More Work to Be Done
As far as Microsoft has come with security, its not perfect. No operating system ever will be. Still, it can't hurt to try so here is a look at some of the areas that Windows 7 is lacking and perhaps some ideas for Microsoft to work on for Windows 8.
1. Windows Firewall. The Windows Firewall is an area where Microsoft has come a long (long) way from its original attempt at incorporating personal firewall protection into the operating system. One of the primary complaints about earlier versions was that it only restricted inbound traffic and did not provide any mechanism for blocking or filtering traffic outbound from the Windows PC. Microsoft has addressed that.
nCircle's Tyler Reguly says "As a personal choice, I won’t use third-party firewall software. I find them to be too resource-intensive and too much of a pain. So, I would love it if the Windows Firewall was more powerful."
I should note, though, that perhaps there is a correlation between "more powerful" and "resource-intensive". Perhaps the reason third-party personal firewalls eat up more resources is related to the more comprehensive protection they provide.
This may be an area where Microsoft simply needs to strike the right balance between security and performance.
2. Hidden File Extensions. Microsoft continues to hide known file extensions by default. In other words, rather than displaying a full file name like 'pcworld.docx', Windows will only display 'pcworld'.
The idea is to make things more simple or user-friendly. We don't want to confuse the end-user with frivolous details like 'docx', or 'xls', or 'mp3'.
Chet Wisniewski points out, though, that hiding the file names is a security concern as well. He says that hiding file extensions "makes it much easier for email Trojans to use double extensions to trick users into launching their payload. Files named FinancialStatement.doc.exe will appear to the user as FinancialStatement.doc with an EXE icon."
3. XP Mode Virtualization. Windows XP Mode virtualization can be a savior for situations where there are legacy hardware devices or software applications that won't work under Windows 7. The system can still be upgraded to Windows 7, but the incompatible hardware or software can be run in a virtual Windows XP environment.
The operative concern here, though, is that it is a complete Windows XP environment that is not protected in any way by the Windows 7 security controls. Wisniewski explains "Windows XP Mode introduces another layer of complexity for securing a Windows desktop. Because a total virtual machine (VM) is running on your PC that requires you to run a full security suite within that VM and manage that appropriately."
Wisniewski also notes that "By default Windows auto-maps drives from your XP virtual machine to your Windows 7 machine. This could be a major malware vector if not properly protected."
The ever-popular UAC (User Account Control) gets an honorable mention as a pro and a con. Although it has been both presented and perceived as a security control, UAC is more about enforcing sound software development practices. Security is sort of a fringe benefit.
Tyler Reguly likes the changes Microsoft has made for UAC with Windows 7. "The decreased interruptions will mean more people will leave UAC on, this is definitely a benefit. It ends up being more functionality, less security, but can still be seen as an improvement in security overall."
Chet Wisniewski counters by pointing out that UAC is not really a security function in the first place, but also comments that " Microsoft does need to continue to use UAC to encourage developers to follow proper privilege separation models, because this can help Microsoft make a more secure Windows, but it should not be positioned as a feature to the end-user."