Windows 7 security: An overall improvement?

In Windows 7, the Windows Security Center will be replaced with the Windows Action Center. (Credit: Robert Vamosi/CNET Networks; Microsoft)

Since Monday, I have been running a prebeta copy of Windows 7, the next operating system from Microsoft.
At first glance, build 6801 of Windows 7 appears very much like Windows Vista; that's because enhancements to the look and feel part of the operating system typically come late in the development process. Right now, the core programming is being set, and there are already some changes in how Windows 7 will handle computer security.
Gone is the Security Center, introduced in Windows XP SP2. Instead, there will be an "Action Center" that incorporates alerts from 10 existing Windows features: Security Center; Problem, Reports, and Solutions; Windows Defender; Windows Update; Diagnostics; Network Access Protection; Backup and Restore; Recovery; and User Account Control.
Changes to the User Account Control (UAC) may raise an eyebrow or two. While vastly unpopular in Windows Vista, the dialog boxes that pop up whenever a user tries to install new software, among other reasons, served a purpose.
In Windows 7, users can adjust consent prompt behavior using a slider control, if they have administrative privileges. Microsoft says they'll still be protected against malicious software, even if they never see another alert. I'm wondering if that's actually a bad idea: if people never see an alert, they might think nothing bad ever happens to their computer. We lose an element of user education.
Windows 7, which Microsoft unveiled at its PDC 2008 event this week, also introduces something called the Windows Filtering Platform (WFP). The idea is that third parties can take advantage of aspects of the Microsoft Windows Firewall in their own products. Microsoft says "third-party products also can selectively turn parts of the Windows Firewall on or off, enabling you to choose which software firewall you want to use and have it coexist with Windows Firewall."
I mentioned this feature to one major security vendor, which responded by saying it couldn't imagine running its product side by side with Windows Firewall. Also, if Microsoft had a compelling component in its firewall, this vendor said it would just build its own version, not use Microsoft's.
Other security features have been tweaked in the current build of the next Windows operating system. Scrollbars were removed in the configuration settings screen, as was the Software Explorer feature, and real-time protection in Windows 7 has been improved to reduce the impact on overall system performance.
Windows 7 extends BitLocker drive encryption support to removable storage devices, such as flash memory drives and portable hard drives. This means that users can keep sensitive data on all of their USB storage devices.
Biometrics enhancements include easier reader configurations, allowing users to manage the fingerprint data stored on the computer and control how they log on to Windows 7.
And System Restore includes a list of programs that will be removed or added, providing users with more information before they choose which restore point to use. Restore points are also available in backups, providing a larger list to choose from, over a longer period of time.
Returning from Windows Vista are Kernel Patch Protection, Service Hardening, Data Execution Prevention, Address Space Layout Randomization, and Mandatory Integrity Levels.
This information could change, as Microsoft nears the final build. Microsoft still expects to ship Windows 7 "within three years of Windows Vista," which means that it could be available sometime before January 2010.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.

Better of two evils right now. Pick out ANY PC World magazine since Vista debuted, and you'll find instructions on how to disable UAC and leave the PC vulnerable.
I have had that happen twice myself where the UAC popped up instantly as the infection was still in the process of installing! I was able to quarantine it immediately and delete it after it finished. The feeling of relief that nothing bad happened you get when that happens is worth all the nagging in the world, believe me!
MS users are not educated to begin with.
Nothing in here is really security oriented. The nonsense MS trumpeted as secure features for Vista have all been completely compromised. They need to start from scratch.
The "highlight":
"The idea is that third parties can take advantage of aspects of the Microsoft Windows Firewall in their own products. Microsoft says 'third-party products also can selectively turn parts of the Windows Firewall on or off, enabling you to choose which software firewall you want to use and have it coexist with Windows Firewall.'"
That is a built in security hole, even worse than the laughable SetWindowsHookEx function that gives anyone the ability to trace anything going on. It just proves that despite all their PR, MS simply does not understand security. I am sure backdoor writers are loving it.
