The question organizations are vying to answer is: "Now that Microsoft has released Windows 7, should enterprises listen and deploy it?" As a solutions provider, what key elements of Windows 7 deserve your focused attention? What important knowledge base will give you a commanding advantage in helping customers navigate the new platform?
Although Windows 7 has the same fundamental architecture as Vista, the new operating system has some security refinements that solution providers should take notice of in helping customers transition to Windows 7. Some are specific to the Windows 7 client, while others are enabled in combination with Windows Server 2008 RC2 on the back end. Among the more noteworthy features are data protection, deployment/manageability, and end-user protections. This tip will take a look at some of the Windows 7 security updates, and how solution providers can capitalize on the opportunities they present.
BitLocker in Windows 7
One of the Windows 7 security updates is a revamped version of BitLocker, the encryption utility introduced in Vista. Still dependent upon two partitions and a hardware-based (BIOS) Trusted Platform Module (TPM), the enhancements around protecting removable media and Group Policy management make BitLocker a more viable enterprise encryption offering.
Windows 7 extends encryption to removable USB drives through BitLocker "To Go," a capability Vista did not have. This improved feature will be valuable to customers, especially those dealing with various compliance regulations. If you service banking, healthcare or the military, BitLocker "To Go" should be a core competency of technical teams in assisting customers to extend and enforce encryption on mobile storage devices. Encryption of sensitive and/or proprietary information on mobile devices is a critical link in data leak prevention (DLP).
BitLocker "To Go" is far from a comprehensive mobile device DLP solution. If an organization seeks assistance to migrate to Windows 7, leveraging and configuring the native mobile device encryption should be a point of service and "in scope." Helping a customer fully realize their migration investment and increase their regulatory readiness posture is a huge win-win.
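The "extend and enforce" part of that service offering is something a technical team can verify on a client rather than assume. The script below is an added illustration, not code from the article or from Microsoft: it lists removable drives, asks the BitLocker WMI provider whether each one is protected, and checks whether the Group Policy that denies write access to unprotected removable drives has been applied. It assumes a Windows 7 edition that ships BitLocker, an elevated PowerShell session, and the Win32_EncryptableVolume provider in the root\CIMV2\Security\MicrosoftVolumeEncryption namespace; the policy registry value it reads (RDVDenyWriteAccess under the FVE policy key) is the one the "Deny write access to removable drives not protected by BitLocker" setting writes, stated here as an assumption to confirm against your own GPO results.

```powershell
# Audit removable drives for BitLocker To Go protection and check the
# "deny write access to unprotected removable drives" policy.
# Added illustration for this article; assumes Windows 7 with BitLocker and
# an elevated session (the BitLocker WMI namespace requires administrator rights).

function Get-RemovableDriveLetters {
    # DriveType 2 = removable disk in Win32_LogicalDisk; DeviceID looks like "E:"
    Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType = 2" |
        ForEach-Object { $_.DeviceID }
}

function Get-BitLockerProtection {
    param([string]$DriveLetter)
    # Win32_EncryptableVolume exposes per-volume BitLocker state; a volume that
    # BitLocker cannot manage (e.g. FAT-formatted media on some builds) has no instance.
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter = '$DriveLetter'"
    if (-not $vol) { return 'NotEncryptable' }
    # GetProtectionStatus: 0 = protection off, 1 = protection on, 2 = unknown
    switch ($vol.GetProtectionStatus().ProtectionStatus) {
        0       { 'Off' }
        1       { 'On' }
        default { 'Unknown' }
    }
}

function Test-DenyWriteToUnprotectedRemovable {
    # Assumption: the GPO "Deny write access to removable drives not protected by
    # BitLocker" sets this DWORD to 1 under the FVE policy key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
    $item = Get-ItemProperty -Path $key -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.RDVDenyWriteAccess -eq 1)
}

# Build the report: one row per removable drive with its protection state.
$findings = foreach ($drive in Get-RemovableDriveLetters) {
    New-Object PSObject -Property @{
        Drive      = $drive
        Protection = (Get-BitLockerProtection -DriveLetter $drive)
    }
}
$findings | Format-Table Drive, Protection -AutoSize

# Enforcement check: encryption that users can bypass by writing to an
# unprotected stick is not enforcement.
if (-not (Test-DenyWriteToUnprotectedRemovable)) {
    Write-Warning "Policy 'Deny write access to removable drives not protected by BitLocker' is not applied on this client."
}
$unprotected = @($findings | Where-Object { $_.Protection -ne 'On' })
if ($unprotected.Count -gt 0) {
    Write-Warning "$($unprotected.Count) removable drive(s) are not protected by BitLocker To Go."
}
```

Run it from an elevated prompt on a pilot workstation with a test USB drive inserted; a drive reported as Off alongside a missing deny-write policy is the gap the migration engagement should close, while On across the board plus the policy in place is the evidence a compliance reviewer will ask for.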
Microsoft Desktop Optimization Pack (MDOP) in Windows 7
In Windows 7, desktop and application management are addressed with the next evolution of Microsoft's framework called Microsoft Desktop Optimization Pack (MDOP). It should be noted that this framework is, in part, dependent upon Windows Server 2008 RC2 as a component of your Active Directory structure. MDOP is a compilation of utilities, the core set being App-V (Application Virtualization), MED-V (Microsoft Enterprise Desktop Virtualization), DEM (Desktop Error Monitoring), AGPM (Advanced Group Policy Management), and DaRT (Diagnostics and Recovery Toolkit).
App-V and MED-V are Microsoft's one-two punch for virtualization and solving legacy application incompatibilities. App-V and MED-V provide granular controls over virtual machine (VM) management and deployment. The policy and usage permissions authenticate users prior to VM access, provision VMs to users or groups and can expire the use of VMs by date or time. Mastering these utilities will become a discipline all in itself and represents a significant opportunity for service providers to partner with organizations to assist in the design, testing, administration and maintenance associated with adding these application tools to their inventory.
Just because they run in virtual environments doesn't exempt these utilities from well-known operating system and application security vulnerabilities. Both App-V and MED-V environments must be built with the same security best practices and controls as their physical counterparts.
Often a side effect of rapid point-and-click deployment, many of today's VM environments are riddled with security gaps from outdated OS image configuration and deployment to insecure VM console permissions and management. Are VM images kept current with patches? Is VM console administration tightly held or can anyone 'live copy' a production server containing customer or employee data and take it home on a USB hard drive?
A thorough understanding of the App-V and MED-V security controls will set your service offering apart. Deploy insecure VMs and now you've magnified your exposure with every virtual launch. VMs need to be secured at deployment, and continually patched to ensure the highest possible level of security. Patching is simplified with App-V and MED-V, as there is now only a single virtual operating system or application typically installed across hundreds or thousands of computers.
AGPM is an Active Directory administrative toolbox, with tools for reporting and auditing, repairing/archiving live GPOs, email subscription-based GPO changes, and change tracking and approval. Another improved feature of AGPM is the computer and user-based security and environment control GPOs, which are now centrally extended to workstations and servers. DEM and DaRT round out the MDOP tools with error reporting and diagnostics.
As is evident by the depth of MDOP features, Windows 7 and Active Directory require a suite of tools and technical skill sets beyond managing just users, computers and a handful of group policies. A forward-looking service provider will bring to bear the expertise and practical deployment configurations, backed by a comprehensive knowledge transfer in the key administrative functions associated with the growing complexity and extensive features of Active Directory.
Internet Explorer 8 security features
Despite decades of technical advancements to better protect operating systems, applications and the data they process, the single highest risk across any industry is, you guessed it, people! In the competitive technology services market there is no clear leader in providing a "user education infrastructure," yet IE 8 information balloons and dialog boxes have become a useful conduit to better inform users about actual or potential threats when navigating the Internet. This "education in the moment" used to be characterized as a "nag screen," but with more savvy and stealthy attacks on the rise, even these trickles of awareness will empower users and reduce risk. Short of producing more acutely "security aware" users, the aforementioned tools, enhancements and controls all support increased ease of use while protecting users from themselves.
Another feature that helps protect against user security errors is the new Web browser itself. More specifically, Internet Explorer 8 introduces the SmartScreen Filter, which is designed to combat phishing and malware sites. SmartScreen blocks sites known to distribute malware, attack corporate computers or hijack confidential information. This feature also augments user education by channeling end users into safer online browsing habits and helping them avoid falling victim to sophisticated and evolving online threats.
Organizations and solution providers that are heavily invested in the Windows platform take note: Microsoft has laid down the Windows 7/Windows Server 2008 gauntlet. The message is clear: the Windows architecture isn't just a service line of Active Directory integrated products. It has evolved into a robust and complex grid of interconnected and meshed tools, applications, protections, and policy enforcement, all with the aim of achieving seamless ease of use for users while at the same time protecting them from themselves. Innovative solution providers that can partner with organizations to fully expose the more robust application delivery and management technologies available with Windows 7, while still softening the sting of a more complex AD infrastructure, will possess a considerable advantage.
About the author
TK Gregg Braunton, CISSP, GSEC, C|EH, MCP serves as an Information Security Officer. He possesses fifteen years' experience working in the information technology field, with expertise in user awareness education, security compliance, forensics, and technical and policy-based security controls across various technologies and platforms.
This was first published in January 2010