By Dameon D. Welch-Abernathy, CISSP, Check Point employee, also known as PhoneBoy of the PhoneBoy.com Blog
Windows 7 is the first Windows release since Windows 95 I have been impressed with. I've been using it on my kids' computers since the public beta was released in January. It has been an exceptionally stable and fast operating system, more so than Windows XP and Vista.
As bright and shiny as a new operating system is, one must also carefully consider the security implications of moving to a new operating system. In the early stages of the beta, there were few, if any, choices for antivirus, antimalware, and other security tools. Now, as Windows 7 nears commercial release on October 23rd, Check Point as well as other vendors have security solutions that are ready for the new operating system.
Meanwhile, Windows 7 itself brings some important security features and raises one important concern. These features do not eliminate the need for security solutions such as ZoneAlarm Extreme Security 2010, but they are important additions nonetheless.
User Account Control (UAC)
The idea behind UAC is to run the account as a normal user but only elevate rights to administrator precisely when needed. When administrative rights are needed, a confirmation dialog appears asking you to confirm the action. If you are not an administrator user, you are prompted to enter the username and password of such a user.
This feature premiered in Windows Vista, but was considered annoying because it prompted for every change that required administrative rights. Those constant prompts led many people to disable the feature, reducing their overall security. In Windows 7, UAC is enabled, but fewer actions require a prompt confirming your action. A four-color shield icon appears next to tasks in the Control Panel and on buttons in dialogs where administrative rights are needed to complete the action.
UAC is an important security feature. If an unauthorized or unknown program runs and attempts to modify the system in some way, it is not allowed to do so. If the program requests higher privileges, UAC prompts you, asking for confirmation to run the program. The user can say no, thus thwarting the attempt. However, a malicious program that runs as a normal user can still potentially affect your personal data files, which do not require administrative rights to access.
Internet Explorer 8
Windows 7 ships with Internet Explorer 8, which incorporates some security features. It includes the Protected Mode from Internet Explorer 7 (which only operated in Windows Vista), ActiveX Opt-in (also from Internet Explorer 7, which blocks the automatic installation of ActiveX controls) and a private browsing mode.
Protected Mode is a sandbox for the browser itself. The rights of the browsing process in Protected Mode are even more limited than a normal user, allowing the browser to write only in the Temporary Internet Files directory. It cannot install start-up programs or make any configuration changes without going through a broker process.
IE8 also includes a private browsing mode similar to what is included in Safari, Firefox 3.5, and Google Chrome. Specifically, it prevents one's browser history, temporary Internet files, form data, cookies, and login information from being retained by the browser.
ZoneAlarm ForceField provides more comprehensive protection for both Internet Explorer and Firefox. The entire browser session is sandboxed and can simply be discarded when the web browser closes, providing protection from unauthorized software installations and complete privacy by erasing your cache, cookies, history, and passwords.
BitLocker
A feature present in the Enterprise and Ultimate editions of Windows 7 is BitLocker. It encrypts all the data on your hard drive so that, if the computer is stolen, the data on the drive is protected from prying eyes. It is primarily aimed at corporate customers; home users will typically not have access to this feature unless they purchase the Enterprise or Ultimate edition of Windows.
ZoneAlarm Extreme Security 2010 makes this feature available to everyone, regardless of the version of Windows you bought, and regardless of whether you are using Windows 7 or are sticking with Windows XP or Vista.
64-Bit Windows
Microsoft decided to make some changes to how Windows works to increase security. Because these changes break programs and drivers that previously worked, Microsoft decided to implement these features only in the 64-bit versions of Windows to give software vendors the opportunity to update their software to work with the new restrictions.
64-bit Windows has been around for a few years, but only recently began showing up in consumer PCs. The main reason: users were starting to bump into the 4 GB RAM limit of 32-bit architectures. 64-bit systems can address substantially more RAM, thus more vendors are shipping systems with 64-bit Windows installed by default.
In 64-bit Windows, all hardware and software drivers must be digitally signed by Microsoft. This makes it more difficult for an unknown or malicious driver to be installed in your system.
Data Execution Prevention is also enabled by default. This takes advantage of a feature present on 64-bit processors, which allows programs to mark data segments as "no execute." This makes it more difficult for buffer overflows to cause malicious code to run.
Finally, 64-bit Windows enables PatchGuard by default. In short, it prevents programs from dynamically patching the kernel in memory. This prevents rootkits and the like from installing themselves in the kernel.
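As an added example (not code from the original post, Check Point or ZoneAlarm), the following PowerShell script audits the features this article covers, UAC, IE Protected Mode, the 64-bit-only protections, DEP policy and BitLocker, on a Windows 7 machine. It assumes an elevated PowerShell 2.0 prompt, and the "expected" values it compares against are my own baseline assumptions.

```powershell
# Audit of the Windows 7 security features discussed in this article.
# Added example, not from the original post. Assumes Windows 7, PowerShell 2.0
# and an elevated prompt (bcdedit and manage-bde need administrative rights).
# The pass/fail thresholds below are the author-of-this-example's baseline.

$results = New-Object System.Collections.ArrayList
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    [void]$results.Add((New-Object PSObject -Property @{ Check = $Name; Pass = $Ok; Detail = $Detail }))
}

# 1. UAC. EnableLUA=1 means UAC is on. ConsentPromptBehaviorAdmin=5 is the
#    Windows 7 default (prompt only for non-Windows binaries), 2 is the stricter
#    Vista-style "always prompt", 0 elevates silently and defeats UAC.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Add-Check 'UAC enabled' ($pol.EnableLUA -eq 1) "EnableLUA=$($pol.EnableLUA)"
Add-Check 'UAC prompts administrators' ($pol.ConsentPromptBehaviorAdmin -ne 0) `
    "ConsentPromptBehaviorAdmin=$($pol.ConsentPromptBehaviorAdmin)"

# 2. IE Protected Mode for the Internet zone (zone 3): value 2500 is 0 when on, 3 when off.
$zone = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
Add-Check 'IE Protected Mode (Internet zone)' ($zone.'2500' -eq 0) "2500=$($zone.'2500')"

# 3. Architecture: mandatory driver signing and PatchGuard only apply on 64-bit Windows.
$os = Get-WmiObject Win32_OperatingSystem
Add-Check '64-bit Windows' ($os.OSArchitecture -eq '64-bit') $os.OSArchitecture

# 4. DEP policy from the boot configuration. OptIn (the default when no "nx" line
#    is printed) covers only Windows binaries and opted-in programs; OptOut or
#    AlwaysOn protects every process.
$nx = bcdedit /enum '{current}' | Select-String '^nx\s+(\S+)' | Select-Object -First 1
$nxMode = if ($nx) { $nx.Matches[0].Groups[1].Value } else { 'OptIn (default)' }
Add-Check 'DEP policy is OptOut or AlwaysOn' ($nxMode -match '^(OptOut|AlwaysOn)$') $nxMode

# 5. BitLocker on the system drive. manage-bde prints "Protection Status: Protection On"
#    for an encrypted, protected volume; on editions or drives without BitLocker it
#    reports "Protection Off" or fails, and the check simply records that.
$bde = (manage-bde -status $env:SystemDrive 2>&1 | Out-String)
$bdeDetail = if ($bde -match 'Protection Status:\s*(\S.*)') { $Matches[1].Trim() } else { 'manage-bde unavailable' }
Add-Check 'BitLocker on system drive' ($bdeDetail -eq 'Protection On') $bdeDetail

$results | Format-Table Check, Pass, Detail -AutoSize
```

A failed UAC or Protected Mode check is the one to treat as urgent, since those are the protections the article relies on for everyday accounts; the DEP and BitLocker rows depend on edition and hardware.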
The TCP/IP Stack
The TCP/IP stack in Windows XP evolved directly from the TCP/IP stack present in Windows NT 4.0. It has had more than two decades' worth of abuse by the hackers of the world. That doesn't mean it isn't susceptible to security issues, but it has also had the benefit of two decades' worth of security patches and other improvements. It is a very mature implementation of TCP/IP.
In Windows Vista, Microsoft rewrote the TCP/IP stack from scratch, and Windows 7 uses this newer stack as well. This isn't to say the TCP/IP stack in Windows Vista or Windows 7 is less secure than the one in Windows XP; it is simply less mature. It quite simply hasn't had the benefit of two decades' worth of hacker review and security patches.
Summary
Microsoft has made some great strides in making a secure, yet useful operating system. However, the hackers will continue to find ways to bypass whatever security measures the operating system puts in place. Operating systems, by their nature, do not evolve as quickly as threats do.
Fortunately, security software such as ZoneAlarm Extreme Security 2010 can react and evolve quickly to protect you from whatever the hackers of the Internet throw your way.