The InfoWorld expert guide to Windows 7 security
How to configure Microsoft's new Windows operating system to beat malware and keep data secure

Windows 7 has been warmly received and swiftly adopted by businesses, with the result that many IT admins are now struggling with the platform's new security features. In addition to changes to User Account Control, BitLocker, and other features inherited from Windows Vista, Windows 7 introduces a slew of new security capabilities that businesses will want to take advantage of.

Windows 7 improves on Vista with a friendlier UAC mechanism, the ability to encrypt removable media as well as hard drive volumes, broader support for strong cryptographic ciphers, hassle-free secure remote access, and sophisticated protection against Trojan malware in the form of AppLocker, to name just a few.

In this guide, I'll run through these and other significant security enhancements in Windows 7, and provide my recommendations for configuring and using them. I'll pay especially close attention to the new AppLocker application-control feature, which may be a Windows shop's most practical and affordable way to combat socially engineered Trojan malware.

Windows 7 has literally hundreds of security changes and additions, far too many to cover in one fell swoop. While this guide focuses on the ones that most organizations will be interested in, keep in mind that plenty of others may deserve your attention. A few the biggies not discussed here are built-in support for smart cards and biometrics, the ability to force the use of Kerberos in a feature called Restrict NTLM, and support for the new DNSSec standards, which are becoming essential to prevent DNS exploitation attacks. Also noteworthy is a new feature called Extended Protection for Authentication, which prevents many sophisticated man-in-the-middle attacks that can strike at some of our most trusted security protocols (such as SSL and TLS).

User Account Control
A Windows Vista feature that users loved to hate, User Account Control has been significantly improved to be both less intrusive and smarter at distinguishing between legitimate and potentially malicious activities in Windows 7. However, depending on whether you are logged on as administrator or a standard user, some installs of Windows 7 may have a default UAC security setting that's one level lower than some experts (including yours truly) recommend. Standard users have UAC security default to the most secure setting, while administrator accounts reside a notch below the highest setting, which is potentially riskier.

Note too that, although UAC provides a much-needed mechanism to prevent the misuse of administrator privileges, it can be bypassed. If you must have high security, users should not log on with an elevated user account until they need it.

Your domain environment should already be at the highest and most secure level ("Always notify"). If it isn't, make it so. That way, users will be prompted to input their passwords to perform high-risk administrative actions. No matter what else, UAC should be enabled.

BitLocker drive encryption
In Windows 7, BitLocker drive encryption technology is extended from OS drives and fixed data drives to include removable storage devices such as portable hard drives and USB flash drives. This new capability is called BitLocker to Go.

In Windows Vista SP1, Microsoft added official support for encrypting fixed data drives, but it could only be done using command-line tools. Now you can encrypt operating system volumes, fixed data drives, and USB flash drives with a simple right-click, via the Windows Explorer GUI. Moreover, you can use smart cards to protect data volumes, and you can set up data recovery agents to automatically back up BitLocker keys. If you're using a Trusted Platform Module (TPM) chip, you can enforce a minimum PIN length; five characters should suffice for most environments.

In Windows 7, there is no need to create separate partitions before turning on BitLocker. The system partition is automatically created and does not have a drive letter, so it is not visible in Windows Explorer and data files will not be written to it inadvertently. The system partition is smaller in Windows 7 than in Windows Vista, requiring only 100MB of space.

With BitLocker to Go, you can encrypt removable drives one at a time or require that all removable media be encrypted by default. Further, encrypted removable media can be decrypted and re-encrypted on any Windows 7 computers -- not just the one it was originally encrypted on.

BitLocker to Go Reader (bitlockertogo.exe) is a pro­gram that works on computers running Windows Vista or Windows XP, allowing you to open and view the content of removable drives that have been encrypted with BitLocker in Windows 7.

You should enable BitLocker (preferably with TPM and another factor) on portable computers if you do not use another data encryption product. Store the BitLocker PINs and recovery information in Active Directory or configure a domain-wide public key called a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker. Require BitLocker to Go on all possible removable media drives.

