Windows 7 security enhanced for mobile workers

Microsoft Corp. is hoping the mobile worker will take advantage of easier-to-use enhanced security features in its Windows 7 operating system to access the corporate network and share data on removable devices.

The new operating system, currently in beta and set for a 2010 release, aims to solve real world IT problems regarding portable security in the mobile workforce, and builds upon lessons learnt from its predecessor, Windows Vista, said Paul Cooke, director of Windows client security with the Redmond, Wash.-based software giant.

“Windows 7 retains all the security goodness that we put into Windows Vista and as a result it builds upon those foundations,” said Cooke, “But we’ve also learned a lot in the Windows Vista timeframe.”

Among those lessons is that users were irritated by the “high number” of User Account Control (UAC) prompts, the mechanism that manages elevation of user privileges, and many simply turned it off entirely, giving up the protection it provides.

Cooke said that, after a review of the top prompters in Windows Vista, 16 points of prompting were “tweaked, reduced, or removed entirely,” meaning that users of Windows 7 can now, for instance, receive updates to their machine “quickly and easily” without being prompted.

Microsoft expects a 29 per cent decrease in UAC prompts in the new operating system compared to Windows Vista, thereby fulfilling the goal of better security coupled with ease of use.

According to Michael Cherry, research vice-president of operating systems with Kirkland, Wash.-based research firm Directions on Microsoft, the reduction in prompts is a definite value-add, but simplifying the experience can also be a “double-edged sword.”

Cherry’s concern is that most users don’t know how to inspect incident logs to ascertain whether their systems are in danger, thereby making a decreased number of prompts “a tough call.”

Windows 7 also brings the mobile worker DirectAccess, which creates “secure bi-directional tunnels” with access authentication and encrypted communication between a mobile machine and the corporate network “whether they’re in the office, at home, or travelling on business half way around the world,” said Cooke.

Describing the ease of use as “no harder to use than just logging in,” Cooke said road warriors will feel encouraged to connect to the corporate network more often than they otherwise would. That is a definite benefit to the IT department, which relies on users connecting frequently to keep all machines patched and up-to-date.

Another new feature for the mobile worker is BitLocker To Go. Based on BitLocker Drive Encryption, introduced in Windows Vista, it extends those authentication and data encryption capabilities to portable media such as USB drives. “This is important given the fact that more USB devices today are sold in comparison to laptops or PCs in the marketplace,” said Cooke.

In fact, there are more instances of misplaced removable media devices containing confidential data today than there are of misplaced laptops, he said, citing an admission in 2008 by the U.K. Ministry of Defence of about 100 USB devices holding confidential data lost over the previous five years. Windows 7 affords an organization the peace of mind that, Cooke said, “if it falls into the wrong hands, it can’t be misused.”

Cherry said the issue with DirectAccess is a requirement that the remote machine must be made a member of the organization’s Active Directory, yet very often, mobile workers will use their home computers to connect to the corporate network. “I think that might be an impediment,” said Cherry. “I may not necessarily want my computer listed in my company’s Active Directory, and likewise my company may not want to clutter their directory with computers they don’t own.”

While Cherry acknowledges DirectAccess is conceptually a great idea, he pointed out that users will have to maintain a different mechanism for machines still running Windows Vista.

As for BitLocker, Cherry said he would have expected that functionality to have drawn a greater number of followers to Windows Vista than it did, especially given the degree of public embarrassment that organizations suffer when their data gets lost.

That said, both DirectAccess and BitLocker To Go are beneficial to the mobile worker, said Cherry, in that “anything that makes it easier for remote devices to connect and stay connected, and increases their security is worth looking at.”

A current user of Windows 7 beta is ProServe IT Corp., a Toronto-based IT consultancy, whose employees are on the road 90 per cent of the time and often work on client networks they can’t exactly guarantee are secure. Manager of business solutions Eric Sugar applauds the reduced UAC prompts because ProServe IT’s consultants “are finding they are not fighting with it as much, they don’t have to tweak and adjust everything.”

Being a virtual company means the consultants “are always looking for better ways to access remote data,” said Sugar, and with DirectAccess, they can encrypt and secure communications back to the corporate data centre.

“These features really bring up the game level,” said Sugar.

AppLocker, a new application-control feature, also helps keep malware off machines. It is designed, according to Cooke, to make the “lives of IT professionals easier” by letting them specify which software is allowed to run on machines, while also supporting regulatory compliance with Basel II and PCI (Payment Card Industry) standards. That tends to be a challenge for IT administrators given that “even standard users can bring in software from home, can download software from the internet, can get software sent to them in e-mail,” he said.
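As an added illustration of the allow-listing AppLocker provides (example code written for this page, not Microsoft’s or the article’s), the following PowerShell session inventories the software already installed on a machine, generates allow rules from it, tests the policy against a file a user might have downloaded, and then applies it. It assumes an elevated PowerShell session on Windows 7 Enterprise/Ultimate or Server 2008 R2 with the built-in AppLocker module; the directories, the temporary policy path and the “free-toolbar-setup.exe” download are illustrative names chosen for the example.

```powershell
# Added example (not Microsoft's or the article's code): build and audit an
# AppLocker allow-list for executables. Assumes Windows 7 Enterprise/Ultimate
# or Server 2008 R2, an elevated session, and the built-in AppLocker module.
# Directory list, the temp policy path and the sample download are assumptions.
Import-Module AppLocker

# 1. Inventory the executables that are legitimately installed. Publisher data
#    comes from Authenticode signatures; unsigned files get hash rules instead.
#    Walking all of C:\Windows is slow but avoids missing binaries such as
#    explorer.exe that live outside System32.
$trusted = @('C:\Windows', 'C:\Program Files')
$files = foreach ($dir in $trusted) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Generate allow rules for Everyone from that inventory. -Optimize folds
#    files from the same signer into a single publisher rule; -Xml returns
#    the policy as an XML string rather than a policy object.
$policyXml = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'Corp allow' -Optimize -Xml

# 3. Start in audit mode. New-AppLockerPolicy emits rule collections with
#    EnforcementMode="NotConfigured"; AuditOnly records what WOULD have been
#    blocked (event 8003 in the AppLocker/EXE and DLL log) without stopping
#    anything, so a missed allow rule shows up in the log instead of as a
#    machine that no longer boots into Explorer.
$policy = [xml]$policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
$policy.Save($policyPath)

# 4. Dry-run the policy against concrete files before applying it. A signed
#    system binary reports Allowed with the matching rule; an unsigned
#    executable a user pulled from e-mail or the web into Downloads (assumed
#    path; the file must exist for the cmdlet to evaluate it) reports
#    DeniedByDefault because no rule covers it.
$candidates = @(
    'C:\Windows\System32\notepad.exe',
    "$env:USERPROFILE\Downloads\free-toolbar-setup.exe"
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply to the local machine (-Merge keeps rules already present).
#    Enforcement depends on the Application Identity service; if it is not
#    running, AppLocker is silently inert. For a domain-wide rollout, point
#    Set-AppLockerPolicy at a GPO with -Ldap instead of the local policy.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

The sequence matters: generate, audit, test, then enforce. Once the 8003 events have been reviewed and the rule set tuned, the same XML with EnforcementMode set to Enabled can be re-applied, at which point the Downloads file above is blocked outright rather than merely logged.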
