Windows 7 Security Enhancements (presentation uploaded by Presentologics)

All rights reserved. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
User Account Control (UAC) was introduced in Windows Vista to give customers more control over their systems: it lets IT administrators lock a machine down for certain users by running them in standard, non-privileged user accounts.
UAC delivered on this goal in the Windows Vista timeframe, and customers continue to value the ability to create a standard user and be confident that an administrator decides what software is added to the system and which changes are allowed. However, we received substantial feedback about the number of notifications generated for changes. In Windows 7 we have invested in addressing that feedback while preserving the guarantees that let IT administrators trust a standard-user environment.
We have made the Windows operations that users perform most often possible from a standard user account, with the goal of prompt-free daily activity. For example, a standard user can now adjust the screen DPI (text size) for their own session without having to change it for the entire system. We have also removed duplicate notifications for common activities such as installing an application downloaded with Internet Explorer, and we have made it easier for IT staff to inspect key system settings without administrative privileges by refactoring many Control Panel applets into separate read-only and write sections.
We believe the new default setting (notify only when a program tries to make changes to the computer, not when the user changes Windows settings) strikes the right balance: it establishes an ecosystem in which a broad range of ISV software runs in a standard user environment while still giving administrators control over how Windows is configured.

One of the most time-consuming challenges reported by the network administrators we talk to is ensuring that computers connecting to private networks are up to date and meet health policy requirements.
This task is commonly referred to as maintaining computer health, yet failing to keep network-connected computers up to date is one of the most common ways the integrity of a network is jeopardized. Windows 7 adds no major features to Network Access Protection (NAP), but NAP remains a core Windows technology whose components let you enforce compliance with health requirement policies before granting network access or communication.
A running process contains many memory regions that hold data rather than executable code: the stack, the heap, data sections. Attackers target these regions for code injection: a memory-corruption bug such as a buffer overflow lets them write arbitrary bytes into such a region and then redirect execution into it. Data Execution Prevention (DEP) is a security technique that prevents code from executing from data pages by marking those pages non-executable, so that even if injected bytes land there the processor refuses to run them.
When DEP is combined with ASLR (covered below), exploiting an application through memory corruption becomes much harder: the attacker can neither run injected bytes where they landed nor reliably predict where existing code lives. DEP support is present in Windows 7 but is opt-in, i.e. under the default OptIn policy it is enforced only for Windows system binaries and for applications that declare compatibility at link time (/NXCOMPAT). An administrator can enable it system wide (the AlwaysOn policy, set with bcdedit /set nx AlwaysOn) or on a per-application basis from the Data Execution Prevention tab in System Properties. Hardware-enforced DEP marks every memory page as non-executable by default unless that page explicitly contains executable code.
This helps prevent attacks that try to execute code placed in non-executable memory. Hardware DEP relies on the processor's no-execute page-table bit (NX on AMD, XD on Intel): the attribute is recorded in the page-table entry for each page and checked by the CPU on every instruction fetch.
Software-enforced DEP is simpler than the hardware variant and narrower in scope. It runs on any processor that can run Windows 7,
but it protects only a limited set of system binaries, and what it guards is the exception-handling mechanism rather than data pages: before dispatching an exception it checks that the handler is registered in the module's SafeSEH table, which defeats SEH-overwrite attacks rather than code execution from the stack or heap. A "DEP enabled" report on a machine without NX hardware should therefore not be read as protection against classic shellcode.
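To make the DEP behaviour above concrete, here is an added example (not from the presentation) in C for Linux, where mmap and mprotect play the roles that VirtualAlloc and VirtualProtect play on Windows. It writes a constructed payload that simply returns 42 into a writable data page, calls it, and shows the CPU's no-execute check refusing (the fault is caught as SIGSEGV and reported as -1); it then makes the same page executable and calls it again. The payload bytes, the function name dep_probe and the -1/-2 status codes are my own choices.

```c
/* dep_probe.c -- added example (not from the page): what DEP/NX enforces.
 * Constructed "payload": machine code that returns 42, standing in for shellcode
 * an attacker would write into a data page through a buffer overflow.
 * Linux/POSIX; mmap/mprotect here correspond to VirtualAlloc/VirtualProtect.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if defined(__x86_64__) || defined(__i386__)
static const unsigned char k_payload[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char k_payload[] = { 0x40, 0x05, 0x80, 0x52,            /* mov w0,#42 */
                                           0xC0, 0x03, 0x5F, 0xD6 };          /* ret        */
#else
#error "payload bytes only provided for x86 and AArch64"
#endif

static sigjmp_buf g_recover;

/* A fault while calling the payload means the CPU refused to fetch
 * instructions from a non-executable page; unwind back to the probe. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(g_recover, 1);
}

/* Copy the payload into a fresh anonymous page and call it.
 * make_executable == 0: leave the page RW (the case DEP is meant to stop).
 * make_executable != 0: flip it to RX first (what a legitimate JIT does).
 * Returns the payload's value (42), -1 if execution was blocked, -2 on error. */
int dep_probe(int make_executable)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -2;
    memcpy(page, k_payload, sizeof k_payload);

    if (make_executable) {
        if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
            munmap(page, pagesz);
            return -2;
        }
        /* Needed on AArch64 so the instruction cache sees the new bytes. */
        __builtin___clear_cache((char *)page, (char *)page + sizeof k_payload);
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(g_recover, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* object pointer -> function pointer */
        result = fn();                   /* faults here if the page is not executable */
    } else {
        result = -1;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return result;
}

int main(void)
{
    printf("call into RW data page : %d (-1 means the NX check blocked it)\n", dep_probe(0));
    printf("call into RX page      : %d\n", dep_probe(1));
    return 0;
}
```

Build with `cc dep_probe.c -o dep_probe`. The first line prints -1 on any 64-bit system where the no-execute bit is honoured; if you see 42 on both lines, the data page was executable and shellcode-style payload would have run. The RW-to-RX flip in the second call is also why DEP alone does not stop return-oriented programming: an attacker who can reach VirtualProtect (or mprotect) with a chosen argument list performs this same step.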
Address space layout randomization (ASLR) makes common memory-based attacks such as buffer overflows and stack smashing harder to land. In older versions of Windows, essential system processes ran at predictable memory addresses, so an attacker could readily locate the critical parts of a process, including its stack, heap and loaded libraries.
Those addresses could then be hard-coded into a buffer overflow payload. ASLR was devised to remove that certainty: it randomizes the placement of the stack, heap, libraries and (for images linked with /DYNAMICBASE) the executable itself each time the process starts, so addresses cannot be predicted from one run to the next. ASLR has been available since Windows Vista, and Windows 7 fully supports ASLR-aware applications and libraries, but randomization is per image: a single DLL in the process that was not linked with /DYNAMICBASE loads at its preferred base and hands the attacker a fixed address to work from.

The SEH overwrite exploit was first demonstrated on Windows XP and has since become one of the most widely used techniques in the attacker's arsenal.
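As an added example that is not part of either article, the following C program measures the effect the ASLR paragraphs above describe rather than asserting it: it launches cat twice to dump its own memory map, parses the start address of the stack, heap and C library, and counts how many of them moved between the two launches. It is Linux-specific (the Windows equivalent would be comparing module bases across two launches in Process Explorer). The maps text embedded for the parser is constructed sample data, and region_start and aslr_regions_moved are names I chose.

```c
/* aslr_probe.c -- added example (not from the page): observe ASLR from outside.
 * Spawns the same program twice (/bin/cat printing its own /proc/self/maps),
 * parses the start address of a few regions, and reports how many moved
 * between the two runs.
 */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of /proc/<pid>/maps (not captured from a real host),
 * used to exercise the parser below. */
const char k_sample_maps[] =
    "55d1c8e00000-55d1c8e06000 r-xp 00000000 08:01 123 /bin/cat\n"
    "55d1c9a3b000-55d1c9a5c000 rw-p 00000000 00:00 0 [heap]\n"
    "7f1a2b400000-7f1a2b5c8000 r-xp 00000000 08:01 456 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffd3e1a0000-7ffd3e1c1000 rw-p 00000000 00:00 0 [stack]\n";

/* Start address of the first maps line whose text contains `needle`
 * ("[stack]", "[heap]", a library name), or 0 if there is none.
 * Each line begins "start-end perms offset dev inode path". */
uintptr_t region_start(const char *maps, const char *needle)
{
    const char *line = maps;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (memmem(line, len, needle, strlen(needle)) != NULL)
            return (uintptr_t)strtoull(line, NULL, 16);
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Read the maps of a freshly spawned cat; /proc/self there is cat's own. */
static int read_child_maps(char *buf, size_t cap)
{
    FILE *p = popen("/bin/cat /proc/self/maps", "r");
    if (!p)
        return -1;
    size_t n = fread(buf, 1, cap - 1, p);
    buf[n] = '\0';
    pclose(p);
    return n > 0 ? 0 : -1;
}

/* Number of tracked regions whose start address differed between two runs
 * (stack, heap and libc should all move under ASLR); regions absent from
 * either run are skipped; -1 if the maps could not be read. */
int aslr_regions_moved(void)
{
    static const char *tags[] = { "[stack]", "[heap]", "libc" };
    static char a[65536], b[65536];
    if (read_child_maps(a, sizeof a) != 0 || read_child_maps(b, sizeof b) != 0)
        return -1;
    int moved = 0;
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++) {
        uintptr_t x = region_start(a, tags[i]);
        uintptr_t y = region_start(b, tags[i]);
        if (x && y && x != y)
            moved++;
    }
    return moved;
}

int main(void)
{
    int moved = aslr_regions_moved();
    if (moved < 0) {
        puts("could not read /proc/self/maps of the child");
        return 1;
    }
    printf("%d of 3 tracked regions changed address between two runs of cat\n", moved);
    puts(moved ? "ASLR appears to be active" : "fixed addresses: ASLR off or unsupported");
    return 0;
}
```

The "libc" tag is a substring match, so it also hits libcrypto and friends; that is fine for a yes/no probe but use the full soname if you need a specific module. The same idea carries over to Windows: if a module's base is identical across two launches, it was not linked with /DYNAMICBASE and is the first place to look for gadgets.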
Several exploit frameworks, including Metasploit, use SEH-overwrite techniques to execute code remotely. The attack subverts the 32-bit structured exception handling (SEH) mechanism in Windows, in which each function that installs a handler pushes an exception registration record onto the stack and links it into a per-thread chain.
The exception registration record has two fields: a pointer to the next record and a pointer to the handler function. Because the record sits on the stack, a stack buffer overflow can overwrite the handler pointer; the attacker then forces an exception (for example by overflowing far enough to touch an unmapped page) so that the exception dispatcher, walking the chain, calls the attacker's chosen address. There are two methods to stop SEH exploits: SafeSEH, a link-time table of valid handlers that the dispatcher checks before calling one, and SEHOP, a runtime check that walks the whole chain and refuses to dispatch unless it still terminates in the final handler. SEHOP is available in Windows 7 but is off by default on client editions and on by default on Windows Server 2008 R2.

UAC makes all user accounts run with standard-user rights, even administrator accounts.
If you need to do something that requires admin privileges, it asks for permission. And asks. This in-your-face aspect of UAC has caused numerous complaints and has led some users to turn it off completely, which exposes them to threats (and also disables Internet Explorer's Protected Mode, which depends on UAC's integrity levels). In Windows 7, UAC is still there, but now you can configure how "vocal" it will be. You can set UAC to:
I didn't use BitLocker much in Vista. At first, it would encrypt only the operating system drive. That's nice for laptops, but I didn't need it for my desktop because that machine is physically secure. Then Service Pack 1 added the ability to encrypt other drives, and that was nice, but it applied only to fixed hard disks. What I really needed to encrypt were my thumb drives and flash cards and USB drives, since they're removable and portable and more likely to get lost or stolen. For more details about the BitLocker improvements and step-by-step screenshots of how to encrypt a drive with BitLocker in Windows 7, see this article.
Also note that, as with Vista, BitLocker is not included in the Home editions of Windows 7; it ships only in the Ultimate and Enterprise editions.

A brand new feature in Windows 7 is DirectAccess, which lets remote users connect securely to their corporate network over the Internet without a traditional VPN. It requires a Windows Server 2008 R2 DirectAccess server and Windows 7 Enterprise or Ultimate on the client.
Administrators can apply Group Policy settings, manage the mobile computers and push updates to them whenever the machines are connected to the Internet, regardless of whether a user is logged on, because the infrastructure tunnel is established when the machine boots rather than when the user signs in.
DirectAccess also supports multifactor authentication with smart cards, and it protects traffic with IPsec over IPv6; where the client only has IPv4 connectivity, the IPv6 traffic is tunneled with 6to4, Teredo or IP-HTTPS.

Biometrics, the use of a fingerprint, retinal scan, DNA or other unique physiological feature to identify the user, is often held up as the strongest method of authentication. One caveat is worth keeping in mind: a compromised fingerprint cannot be revoked the way a password or smart card can, so it is best combined with a second factor. Windows 7 adds the Windows Biometric Framework so that fingerprint readers can be used for logon through a common API rather than vendor-specific software.