You can also jump out of your car while driving on the freeway. That's your choice. It may be a stupid choice, but the auto maker isn't going to get in your way because you intentionally chose that action.
That is a problem with giving people the power of choice- they can willingly and ignorantly choose to do more harm to themselves.
As to the 'built-in security hole'..... the optional firewall makers would be HOWLING if Microsoft didn't have that 'security hole' in there to allow their software to turn off the Windows Firewall.
I'm kinda getting tired of seeing your posts where you automatically say "It's Microsoft's BAD!" No, Microsoft has to take into account that some companies are whiny babies and if they don't allow them to disable some things in Vista and their other operating system..... they will sue them!
That said, most typical users won't know or care (hence, "uneducated"), which is a very valid point.
IMPO, Microsoft is still going about it the wrong way - instead of building a core that inherently trusts nothing, they slathered on a couple of layers of protection, hoping that the layer or two will hold up. Judging by the readily exploitable bugs still found --even in the pre-beta Windows 7-- that's a bad way to go about it.
I kind of hoped that they'd build the thing from scratch, but I'm guessing that isn't likely.
And once a process has administrative privileges on a box, no security roadblocks are possible.
So while your statements show you are trying to pass for a security expert, it looks like you are actually a security troll.
If MS doesn't understand security, why is it that their products have fewer holes of any kind than the alternatives by about an order of magnitude?
"Wrong. I am very well educated, have an A+ degree,... "
LOL Did you actually say that? Can I email your response around? This could be better than the "Computer Science III" guy. As penguin pointed out a cert is not the same thing as being educated.
"And to exploit that security hole, you would first have to agree to it with the UAC. So... you choose to open it intentionally."
Wrong. UAC won't protect you here, this is a backdoor of epic proportions. BTW, UAC won't complain if I put a DLL on your system that hooks into every single process that has access to the keyboard and run it via a service. MS delivers the keyboard logging functionality on a silver platter.
" Typical idiotic response from the decider. How dumbo how does it feel to have a call name that insults your political opponents? He,he,he"
How 'dumbo' are you that you couldn't refute anything I wrote?
"All I have to say to you "The_Decider" is your lack of social skills and human understanding brings enormous discredit to any thoughts you may have on the subject. To make a blanket statement like, "MS users are not educated to begin with" speaks volumes about your own education or lack thereof."
Excuse me? MS relies on its users' ignorance, it is part of their business model.
I don't have an A+ cert, but all I need is to finish my thesis and go through a defense, and my MS in computer science will be completed. However, that pales to the almighty A+ certificate!
" Wow is all I have to say. The other posters already made all the points on this."
If you think anyone made any valid points you are hopeless. No wonder MS puts massive security holes in their software, their users don't care!
"Huh? All those features you mention as "holes" require administrative privileges to turn on and off, do you realize that? "
Do you realize how easy it is to get elevated privileges on any Windows system? It can be done without your knowledge or consent.
"And once a process has administrative privileges on a box, no security roadblocks are possible."
Wrong
"So while your statements show you are trying to pass for a security expert, it looks like you are actually a security troll."
Wrong again
"If MS doesn't understand security, why is it that their products have fewer holes of any kind than the alternatives by about an order of magnitude?"
Is that a joke? MS has orders of magnitude more exploits than anything they compete with. I see you don't understand the difference between a hole and an exploitable hole, but no matter, Windows is by far the least secure OS today. It is not even close.
1. A task bar that actually tells you what is going on and which processes are killing your machine. Any program running in the system should have some kind of digital signature, so I can make sure who created that particular program.
2. A true uninstaller. Like Revo Uninstaller. No more junk left behind.
Point 2, is it an MS issue or the APP issue? Because I totally agree, there are so many apps that just don't properly uninstall.
They help but to rely on it is foolish.
