On the security front, Windows 7 changes are significant. Security is an ever-changing landscape, as threats and computer usage evolve rapidly. Windows 7 does a good job addressing the evolving security landscape while building on the work of previous versions of the operating system.
One area where Vista clearly took a lot of heat was User Account Control (UAC). This set of features, which was introduced in Vista, remains largely intact in Windows 7. UAC is the source of the administrative permissions prompts that Apple lampooned in a 2007 television ad entitled “Security”. Interestingly, OS X implements similar administrative prompting, which can be more annoying since the prompting requires entry of an administrative password, whereas the same feature in Windows does not. The nod goes to OS X, however, in that Vista prompting seemed more frequent than necessary. In Windows 7, Microsoft set out to change this.
For organizations to take advantage of new and improved security features, such as AppLocker and even Group Policy, the end-user should be a non-administrator. Otherwise, the restrictions are easily circumvented. I'm very much in favor of the changes in the operating system that reduce the number of prompts for standard users, such as file and registry virtualization (in place since Vista) and some Windows 7 reorganization that enables certain tasks to run without administrative permissions (e.g., defragmentation). This will make it easier for companies to deploy standard users when they move to Windows 7.
However, some organizations may opt to keep their end-users running as “administrators,” and certainly many consumer PCs will run in this configuration, if only because it's the default setup. It should be the case, as it was with Vista, that this mode is as secure as “standard user.”
Windows 7 introduces a new option designed to reduce the amount of prompting. There are four levels, with the lowest being off and the highest being secure. The default is an intermediate level. According to the feature description:
“User Account Control (UAC) helps defend your PC against hackers and malicious software. Any time a program wants to make a major change to your computer, UAC lets you know and asks for permission.
“Introduced in Windows Vista, UAC is now less intrusive and more flexible. Fewer Windows 7 programs and tasks require your consent. If you have administrator privileges on your PC, you can also fine-tune UAC's notification settings in Control Panel.”
The default setting results in a reduction of prompts: the prompts continue, yet security is eviscerated. Though protecting administrative credentials is clearly a security measure, Microsoft is trying to have it both ways, arguing that UAC is not a security boundary. The purpose of UAC is to protect against malware. Even if it's not a “security boundary,” the message is about defending your PC against “hackers and malicious software.” If it doesn't do that, what's the point of the remaining prompts?
In my opinion, the decision to configure users this way by default violates Microsoft's “Secure by Default” principle, which says that “software should run with the least necessary privilege.” Clearly, the operating system should support a standard user or administrator with UAC fully enabled. The proof-of-concept code to exploit this shortcoming has already been published.
Windows 7 is great stuff, just don't forget to go to the control panel and turn security on.
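The Control Panel slider described above writes its choice to three registry values, so the setting can be audited and enforced from a script rather than checked by hand on each machine. The script below is an added example, not code from the original post; the mapping of slider positions to the `EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` values is my own understanding of Windows 7 and is not stated in the post.

```powershell
# Added example (not from the original post): report which UAC slider level a
# Windows 7 machine is running at, and optionally raise it to "Always notify".
# Run from an elevated PowerShell prompt. Value-to-level mapping is assumed
# from the Windows 7 UAC settings, not taken from the post.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Read a DWORD from the UAC policy key, falling back to the Windows default
# when the value has never been written.
function Get-UacValue([string]$Name, [int]$Default) {
    $props = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$Name]) { return [int]$props.$Name }
    return $Default
}

function Get-UacLevel {
    $enableLua = Get-UacValue 'EnableLUA' 1                  # 0 = UAC disabled entirely
    $consent   = Get-UacValue 'ConsentPromptBehaviorAdmin' 5 # how admins are prompted
    $secure    = Get-UacValue 'PromptOnSecureDesktop' 1      # 1 = prompt dims the desktop

    if ($enableLua -eq 0 -or $consent -eq 0) {
        return 'Never notify: elevation is silent (UAC effectively off)'
    }
    if ($consent -eq 2 -and $secure -eq 1) {
        return 'Always notify: prompt for every elevation on the secure desktop'
    }
    if ($consent -eq 5 -and $secure -eq 1) {
        return 'Default: notify only when non-Windows programs elevate'
    }
    if ($consent -eq 5 -and $secure -eq 0) {
        return 'Default without secure desktop: weakest level short of off'
    }
    return "Unrecognized combination: EnableLUA=$enableLua " +
           "ConsentPromptBehaviorAdmin=$consent PromptOnSecureDesktop=$secure"
}

# Move the machine to the highest slider position. EnableLUA only takes
# effect after a reboot; the other two apply to new elevation requests.
function Set-UacAlwaysNotify {
    Set-ItemProperty -Path $uacKey -Name 'EnableLUA'                  -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name 'ConsentPromptBehaviorAdmin' -Value 2 -Type DWord
    Set-ItemProperty -Path $uacKey -Name 'PromptOnSecureDesktop'      -Value 1 -Type DWord
}

Write-Output ("Current UAC level: " + (Get-UacLevel))
# Uncomment to enforce the recommended setting, then reboot:
# Set-UacAlwaysNotify
```

Because these values live under HKLM, a standard user can read the current level but cannot change it, which is the point: the setting should be managed by an administrator or Group Policy, not by whatever runs in the user's session.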