Windows 7 security primer, part four

Welcome to part four of my four-part series of articles discussing significant security improvements and changes found in Windows 7. In part one, I provided an overview of some noteworthy security deltas. In part two, I delved into XP Mode. Part three cracked open AppLocker. This week, I’ll wrap up the series with a look out several additional major security improvements. Once again, I’ll mention here that I’m a full-time employee at Microsoft.

Improved IE You don’t need Windows 7 to run IE 8, although if you’re running an older version of IE, you should upgrade to the latest version as soon as possible. Certainly application and Web site compatibility issues will guide how quickly someone can move to IE 8, but I find many clients who are still clinging to IE 6 and haven’t done compatibility testing in over a year. Often when I goad them into retesting the previously troublesome application with IE 8, it works — and has been working for some time.

[ Also in InfoWorld: Security experts are investigating widespread cyber espionage. | Learn how to secure your systems with Roger Grimes’ Security Adviser blog and Security Central newsletter, both from InfoWorld. ]

Why move to IE 8?  Because it is more secure by default and more secure on Windows 7 than Windows XP. The recent Chinese Google zero-day hacking attack demonstrates this more effectively than anything I could come up with. The Chinese attacks work most effectively on IE 6 and not very well on IE 8. See the relative risk ratings. Microsoft tested some related exploits and found across the board that they were significantly harder to accomplish in IE 8 and even more so in Windows 7. Although some readers may accuse me of just being an IE fanboy, using the latest version of whatever browser you prefer is always good security advice.

Better ciphers Windows 7 includes all the latest industry-accepted ciphers, including AES (Advanced Encryption Standard), ECC (Elliptical Curve Cryptography), and the SHA-2 hash family. In fact, the U.S. government’s entire recommended Suite B cipher series is implemented. Suite B is a group of cryptographic algorithms that is approved by the United States National Security Agency.

By default, all current technologies in Windows will use industry-accepted ciphers. No more legacy proprietary ciphers are used. Those legacy ciphers that still exist are included only for backward-compatability purposes. Microsoft has shared the new ciphers in detail with the crypto world for analysis and evaluation. Key and hash sizes are increased by default.

EFS (Encrypting File System) has been improved in many ways beyond just using more modern ciphers. For one, you can use a smart card to protect your EFS keys.  This not only makes them more secure; it allows them to be portable between computers.

Administrators will be happy to know that they can prevent users from creating self-signed EFS keys. Previously, users could easily turn on EFS, which generated a self-signed EFS digital certificate if a compatible PKI server could not be found. Often, these users encrypt files but do not back up their self-signed digital certificates, which frequently leads to unrecoverable data loss. Administrators can even allow self-signed EFS keys, mandating ciphers and minimum key lengths, and Windows 7 will constantly bug the user until they back up their EFS digital certificates to some other removable media or network drive share. A Microsoft Web page details the EFS changes.

Easily encrypted pagefile Users who cannot utilize BitLocker but still want to prevent the memory swap pagefile from being analyzed in an offline sector editing attack no longer need to erase the pagefile on shutdown. Windows XP and earlier versions had a setting that allowed the pagefile to be erased on shutdown and rebuilt on each startup. Great security feature, but it often caused delayed shutdowns and startups — sometimes adding as much as 10 minutes to the process. In Windows 7 (and Vista), you can enable pagefile encryption. But even better: There is no key management. Windows creates and deletes the encryption keys as needed and there isn’t a chance the user can “lose” the key or require a recovery event. It’s crypto security at its best.

Multiple active firewall policies Prior to Windows 7, when the Windows Firewall was active and there were multiple network interfaces active, only one firewall profile (i.e. Home, Domain, Work, or Public) could be used. This caused problems and created potential security vulnerabilities: for example, when a domain-connected wired computer also connected to a less restricted wireless network. Windows 7 can now detect multiple networks and apply the appropriate profiles at the same time to the right interface.

Improved System Restore System Restore now includes user’s personal content files. Older versions just backed up and  protected the Windows system files. System Restore also allows you to see what files would be restored in each version of the System Restore files. It’s not perfect, but it’s nice to see what will occur if you were to choose a particular restoration point.

Much, much more Windows 7 has hundreds of security changes, including support for the new DNSSec standards, which are becoming essential to prevent DNS exploitation attacks; built-in support for smart cards and biometrics; and the ability to force the use of Kerberos in a featured called Restrict NTLM. Also noteworthy: a new feature called Extended Protection for Authentication, which prevents many sophisticated man-in-the-middle attacks that can strike at some of our most trusted security protocols (such as SSL and TLS).

Thus concludes my four-part series on some of the most significant security changes in Windows 7. Next week, we’ll return to our regularly scheduled programming.

This story, “Windows 7 security primer, part four,” was originally published at InfoWorld.com. Follow the latest developments in security at InfoWorld.com.