#2 is a great idea, but how many years has Windows existed without MS being able to implement this properly?
That is impressive, but not in a good way.
Show me the proof that every single security feature has been compromised. Back up what you claim, decider.
Maybe that's a good thing. Vista looked fine.
My biggest problem with Vista was that it made settings that were already mildly hard to get to in XP even harder and more confusing to get to. I work for an ISP and they buried the network connections. Also, another issue I had with Vista was basic command line commands were turned off by default (like ipconfig). That's just annoying.
Seriously? It made more sense before. It's like they have to change everything just for the sake of change except for the stuff that's actually broken. It's like a consistent theme with them or something.
Oh well, as long as it runs on 1 ghz and 1 gig of ram like they say it will I'll use it and call it an improvement. But I swear to God if Microsoft just started doing the exact opposite of what they usually do their product would probably be much better off.
To address another issue. I personally feel that yes Microsoft could do a better job at security. But honestly what software company couldn't? I mean come on Linux (probably most people's "golden os" for the people complaining on here or BSOD) is full of holes as well. And don't even get me started on the lack of security on MAC OSX I mean come on they are behind just about everyone else. (yes I know they don't get exploited much but that's not because they are more secure and what is sad is because of that most apple users feel much more secure than they really are.) Microsoft has to find a balance for its home users who don't want to be prompted about much of anything and who probably don't even care about a password or much security they just want to run around and have nothing bug them and the business user for whom security is a very important thing. That's why there are other products made by Microsoft and other vendors for the workplace to address these issues while trying to find a balance at a home user level as well.
And as for building the OS from scratch yeah that would be great but they have enough backwards compatibility problems as it is without doing things. If you step back and take a good look at everything they are doing, the vast amount of software and hardware that they support on their OS (Linux = what's an exe?) the amount of market penetration, environment, and users that they have to cater to I think they are doing a good job. Could it be better well I would like to think so. But until you take everything into account instead of just focusing on one part of a program I don't think you can give a 100% educated answer on that.
In summary what I am saying is don't just harp on security (as very important as it is trust me it may not sound like it but I do care about it a lot!) when you don't look at functionality and support for different products. We don't live in a perfect software world and Microsoft isn't the only one fighting that battle. And for anyone in the open source community that want to say hey we are more secure and have good functionality I laugh and point to the vast libraries of software that windows can run that you won't touch for decades. And hardware that I have been able to use for years with ease and you are just now being able to run effectively. Try and see the whole picture
P.S. yes I know I will be torn to shreds for some of the things I said in this. But that's life some people are stuck in a rut they will never get out of. I can only hope that someday they will be able to see more than 2 in. in front of their face.
until they fix that they will have speed problems, I hope beta testers really test it this time, because vista was NOT beta tested properly
We are approaching the 20th anniversary of Windows NT - the forerunner of all this...and
NT was originally designed - from the base up - with minimal security and only added Discretionary Access Control - DAC ( remember the "Orange Book" and C2 compliance needs for the Feds back then - "C2 by '92") later in development. DAC is OBSOLETE in the global Internet age and such modern systems as "Flexible Mandatory Access Control (FMAC)" - as per "Secure LINUX" and Solaris 10 (Secure Environment) should be the BASE for any public or private enterprise wishing to protect its vital information systems - including keeping up with national and international legislation! Shame - Win7 could have entered the 21st century security environment BUT it looks as if it is still in a 1980s DAC security mode!! ( I wonder what Microsoft's Rashid thinks - after all he developed Mach which led to "Trusted Mach - TMach" - perhaps he has no influence at all on the real MS OS product sets - that's also a shame!)
Anyways, I'd much rather see MS spend their efforts addressing the bugs in Windows instead of all this "security". So many PCs ship with Norton AV these days anyways, I don't quite see the point.
-
by andeyejah
November 7, 2008 4:47 AM PST
- I am pleased to announce the decider's true identity his name is Philip Hornnet of apple computers living in new york city east77.