Easily encrypted page file
Users who cannot use BitLocker but still want to prevent the memory swap page file from being analyzed in an offline sector editing attack no longer need to erase the page file on shutdown. Windows XP and earlier versions had a setting that allowed the page file to be erased on shutdown and rebuilt on each startup. It's a great security feature, but it often caused delayed shut­downs and startups -- sometimes adding as much as 10 minutes to the process.

In Windows 7 (and Vista), you can enable page file encryption. Even better, there is no key management. Windows creates and deletes the encryption keys as needed, so there is no chance the user can "lose" the key or require a recovery. It's crypto security at its best.

Better cryptography
Windows 7 includes all the latest industry-accepted ciphers, including AES (Advanced Encryption Standard), ECC (Elliptical Curve Cryptography), and the SHA-2 hash family. In fact, Windows 7 implements all of the ciphers in Suite B, a group of cryptographic algorithms that are approved by the National Security Agency and National Institute of Standards and Technology for use in general-purpose encryption software.

While Microsoft added support for Suite B cryptographic algorithms (AES, ECDSA, ECDH, SHA2) to Windows Vista, Windows 7 allows Suite B ciphers to be used with Transport Layer Security (referred to as TLS v.1.2) and Encrypting File System (EFS). Suite B ciphers should be used whenever possible. However, it's important to note that Suite B ciphers are not usually compatible with versions of Windows prior to Windows Vista.

By default, all current technologies in Windows will use industry standard ciphers in place of legacy, proprietary ciphers. Those legacy ciphers that still exist are included only for backward-compatibility purposes. Microsoft has shared the new ciphers in detail with the crypto world for analysis and evaluation. Key and hash sizes are increased by default.

EFS (Encrypting File System) has been improved in many ways beyond using more modern ciphers. For one, you can use a smart card to protect your EFS keys. This not only makes EFS keys more secure, but allows them to be portable between computers.

Administrators will be happy to know that they can prevent users from creating self-signed EFS keys. Previously, users could easily turn on EFS, which generated a self-signed EFS digital certificate if a compatible PKI server could not be found. Too often, these users encrypted files but did not back up their self-signed digital certificates, which frequently led to unrecoverable data loss.

With Windows 7, administrators can still allow self-signed EFS keys, while mandating ciphers and minimum key lengths. Windows 7 will prod users to back up their EFS digital certificates to some other removable media or network drive share -- and keep prodding them until they do it. A Microsoft Web page details the EFS changes.

Read more about how to secure your Windows 7 PCs in InfoWorld's free PDF report, "Windows 7 Security Deep Dive," including:

* Safe browsing with IE8
* Multiple active firewall policies
* Managed and virtual service accounts
* Configuring AppLocker
* Running by the rules

Source http://www.infoworld.com/d/security-central/the-infoworld-expert-guide-windows-7-security-896?source=rss_infoworld_top_stories_

Windows 7: Enable Secret Godmode

Microsoft Security Essentials (MSE), Redmond's free consumer security software for PCs, is available for download by the general public

The rollout of the antimalware solution comes after three months of public beta testing, limited to thousands of users. The software offers basic protection against viruses and spyware. The free MSE offering likely will compete with paid security offerings from McAfee and Symantec.

MSE is sometimes described as a replacement for Windows Defender, a free app from Microsoft that just removes spyware. Apparently, the two security apps can exist side by side. MSE disables Windows Defender and users don't have to remove it, according to a

free Windows 7 RTM Enterprise 90-Day Evaluation

Windows 7 is the next release of the Windows client operating system, built on the secure foundation of Windows Vista and Windows Server 2008. Performance, reliability, security, and compatibility are core tenets of this release as we collect your feedback to meet our engineering goals of making Windows 7 the best-performing and most stable Windows operating system to date. All the new innovations in this product are meant to enhance your capability as an IT professional to better provision and manage increasingly mobile PCs, to protect data, and to improve end-user and personal productivity.

