Windows 7 Security: What You Need to Know, Part One
Recommendation: Companies should look into using DirectAccess as their default VPN technology for Windows 7 and later clients.
Managed Service Accounts
Service accounts are often highly privileged, but difficult to manage. Best-practice recommendations dictate changing service account passwords frequently, so as to avoid the risk of password attacks. However, Windows service accounts often require two or more coordinated, synchronized password changes in order for the service to continue running without interruption; prior to Windows 7 and Windows Server 2008 R2, service accounts were not easy to manage. If a service account is enabled as a Managed Service Account, Windows takes over the password management and simplifies Kerberos SPN (Service Principal Name) management.
Recommendation: Like DirectAccess, Managed Service Accounts have a lot of requirements, including a schema update and mandatory PowerShell 2 use. Still, if service accounts are a hassle in your environment -- and you know they are -- consider enabling this new feature when your infrastructure is prepared.
Virtual Service Accounts
Virtual Service Accounts (VSAs) are related to Managed Service Accounts in that Windows takes over the password management. However, VSAs are for local service accounts and don't require a schema update or nearly as much effort to configure and use.
When a VSA controls a service, the service accesses the network with the computer's identity (in a domain environment), which is much like what the built-in LocalSystem and Network Service accounts do, except that VSAs give each service its own separate security identity (and therefore isolation from other services).
Creating a Virtual Service Account is pretty easy. Open the Services console (services.msc) and change the service's logon account to NT SERVICE\ followed by the service's short name, for example NT SERVICE\ServiceName$. Then restart the service. That's it.
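The same change, scripted rather than clicked through services.msc, as an added example that is not part of the original article: it first lists the services on a host that still run under a password-bearing user or domain account (the candidates for MSA or VSA conversion), then moves one service onto its virtual account and verifies what the Service Control Manager recorded. The service name 'MyAppSvc' is an assumed placeholder; the script must run in an elevated session on Windows 7 / Server 2008 R2 or later.

```powershell
# Added example (not from the article): audit service logon accounts and move
# one service onto a Virtual Service Account. Uses Get-WmiObject and sc.exe so
# it also works on the PowerShell 2 hosts the article is written for.

function Get-PasswordManagedServices {
    # Services whose logon account is a real user or domain account, i.e. one
    # with a password somebody has to rotate. Built-in identities (LocalSystem,
    # NT AUTHORITY\* such as Network Service, NT SERVICE\* virtual accounts)
    # and Managed Service Accounts (names ending in '$') are excluded.
    Get-WmiObject Win32_Service |
        Where-Object {
            $_.StartName -and
            $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' -and
            $_.StartName -notmatch '\$$'
        } |
        Select-Object Name, StartName, State, StartMode
}

function Set-VirtualServiceAccount {
    param([Parameter(Mandatory = $true)][string]$ServiceName)

    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    # Virtual account name is NT SERVICE\<short service name>.
    $account = 'NT SERVICE\{0}' -f $svc.Name

    # sc.exe needs the space after 'obj='. No password is supplied: the SCM
    # owns the virtual account's credential, which is the point of a VSA.
    & sc.exe config $svc.Name obj= $account
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

    if ($svc.Status -eq 'Running') { Restart-Service -Name $svc.Name -Force }

    # Verify what the SCM actually stored instead of trusting the exit code.
    $after = Get-WmiObject Win32_Service -Filter ("Name='{0}'" -f $svc.Name)
    if ($after.StartName -ne $account) {
        throw "Logon account is '$($after.StartName)', expected '$account'"
    }
    $after | Select-Object Name, StartName, State
}

# List the candidates, then convert one (assumed service name 'MyAppSvc').
Get-PasswordManagedServices | Format-Table -AutoSize
# Set-VirtualServiceAccount -ServiceName 'MyAppSvc'
```

Run the audit first on a few machines before converting anything; a service that authenticates to remote resources with its own account will present the computer's identity after the change, so the ACLs on those resources need to be reviewed.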
Recommendation: When the infrastructure can support it, consider using Managed and Virtual Service Accounts functionality to manage service account password security.
That wraps up part one of my three-part series on Windows 7 security. Part two will cover some of the more exciting features, such as XP Mode and AppLocker.