Security in Windows 7 : Addressing Specific Security Concerns

8/28/2012 1:11:54 AM
Windows 7 includes many new and improved security technologies. Although understanding security technologies often requires more detailed knowledge, the security scenarios that these technologies serve are practical and straightforward. The sections that follow describe how Windows Vista and Windows 7 security features work together to improve security in regard to three major, common concerns: wireless networks, spyware and other kinds of malware, and network worms.

1. Help Desk Calls Related to Malware

Security threats have constantly changed to adapt to each new generation of operating system. In the past several years, the prevalence of malware (a broad term that encompasses viruses, worms, Trojan horses, and rootkits, as well as spyware and other potentially unwanted software) has soared.


Microsoft uses the term spyware and potentially unwanted software to refer to software that is unwanted but not unambiguously harmful.

Viruses, worms, and Trojan horses can spread from computer to computer by exploiting software vulnerabilities, guessing user credentials, or tricking users with social engineering techniques. Spyware and potentially unwanted software spread via these techniques and also by legitimate installations initiated by users. Users can install an application, unaware of the undesired functionality of the program or of a program that is bundled with the application.

Because of the challenges in identifying malware, it might be impossible to eliminate the threat completely. However, Windows Vista and Windows 7 have many new security features to help protect computers from malware.

Many malware infections can be prevented by installing updates on a mobile computer or by adjusting the security configuration. Group Policy, Windows Server Update Services (WSUS), and other management technologies have greatly simplified the task of rapidly distributing updates and security changes. However, these changes take effect only when client computers connect to the internal network. When users travel, mobile computers might go days, weeks, or months without connecting to the internal network. DirectAccess, a new technology introduced with Windows 7 and Windows Server 2008 R2, automatically connects computers to the internal network any time they have an Internet connection. Therefore, DirectAccess can keep Windows 7 mobile client computers up to date more regularly than earlier versions of Windows, giving IT the control they need to mitigate newly discovered vulnerabilities by distributing updates or configuration changes.

Originally introduced with Windows Vista, UAC limits the ability of malware to install by enabling IT professionals to deploy users as standard users rather than as administrators. This helps prevent users from making potentially dangerous changes to their computers without limiting their ability to control other aspects on their computers, such as time zone or power settings. For anyone who does log on as an administrator, UAC makes it more difficult for malware to have a computer-wide impact. Windows 7 includes improvements to UAC by reducing the number of prompts that users experience. Additionally, administrators can adjust consent prompt behavior. By making UAC more usable, Windows 7 reduces the cost of deploying Windows using a protected desktop environment.

Similarly, the Protected Mode of Internet Explorer runs it without the necessary privileges to install software (or even write files outside of the Temporary Internet Files directory), thereby reducing the risk that Internet Explorer can be abused to install malware without the user's consent.

Windows Defender detects many types of spyware and other potentially unwanted software and prompts the user before applications can make potentially malicious changes. In Windows 7, Windows Defender includes significantly improved performance for real-time monitoring. By reducing the performance penalty of real-time monitoring, more IT departments can leave real-time monitoring enabled, thus realizing the security benefits. Additionally, Windows Defender uses the Action Center to notify users of potential problems.

Windows Service Hardening limits the damage attackers can do in the event that they are able to successfully compromise a service, thereby reducing the risk of attackers making permanent changes to the operating system or attacking other computers on the network. Although Windows 7 cannot eliminate malware, these new technologies can significantly reduce the impact of malware.

Windows 7 is designed to block many types of common malware installation techniques. The sections that follow describe how Windows Vista and Windows 7 protect against malware that attempts to install without the user's knowledge through bundling and social engineering, browser exploits, and network worms.

1.1. Protecting Against Bundling and Social Engineering

Two of the most common ways that malware becomes installed on a computer are bundling and social engineering. With bundling, malware is packaged with useful software. Often the user is not aware of the negative aspects of the bundled software. With social engineering, the user is tricked into installing the software. Typically, the user receives a misleading e-mail or browser pop-up containing instructions to open an attachment or visit a Web site.

Windows Vista and Windows 7 offer significantly improved protection against both bundling and social engineering. With the default settings, malware that attempts to install via bundling or social engineering must circumvent two levels of protection: UAC and Windows Defender.

UAC either prompts the user to confirm the installation of the software (if the user is logged on with an administrative account) or prompts the user for administrative credentials (if the user is logged on with a Standard account). This feature makes users aware that a process is trying to make significant changes and allows them to stop the process. Standard users are required to contact an administrator to continue the installation. 

Windows Defender real-time protection blocks applications that are identified as malicious. Windows Defender also detects and stops changes the malware might attempt to make, such as configuring the malware to run automatically upon a reboot. Windows Defender notifies the user that an application has attempted to make a change and gives the user the opportunity to block or proceed with the installation. 


Windows Defender adds events to the System Event Log. Combined with event subscriptions or a tool such as Microsoft System Center Operations Manager (SCOM), you can easily aggregate and analyze Windows Defender events for your organization.

These levels of protection are illustrated in Figure 1.

Figure 1. Windows Vista and Windows 7 use defense-in-depth to protect against bundling and social engineering malware attacks.

With Windows XP and earlier versions of Windows, bundling and social engineering malware installations were likely to succeed because none of these protections was included with the operating system or service packs.


Defense-in-depth is a proven technique of layered protection that reduces the exposure of vulnerabilities. For example, you might design a network with three layers of packet filtering: a packet-filtering router, a hardware firewall, and software firewalls on each of the hosts (such as Internet Connection Firewall). If an attacker manages to bypass one or two of the layers of protection, the hosts are still protected.

The real benefit of defense-in-depth is its ability to protect against human error. Whereas a single layer of defense is sufficient to protect you under normal circumstances, an administrator who disables the defense during troubleshooting, an accidental misconfiguration, or a newly discovered vulnerability can disable that single layer of defense. Defense-in-depth provides protection even when a single vulnerability exists.

Although most new Windows security features are preventive countermeasures that focus on directly mitigating risk by blocking vulnerabilities from being exploited, your defense-in-depth strategy should also include detective and reactive countermeasures. Auditing and third-party intrusion-detection systems can help to analyze an attack after the fact, enabling administrators to block future attacks and possibly identify the attacker. Backups and a disaster recovery plan enable you to react to an attack and limit the potential data lost.

1.2. Protecting Against Browser Exploit Malware Installations

Historically, many malware installations occurred because the user visited a malicious Web site, and the Web site exploited a vulnerability in the Web browser to install the malware. In some cases, users received no warning that software was being installed. In other cases, users were prompted to confirm the installation, but the prompt might have been misleading or incomplete.

Windows 7 provides four layers of protection against this type of malware installation:

  • Automatic Updates, enabled by default, helps keep Internet Explorer and the rest of the operating system up to date with security updates that can fix many security vulnerabilities. Automatic Updates can obtain security updates from either or from an internal WSUS server. 

  • Internet Explorer Protected Mode provides only extremely limited rights to processes launched by Internet Explorer, even if the user is logged on as an administrator. Any process launched from Internet Explorer has access only to the Temporary Internet Files directory. Any file written to that directory cannot be executed.

  • For administrators, UAC prompts the user to confirm before computer-wide configuration changes are made. For standard users, the limited privileges block most permanent per-computer changes unless the user can provide administrative credentials.

  • Windows Defender notifies the user if malware attempts to install itself as a browser helper object, start itself automatically after a reboot, or modify another monitored aspect of the operating system.

These levels of protection are illustrated in Figure 2.

Figure 2. Windows 7 uses defense-in-depth to protect against browser exploit malware installations.

1.3. Protecting Against Network Worms

Bundling, social engineering, and browser exploits all rely on the user to initiate a connection to a site that hosts malware, but worms can infect a computer without any interaction from the user. Network worms spread by sending network communications across a network to exploit a vulnerability in remote computers and install the worm. After it is installed, the worm continues looking for new computers to infect.

If the worm attacks a Windows Vista or Windows 7 computer, Windows offers four levels of protection:

  • Windows Firewall blocks all incoming traffic that has not been explicitly permitted (plus a few exceptions for core networking functionality in the domain and private profiles). This feature blocks the majority of all current worm attacks.

  • If the worm attacks a vulnerability in a Microsoft feature for which a security update has already been released, Automatic Updates—which is enabled by default—might already have installed the fix.

  • If the worm exploits a vulnerability in a service that uses Windows Service Hardening and attempts to take an action that the service profile does not allow (such as saving a file or adding the worm to the startup group), Windows will block the worm.

  • If the worm exploits a vulnerability in a user application, limited privileges enabled by UAC block system-wide configuration changes.

These levels of protection are illustrated in Figure 3.

Figure 3. Windows Vista and Windows 7 use defense-in-depth to protect against network worms.

The original release of Windows XP lacked all of these levels of protection. With Windows XP Service Pack 2 (SP2), Windows Firewall and Automatic Updates are enabled, but the other levels of protection offered by Windows Vista and Windows 7 are unavailable.
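As an added example that is not from the book, the following PowerShell audit script checks whether the four layers of protection against network worms described above are in place on a Windows 7 host; it assumes English netsh output and uses a constructed sample list of services.

```powershell
# Added audit script (not from the book excerpt). Checks, on a Windows 7 host,
# whether the four layers of protection against network worms described above
# are in place. Run from an elevated PowerShell prompt.
# Assumptions: English netsh output; the service list below is a constructed
# sample, so substitute the services exposed on your own network.

function Test-WormDefenseLayers {
    $findings = @()

    # Layer 1: Windows Firewall on, with inbound traffic blocked by default,
    # in every profile (domain, private, public).
    $lines = @(netsh advfirewall show allprofiles state) +
             @(netsh advfirewall show allprofiles firewallpolicy)
    $fwProfile = 'unknown'
    foreach ($line in $lines) {
        if ($line -match '^(\w+) Profile Settings:') { $fwProfile = $Matches[1] }
        elseif ($line -match '^State\s+(\S+)' -and $Matches[1] -ne 'ON') {
            $findings += "Firewall is OFF in the $fwProfile profile"
        }
        elseif ($line -match '^Firewall Policy\s+(\S+)' -and $Matches[1] -notmatch '^BlockInbound') {
            $findings += "$fwProfile profile does not block inbound by default: $($Matches[1])"
        }
    }

    # Layer 2: Automatic Updates. NotificationLevel 4 means "download and
    # install on a schedule" (Windows Update Agent IAutomaticUpdatesSettings).
    $au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
    if ($au.NotificationLevel -lt 4) {
        $findings += "Automatic Updates is not set to install automatically (level $($au.NotificationLevel))"
    }

    # Layer 3: Windows Service Hardening relies on a per-service SID so that
    # the service's profile (ACLs, firewall rules) can be enforced. A service
    # whose SID type is NONE has no such identity.
    foreach ($svc in @('wuauserv', 'Dnscache')) {   # constructed sample list
        $out = sc.exe qsidtype $svc | Out-String
        if ($out -match 'SERVICE_SID_TYPE:\s+NONE') {
            $findings += "$svc has no service SID; service hardening cannot isolate it"
        }
    }

    # Layer 4: UAC. EnableLUA is the well-known policy value that switches UAC
    # on (1) or off (0); assumption: it is unchanged on your build.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($uac.EnableLUA -ne 1) { $findings += 'UAC is disabled' }

    if ($findings.Count -eq 0) { return @('All four layers are in place.') }
    return $findings
}

Test-WormDefenseLayers
```

Each finding names the layer that is missing, so the output maps directly onto the four bullets above.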

2. Data Theft

As mobile computers, network connectivity, and removable media have become more common, so has data theft. Many businesses and government organizations store extremely valuable data on their computers, and the cost of having the data fall into the wrong hands can be devastating.

Today, many organizations mitigate the risk of data theft by limiting access to data. For example, applications might not allow confidential files to be stored on mobile computers. Or, users simply might not be allowed to remove computers from the office. These limitations do successfully reduce the risk, but they also reduce employee productivity by not allowing the staff to benefit from mobile computing.

Windows Vista and Windows 7 provide data protection technologies designed to meet stricter security requirements while still allowing users to work with confidential data in a variety of locations. Consider the following common data theft scenarios and how Windows mitigates the risks of each.

2.1. Physical Theft of a Mobile Computer or a Hard Disk, or Recovering Data from a Recycled or Discarded Hard Disk

Operating systems can provide active protection for the data stored on your hard disk only while the operating system is running. In other words, file access control lists (ACLs), such as those provided by the New Technology File System (NTFS), cannot protect data if an attacker can physically access a computer or hard disk. In recent years, there have been many cases of stolen mobile computers whose confidential data was extracted from the hard disk. Data is often recovered from computers that are recycled (by assigning an existing computer to a new user) or discarded (at the end of a computer's life), even if the hard disk has been formatted.

Windows Vista and Windows 7 reduce the risk of this type of data theft by allowing administrators to encrypt files stored on the disk. As with Windows XP, Windows Vista and Windows 7 support Encrypting File System (EFS). EFS enables administrators and users to selectively encrypt files or to mark an entire folder to encrypt all files it contains. In addition to the capabilities offered by Windows XP, Windows Vista and Windows 7 enable you to configure EFS using Group Policy settings so that you can centrally protect an entire domain without requiring users to understand encryption.

EFS cannot protect Windows system files, however. Protecting Windows from offline attack (booting from removable media to access the file system directly or moving the hard disk to a different computer) helps ensure the integrity of the operating system even if a computer is stolen. BitLocker Drive Encryption in Windows Vista provides encryption for the entire system volume—thus protecting not only the operating system but also any data stored on the same volume (drive letter). In Windows 7, administrators can use BitLocker to protect both system and non-system volumes (as well as removable media, described in the next section). BitLocker can work transparently with supported hardware, or it can require multifactor authentication by requiring users to enter a password before allowing the volume to be decrypted. Depending on your security requirements, you can use BitLocker with existing computer hardware by storing the decryption keys on removable media or even by having users type a personal identification number (PIN) or password before Windows boots. 

2.2. Copying Confidential Files to Removable Media

Organizations with strict security requirements often limit access to confidential data to computers on the local network and then do not allow those computers to be removed from the facility. Historically, these organizations would remove floppy drives from the computers to prevent users from saving confidential files. Recently, however, there has been a huge increase in the types of removable media available. Specifically, mobile phones, PDAs, portable audio players, and USB drives often have several gigabytes of storage capacity. Because they are small and extremely common, they might be overlooked even if a facility has security staff available to search employees entering or leaving a building.

Windows Vista and Windows 7 enable you to use Group Policy settings to limit the risk of removable media. Using the Group Policy settings in Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions, administrators can:

  • Allow installation of entire classes of devices (such as printers) using the Allow Installation Of Devices Using Drivers That Match These Device Setup Classes setting.

  • Disallow all unsupported or unauthorized devices using the Prevent Installation Of Devices That Match Any Of These Device IDs setting.

  • Disallow any kind of removable storage device using the Prevent Installation Of Removable Devices setting.

  • Override these policies if necessary for troubleshooting or management purposes using the Allow Administrators To Override Device Installation Policy setting.
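As an added example that is not from the book, this PowerShell script reads the local policy state behind the four Device Installation Restrictions settings just listed and reports what is enforced; it assumes the registry key and value names that Group Policy uses to store these settings, which should be confirmed against the ADMX files on your build.

```powershell
# Added example (not from the book). Reports which of the Device Installation
# Restrictions settings listed above are enforced on the local computer.
# Assumption: Group Policy stores these settings under the
# DeviceInstall\Restrictions policy key using the value names below; confirm
# against the ADMX files for your build before relying on the output.

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Numbered string values ("1", "2", ...) under a list subkey hold the entries.
function Get-PolicyList([string] $SubKey) {
    $path = Join-Path $RestrictionsKey $SubKey
    if (-not (Test-Path $path)) { return @() }
    (Get-ItemProperty -Path $path).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

function Get-DeviceInstallRestrictionReport {
    if (-not (Test-Path $RestrictionsKey)) {
        return @('No device installation restrictions are configured.')
    }
    $root   = Get-ItemProperty -Path $RestrictionsKey
    $report = @()

    # Prevent Installation Of Removable Devices
    if ($root.DenyRemovableDevices -eq 1) {
        $report += 'Removable storage devices are blocked.'
    }
    # Prevent Installation Of Devices That Match Any Of These Device IDs
    if ($root.DenyDeviceIDs -eq 1) {
        $report += 'Blocked device IDs: ' + ((Get-PolicyList 'DenyDeviceIDs') -join ', ')
    }
    # Allow Installation Of Devices Using Drivers That Match These Device Setup Classes
    if ($root.AllowDeviceClasses -eq 1) {
        $report += 'Allowed device setup classes: ' + ((Get-PolicyList 'AllowDeviceClasses') -join ', ')
    }
    # Allow Administrators To Override Device Installation Policy
    if ($root.AllowAdminInstall -eq 1) {
        $report += 'Administrators may override these restrictions.'
    } else {
        $report += 'Administrators are subject to these restrictions too.'
    }
    return $report
}

Get-DeviceInstallRestrictionReport
```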

While Windows Vista focused on providing administrators with the control they needed to prevent users from saving files to removable media, Windows 7 includes technology to protect files when they are copied to removable media: BitLocker To Go. BitLocker To Go provides volume-level encryption for removable media. To decrypt the contents of removable media, a user must type a password or insert a smart card. Without the password or smart card, the contents of the BitLocker To Go–encrypted media are almost impossible to access.

2.3. Accidentally Printing, Copying, or Forwarding Confidential Documents

Often, users need to share confidential documents to collaborate efficiently. For example, a user might e-mail a document to another user for review. However, when the document is copied from your protected shared folder or intranet, you lose control of the document. Users might accidentally copy, forward, or print the document, where it can be found by a user who shouldn't have access.

There's no perfect solution to protect electronic documents from copying. However, the Windows Rights Management Services (RMS) client, built into Windows Vista and Windows 7, enables computers to open RMS-encrypted documents and enforce the restrictions applied to the document. With an RMS infrastructure and an application that supports RMS, such as Microsoft Office, you can:

  • Allow a user to view a document but not save a copy of it, print it, or forward it.

  • Restrict users from copying and pasting text within a document.

  • Make it very difficult to open the document using a client that does not enforce RMS protection.

Windows 7 provides built-in support for using RMS to protect XML Paper Specification (XPS) documents. To use RMS, you need an RMS infrastructure and supported applications in addition to Windows Vista or Windows 7. 