Windows 7 RTM Review: Improvements But Security Issues Remain

Applications can be approved in several different ways. For granular application identification, I could base policy on an application’s hash (best for uncertified applications), on an application’s publisher (for signed applications) or on the file system path to the executable – either the file or the folder.

Windows 7 makes it easy to get started because the Group Policy editor includes a couple of simple ways to generate rules. I could create a set of default rules with one click: allowing everyone to run programs located in the Windows and Program Files directories, and allowing local Administrators to run all files.

This usage scenario makes an interesting companion to UAC and least-privilege computing. If AppLocker means a limited-rights user can run only programs found in permitted folders, and a tight UAC implementation bars users from writing to those folders, then it becomes difficult to use social engineering to trick someone into mistakenly installing bad or unwanted code.

For more granular controls, administrators can automatically generate rules. For example, I could specify a folder (such as Program Files), and a wizard would identify all executable content of the appropriate type, basing the policy either on a hash or on the path. I could further limit the scope of the policy by allowing only digitally signed executables.

These kinds of granular rules are more effective and restrictive, but keep in mind that they will require much more maintenance, as patching or upgrades will necessitate a refresh of policy settings.

One potential problem with AppLocker is that it requires one special service to be running to provide enforcement – the Application Identity service. First of all, administrators must make sure that the service starts automatically, and then they must make sure the service continues running.

Often, security providers add watchdog protections to ensure that a critical security service stays up in the face of attack, but I'm not sure Windows takes those measures. Nothing alerts the user or administrator when the service is not running even though AppLocker policies are present.
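The gap described above (enforce-mode AppLocker rules present, but the Application Identity service stopped or not set to start automatically) can be checked from PowerShell. This is an added example, not code from the review; it assumes the AppLocker PowerShell module is available (Windows 7 / Server 2008 R2 or later) and an elevated prompt, and the function name Test-AppLockerEnforcement is my own.

```powershell
# Added example: verify that AppLocker enforcement is actually live on this machine.
# Assumes the AppLocker module (ships with Windows 7 / Server 2008 R2 and later) and an elevated session.
Import-Module AppLocker

function Test-AppLockerEnforcement {
    # AppIDSvc is the service name of "Application Identity", which applies AppLocker rules.
    $svc = Get-Service -Name AppIDSvc -ErrorAction Stop
    # Win32_Service exposes the start mode as Auto / Manual / Disabled.
    $startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'").StartMode

    # The effective policy merges local and domain AppLocker settings into one XML document.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $collections = @($policy.AppLockerPolicy.RuleCollection | Where-Object { $_ })
    $enforced = @($collections | Where-Object { $_.EnforcementMode -eq 'Enabled' })
    $ruleCount = ($collections | ForEach-Object { @($_.ChildNodes).Count } | Measure-Object -Sum).Sum

    $result = [PSCustomObject]@{
        ServiceStatus       = $svc.Status
        ServiceStartMode    = $startMode
        EnforcedCollections = ($enforced | ForEach-Object { $_.Type }) -join ','
        RuleCount           = $ruleCount
        Gap                 = $false
    }
    # The condition the review warns about: rules are set to enforce, yet nothing is enforcing them.
    if ($enforced.Count -gt 0 -and ($svc.Status -ne 'Running' -or $startMode -ne 'Auto')) {
        $result.Gap = $true
    }
    return $result
}

$r = Test-AppLockerEnforcement
$r | Format-List
if ($r.Gap) {
    Write-Warning "AppLocker rules are in enforce mode but AppIDSvc is $($r.ServiceStatus) (start mode: $($r.ServiceStartMode))."
    # Remediation: set the service to start automatically and start it now.
    # sc.exe is used rather than Set-Service because on newer Windows releases
    # AppIDSvc is a protected service whose start type Set-Service cannot change.
    & sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
}
```

Run it on a schedule or from a monitoring agent so that a stopped service is reported rather than silently leaving the policy unenforced.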

Disk encryption with BitLocker

Windows 7 adds removable disk encryption capabilities to the most expensive editions – Ultimate and Enterprise. Called BitLocker To Go, the utility builds encryption and key management into the USB drive itself, allowing easy sharing of protected data with other Windows 7 instances. Users need only enter the password they specified when they first encrypted the drive.

BitLocker To Go-protected drives can also be accessed on older versions of Windows, as the utility includes a reader on the USB stick itself. When inserted into a Windows XP- or Vista-based system, the drive presents the reader to the user.

Run the reader, enter the protection password, and you can read the data or copy it locally. When inserted in a Mac, on the other hand, you see dozens of files, but you can’t access the protected content or manipulate the visible files.


Andrew Garcia eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
