Windows 7 security primer, part four

Roger Grimes wraps up his four-part series with a look at the improved Internet Explorer, smarter firewall, and more


EFS (Encrypting File System) has been improved in ways that go beyond newer ciphers (Windows 7 adds elliptic curve algorithms to the RSA-only choice of earlier versions). For one, the EFS private key can now be stored on a smart card. That not only protects the key better, since it never sits on the hard disk; it also makes the key portable between computers.

Administrators will be happy to know that they can prevent users from creating self-signed EFS keys. Previously, any user could turn on EFS simply by encrypting a file, and if no compatible PKI server (an enterprise certificate authority) could be found, Windows quietly generated a self-signed EFS certificate for that user. Users routinely encrypt files and never back up that certificate, and when the profile or the key is lost, the data is lost for good. Windows 7 lets the administrator either forbid self-signed keys outright, or allow them while mandating the cipher and a minimum key length, in which case Windows will keep prompting the user until the EFS certificate and its private key have been backed up to removable media or a network share. A Microsoft Web page details the EFS changes.
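The backup the prompt is asking for can also be done from a script. The following PowerShell is an added example, not code from the article or from Microsoft: it finds the current user's EFS certificate in the personal store (by the Encrypting File System enhanced-key-usage OID), reports whether it is self-signed, and exports it with its private key to a password-protected .pfx. The destination path and the choice to export only the first certificate are assumptions for the example.

```powershell
# Added example, not from the article. Run as the user who owns the EFS files.
# $BackupPath is an assumed destination; point it at removable media or a share
# that is itself protected, since the .pfx holds the private key.

$BackupPath = 'E:\efs-backup.pfx'
$EfsEkuOid  = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

function Test-EfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # True when the certificate's EKU extension lists the EFS purpose.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsEkuOid) { return $true }
            }
        }
    }
    return $false
}

function Get-EfsCertificate {
    # Only certificates with a private key can decrypt anything, so skip the rest.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and (Test-EfsCertificate $_) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                SelfSigned = ($_.Subject -eq $_.Issuer)   # no PKI server was found when EFS was first used
                Expires    = $_.NotAfter
                Cert       = $_
            }
        }
}

function Backup-EfsCertificate {
    param($Cert, [string] $Path)
    $secure = Read-Host -AsSecureString -Prompt 'Password to protect the exported key'
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # Export throws if the key was marked non-exportable when it was generated.
        $pfx = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $plain)
        [IO.File]::WriteAllBytes($Path, $pfx)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

$certs = @(Get-EfsCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No EFS certificate with a private key found; this user has not encrypted anything yet.'
} else {
    $certs | Format-Table Thumbprint, SelfSigned, Expires -AutoSize
    Backup-EfsCertificate -Cert $certs[0].Cert -Path $BackupPath
    "Backed up $($certs[0].Thumbprint) to $BackupPath"
}
```

The built-in equivalent is `cipher /x`, which prompts for a password and writes the same kind of .pfx; the script version is useful when you want to inventory which users are still running on self-signed certificates. Whichever you use, the .pfx is now the only thing standing between the user and their files, so store it somewhere the user will not lose along with the machine.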

Easily encrypted pagefile
Users who cannot use BitLocker but still want to keep the memory swap pagefile from being read in an offline sector-editing attack (passwords and other secrets paged out of RAM end up in pagefile.sys) no longer have to erase the pagefile at shutdown. Windows has long had a setting (Shutdown: Clear virtual memory pagefile) that wipes the pagefile at shutdown and rebuilds it on the next start. It is a good security feature, but it often delayed shutdown and startup, sometimes by as much as 10 minutes. In Windows 7 (and Vista) you can instead enable pagefile encryption. Better still, there is no key management: Windows generates the key at boot and discards it at shutdown, so the user cannot "lose" the key and there is never a recovery event. It's crypto security at its best. Note that the setting covers only the paging file; the hibernation file is not encrypted by it, which is one reason BitLocker remains the better choice where it is available.
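The two settings discussed above live in different places, which is why machines often end up with the slow wipe on and the encryption off. The following PowerShell is an added example, not code from the article or from Microsoft: it reads both settings, then turns encryption on and the shutdown wipe off. It uses the documented `fsutil behavior` switch for pagefile encryption and the `ClearPageFileAtShutdown` registry value behind the shutdown-wipe policy; it must run elevated, and neither change takes effect until the next reboot.

```powershell
# Added example, not from the article. Run from an elevated PowerShell prompt
# on Windows 7 (or later); both changes take effect after a reboot.

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-PagefileProtection {
    # ClearPageFileAtShutdown backs the "Shutdown: Clear virtual memory pagefile"
    # policy; it is absent or 0 unless someone turned the slow wipe on.
    $clear = (Get-ItemProperty -Path $MemMgmt -Name ClearPageFileAtShutdown `
              -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    if ($clear -eq $null) { $clear = 0 }

    # fsutil prints a line such as "EncryptPagingFile = 1"; pull out the digit.
    $text    = @(fsutil behavior query EncryptPagingFile) -join ' '
    $encrypt = if ($text -match '=\s*(\d)') { [int]$matches[1] } else { -1 }

    New-Object PSObject -Property @{
        ClearAtShutdown   = [int]$clear
        EncryptPagingFile = $encrypt
    }
}

function Enable-PagefileEncryption {
    # Per-boot EFS key, created by the kernel and discarded at shutdown: nothing
    # for the user to back up or lose. The pagefile must live on an NTFS volume.
    fsutil behavior set EncryptPagingFile 1 | Out-Null
    # Once the pagefile is encrypted at rest, wiping it at shutdown buys nothing
    # and only slows every restart, so switch the wipe off.
    Set-ItemProperty -Path $MemMgmt -Name ClearPageFileAtShutdown -Value 0 -Type DWord
}

'Before:'
Get-PagefileProtection | Format-List
Enable-PagefileEncryption
'After (effective on next boot):'
Get-PagefileProtection | Format-List
```

Run `Get-PagefileProtection` on its own first; a value of -1 for `EncryptPagingFile` means fsutil did not answer, which usually means the prompt is not elevated.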

Multiple active firewall policies
Prior to Windows 7, when the Windows Firewall was active and more than one network interface was connected, only one firewall profile (Domain, Private for Home or Work networks, or Public) could be in effect at a time, and it applied to every interface. This caused problems and created potential security holes: for example, a domain-joined wired computer that also connected to a less trusted wireless network ended up with a single profile governing both links. Windows 7 detects each network separately and applies the right profile to each interface at the same time.
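You can see the change from a script. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the firewall's `CurrentProfileTypes` bitmask through the `HNetCfg.FwPolicy2` COM object (the same API the Windows Firewall with Advanced Security console uses, and available on Windows 7, unlike the `NetSecurity` cmdlets that arrived in Windows 8), lists every profile that is active right now with its inbound default, and warns about the wired-plus-wireless case described above.

```powershell
# Added example, not from the article. Works on Windows 7 without the
# NetSecurity module; the COM object needs no elevation to read settings.

function Get-ActiveFirewallProfile {
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    # CurrentProfileTypes is a bitmask of NET_FW_PROFILE_TYPE2 values. Before
    # Windows 7 exactly one bit was ever set; on Windows 7 one bit is set per
    # network the machine is currently attached to.
    $active  = $fw.CurrentProfileTypes
    $names   = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
    $actions = @{ 0 = 'Allow';  1 = 'Block' }

    foreach ($bit in 1, 2, 4) {
        if (($active -band $bit) -eq 0) { continue }
        # Parameterized COM properties are called like methods from PowerShell.
        New-Object PSObject -Property @{
            Profile              = $names[$bit]
            FirewallEnabled      = $fw.FirewallEnabled($bit)
            DefaultInboundAction = $actions[[int]$fw.DefaultInboundAction($bit)]
            NotificationsOff     = $fw.NotificationsDisabled($bit)
        }
    }
}

$profiles = @(Get-ActiveFirewallProfile)
$profiles | Format-Table Profile, FirewallEnabled, DefaultInboundAction, NotificationsOff -AutoSize

# The scenario from the text: a domain-joined machine that is also on a
# public network. Both profiles are active at once on Windows 7, so check
# that the public side is still blocking unsolicited inbound traffic.
$onDomain = $profiles | Where-Object { $_.Profile -eq 'Domain' }
$onPublic = $profiles | Where-Object { $_.Profile -eq 'Public' }
if ($onDomain -and $onPublic) {
    if (-not $onPublic.FirewallEnabled -or $onPublic.DefaultInboundAction -ne 'Block') {
        Write-Warning 'Domain and Public networks are both connected and the Public profile is not blocking inbound traffic.'
    }
}
```

The command-line equivalent is `netsh advfirewall show currentprofile`, which on Windows 7 prints one settings block per active profile; on Vista it only ever prints one.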

Improved System Restore
System Restore now covers users' personal files as well. Older versions backed up and protected only the Windows system files. Windows 7 also lets you see what a rollback would change: each restore point can be scanned for the programs and drivers that restoring it would remove or bring back. It's not perfect, but it's nice to see what will occur before you commit to a particular restore point.

Much, much more
Windows 7 has hundreds of security changes, including support for the DNSSEC standards, which are becoming essential to prevent DNS spoofing and cache-poisoning attacks; built-in support for smart cards and biometrics; and policies to audit and then block NTLM authentication, forcing the use of Kerberos, in a feature called Restrict NTLM. Also noteworthy is Extended Protection for Authentication, which ties Integrated Windows Authentication (NTLM and Kerberos) to the SSL/TLS channel it travels over, so a man in the middle can no longer relay a captured authentication to another server, an attack that otherwise works even through those trusted protocols.

Thus concludes my four-part series on some of the most significant security changes in Windows 7. Next week, we'll return to our regularly scheduled programming.

This story, "Windows 7 security primer, part four," was originally published at

Copyright © 2010 IDG Communications, Inc.