Windows 7 Enterprise 90-day Trial

Windows 7 Enterprise was designed specifically for IT Professionals, so that you can test your software and hardware on a final version of the product. In addition, it provides the opportunity for you to become more familiar with the key improvements over previous versions of the Windows operating system, and experience firsthand how Windows 7 can make your PC environment more productive, secure, and manageable.

Guidelines on usage:
- Protect your PC and data. Be sure to back up your data and please don’t test Windows 7 on your primary home or business PC.
- You have 10 days to activate the product. If not activated within 10 days, the system will shut down once every hour until activated. Unsure on how to activate? Visit our FAQ.
- The 90-day Trial is the full working version of the Windows 7 Enterprise, the version most of you will be working with in your corporate environment. It will not require a product key (it is embedded with the download).
- The 90-day Trial will shut down once every hour when you have reached the end of the 90-day evaluation period.
- The 90-day Trial is offered for a limited time and in limited quantity. The download will be available through March 31, 2010, while supplies last.
- After the 90-day Trial expires, if you wish to continue to use Windows 7 Enterprise, please note that you will be required to purchase and perform a clean installation of Windows 7, including drivers and applications. Please keep this in mind; Windows 7 Enterprise is not available through retail channels.
- Technical details/updates/questions: Please review our FAQ or visit the Windows 7 support forum.
- Stay informed. You can keep up with general technical information and news by following the Springboard Series blog. Want technical guidance, tips, and tools? Visit the Springboard Series on TechNet.
- Keep your PC updated: Be sure to turn on automatic updates in Windows Update in case we publish updates for the 90-day Trial.
- Microsoft Partners-: Learn more about Windows 7 on the Microsoft Partner Portal.

Minimum System Requirements*:

1 GHz or faster 32-bit (x86) or 64-bit (x64) processor
1 GB of RAM (32-bit) / 2 GB RAM (64-bit)
16 GB available disk space (32-bit) / 20 GB (64-bit)
DirectX 9 graphics processor with WDDM 1.0 or higher driver
DVD-compatible drive
Internet access (fees may apply)
*Note: Some product features of Windows 7, such as the ability to watch and record live TV, BitLocker, or navigation through the use of “touch,” may require advanced or additional hardware. Windows XP Mode requires an additional 1 GB of RAM and 15 GB of available disk space; and a processor capable of hardware virtualization, with Intel VT or AMD-V turned on.

Requirements:

· Processor: 1 GHz 32-bit or 64-bit processor
· Memory: 1 GB of system memory
· Hard drive: 16 GB of available disk space
· Video card: Support for DirectX 9 graphics with 128MB memory (in order to enable Aero theme)
· Drive: DVD-R/W drive
· Internet connection (to download the Beta and get updates)

Limitations:

· 90-day Trial

!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~! ~!~!~!~!~!~!~!~!~!~!~!
Developer: Microsoft
License / Price: Trial / N/A
Size / OS: 2,488.3 MB / Windows 7
!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~! ~!~!~!~!~!~!~!~!~!~!~!

Download:

Windows 7 7600.16385.090713 [Trial]

http://technet.microsoft.com/en-us/evalcenter/cc442495.aspx?ITPID=sprblog

Enjoy

Windows XP Mode RC build for Windows 7 now available

From Brandon LeBlanc of Windows Team Blog:

Quote

Back in April, we introduced the Windows XP Mode beta and after a few months of incorporating your enthusiastic feedback, today we are announcing the availability of the Windows XP Mode Release Candidate.

As you may know, Windows XP Mode is specially designed for small and medium-sized businesses to help ease the migration process to Windows 7 by providing additional compatibility for their older productivity applications. The newly updated Windows XP Mode now works with the RC and RTM versions of the Windows 7 Professional, Ultimate and Enterprise SKUs.

