Windows 7 builds on the security of the Vista operating system, with a number of improved security features, including a more user-friendly User Account Control (UAC) and the extension of encryption capabilities to USB flash drives and external hard drives, Chris Corio, a member of Microsoft's Windows Security team, wrote in a Microsoft TechNet article.
The UAC component was first introduced in Vista to improve security by running application software with standard user rights until an administrator authorizes an increase in privilege level.
Ninety-two percent of “critical” vulnerabilities in Microsoft products and 69 percent of all published vulnerabilities could have been mitigated by removing administrator privileges from users' machines, according to a recent study by access control solutions provider BeyondTrust.
The UAC feature in Vista frequently prompted users for permission to do something, sometimes twice for a single task, which resulted in many individuals getting annoyed and, as a result, turning the security feature off.
In Windows 7, the UAC feature has been “streamlined” for a better user experience, Corio said. Fewer applications and tasks require administrative privileges, resulting in fewer prompts for certain actions, including configuring desktop displays and resetting network connections.
“Moving to an operating system that you use as a user, rather than an administrator, is a smart move and is part of a layered security approach,” Randy Abrams, director of technical education at anti-virus vendor ESET, who worked at Microsoft for 12 years, wrote in a recent blog post.
But by default, the Windows 7 UAC feature is not set to the most secure setting and will not notify the user every time system privileges are elevated, thus creating an attack surface that cybercriminals already have begun exploiting, Eric Voskuil, CTO of BeyondTrust, told SCMagazineUS.com on Wednesday.
Voskuil recommended that for best protection, users should elevate the UAC feature from the default setting, “notify me only when programs try to make changes to my computer,” to the “always notify” setting.
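The two settings Voskuil names are positions of the UAC slider, which Windows stores as three registry values under the local security policy key. The following PowerShell script is an added example (not from the article, from Microsoft or from BeyondTrust) that reads those values to report which slider position a Windows 7 or later host is at, and can raise it to “always notify”. The value semantics (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are as documented by Microsoft; the function names and the defaults assumed for absent values are this example's own.

```powershell
# Added example: audit the UAC slider position via the registry values it writes,
# and optionally raise it to "always notify". Function names are this example's own.
# Value meanings follow Microsoft's UAC policy documentation:
#   EnableLUA                  0 = UAC disabled entirely, 1 = enabled
#   ConsentPromptBehaviorAdmin 2 = prompt for every elevation, 5 = prompt only for non-Windows binaries
#   PromptOnSecureDesktop      1 = prompt on the secure (dimmed) desktop, 0 = on the normal desktop
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $UacKey

    # When a value is absent the OS behaves as if it were the Windows 7 default
    # (1 / 5 / 1); that fallback is an assumption made by this example.
    $enableLua = if ($null -ne $p.EnableLUA)                  { [int]$p.EnableLUA }                  else { 1 }
    $consent   = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secure    = if ($null -ne $p.PromptOnSecureDesktop)      { [int]$p.PromptOnSecureDesktop }      else { 1 }

    if ($enableLua -eq 0) {
        $level = 'Never notify (UAC off)'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        $level = 'Always notify'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        $level = 'Notify only when programs try to make changes (Windows 7 default)'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        $level = 'Notify only when programs try to make changes (do not dim desktop)'
    } else {
        $level = 'Custom / policy-managed'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        Level                      = $level
        IsAlwaysNotify             = ($enableLua -eq 1 -and $consent -eq 2 -and $secure -eq 1)
    }
}

function Set-UacAlwaysNotify {
    # Writing HKLM requires an elevated prompt. A change to EnableLUA only takes
    # effect after a restart; the other two values apply to subsequent elevations.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

# Report the current position and flag anything below the recommended setting.
$state = Get-UacLevel
$state | Format-List
if (-not $state.IsAlwaysNotify) {
    Write-Warning "UAC is at '$($state.Level)'. To move to 'Always notify', run Set-UacAlwaysNotify from an elevated prompt."
}
```

In a managed environment the same three values are set through Group Policy (Computer Configuration, Security Options, the “User Account Control:” entries), which is preferable to editing the registry host by host; the audit function above still reports the effective result either way.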
In addition to the changes made to UAC, Windows 7 includes a number of other security improvements, including a simplified auditing mechanism and biometrics framework, according to Microsoft. The simplified auditing mechanism could help companies meet compliance regulations, while a revamped biometrics framework could encourage users to take advantage of biometric security options.
Also, there are a number of new features aimed at improving security. A DNSSEC validation feature, for example, could help reduce DNS-related attacks against Windows 7 users, according to Microsoft.
“Windows 7 is the first client operating system to include the necessary pieces to allow the client to verify that it is communicating securely with a DNS server and verify that the server has performed DNSSEC validation on its behalf,” Corio said. A feature called AppLocker that enables administrators to control which applications a user can run may result in better whitelisting capability, Abrams told SCMagazineUS.com on Wednesday in an email. And the extension of BitLocker Drive Encryption to removable media can help prevent data compromises if a removable device is lost or stolen.