The Active Network


Product: Windows 7
Company: Microsoft
Review By: Andre Da Costa

with Byron Hinson, Robert Stein & Fernando Fhualpa contributing

Enterprise & Security Improvements

Table Of Contents (70 Pages)
1: Introduction & Executive Summary
2: Pricing, Editions & System
3: Installation, Setup & Upgrading
4: Initial Impressions
5: Daily Usage
6: Connectivity & Networking
7: Windows Internet Explorer 8
8: IE 8 - Developer, Compatibility & Security
9: Accessories (Search, Applets, etc.)
10: Windows Media Player 12 & Media Center
11: Enterprise & Security Improvements
12: Windows Virtual XP Mode
13: Device Stage & Printing
14: Remote Assistance - Easy Connect
15: Customizing Windows 7
16: Maintenance & Power Management
17: Gaming & Desktop Graphics Performance
18: USB Transfer Tests
19: Desktop & Personalization
20: Support Tools
21: System Restore & Recovery Options
22: Tablet PC & Windows Touch
23: Windows Update & Other Enhancements
24: Windows 7 Developer Support
25: Competition
26: Conclusion & Online Resources

In Windows 7 (and Windows Server 2008 R2) the Group Policy Management Console is complemented by a GroupPolicy PowerShell module of 25 cmdlets, which gives scripts access to Group Policy features and functions; on a Windows 7 client it arrives with the Remote Server Administration Tools. The cmdlets open up the 'black box' of Group Policy: any registry-based policy setting can be configured with a combination of simple, powerful cmdlets, and from the command line you can create, configure, link and even back up Group Policy Objects quickly, without touching the editor.
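As an added example (not code from the review or from Microsoft), the following script walks the whole lifecycle the paragraph describes with the GroupPolicy module: create a GPO, set a registry-based policy in it, link it, verify it and back it up. It assumes an elevated PowerShell on a Windows 7 machine with RSAT (or on a domain controller) and an account allowed to create and link GPOs; the domain corp.example, the OU, the GPO name and the backup folder are placeholders.

```powershell
# Added example, not from the review: automate a GPO end to end with the Windows 7 / Server 2008 R2 GroupPolicy module.
# Assumptions: elevated PowerShell with RSAT; corp.example, the OU, the GPO name and C:\GPOBackups are placeholders.
Import-Module GroupPolicy

$gpoName   = 'Workstation Hardening - AutoRun'           # assumed name
$targetOU  = 'OU=Workstations,DC=corp,DC=example'        # assumed OU
$backupDir = 'C:\GPOBackups'                              # assumed backup location
$explorerKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# 1. Create the GPO, or reuse it if a previous run already created it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Ignore autorun.inf on every drive type (NoDriveTypeAutoRun = 0xFF)'
}

# 2. Configure a registry-based policy directly, without opening the editor.
#    0xFF sets every drive-type bit, so autorun.inf is ignored on CD/DVD as well as USB.
Set-GPRegistryValue -Name $gpoName -Key $explorerKey `
    -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF | Out-Null

# 3. Link it to the OU (skip if already linked) with the link enabled.
$alreadyLinked = (Get-GPInheritance -Target $targetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null
}

# 4. Verify the setting round-trips from the GPO, then back the GPO up so the change can be rolled back.
$setting = Get-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName 'NoDriveTypeAutoRun'
'{0} = 0x{1:X2}' -f $setting.ValueName, [int]$setting.Value

if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
Backup-GPO -Name $gpoName -Path $backupDir `
    -Comment ('Backup before deployment ' + (Get-Date -Format s)) | Out-Null

# 5. An HTML report of the resulting settings for change review.
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $backupDir ($gpoName + '.html'))
```

Restore-GPO with the same backup folder reverses step 4 if the policy misbehaves; the report from step 5 is what to attach to the change ticket.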

Windows 7 improves its drive encryption technology, BitLocker, to give better protection for data at rest. On the operating system volume BitLocker continues to use the Trusted Platform Module (TPM) to guard the volume key; a new feature built on the same technology, 'BitLocker To Go', extends encryption to portable storage such as thumb drives and external USB hard disks, with support for FAT, FAT32 and exFAT in addition to NTFS for broad compatibility. Removable drives are unlocked with a password or smart card rather than the TPM, so they stay usable on other machines, and Group Policy can require that a removable drive be BitLocker-protected before it can be written to, which gives administrators real control over how these devices are accessed and used. Although turning BitLocker on is still limited to the Ultimate and Enterprise editions of Windows 7, a BitLocker To Go drive can be unlocked on any edition of Windows 7 and, read-only through the BitLocker To Go Reader (FAT-formatted drives only), on Windows XP and Vista. BitLocker is also easier to set up: right-click a drive in the Computer window of Windows Explorer and choose 'Turn on BitLocker' from the context menu. I noticed, though, that larger devices (2 GB or more) can take a long time to encrypt, so don't do it on a whim. Other improvements include no need for manual partitioning or third-party tools: Windows 7 Setup creates a small hidden system partition for the boot files at installation time, whereas Vista needed a separate partition created afterwards with the BitLocker Drive Preparation Tool. Enterprises also benefit from Data Recovery Agent support for all protected volumes, and from the option to store recovery passwords in Active Directory so that a volume can be recovered if required.
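The command-line equivalent of 'Turn on BitLocker' for a removable drive, with the recovery password escrowed in Active Directory and a wait for the slow encryption pass the review warns about, as an added example that is not code from the review or from Microsoft. It drives the manage-bde tool that ships with Windows 7 and assumes an elevated PowerShell on Windows 7 Enterprise or Ultimate, a removable drive at the placeholder letter E:, and that the Group Policy setting storing BitLocker recovery information in AD DS is enabled for removable drives (otherwise the -adbackup step fails). The parsing of manage-bde's output assumes the Windows 7 text layout.

```powershell
# Added example, not from the review: BitLocker To Go via manage-bde, with AD escrow of the recovery password.
# Assumptions: elevated PowerShell on Windows 7 Enterprise/Ultimate; E: is a placeholder removable drive;
# AD DS backup of recovery information is enabled by policy; manage-bde output format as on Windows 7.
$drive = 'E:'

function Get-BdeField {
    # Extract one "Label:   value" field from manage-bde output (assumed layout).
    param([string[]]$Lines, [string]$Label)
    $pattern = '^\s*' + [regex]::Escape($Label) + ':\s*(.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

$status = manage-bde -status $drive
$conversion = Get-BdeField $status 'Conversion Status'
if ($conversion -ne 'Fully Decrypted') {
    throw "$drive is not a plain volume (Conversion Status: $conversion); aborting."
}

# Two protectors: a password (prompted interactively) for daily unlock, and a 48-digit
# numerical recovery password. The recovery password is printed exactly once; keep that output.
manage-bde -on $drive -Password -RecoveryPassword

# Escrow: find the numerical-password protector ID and push it to AD DS.
$protectorText = (manage-bde -protectors -get $drive) -join "`n"
if ($protectorText -match 'Numerical Password:\s*\r?\n\s*ID:\s*(\{[0-9A-Fa-f\-]+\})') {
    $recoveryId = $Matches[1]
    manage-bde -protectors -adbackup $drive -id $recoveryId
} else {
    Write-Warning 'Numerical password protector not found in output; back it up manually.'
}

# Encryption runs in the background and, as the review notes, takes a while on larger drives.
# Do not remove the drive until the conversion is complete.
do {
    Start-Sleep -Seconds 15
    $status = manage-bde -status $drive
    Write-Host ("{0} {1} encrypted" -f $drive, (Get-BdeField $status 'Percentage Encrypted'))
} until ((Get-BdeField $status 'Conversion Status') -eq 'Fully Encrypted')

# Final check: protection on, and both protectors present.
'Protection Status: ' + (Get-BdeField $status 'Protection Status')
manage-bde -protectors -get $drive
```

The password protector is what makes the drive usable on any Windows 7 edition (and, read-only, on XP and Vista); the numerical password exists purely for recovery, which is why it is escrowed and then not kept anywhere on the drive's owner's machine.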

Better organization: Control Panel has also received a boost in how its items are organized, with quicker access to your computer's settings.

Windows Vista's security improvements were numerous, and the Windows team did not stop there. A new feature of the Windows 7 kernel is 'safe unlinking', which joins the roster of memory-safety mitigations such as UAC, Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), stack protection (/GS), heap protection and Structured Exception Handler Overwrite Protection (SEHOP). Safe unlinking targets kernel pool overruns. The pool is the kernel's equivalent of the heap: memory that the kernel and drivers allocate dynamically at run time, typically for program data, with free blocks and other bookkeeping kept in doubly linked lists. A classic exploitation technique is to overflow one allocation so that the overrun corrupts the list pointers (Flink and Blink) of a neighbouring structure; when the kernel later unlinks that entry, the corrupted pointers are used as write targets, which hands the attacker an arbitrary write into kernel memory. Safe unlinking, which user-mode heaps have had since Windows XP SP2, checks before unlinking that the entry's neighbours point back to it (Entry->Flink->Blink == Entry and Entry->Blink->Flink == Entry). If they do not, the kernel raises a bug check immediately: the machine stops with a crash rather than continuing with corrupted memory, which turns a potential code-execution primitive into a denial of service.
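To make the unlink primitive concrete, here is an added toy model (not Windows kernel code, and not from the review): a doubly linked list stored in a word-addressable 'pool' array, an overrun that rewrites one entry's Flink and Blink, and both the unchecked unlink and the Windows 7 check run against it. The addresses, the 'function pointer' at address 50 and the 'shellcode' at 40 are constructed for the demonstration.

```powershell
# Added example, not from the review and not kernel code: a toy pool showing why an unchecked unlink is a
# write-what-where primitive and how the Windows 7 safe-unlinking check stops it. Layout is constructed.

$script:pool = New-Object int[] 64     # one "pointer-sized" word per cell; index = address
$FLINK = 0; $BLINK = 1                 # a LIST_ENTRY is two consecutive words: Flink, Blink

function Initialize-List {
    # Build a circular list over the given addresses; the first address acts as the list head.
    param([int[]]$Entries)
    $script:pool = New-Object int[] 64
    $n = $Entries.Count
    for ($i = 0; $i -lt $n; $i++) {
        $cur = $Entries[$i]
        $script:pool[$cur + $FLINK] = $Entries[($i + 1) % $n]
        $script:pool[$cur + $BLINK] = $Entries[($i - 1 + $n) % $n]
    }
}

function Remove-EntryUnsafe {
    # RemoveEntryList as it was before Windows 7: both pointers are trusted.
    param([int]$Entry)
    $f = $script:pool[$Entry + $FLINK]
    $b = $script:pool[$Entry + $BLINK]
    $script:pool[$b + $FLINK] = $f     # Blink->Flink = Flink : writes $f at address $b
    $script:pool[$f + $BLINK] = $b     # Flink->Blink = Blink : writes $b at address $f + 1
}

function Remove-EntrySafe {
    # Windows 7 safe unlinking: neighbours must point back at the entry, otherwise bug check.
    param([int]$Entry)
    $f = $script:pool[$Entry + $FLINK]
    $b = $script:pool[$Entry + $BLINK]
    if ($script:pool[$f + $BLINK] -ne $Entry -or $script:pool[$b + $FLINK] -ne $Entry) {
        throw "BUG CHECK: corrupted LIST_ENTRY at $Entry (Flink=$f, Blink=$b)"
    }
    $script:pool[$b + $FLINK] = $f
    $script:pool[$f + $BLINK] = $b
}

function Invoke-Overrun {
    # The overflow: an allocation just below address 20 spills into entry 20's LIST_ENTRY.
    # Flink = value to write (40, the "shellcode"), Blink = where to write it (50, the "function pointer").
    $script:pool[20 + $FLINK] = 40
    $script:pool[20 + $BLINK] = 50
}

# Scenario 1: unchecked unlink. Head at 0, entries at 10, 20, 30; function pointer at 50 -> legit code at 60.
Initialize-List -Entries 0, 10, 20, 30
$script:pool[50] = 60
Invoke-Overrun
Remove-EntryUnsafe -Entry 20
"Unsafe unlink: function pointer at 50 now = $($script:pool[50])"        # 40, hijacked

# Scenario 2: same corruption, Windows 7 check. pool[40 + 1] is 0, not 20, so the unlink is refused.
Initialize-List -Entries 0, 10, 20, 30
$script:pool[50] = 60
Invoke-Overrun
try {
    Remove-EntrySafe -Entry 20
} catch {
    "Safe unlink: $($_.Exception.Message); function pointer at 50 still = $($script:pool[50])"   # 60, intact
}
```

The check costs two loads and two compares per unlink, which is why it could be switched on for every pool list; the price is that a detected corruption is a deliberate crash, which is the intended trade.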

If there is one thing Windows Vista was known for, it was security; some would say too much of it. Features like Kernel Patch Protection, Service Hardening, DEP, ASLR and the controversial UAC made up a complete security experience in Windows Vista. Windows 7 is about refining the usability of these fundamental features.

The controversial User Account Control utility is more controlled. Persons familiar with it in Vista resorted to disabling the feature just to get some peace of mind. Windows 7 takes a more passive approach: you will still see prompts, but not for every action you take. By default, changes an administrator makes to Windows settings (through Control Panel, say) no longer prompt; only programs that try to make changes to the computer do. The prompt itself also gives more information about why it appears, identifying the program that is requesting elevation and its publisher. UAC is still annoying, but it's no longer in your face. Action Center links to a new User Account Control settings page with a slider of four levels, from Never notify to Always notify, in the spirit of Internet Explorer's 'Security level for this zone' setting.

Never notify is the most drastic option and is effectively the same as turning UAC off altogether (on Windows 7 it disables UAC entirely, which also switches off Internet Explorer's Protected Mode, and it requires a restart). I don't think you want to choose this option, because UAC still has a place in Windows; it just needs to be more intelligent. For that there are more flexible options.

The two middle levels notify you only when programs attempt to make changes to the computer, but not when you change Windows settings yourself. That somewhat defeats the original premise of UAC protecting novice users from themselves, but both novices and experts who found Vista's UAC too intrusive should find the default a reasonable balance.

These two levels differ only in where the prompt is shown. The default dims the screen and displays the prompt on the secure desktop, which other programs cannot interact with; the 'do not dim my desktop' variant displays it on the normal desktop, which is less disruptive but leaves the prompt exposed to whatever else is running. The remaining level, 'Always notify me', behaves like Vista: every elevation prompts, including changes to Windows settings.

Overall, I consider this progress; users finally have a choice in this critical area of the system. It's clear Microsoft has listened, and users should feel more confident about the changes they make to UAC. In Vista there was a nagging paranoia even for those who willingly turned it off; with Windows 7 it's all about choice and confidence.

To help prevent malware such as Conficker from spreading through the AutoRun mechanism, the Windows 7 engineering team made important changes to this technology:

AutoPlay no longer honours autorun.inf on non-optical removable media. In other words, AutoRun still works for CDs and DVDs, but it no longer works for USB drives: if an infected USB drive is inserted, the AutoRun task it defines is not displayed. This blocks the growing social-engineering threat highlighted in Microsoft's Security Intelligence Report (SIR), in which malware used its autorun.inf entry to plant a fake 'Open folder to view files' action, complete with the folder icon, at the top of the AutoPlay dialog so that the user would launch it while believing they were browsing the drive. After the change only the genuine AutoPlay options appear for a USB drive, so they are safe to choose. (The same behaviour was later shipped to earlier Windows versions as an update.)
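Both of the settings just discussed, the UAC level and the AutoRun policy, live in registry values that an administrator can audit. The following script is an added example, not code from the review or from Microsoft, that reads them on a Windows 7 machine and translates them into the slider levels and drive types described above. The level mapping uses the documented meanings of ConsentPromptBehaviorAdmin and PromptOnSecureDesktop (the Windows 7 slider writes EnableLUA = 0 for Never notify, hence the restart); the default values used when a value is absent are assumptions. Run it elevated so the HKLM policy keys read reliably.

```powershell
# Added example, not from the review: audit the Windows 7 UAC level and AutoRun policy from the registry.
# Assumptions: run elevated on Windows 7; defaults used for missing values are assumed (EnableLUA 1,
# ConsentPromptBehaviorAdmin 5, PromptOnSecureDesktop 1, NoDriveTypeAutoRun 0x91).
$systemPolicy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyDword {
    # Read a DWORD value, falling back to the supplied default when the value does not exist.
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -and $item.$Name -ne $null) { return [int]$item.$Name }
    return $Default
}

function Get-UacLevel {
    # Map the three values behind the Windows 7 UAC slider onto its four levels.
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)
    if ($EnableLUA -eq 0) { return 'Never notify (UAC disabled; restart needed to change)' }
    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'Never notify (administrators elevate silently)' }
        2 { if ($PromptOnSecureDesktop) { return 'Always notify (secure desktop)' }
            return 'Always notify, without secure desktop (custom)' }
        5 { if ($PromptOnSecureDesktop) { return 'Notify only when programs try to make changes (default)' }
            return 'Notify only when programs try to make changes, do not dim my desktop' }
        default { return "Custom (ConsentPromptBehaviorAdmin = $ConsentPromptBehaviorAdmin)" }
    }
}

function Get-AutoRunDriveTypes {
    # NoDriveTypeAutoRun is a bit mask of drive types on which autorun.inf is ignored.
    param([int]$NoDriveTypeAutoRun)
    $bits = @{ 0x01 = 'Unknown (no root)'; 0x04 = 'Removable'; 0x08 = 'Fixed'; 0x10 = 'Network';
               0x20 = 'CD-ROM'; 0x40 = 'RAM disk'; 0x80 = 'Unknown' }
    $blocked = @(); $honoured = @()
    foreach ($bit in ($bits.Keys | Sort-Object)) {
        if ($NoDriveTypeAutoRun -band $bit) { $blocked += $bits[$bit] } else { $honoured += $bits[$bit] }
    }
    New-Object PSObject -Property @{ Blocked = $blocked; StillHonoured = $honoured }
}

# UAC: the slider is three values in one key.
$lua  = Get-PolicyDword $systemPolicy 'EnableLUA' 1
$cpba = Get-PolicyDword $systemPolicy 'ConsentPromptBehaviorAdmin' 5
$posd = Get-PolicyDword $systemPolicy 'PromptOnSecureDesktop' 1
'UAC level: ' + (Get-UacLevel $lua $cpba $posd)

# AutoRun: Windows 7 ignores autorun.inf on USB drives in code, so the bit that still matters is 0x20 (CD-ROM).
# The per-user default lives under HKCU with the same value name; the HKLM policy key is what GPO writes.
$ndta  = Get-PolicyDword $explorerPolicy 'NoDriveTypeAutoRun' 0x91
$types = Get-AutoRunDriveTypes $ndta
'NoDriveTypeAutoRun = 0x{0:X2}; autorun.inf still honoured on: {1}' -f $ndta, ($types.StillHonoured -join ', ')
if (-not ($ndta -band 0x20)) {
    Write-Warning 'autorun.inf is still honoured on CD/DVD. To ignore it on every drive type, machine-wide:'
    Write-Warning "  Set-ItemProperty -Path '$explorerPolicy' -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF"
}
```

The warning branch deliberately prints the hardening command rather than running it, so the audit stays read-only; 0xFF also closes the CD/DVD case that the Windows 7 code change leaves open.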

AppLocker, one of the synergies between Windows Server 2008 R2 and Windows 7 on the desktop, provides finer control over which applications run. Situations where AppLocker can be used include managing which packaged and custom applications a user may run, deciding which users are allowed to install new software, and restricting which versions of an application a particular group of users may run. Administrators can control all the major kinds of executable content: programs (.exe, .com), scripts (.ps1, .bat, .cmd, .vbs, .js), Windows Installer files (.msi, .msp) and DLLs. Rules can be based on a file's digital signature (publisher, product and version), on its hash, or on its path; publisher rules survive routine updates, which is what makes version-based rules practical. Like BitLocker, AppLocker enforcement requires Windows 7 Enterprise or Ultimate, the Application Identity service must be running for rules to take effect, and an audit-only mode lets you log what would be blocked before enforcing anything.
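As an added example (not code from the review or from Microsoft) of the workflow above, this script uses the AppLocker module that ships with Windows 7 to inventory Program Files, turn the inventory into publisher and hash rules, test a couple of paths against the policy, apply it locally in audit-only mode and then read back the audit events. It assumes an elevated PowerShell on Windows 7 Enterprise or Ultimate; the file paths, the archive folder and the LDAP path in the comment are placeholders.

```powershell
# Added example, not from the review: build, test and deploy an audit-only AppLocker policy on Windows 7.
# Assumptions: elevated PowerShell on Windows 7 Enterprise/Ultimate; paths, C:\AppLocker and the LDAP
# path in the comment are placeholders.
Import-Module AppLocker

# Nothing is evaluated unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory: signed files become publisher rules (they survive version updates), unsigned ones hash rules.
#    -Optimize merges rules that share a publisher so the policy stays readable.
$files  = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse `
              -FileType Exe, Script, WindowsInstaller
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
              -User Everyone -RuleNamePrefix 'Baseline' -Optimize

# 2. Audit mode first: violations are logged (Event IDs 8003 for exe/dll, 8006 for script/msi) but still run,
#    so gaps show up before anything is enforced. The inventory above does not cover C:\Windows, which is
#    exactly the kind of gap audit mode exists to reveal.
foreach ($collection in $policy.RuleCollections) { $collection.EnforcementMode = 'AuditOnly' }

# 3. Dry-run specific files against the policy before it touches a machine.
$policy | Test-AppLockerPolicy -User Everyone -Path 'C:\Program Files\Internet Explorer\iexplore.exe',
                                                    'C:\Users\Public\Downloads\setup.exe' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. Apply to the local GPO, merging with whatever rules already exist, and archive the XML.
#    For a domain GPO the same cmdlet takes the GPO's LDAP path instead, e.g.
#    Set-AppLockerPolicy -PolicyObject $policy -Ldap 'LDAP://DC01.corp.example/CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example'
Set-AppLockerPolicy -PolicyObject $policy -Merge
if (-not (Test-Path 'C:\AppLocker')) { New-Item -ItemType Directory -Path 'C:\AppLocker' | Out-Null }
Get-AppLockerPolicy -Local -Xml | Set-Content -Path 'C:\AppLocker\baseline-audit.xml'

# 5. After the audit period: what would have been blocked, grouped by file, with a count per file.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics |
    Sort-Object Counter -Descending | Select-Object -First 20
```

A publisher rule with no version bound allows anything the same publisher ever signs, which is convenient for updates and worth knowing when the publisher is a vendor whose catalogue includes remote-administration tools; pin the product or version in those rules before switching the collections from AuditOnly to Enabled.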

Windows Firewall: Multiple Active Firewall Profiles

In Windows Vista and Server 2008, Windows Firewall has three profiles (domain, private and public) and only one can be active at any given time. If a computer is connected to several networks at once, the most restrictive profile wins (public over private over domain), so a laptop on a domain VPN over a hotel hotspot runs the public profile's rules on the VPN interface as well, and anything the domain profile permits, such as inbound remote management, is blocked. Windows 7 (and Server 2008 R2) allow more than one profile to be active at a time: each interface gets the profile that matches its own network, so the domain profile applies only to the domain-connected interface while the hotspot interface stays locked down under the public profile.

Windows Installer 5.0 (MSI 5.0) in Windows 7 enables new scenarios for setup developers, ISVs and IT administrators. More standard actions, for tasks such as setting permissions on files, registry keys and services, configuring services, and common UI work, remove the need to write custom actions for them; since custom actions execute arbitrary code, often with elevated privileges, every one that can be replaced by a declarative standard action is one less place for a bug. Performance improvements speed up installation of large packages, and better integration with UAC gives a smoother end-user experience. IT administrators can query the MSI-based applications and patches in an offline Windows 7 image, with the WIM mounted, through the DISM command-line tool. Applications can also be installed per-user: Windows 7 lets you create and deploy a single dual-mode package that can be installed in either the per-user or the per-machine context, a per-user install needing no elevation. All MSI 4.5 features (from the out-of-band Windows Installer 4.5 redistributable) are also included in MSI 5.0.


