Windows 7 has enjoyed favorable adoption, yet many IT admins are now struggling with the platform's new security features. I've received plenty of e-mails to that effect with readers asking about the security changes (or deltas) between Windows Vista and Windows 7, as well as for my configuration recommendations.
I typically avoid Microsoft-only columns, as I'm a full-time employee of the company. However, because security is my area of expertise, and given the overwhelming number of requests from readers, I've decided to do a three-part series on Windows 7 security. This week, I'll take a look at some of the aforementioned security deltas, and I'll share my recommendations.
User Account Control
UAC is one of the most notable updated features in Windows 7. It prompts less frequently for low-risk administrative actions by default, but it allows admins to modify the prompt sensitivity using a slider bar.
Recommendation: Your domain environment should already be at the highest and most secure level. If it isn't, make it so. That way, users will be prompted to input their passwords to perform high-risk administrative actions. No matter what else, UAC should be enabled.
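The recommendation above maps to a handful of UAC policy DWORDs under HKLM that the slider and the corresponding Group Policy settings write. The following PowerShell audit is an added example (not from this column) that reads those values, fills in the Windows 7 defaults for any that are absent, and reports where a machine falls short of the recommended configuration: UAC enabled, elevation prompts shown on the secure desktop, and both administrators and standard users asked for credentials rather than a consent click. The value meanings in the comments are the documented ones; the function names are my own.

```powershell
# Added example (not the column's code): audit UAC policy on the local machine.
# Read-only; run from an elevated PowerShell prompt so HKLM policies are readable.

function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # A value missing from the registry means "Windows 7 default applies".
    function Get-Value($name, $default) {
        $v = $p.$name
        if ($v -eq $null) { $default } else { [int]$v }
    }

    New-Object PSObject -Property @{
        # 1 = UAC enabled, 0 = disabled (admins always run with a full token)
        EnableLUA                  = Get-Value 'EnableLUA' 1
        # Admin Approval Mode prompt: 0 = elevate silently, 1 = credentials on secure
        # desktop, 2 = consent on secure desktop, 3 = credentials, 4 = consent,
        # 5 = consent for non-Windows binaries only (Windows 7 default)
        ConsentPromptBehaviorAdmin = Get-Value 'ConsentPromptBehaviorAdmin' 5
        # Standard users: 0 = auto-deny, 1 = credentials on secure desktop, 3 = credentials
        ConsentPromptBehaviorUser  = Get-Value 'ConsentPromptBehaviorUser' 3
        # 1 = prompts are drawn on the secure desktop, isolated from other apps
        PromptOnSecureDesktop      = Get-Value 'PromptOnSecureDesktop' 1
    }
}

function Test-UacPolicy {
    param($policy = (Get-UacPolicy))
    $findings = @()

    if ($policy.EnableLUA -ne 1) {
        $findings += 'EnableLUA is 0: UAC is disabled entirely.'
    }
    if ($policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: administrators elevate with no prompt at all.'
    }
    elseif ($policy.ConsentPromptBehaviorAdmin -ne 1) {
        $findings += ('ConsentPromptBehaviorAdmin is {0}; recommended 1 (prompt for credentials on the secure desktop).' -f $policy.ConsentPromptBehaviorAdmin)
    }
    if ($policy.ConsentPromptBehaviorUser -ne 1) {
        $findings += ('ConsentPromptBehaviorUser is {0}; recommended 1 (prompt for credentials on the secure desktop).' -f $policy.ConsentPromptBehaviorUser)
    }
    if ($policy.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is 0: prompts can be overlaid or spoofed by other windows.'
    }

    New-Object PSObject -Property @{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
        Policy    = $policy
    }
}

# Usage: print the policy values and any findings.
$result = Test-UacPolicy
$result.Policy | Format-List
if ($result.Compliant) { 'UAC policy matches the recommended configuration.' }
else { $result.Findings }
```

In a domain, fix findings through Group Policy rather than by editing the registry directly: the values correspond to the "User Account Control: ..." entries under Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, and a local edit is overwritten at the next policy refresh.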
BitLocker Drive Encryption
In Windows 7, BitLocker Drive Encryption technology is extended from OS drives and fixed data drives to include removable storage devices such as portable hard drives and USB flash drives. This expansion is called BitLocker to Go.
In Windows Vista SP1, Microsoft added official support for encrypting fixed data drives, but it could only be done using command-line tools. Now you can encrypt operating system volumes, fixed data drives, and USB flash drives via the Windows Explorer GUI. Moreover, you can use smart cards to protect data volumes, and you can set up data recovery agents to automatically back up BitLocker keys.
If you're using a Trusted Platform Module (TPM) chip, you can enforce a minimum PIN length; five characters should suffice for most environments.
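To verify the points in this section on a fleet, an admin needs two things: per-volume protection state (OS, fixed and removable drives) and the startup-PIN policy. The PowerShell below is an added example, not the column's or Microsoft's code: it parses the report that the Windows 7 command-line tool manage-bde -status prints, flags volumes that are not protected, and reads the MinimumPIN policy value under HKLM:\SOFTWARE\Policies\Microsoft\FVE (the registry value written by the "Configure minimum PIN length for startup" policy) to compare it with the five-character floor suggested above. The sample manage-bde output embedded in the block is constructed to follow the tool's layout; the function names are my own.

```powershell
# Added example (not from the column): BitLocker status and PIN-policy check.

# Parse "manage-bde -status" text into one object per volume.
function ConvertFrom-ManageBdeStatus {
    param([string[]]$Lines)
    $volumes = @()
    $current = $null
    $inProtectors = $false
    foreach ($line in $Lines) {
        if ($line -match '^Volume\s+([A-Z]:)') {
            $current = New-Object PSObject -Property @{
                Volume = $matches[1]; ConversionStatus = ''; ProtectionStatus = ''; KeyProtectors = @()
            }
            $volumes += $current
            $inProtectors = $false
        }
        elseif ($current -eq $null) { continue }
        elseif ($line -match '^\s*Conversion Status:\s*(.+)$')  { $current.ConversionStatus = $matches[1].Trim() }
        elseif ($line -match '^\s*Protection Status:\s*(.+)$')  { $current.ProtectionStatus = $matches[1].Trim() }
        elseif ($line -match '^\s*Key Protectors:')               { $inProtectors = $true }
        elseif ($inProtectors -and $line -match '^\s+(\S.*)$')    { $current.KeyProtectors += $matches[1].Trim() }
        elseif ($line.Trim() -eq '')                               { $inProtectors = $false }
    }
    $volumes
}

# Read the minimum startup PIN length set by policy ($null when no policy is set).
function Get-BitLockerMinimumPin {
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($fve -and $fve.MinimumPIN) { [int]$fve.MinimumPIN } else { $null }
}

# Produce findings for the parsed volumes and the PIN policy.
function Test-BitLockerState {
    param($Volumes, $MinimumPin, [int]$RequiredPin = 5)
    $findings = @()
    foreach ($v in $Volumes) {
        if ($v.ProtectionStatus -ne 'Protection On') {
            $findings += ('{0}: {1} ({2}).' -f $v.Volume, $v.ProtectionStatus, $v.ConversionStatus)
        }
        if (($v.KeyProtectors -contains 'TPM And PIN') -and ($MinimumPin -eq $null -or $MinimumPin -lt $RequiredPin)) {
            $findings += ('{0} uses TPM and PIN but the minimum PIN policy is {1}; recommended at least {2}.' -f $v.Volume, $MinimumPin, $RequiredPin)
        }
    }
    $findings
}

# Constructed sample in the layout of "manage-bde -status" (not captured from a real host).
$sample = @'
Volume C: [OS]
[OS Volume]

    Size:                 100.00 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM And PIN
        Numerical Password

Volume E: [USBKEY]
[Data Volume]

    Size:                 7.45 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
'@ -split "`r?`n"

# Dry run against the sample: volume E: is reported as unprotected, and C: is
# flagged if no minimum PIN policy of 5 or more is set on this machine.
Test-BitLockerState -Volumes (ConvertFrom-ManageBdeStatus $sample) -MinimumPin (Get-BitLockerMinimumPin)

# Live run on the local machine (requires an elevated prompt):
# Test-BitLockerState -Volumes (ConvertFrom-ManageBdeStatus (manage-bde -status)) -MinimumPin (Get-BitLockerMinimumPin)
```

The PIN finding is only raised for volumes that actually carry a "TPM And PIN" protector, because the policy has no effect on volumes protected by the TPM alone or by a password; check the key-protector list first when the finding is unexpected.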