the Internet. DirectAccess uses IPsec to authenticate the computer and user and to encrypt the data crossing the Internet, and it can even be used to require employees to authenticate with a smart card. And since DirectAccess is always on, IT pros can distribute software updates and policies at any time.

Cooke also talked about BranchCache, a feature that will speed up network access for the employee working out of the branch office, performing as if they're working straight off the in-office corporate LAN. "BranchCache also helps reduce the utilization of the wide area network," he wrote. "When BranchCache is enabled, a copy of any data accessed from Intranet Web sites and/or file servers is cached locally within the branch office. When another client on the same network requests the file, the client downloads it from the local cache without downloading the same content across the WAN."

Cooke goes on to talk about BitLocker To Go, an extension to BitLocker in Vista that allows users to encrypt the disk volume of removable storage devices with a password and/or a digital certificate stored on a smart card. The feature also lets users share data with Vista and XP users via a read-only program called BitLocker To Go Reader. Additionally, Cooke said that Windows 7 will give control back to IT pros with AppLocker, a feature that helps them eliminate unknown and unwanted software from their network environment (such as user-installed P2P programs, unnecessary games, unlicensed software, etc). At the same time, AppLocker allows end users to install and run approved applications and software updates based upon their business needs.
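A short administrative walkthrough of the AppLocker workflow described above, added here as an example and not taken from the article or Microsoft's blog: it builds publisher and hash rules from known-good binaries and evaluates the resulting policy against a renamed copy before anything is enforced. It assumes a Windows 7 edition that ships the AppLocker cmdlets and an elevated PowerShell session; the temp-file paths and the renamed copy are constructed for the demo.

```powershell
# Added example (not from the article or Microsoft's blog). Assumes Windows 7
# Enterprise/Ultimate with the AppLocker module and an elevated session.
Import-Module AppLocker

# Known-good, Microsoft-signed binaries to derive rules from (constructed set).
$ReferenceExes = @(
    "$env:windir\System32\notepad.exe",
    "$env:windir\System32\calc.exe"
)
$PolicyXml = Join-Path $env:TEMP 'applocker-demo.xml'   # constructed path

# Collect Authenticode publisher details and file hashes for each binary.
$fileInfo = Get-AppLockerFileInformation -Path $ReferenceExes

# Prefer publisher (signature) rules; fall back to hash rules for unsigned
# files. -Optimize collapses files from the same signer into one rule.
New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $PolicyXml -Encoding UTF8

# A renamed copy of a signed binary: a publisher rule matches the signature,
# not the file name, so the copy is still allowed by the policy. An unsigned
# executable a user drops in would match no rule and be blocked once the
# Executable rule collection is enforced.
$renamed = Join-Path $env:TEMP 'totally-not-notepad.exe'    # constructed
Copy-Item -Path $ReferenceExes[0] -Destination $renamed -Force

# Evaluate the policy offline; PolicyDecision shows Allowed/Denied per file.
Test-AppLockerPolicy -XmlPolicy $PolicyXml -User Everyone -Path $renamed |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Apply to the local policy only after the decisions look right. Enforcement
# also needs the Application Identity service (AppIDSvc) running and the
# rule collection set to "Enforce rules" rather than "Audit only".
# Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge
```

Run the test step with a renamed unsigned file as well before enforcing, so the Allowed/Denied split behaves as intended on real endpoints.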

"AppLocker just might be my favorite security feature in Windows 7, for it not only provides security protections but as an ex-IT Pro I really appreciate the operational and compliance benefits as well," he said.

Look for more Windows 7 updates as the week unfolds. For more details on each feature listed here, check out his official blog.

  • scryer_360

    No no just kidding, there will be real substance to this comment.

    It's all good and well that they have these features here, but what is really going to make or break these is if they actually work. I've seen some security features backfire by opening up new exploits before, so in the end, it all comes down to launch day. I can already see hackers looking for exploits in the Beta; the launch version will be interesting enough.
  • jhansonxi
    Multiple Active Firewall Policies = Simply ties firewall settings to network profiles. So if an attacker wants to make a target's system more vulnerable, they just need to make it think it's on a safe corporate network.
    DirectAccess = Since when is a properly configured VPN client difficult to use?
    BranchCache = How does this compare to a caching proxy or Offline Files? Does this work with databases like Access? Might be useful for branch offices that are using consumer accounts with an ISP that has caps. Of course they could just get a normal business ISP connection.
    BitLocker To Go = Nice but not really new as there are third-party apps that can do the same.
    AppLocker = I guess it could be useful if you don't know how to lock down a desktop. So how does it handle a renamed application executable?
  • kato128
    @jhansonxi: I'm pretty sure DirectAccess is designed to be an always-on type of thing, which will make those pesky remote password change problems go away, and with any luck it'll remove the hassle of training users to actually start the VPN connection after login. Remember, for us professionals a VPN is easy, but a lot of users just can't understand it properly.
  • echdskech
    It's funny how most of these features are already present, some ancient, in "other" OSes. Still, I suppose it's good to see they're going in the right direction. I just hope these do not affect performance too much or be annoying like UAC.
  • michaelahess
    As long as we don't get the Local Connectivity only message when we plug into a modem the damn OS has never seen before. Infuriating, even with the firewall disabled. I hate Vista's network restriction.

    I don't know how many laptops come back to me 'cause they can't get on the net off another AP somewhere else in the world; even a netsh reset won't fix the issue all the time, let alone a "repair" attempt, what a joke that is.
  • tim_tj
    What are the other latest features of Windows 7 that make it better than the previous versions?
  • kato128
    tim_tj: What are the other latest features of Windows 7 that make it better than the previous versions?
    Take your pick:

    Improved CPU scalability (i.e. you actually get the extra grunt from your quad core)
    Better security through revised UAC
    Smaller memory footprint
    Improved boot and reboot speeds
    Revised and more useful interface

    Plus many more I haven't listed and you probably won't notice in everyday operation, but will in 6 months when your computer doesn't need a rebuild due to viruses etc. like all the XP people.
  • kamkal
    as long as win7 is quick

  • mitch074
    It's nice. Is it worth getting excited about? Not really.