
Security in Windows 7 : Security Features Previously Introduced in Windows Vista

8/28/2012 1:15:45 AM
This section describes the most visible and tangible Windows Vista security improvements that have not been substantially changed in Windows 7; they are listed in Table 1, and each of them is also included in Windows 7. Architectural and internal improvements, as well as improvements that require additional applications or infrastructure, are described later in this section (see Table 2).

Table 1. Security Improvements Previously Introduced In Windows Vista

Improvement                     | Description
Windows Defender                | Attempts to detect and block unwanted software.
Windows Firewall                | Filters incoming and outgoing network traffic. New improvements provide greater flexibility and manageability.
Encrypting File System          | Encrypts files and folders other than system files. Improvements provide greater flexibility and manageability.
Credential Manager enhancements | Enable users to perform common credential management security tasks, such as resetting PINs.

2.1. Windows Defender

Windows Defender is a feature of Windows Vista and Windows 7 that provides protection from spyware and other potentially unwanted software. Windows Defender is signature based, using descriptions that uniquely identify spyware and other potentially unwanted software to detect and remove known applications. Windows Defender regularly retrieves new signatures from Microsoft so that it can identify and remove newly created spyware and other potentially unwanted software. Microsoft does not charge for signature updates.

Additionally, Windows Defender real-time protection monitors critical touchpoints in the operating system for changes usually made by spyware. Real-time protection scans every file as it is opened and also monitors the Startup folder, Run keys in the registry, Windows add-ons, and other areas of the operating system for changes. If an application attempts to make a change to one of the protected areas of the operating system, Windows Defender prompts the user to take appropriate action.

As shown in Figure 1, Windows Defender can also run a scan on demand to detect and remove known spyware. By default, Windows Defender will scan Windows Vista computers daily at 2:00 A.M. for malware infections; however, you can configure this behavior. Although Windows Defender real-time protection attempts to prevent most infections, nightly scanning allows Windows Defender to detect and remove newly discovered malware that might have circumvented the defenses of real-time protection.

Figure 1. Users who suspect malware has infected their computer can run a Windows Defender scan on demand.


The Microsoft SpyNet Community enables Windows Defender to communicate discoveries about new applications and whether users identify applications as malware or legitimate. Depending on how you configure Windows Defender, it can provide feedback to the SpyNet Community about new applications and whether users choose to allow the application to be installed. Feedback from the SpyNet Community helps Microsoft and users distinguish malware from legitimate software, enabling Windows Defender to more accurately identify malware and reduce the number of false alarms. Providing private feedback to the SpyNet Community is optional; however, all users can benefit from the information gathered by the community.

In addition to these features, Windows Defender includes Software Explorer. Software Explorer gives users control over many different types of applications, including applications that install themselves into the browser and applications that start automatically. Software Explorer is primarily intended for users who manage their own computers. In enterprise environments, IT departments will typically handle software removal.

2.2. Windows Firewall

Windows Vista and Windows 7 have an enhanced version of the Windows Firewall that was first included in Windows XP SP2. The Windows Firewall combines the functionality of a bidirectional host firewall and Internet Protocol security (IPsec) into a single, unified utility with a consistent user interface. Unlike a perimeter firewall, the Windows Firewall runs on each computer running Windows Vista or Windows 7 and provides local protection from network attacks that might pass through your perimeter network or originate inside your organization. It also provides computer-to-computer connection security that allows you to require authentication and data protection for all communications.

The Windows Firewall is a stateful firewall, so it inspects and filters all TCP/IP version 4 (IPv4) and TCP/IP version 6 (IPv6) traffic. Unsolicited incoming traffic is dropped unless it is a response to a request by the host (solicited traffic) or it is specifically allowed (that is, it has been added to the exceptions list or is permitted by an inbound rule). Outgoing traffic from interactive applications is allowed by default, but outgoing traffic from services is limited by the firewall to that which is required according to each service's profile in Windows Service Hardening. You can specify traffic to be added to the exceptions list and create inbound and outbound rules according to application name, service name, port number, destination network, domain membership, or other criteria by configuring Windows Firewall with Advanced Security settings.

For traffic that is allowed, the Windows Firewall also allows you to request or require that computers authenticate each other before communicating and to use data integrity and data encryption while exchanging traffic.

In Windows Vista, the Windows Firewall has many new features, including the following:

  • Management integration with IPsec. Windows XP and earlier operating systems used two separate interfaces, even though the Windows Firewall and IPsec had a significant amount of feature overlap. Now, as Figure 2 shows, you can manage both using a single interface.

    Figure 2. You can use a single tool to manage both Windows Firewall and IPsec.

  • New user and command-line interfaces. Improved interfaces simplify management and enable automated, scripted control over firewall settings.

  • Full IPv6 support. If your organization uses IPv6, you can now take advantage of Windows Firewall.

  • Outbound filtering. You can filter traffic being sent from a client computer as well as traffic being received by the computer. This enables you to restrict which applications can send traffic and where they can send it. For example, you might filter management alerts so that they can be sent only to your internal network. The outbound filtering feature in the Windows Firewall is not intended to prevent an infected computer from communicating, which is generally not possible (the malware might simply disable the firewall). Rather, outbound filtering allows administrators to assign policies to machines to prohibit known behavior, such as preventing unauthorized peer-to-peer software from communicating.

  • Windows Service Hardening. This feature limits the actions a service can take and also limits how the service communicates on the network, reducing the damage caused during a security compromise.

  • Full Group Policy integration. This feature enables you to centrally configure the Windows Firewall on all computers in your Active Directory Domain Services (AD DS) domain.

  • Filtering traffic by new properties. The Windows Firewall can filter traffic by using the following:

    • AD DS groups (authorized users and authorized computers)

    • Internet Control Message Protocol (ICMP) extensions

    • IP address lists

    • Port lists

    • Service names

    • Authenticated by IPsec

    • Encrypted by IPsec

    • Interface type

  • IP address authentication. The Windows Firewall supports IP address authentication with the ability to have two rounds of authentication with different credentials in each, including user credentials if desired.

  • Application-based IPsec policies. The Windows Firewall now supports application-based IPsec policies.

  • Simplified IPsec policy. This type of policy makes it much easier to deploy Server and Domain Isolation. When configured with a simplified policy, client computers make two connections to a destination: one unprotected connection and one connection with IPsec. The client computer will drop whichever connection does not receive a reply. With a single rule, then, client computers can adapt themselves to communicate with IPsec or in clear-text, whichever the destination supports.
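The outbound-filtering scenario from the list above (management alerts allowed only to the internal network), as an added example that is not part of the original text. It uses the netsh advfirewall command-line interface that the Windows Vista firewall introduced; the agent path and the 10.0.0.0/8 internal range are assumptions for illustration.

```powershell
# Added example, not from the original text: confine a management-alert agent
# to the internal network with outbound rules, using the netsh advfirewall
# interface that Windows Vista and Windows 7 ship with.
# Run from an elevated PowerShell prompt.

$agent    = 'C:\Program Files\Contoso\AlertAgent.exe'   # hypothetical agent
$internal = '10.0.0.0/8'                                 # assumed internal range

# 1. Allow the agent to reach the internal network on the domain and private
#    profiles. Values containing commas are quoted so PowerShell does not split
#    them into an array before handing them to netsh.
netsh advfirewall firewall add rule `
    name="AlertAgent - allow internal" dir=out action=allow `
    program="$agent" remoteip="$internal" profile="domain,private"

# 2. Block the same program to every other destination. In the Windows
#    Firewall, block rules take precedence over allow rules, so this rule must
#    not cover the internal range itself: instead of remoteip=any it lists the
#    IPv4 address space on either side of 10.0.0.0/8. (Add IPv6 ranges if the
#    agent can use IPv6; this block is IPv4 only.)
netsh advfirewall firewall add rule `
    name="AlertAgent - block external" dir=out action=block `
    program="$agent" `
    remoteip="1.0.0.0-9.255.255.255,11.0.0.0-255.255.255.255"

# 3. Verify both rules exist, and check the profiles' outbound default. The
#    default is AllowOutbound, which is why step 2 is needed at all: without
#    the block rule, the allow rule in step 1 changes nothing.
netsh advfirewall firewall show rule name="AlertAgent - allow internal"
netsh advfirewall firewall show rule name="AlertAgent - block external"
netsh advfirewall show allprofiles | Select-String 'Firewall Policy'
```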


Note:

One of the biggest challenges of protecting computers is that security settings can degrade over time. For example, support desk personnel might change a security setting while troubleshooting a problem and forget to correct it. Even if you enable Automatic Updates, a mobile computer might fail to download updates while disconnected from the network. To help you detect security vulnerabilities, use the Microsoft Baseline Security Analyzer (MBSA), available at http://www.microsoft.com/mbsa. MBSA can audit security settings on multiple computers on your network. MBSA is also a great way to verify security settings on new computers before deploying them.


2.3. Encrypting File System

Encrypting File System (EFS) is a file encryption technology (supported only on NTFS volumes) that protects files from offline attacks, such as hard-disk theft. EFS is entirely transparent to end users because encrypted files behave exactly like unencrypted files. However, without the correct decryption key the file cannot be opened, even by an attacker who bypasses the operating system's access controls.

EFS is especially useful for securing sensitive data on portable PCs or on computers that several users share. Both kinds of systems are susceptible to attack by techniques that circumvent the restrictions of ACLs. An attacker can steal a computer, remove the hard disk drives, place the drives in another system, and gain access to the stored files. Files encrypted by EFS, however, appear as unintelligible characters when the attacker does not have the decryption key.

Windows Vista and Windows 7 include the following new features for EFS:

  • Storing both user and recovery keys on smart cards. If smart cards are used for logon, EFS operates in a Single Sign-On mode in which it uses the logon smart card for file encryption without further prompting for the PIN. New wizards guide users through the process of creating and selecting smart card keys, as well as the process of migrating their encryption keys from an old smart card to a new one. The command-line utilities for smart cards have also been enhanced to include these features. Storing encryption keys on smart cards provides especially strong protection for mobile and shared computer scenarios.

  • Encrypting the system page file.

2.4. Credential Manager Enhancements

Windows Vista and Windows 7 include new tools to enable administrators to better support credential management for roaming users, including the Digital Identity Management Services (DIMS) and a new certificate enrollment process. Among other improvements, users can now reset their own smart card PINs without calling the support center. Additionally, users can now back up and restore credentials stored in the Stored User Names And Passwords key ring.

To improve the security of Task Scheduler, Windows Vista and Windows 7 can use Service-for-User (S4U) Kerberos extensions to store credentials for scheduled tasks instead of storing the credentials locally, where they might be compromised. This has the added benefit of preventing scheduled tasks from being affected by password expiration policies.

2.5. Architectural and Internal Security Improvements

Whenever possible, Windows Vista and Windows 7 security features have been designed to be transparent to end users and to require no administration time. Nonetheless, administrators and developers can benefit from understanding the architectural improvements. This section describes these architectural and internal improvements, as well as improvements that require additional applications or infrastructure. Table 2 describes these features originally introduced in Windows Vista and also included in Windows 7.

Table 2. Architectural and Internal Security Improvements in Windows Vista and Windows 7

Improvement                          | Description
Code Integrity                       | Detects malicious modifications to kernel files at startup.
Windows Resource Protection          | Prevents potentially dangerous changes to system resources.
Kernel Patch Protection              | Blocks potentially malicious changes that might compromise the integrity of the kernel on 64-bit systems.
Required Driver Signing              | Requires drivers to be signed, which improves reliability and makes it more difficult to add malicious drivers. Mandatory on 64-bit systems.
Windows Service Hardening            | Allows system services to access only those resources they normally need to access, reducing the impact of a compromised service.
Network Access Protection client     | When used together with Windows Server 2008, helps to protect your network from clients who do not meet your security requirements.
Web Services for Management          | Reduces risks associated with remote management by supporting encryption and authentication.
Crypto Next Generation services      | Allows the addition of custom cryptographic algorithms to meet government requirements.
Data Execution Prevention            | Reduces the risk of buffer overflow attacks by marking data sections of memory as nonexecutable.
Address Space Layout Randomization   | Reduces the risk of buffer overflow attacks by assigning executable code to random memory locations.
New Logon Architecture               | Simplifies development of custom logon mechanisms.
Rights Management Services client    | Provides support for opening Rights Management Services protected documents when the proper applications are installed and the necessary infrastructure is in place.
Multiple Local Group Policy Objects  | Allows administrators to apply multiple Local Group Policy Objects to a single computer, simplifying security configuration management for workgroup computers.

The sections that follow describe these features in more detail.

2.5.1. Code Integrity

When Windows starts up, Code Integrity (CI) verifies that system files haven't been maliciously modified and ensures that there are no unsigned drivers running in Kernel Mode. The bootloader checks the integrity of the kernel, the Hardware Abstraction Layer (HAL), and the boot-start drivers. After those files are verified, CI verifies the digital signatures of any binaries that are loaded into the kernel's memory space. Additionally, CI verifies binaries loaded into protected processes and the cryptography dynamic-link libraries (DLLs).

CI works automatically and does not require management.


Note:

CI is an example of a detective countermeasure because it can identify that the computer was compromised after the fact. Although it is always preferable to prevent attacks, detective countermeasures such as CI enable you to limit the damage caused by the attack by detecting the compromise so that you can repair the computer. You should also have a response plan in place to enable you to quickly repair a system that has had critical files compromised.


2.5.2. Windows Resource Protection

Any code that runs in Kernel Mode, including many types of drivers, can potentially corrupt kernel data in ways that surface later. Diagnosing and fixing these bugs can be difficult and time consuming. Corruption of the registry tends to have a disproportionate impact on overall reliability because this corruption can persist across reboots.

Windows Vista and Windows 7 protect system settings from corruption or inadvertent changes that can cause the system to run incorrectly or to not run at all. Windows Resource Protection (WRP), the follow-up to the Windows File Protection (WFP) feature found in previous Windows platforms, sets tight ACLs on critical system settings, files, and folders to protect them from changes by any source (including administrators) except a trusted installer. This prevents users from accidentally changing critical system settings that can render systems inoperable.

Windows Vista and Windows 7 also prevent poorly written drivers from corrupting the registry. This protection enables the memory-management feature to achieve protection the vast majority of the time, with low overhead. Protected resources include:

  • Executable files, libraries, and other critical files installed by Windows.

  • Critical folders.

  • Essential registry keys installed by Windows.

WRP does not allow you to modify protected resources, even if you provide administrative credentials.

2.5.3. Kernel Patch Protection

64-bit versions of Windows Vista and Windows 7, like the 64-bit versions of Windows XP and Windows Server 2003, support Kernel Patch Protection technology. Kernel Patch Protection prevents unauthorized programs from patching the Windows kernel, giving you greater control over core aspects of the system that can affect overall performance, security, and reliability. Kernel Patch Protection detects changes to critical portions of kernel memory. If a change is made in an unsupported way (for example, a user-mode application does not call the proper operating system functions), Kernel Patch Protection creates a Stop error to halt the operating system. This prevents kernel-mode drivers from extending or replacing other kernel services and prevents third-party software from updating any part of the kernel.

Specifically, to prevent Kernel Patch Protection from generating a Stop error, 64-bit drivers must avoid the following practices:

  • Modifying system service tables

  • Modifying the interrupt descriptor table (IDT)

  • Modifying the global descriptor table (GDT)

  • Using kernel stacks that are not allocated by the kernel

  • Updating any part of the kernel on AMD64-based systems

In practice, these factors are primarily significant to driver developers. No 64-bit driver should ever be released that can cause problems with Kernel Patch Protection, so administrators should never need to manage or troubleshoot Kernel Patch Protection. 


Note:

Kernel Patch Protection, hardware-based Data Execution Prevention (DEP), and required driver signing are the primary reasons that 64-bit systems can be more secure than 32-bit systems.


2.5.4. Required Driver Signing

Drivers typically run as part of the kernel, which gives them almost unprotected access to system resources. As a result, drivers that have bugs or are poorly written, or malware drivers specifically written to abuse these privileges, can significantly affect a computer's reliability and security.

To help reduce the impact of drivers, Microsoft introduced driver signing beginning with Microsoft Windows 2000. Signed drivers have a digital signature that indicates they have been approved by Microsoft and are likely to be free from major weaknesses that might affect system reliability. Administrators can configure Windows 2000 and later operating systems to block all unsigned drivers, which can dramatically decrease the risk of driver-related problems.

However, the large number of unsigned 32-bit drivers has made blocking unsigned drivers impractical for most organizations. As a result, most existing Windows computers allow unsigned drivers to be installed.

With 64-bit versions of Windows Vista and Windows 7, all kernel-mode drivers must be digitally signed. A kernel module that is corrupt or has been subject to tampering will not load. Any driver that is not properly signed cannot enter the kernel space and will fail to load. Although a signed driver is not a guarantee of security, it does help identify and prevent many malicious attacks while allowing Microsoft to help developers improve the overall quality of drivers and reduce the number of driver-related crashes.

Mandatory driver signing also helps improve the reliability of Windows Vista and Windows 7 because many system crashes result from vulnerabilities in kernel-mode drivers. Requiring the authors of these drivers to identify themselves makes it easier for Microsoft to determine the cause of system crashes and work with the responsible vendor to resolve the issue. System administrators also benefit from digitally signed and identified drivers because they get additional visibility into software inventory and install state on client computers. From a compatibility perspective, existing Windows Hardware Quality Labs–certified x64 kernel drivers are considered validly signed in Windows Vista and Windows 7.
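An added example (not from the original text) of the check an administrator can run against the Code Integrity and driver-signing requirements described in the two sections above. It relies on tools present on Windows 7 (driverquery, WMI and Get-AuthenticodeSignature) and on no assumed paths; the caveat about catalog signatures is stated in the comments.

```powershell
# Added example, not from the original text: report kernel-mode drivers that
# do not carry a valid signature. driverquery /si is catalog-aware (as the
# Code Integrity check is), whereas Get-AuthenticodeSignature in the
# PowerShell 2.0 that ships with Windows 7 only sees embedded signatures, so
# in-box drivers signed through catalog files can legitimately report
# NotSigned from the second function below.

function Get-UnsignedPnpDrivers {
    # driverquery /si lists PnP driver packages with columns
    # DeviceName, InfName, IsSigned, Manufacturer.
    driverquery /si /fo csv | ConvertFrom-Csv |
        Where-Object { $_.IsSigned -eq 'FALSE' } |
        Select-Object DeviceName, InfName, Manufacturer
}

function Get-RunningDriverImageSignatures {
    # Win32_SystemDriver covers every kernel driver service, not only PnP devices.
    Get-WmiObject Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        # Normalise the path forms WMI returns: \??\C:\..., \SystemRoot\..., System32\...
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

        $status = 'FileNotFound'; $signer = $null
        if (Test-Path $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status       # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        New-Object PSObject -Property @{
            Name = $_.Name; Path = $path; Status = $status; Signer = $signer
        }
    }
}

# Unsigned PnP driver packages: on x64 Windows Vista/7 these should not load at all.
Get-UnsignedPnpDrivers | Format-Table -AutoSize

# HashMismatch is the state worth acting on: the image changed after it was
# signed, which is tampering or corruption either way.
Get-RunningDriverImageSignatures |
    Where-Object { $_.Status -eq 'HashMismatch' } |
    Format-Table Name, Signer, Path -AutoSize
```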

2.5.5. Windows Service Hardening

Historically, many Windows network compromises (especially worms) resulted from attackers exploiting vulnerabilities in Windows services. Because many Windows services listen for incoming connections and often have system-level privileges, a vulnerability can allow an attacker to perform administrative tasks on a remote computer.

Windows Service Hardening, a feature of Windows Vista and Windows 7, restricts all Windows services from performing abnormal activities in the file system, registry, network, or other resources that can be used to allow malware to install itself or attack other computers. For example, the Remote Procedure Call (RPC) service is restricted to performing network communications on defined ports only, eliminating the possibility of abusing it to, for instance, replace system files or modify the registry (which is what the Blaster worm did). Essentially, Windows Service Hardening enforces the security concept of least privilege on services, granting them only enough permission to perform their required tasks.


Note:

Windows Service Hardening provides an additional layer of protection for services based on the security principle of defense-in-depth. Windows Service Hardening cannot prevent a vulnerable service from being compromised; that is the task of Windows Firewall and Automatic Updates. Instead, Windows Service Hardening limits how much damage an attacker can do in the event the attacker is able to identify and exploit a vulnerable service.


Windows Service Hardening reduces the damage potential of a compromised service by:

  • Introducing a per-service security identifier (SID) to uniquely identify services, which subsequently enables access control partitioning through the existing Windows access control model covering all objects and resource managers that use ACLs. Services can now apply explicit ACLs to resources that are private to the service, which prevents other services, as well as the user, from accessing the resource.

  • Moving services from LocalSystem to a lesser-privileged account, such as LocalService or NetworkService, to reduce the privilege level of the service.

  • Stripping unnecessary Windows privileges on a per-service basis—for example, the ability to perform debugging.

  • Applying a write-restricted token to services that access a limited set of files and other resources so that the service cannot update other aspects of the system.

  • Assigning a network firewall policy to services to prevent network access outside the normal bounds of the service program. The firewall policy is linked directly to the per-service SID and cannot be overridden or relaxed by user- or administrator-defined exceptions or rules.

A specific goal of Windows Service Hardening is to avoid introducing management complexity for users and system administrators. Every service included in Windows Vista and Windows 7 has been through a rigorous process to define its Windows Service Hardening profile, which is applied automatically during Windows setup and requires no ongoing administration, maintenance, or interaction from the end user. For these reasons, there is no administrative interface for managing Windows Service Hardening. 


Note:

Third-party software developers can also take advantage of the Windows Service Hardening security benefits by providing profiles for custom services.
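Although there is no administrative interface for Windows Service Hardening, the profile elements listed above (run-as account, per-service SID type, retained privileges) can be read back with sc.exe. The following is an added example, not from the original text; the "review" heuristic it applies (LocalSystem plus an unrestricted token plus either no privilege restriction or a retained high-value privilege) is the author's choice of what is worth a second look, not a Microsoft rule.

```powershell
# Added example, not from the original text: read a service's hardening
# profile with the sc.exe queries that Windows Vista and Windows 7 provide,
# then survey all services for ones that still run with LocalSystem's
# unrestricted default token.

function Get-ServiceHardeningProfile {
    param([Parameter(Mandatory=$true)][string]$Name)

    # Account the service runs as: LocalSystem, NT AUTHORITY\LocalService, ...
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }

    # sc.exe qsidtype prints  SERVICE_SID_TYPE:  UNRESTRICTED | RESTRICTED | NONE
    # RESTRICTED is the write-restricted token: the service can write only to
    # objects whose ACL explicitly grants its per-service SID.
    $m = sc.exe qsidtype $Name | Select-String 'SERVICE_SID_TYPE:\s*(\w+)'
    $sidType = if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }

    # sc.exe showsid prints the per-service SID (S-1-5-80-...) derived from the name.
    $m = sc.exe showsid $Name | Select-String 'SERVICE SID:\s*(S-[\d-]+)'
    $serviceSid = if ($m) { $m.Matches[0].Groups[1].Value } else { $null }

    # sc.exe qprivs lists the privileges kept in the service token; every other
    # privilege of the account is stripped when the service starts. An empty
    # list means no restriction was configured, so the account's full default
    # privilege set applies.
    $privs = @(sc.exe qprivs $Name | Select-String 'Se\w+Privilege' -AllMatches |
               ForEach-Object { $_.Matches } | ForEach-Object { $_.Value })

    $highValue = @('SeDebugPrivilege', 'SeTcbPrivilege',
                   'SeLoadDriverPrivilege', 'SeTakeOwnershipPrivilege')
    $kept      = @($privs | Where-Object { $highValue -contains $_ })
    $isSystem  = ($svc.StartName -eq 'LocalSystem')
    $review    = $isSystem -and ($sidType -eq 'UNRESTRICTED') -and
                 (($privs.Count -eq 0) -or ($kept.Count -gt 0))

    New-Object PSObject -Property @{
        Name       = $Name
        Account    = $svc.StartName
        SidType    = $sidType
        ServiceSid = $serviceSid
        Privileges = if ($privs.Count) { $privs -join ',' } else { '(account default)' }
        Review     = $review
    }
}

# Survey every installed service and list the ones the heuristic flags.
Get-WmiObject Win32_Service |
    ForEach-Object { Get-ServiceHardeningProfile -Name $_.Name } |
    Where-Object { $_.Review } |
    Format-Table Name, Account, SidType, Privileges -AutoSize
```

The per-service SID shown in ServiceSid is the principal to grant in an ACL when a resource should be private to that service, as the first bullet above describes.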


2.5.6. Network Access Protection Client

Most networks have perimeter firewalls to help protect the internal network from worms, viruses, and other attackers. However, attackers can penetrate your network through remote access connections (such as a VPN) or by infecting a mobile PC and then spreading to other internal computers after the mobile PC connects to your LAN.

Windows Vista and Windows 7, when connecting to a Windows Server 2008 infrastructure, support Network Access Protection (NAP) to reduce the risk of attackers entering through remote access and LAN connections using the built-in NAP client software of Windows Vista. If a Windows client computer lacks current security updates or antivirus signatures or otherwise fails to meet your requirements for a healthy computer, NAP can block the computer from reaching your internal network.

However, if a computer fails to meet the requirements to join your network, the user doesn't have to remain frustrated. Client computers can be directed to an isolated quarantine network to download the updates, antivirus signatures, or configuration settings required to comply with your health requirements policy. Within minutes, a potentially vulnerable computer can be protected and once again allowed to connect to your network.

NAP is an extensible platform that provides an infrastructure and an application programming interface (API) for health policy enforcement. Independent hardware and software vendors can plug their security solutions into NAP so that IT administrators can choose the security solutions that meet their unique needs. NAP helps to ensure that every machine on the network makes full use of those custom solutions.

Microsoft will also release NAP client support with Windows XP SP3. 

2.5.7. Web Services for Management

Web Services for Management (WS-Management) makes Windows Vista and Windows 7 easier to manage remotely. An industry-standard Web services protocol for protected remote management of hardware and software, WS-Management, together with the proper software tools, allows administrators to run scripts and perform other management tasks remotely. In Windows Vista and Windows 7, communications can be both encrypted and authenticated, limiting security risks. Microsoft management tools, such as System Center Configuration Manager 2007, use WS-Management to provide safe and secure management of both hardware and software.

2.5.8. Crypto Next Generation Services

Cryptography is a critical feature of Windows authentication and authorization services, which use cryptography for encryption, hashing, and digital signatures. Windows Vista and Windows 7 deliver Crypto Next Generation (CNG) services, which are requested by many governments and organizations. CNG allows new algorithms to be added to Windows for use in Secure Sockets Layer/Transport Layer Security (SSL/TLS) and IPsec. Windows Vista and Windows 7 also include a new security processor to enable trust decisions for services, such as rights management.

For organizations that are required to use specific cryptography algorithms and approved libraries, CNG is an absolute requirement.

2.5.9. Data Execution Prevention

One of the most commonly used techniques for exploiting vulnerabilities in software is the buffer overflow attack. A buffer overflow occurs when an application attempts to store too much data in a buffer, and memory not allocated to the buffer is overwritten. An attacker might be able to intentionally induce a buffer overflow by entering more data than the application expects. A particularly crafty attacker can even enter data that instructs the operating system to run the attacker's malicious code with the application's privileges.

One well-known buffer overflow exploit is the CodeRed worm, which exploited a vulnerability in an Index Server Internet Server Application Programming Interface (ISAPI) application shipped as part of an earlier version of Microsoft Internet Information Services (IIS) to run malicious software. The impact of the CodeRed worm was tremendous, and it could have been prevented by the presence of Data Execution Prevention (DEP).

DEP marks sections of memory as containing either data or application code. The operating system will not run code contained in memory marked for data. User input—and data received across a network—should always be stored as data and is therefore not eligible to run as an application.

The 32-bit versions of Windows Vista and Windows 7 include a software implementation of DEP that can prevent memory not marked for execution from running. The 64-bit versions of Windows Vista and Windows 7 work with the 64-bit processor's built-in DEP capabilities to enforce this security at the hardware layer, where it is very difficult for an attacker to circumvent it.


Note:

DEP provides an important layer of security for protection from malicious software. However, it must be used alongside other technologies, such as Windows Defender, to provide sufficient protection to meet business requirements.


As Figure 3 shows, DEP is enabled by default in both 32- and 64-bit versions of Windows Vista and Windows 7. By default, DEP protects only essential Windows programs and services to provide optimal compatibility. For additional security, you can protect all programs and services.

Figure 3. You can enable or disable DEP from the Performance Options dialog box or from Group Policy settings.
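The OptIn/OptOut distinction that Figure 3 controls can be read back from the operating system, and DEP can be checked per process. This is an added example, not from the original text; the system policy comes from Win32_OperatingSystem, the per-process state from the kernel32 GetProcessDEPPolicy API via Add-Type, and the bcdedit command at the end is the command-line equivalent of the dialog setting.

```powershell
# Added example, not from the original text: report the system-wide DEP policy
# and the DEP state of individual processes on Windows Vista / Windows 7.

function Get-SystemDepPolicy {
    $os = Get-WmiObject Win32_OperatingSystem
    # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn,
    # 2 OptIn (the default: essential Windows programs and services only),
    # 3 OptOut (all programs and services except those explicitly excluded).
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
        CoversDrivers        = $os.DataExecutionPrevention_Drivers
    }
}

# P/Invoke declaration for GetProcessDEPPolicy (kernel32, Vista SP1 / Windows 7).
if (-not ('Win32.Dep' -as [type])) {
    Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@
}

function Get-ProcessDepStatus {
    param([Parameter(Mandatory=$true)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    [uint32]$flags = 0
    [bool]$permanent = $false
    try {
        # PROCESS_DEP_ENABLE is bit 0 of the returned flags. The API only
        # supports 32-bit processes: 64-bit processes always run with DEP, so
        # a failure for one of them is expected rather than an error.
        $ok = [Win32.Dep]::GetProcessDEPPolicy($proc.Handle, [ref]$flags, [ref]$permanent)
    } catch {
        $ok = $false        # e.g. access denied opening a protected process
    }
    if (-not $ok) { $state = 'Unavailable (64-bit process or access denied)' }
    elseif ($flags -band 1) { $state = 'Enabled' } else { $state = 'Disabled' }
    New-Object PSObject -Property @{
        Name = $proc.ProcessName; Id = $proc.Id; DEP = $state; Permanent = $permanent
    }
}

Get-SystemDepPolicy | Format-List
# Under the default OptIn policy, 32-bit programs that did not opt in show
# 'Disabled' here; that is the compatibility trade-off the text describes.
Get-Process | ForEach-Object { Get-ProcessDepStatus -ProcessId $_.Id } |
    Format-Table Name, Id, DEP, Permanent -AutoSize

# Switching the whole system to OptOut (protect all programs; reboot required):
#   bcdedit /set {current} nx OptOut
```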


2.5.10. Address Space Layout Randomization

Address Space Layout Randomization (ASLR) is another defense capability in Windows Vista and Windows 7 that makes it harder for malicious code to exploit a system function. Whenever a Windows Vista or Windows 7 computer is rebooted, ASLR randomly assigns executable images (.dll and .exe files) included as part of the operating system to one of multiple possible locations in memory. This makes it harder for exploitative code to locate and therefore take advantage of functionality inside the executables.

Windows Vista and Windows 7 also introduce improvements in heap buffer overrun detection that are even more rigorous than those introduced in Windows XP SP2. When signs of heap buffer tampering are detected, the operating system can immediately terminate the affected program, limiting damage that might result from the tampering. This protection technology is enabled for operating system features, including built-in system services, and can also be leveraged by Independent Software Vendors (ISVs) through a single API call.

2.5.11. New Logon Architecture

Logging on to Windows provides access to local resources (including EFS-encrypted files) and, in AD DS environments, protected network resources. Many organizations require more than a user name and password to authenticate users. For example, they might require multifactor authentication using both a password and biometric identification or a one-time password token.

In Windows XP and earlier versions of Windows, implementing custom authentication methods required developers to completely rewrite the Graphical Identification and Authentication (GINA) interface. Often, the effort required did not justify the benefits provided by strong authentication, and the project was abandoned. Additionally, Windows XP supported only a single GINA.

With Windows Vista and Windows 7, developers can now provide custom authentication methods by creating a new credential provider. This requires significantly less development effort, allowing more organizations to offer custom authentication methods.

The new architecture also enables credential providers to be event driven and integrated throughout the user experience. For example, the same code used to implement a fingerprint authentication scheme at the Windows logon screen can be used to prompt the user for a fingerprint when accessing a particular corporate resource. The same prompt also can be used by applications that use the new credential user interface API.

Additionally, the Windows logon user interface can display multiple credential providers at the same time, so environments with different authentication requirements for different users (a smart card for administrators, a password for everyone else) can be served by one logon screen.

2.5.12. Rights Management Services

Windows Rights Management Services (RMS) is an information-protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use both inside and outside your private network. RMS provides persistent usage policies (also known as usage rights and conditions) that stay with a file wherever it goes. Because RMS protects the data itself, in any file format, the usage rights travel with the information, even in transit, rather than depending on the access controls of the network share or server where it was originally stored.

RMS works by encrypting documents and then issuing decryption keys only to authorized users running an approved RMS client. To be approved, the RMS client must enforce the usage rights assigned to a document. For example, if the document owner has specified that the contents must not be copied, forwarded, or printed, the RMS client will not allow the user to take those actions. The limit of this model is that enforcement happens in the client on the user's own computer: it keeps outsiders from reading the content at all and stops an authorized user from casually misusing it, but a user who is allowed to view a document can still photograph the screen or transcribe it, so RMS complements rather than replaces access control on the source system.

In Windows Vista and Windows 7, RMS is integrated with the XPS format. XPS is an open, fixed-layout document format that can be created, shared, printed, archived, and protected. Because Windows ships a print driver that outputs XPS, any application that can print can produce an XPS document, and that document can then be protected with RMS. This significantly broadens the range of information that RMS can protect beyond applications written against the RMS APIs themselves.

The 2007 Microsoft Office system provides deeper integration with RMS through Microsoft SharePoint. SharePoint administrators can set access policies for a document library on a per-user basis, and those policies are inherited by the RMS policy applied to documents taken from the library. A user who has only "view" rights on the library therefore keeps only view access (no print, copy, or paste), enforced by RMS, even after the document has left the SharePoint site. Enterprise customers can thus set usage policies that are enforced not only while the document is at rest on the server, but also when the information is outside the direct control of the enterprise.

Although the RMS client is built into Windows Vista and Windows 7, it is useful only together with a rights management infrastructure (an RMS or AD RMS server that issues licenses) and an application that supports RMS, such as Microsoft Office. The RMS client can also be installed separately on Windows 2000 and later operating systems.

2.5.13. Multiple Local Group Policy Objects

As an administrator, you can now apply multiple Local Group Policy Objects to a single computer. Windows Vista and Windows 7 process them in three layers: the Local Computer Policy (the only local object that carries Computer Configuration settings), then a Local Group Policy Object for either the Administrators or the Non-Administrators group, and finally a Local Group Policy Object for an individual local user account. Later layers override earlier ones, and in an AD DS environment domain Group Policy Objects override all three. This simplifies configuration management because you can keep settings for different roles in separate objects and let them combine, much as you can with AD DS Group Policy Objects. For example, you might lock down Control Panel and Internet Explorer for Non-Administrators and create a further per-user object for a shared kiosk account; a logon by the kiosk account then receives both, without your having to fold every setting into one Local Computer Policy. The per-group and per-user objects are created from the Group Policy Object Editor snap-in in mmc.exe (click Browse when adding the snap-in and select the Users tab), since gpedit.msc opens only the Local Computer Policy.