Before I get into what has changed from beta to RC, I’d like to take a moment to clarify what Windows XP Mode is designed for, and highlight the point that in many cases Windows XP Mode will not be necessary. Windows 7 has a strong compatibility story with Windows Vista, and many applications that currently run on Windows XP-based or Windows Vista-based PCs should just run natively on Windows 7 – allowing you to take advantage of better performance, better management and better security built into Windows 7. In most cases, we recommend running applications natively in Windows 7. Windows XP Mode provides what we like to call that “last mile” compatibility technology for those cases when a Windows XP productivity application isn’t compatible with Windows 7. Users can run and launch Windows XP productivity applications in Windows XP Mode directly from a Windows 7 desktop. I also strongly recommend that customers install anti-malware and anti-virus software in Windows XP Mode so that Windows XP Mode environment is well protected. For customers that manage several Windows PCs running Windows XP Mode and want to simplify management tasks, we offer Microsoft Enterprise Desktop Virtualization (MED-V) as part of the Microsoft Desktop Optimization Pack.

New Features in Windows XP Mode RC :

• You can now attach USB devices to Windows XP Mode applications directly from the Windows 7 task-bar. This means your USB devices, such as printers and flash drives, are available to applications running in Windows XP Mode, without the need to go into full screen mode.
• You can now access Windows XP Mode applications with a “jump-list”. Right click on the Windows XP Mode applications from the Windows 7 task bar to select and open most recently used files.
• You now have the flexibility of customizing where Windows XP Mode differencing disk files are stored.
• You can now disable drive sharing between Windows XP Mode and Windows 7 if you do not need that feature.
• The initial setup now includes a new user tutorial about how to use Windows XP Mode.

Download: Windows XP Mode Release Candidate http://www.microsoft.com/windows/virtual-pc/download.aspx

Source : Windows Team Blog http://windowsteamblog.com/blogs/windows7/archive/2009/08/04/windows-xp-mode-rc-now-available.aspx

Windows 7 RTM available on MSDN/Technet August 6th

* Independent Software Vendors and Independent Hardware Vendors : Via Microsoft Connect or MSDN on August 6th

* Microsoft Partner Program Gold/Certified Members: Via Microsoft Partner Network (MPN) Portal on August 16th. Remaining languages will be available by October 1st.

* Microsoft Action Pack Subscribers: Available to download starting August 23rd. Remaining languages will be available by October 1st.

* OEMs: Approximately two days after Microsoft officially RTM

* Volume License with Software Assurance: via the Volume License Service Center (VLSC) starting August 7th.

* Technet and MSDN: August 6th

Microsoft also confirmed that they will be delivering a family pack for Windows 7, which will allow installation on up to 3 PCs. At least now we know Windows 7 will RTM before August 6th.

Source:

Posted

Monday, June 29, 2009

Windows 7 pricing and availability has just been announced, along with a couple nice benefits to help put you into Windows 7 at half the price. First, Windows 7 will be rolling out on new PCs starting October 22nd. But starting tomorrow if you buy a new PC from a participating retailer you'll be able to get Windows 7 for little or no cost at all. (See

www.windows.com/upgradeoffer

for more details)
As for pricing, the retail prices for full and upgrade versions of Windows 7 follow:

And if you want to skirt around paying full price - pre-order! From tomorrow until July 11th in the US and Canada (July 5th for Japan) you can pre-order Windows 7 Home and Professional from the

Microsoft Store, Best Buy, or Amazon and get more than 50% off! That means Home Premium version for under $50 and Windows 7 Professional for under $100. Click here

for more pre-order information.

Hi all...As the graphics section is not a section I believe is visited very often, I am wiriting this to inform the XP users here at Wincustomized that I have recently created a new ViStart pack which will emulate the winsows 7 style. You can view it at the following link... https://www.wincustomize.com/skins.aspx?skinid=989&libid=18

For those of you that are not sure how to use it, just leave a comment on the pack and I will see what I can do to help you...[e digicons]:)[/e]

Windows Virtual PC

Support: Configure BIOS

XP Mode only working for processors with Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) technology.
If you are not sure of your configuration, have a look here:

How to confirm your PC can run Windows XP Mode
Although OEMs have been shipping hardware virtualization in PCs for three years, hardware virtualization is not available in all PCs — so even if your PC is new, it may not have hardware virtualization. Additionally, those PCs with hardware virtualization have it turned off by default, so you will need to turn on the hardware virtualization capability before you can use it.

