The Ultimate Guide to Windows 7 Security
Naturally, application and Website compatibility issues will guide how quickly Windows shops can move to the new browser -- but run some tests. I have no shortage of clients who are still clinging to IE 6 and haven't conducted any compatibility testing in over a year. Often when I goad them into retesting their troublesome application with IE 8, it works.
Multiple active firewall policies . Prior to Windows 7, when a user had multiple network interfaces active, only one Windows Firewall profile (i.e. Home, Domain, Work, or Public) could be used. This created potential security vulnerabilities, such as when a computer was both wired to the local network domain and connected to a less restricted wireless network. Windows 7 can now detect multiple networks and apply the appropriate firewall profile to the right interface.
Improved System Restore. System Restore now includes the user's personal content files. Older versions backed up and protected only the Windows system files. System Restore also allows you to see what files would be restored in each version of the System Restore files. It's not perfect, but it's nice to see what will occur if you were to choose a particular restoration point.
Smooth remote access . DirectAccess allows remote users to securely access enterprise resources (such as shares, Websites, applications, and so on) without connecting to traditional types of VPNs. DirectAccess establishes bidirectional connectivity with a user's enterprise network every time a user's DirectAccess-enabled portable computer connects to the Internet, even before the user logs on. The advantage here is that users never have to think about connecting to the enterprise network, and IT administrators can manage remote computers even when the computers are not connected to the VPN.
Once DirectAccess is enabled, when a user's computer connects to the Internet, it's as though he or she is on the organization's local network. Group policies work, remote management tools work, and automatic push patching works.
Unfortunately, DirectAccess has fairly involved requirements, including Windows Server 2008 R2 (to act as the RAS server), Windows 7 Enterprise or Ultimate clients, PKI, IPv6, and IPSec. But as companies put the necessary pieces into place, they should look into using DirectAccess as their default VPN technology for Windows 7 and later clients.
Managed Service Accounts . Service accounts are often highly privileged, but difficult to manage. Best-practice recommendations dictate changing service account passwords frequently, so as to avoid the risk of password attacks. However, Windows service accounts often require two or more coordinated, synchronized password changes in order for the service to continue running without interruption; prior to Windows 7 and Windows Server 2008 R2, service accounts were not easy to manage. If a service account is enabled as a Managed Service Account, Windows will take over the password management and simplify management of Kerberos SPN (Service Principal Names).
Like DirectAccess, Managed Service Accounts have a lot of requirements, including a schema update and mandatory use of PowerShell 2. Still, if service accounts are a hassle in your environment -- and you know they are -- consider enabling this new feature when your infrastructure is prepared.