To determine whether your PC works with Windows XP Mode:
Step 1. Does my PC have a CPU with support for hardware virtualization?

For Intel processors:

1 Download, install and run the Intel Processor Identification Utility. http://www.intel.com/support/processors/tools/piu/

2 Navigate to the CPU Technologies tab and read the value in the "Intel Virtualization Technology" field.

A If the value is No then your CPU does not support hardware virtualization.

B If the value is Yes then the CPU supports hardware virtualization. Go on to step 2 below

For AMD processors:
AMD Virtualization Compatibility Check Utility. http://support.amd.com/us/Pages/dynamicDetails.aspx?ListID=c5cd2c08-1432-4756-aafa-4d9dc646342f&ItemID=172

Step 2. Does my PC BIOS support hardware virtualization, and is it turned on?

Instructions to turn on hardware virtualization in your PC BIOS are specific to OEM models. It is important that after changing your BIOS settings the PC is completely shut down at the power switch before restarting so that the new BIOS settings can take place.

Examples for some models of some computer manufacturer’s BIOS settings are below:

Sample instructions for your PC

Dell systems

Depress the F12 key when boot menu text appears at startup

Select BIOS setup and depress the Enter key

Using the mouse, expand the Virtualization Support menu item by clicking on the plus to the left of Virtualization Support and select Virtualization

Check the Enable Intel Virtualization Technology checkbox

Click Apply

Click Exit

Shut down and restart your computer

HP systems

Depress Esc key when prompted at startup

Depress the F10 key to Configure BIOS

Scroll to System Configuration using the arrow keys

Select Virtualization Technology and depress the Enter key

Select Enabled and depress the Enter key

Depress the F10 key to save and exit

Select Yes and depress the Enter key

Shut down and restart your computer

Lenovo ThinkPad systems

Depress the blue ThinkVantage key when prompted at startup

Depress the F1 key to enter the BIOS setup utility

Using the arrow keys, scroll to Config and depress the Enter key

Scroll to CPU and depress the Enter key

Scroll to Intel ® Virtualization Technology and depress the Enter key

Select Enabled and depress the Enter key

Depress Enter key to continue

Depress F10 key to save and exit

Select Yes and depress the Enter key

Shut down and restart your computer

Please note the instructions above may not work in all cases and consulting with your computer manufacturer may be necessary.

Source http://www.microsoft.com/windows/virtual-pc/support/configure-bios.aspx

Windows 7, Secret Feature revealed....
 
 Paul Thurrott and Rafael Rivera have just unveiled a new feature of Windows 7 today that they have been forced to keep a lid on for quite some time. Introducing Windows XP Mode (XPM) for Windows 7!

Over a month ago, we were briefed about a secret Microsoft technology that we were told would be announced alongside the Windows 7 Release Candidate (RC) and would ship in final form simultaneously with the final version of Windows 7. This technology, dubbed Windows XP Mode (XPM, formerly Virtual Windows XP or Virtual XP, VXP), dramatically changes the compatibility story for Windows 7 and, we believe, has serious implications for Windows development going forward. Here's what's happening.

XPM is built on the next generation Microsoft Virtual PC 7 product line, which requires processor-based virtualization support (Intel and AMD) to be present and enabled on the underlying PC, much like Hyper-V, Microsoft's server-side virtualization platform. However, XPM is not Hyper-V for the client. It is instead a host-based virtualization solution like Virtual PC; the hardware assistance requirement suggests this will be the logical conclusion of this product line from a technological standpoint. That is, we fully expect future client versions of Windows to include a Hyper-V-based hypervisor.

XP Mode consists of the Virtual PC-based virtual environment and a fully licensed copy of Windows XP with Service Pack 3 (SP3). It will be made available, for free, to users of Windows 7 Professional, Enterprise, and Ultimate editions via a download from the Microsoft web site. (That is, it will not be included in the box with Windows 7, but is considered an out-of-band update, like Windows Live Essentials.)

More news - HERE - http://community.winsupersite.com/blogs/paul/archive/2009/04/24/secret-no-more-revealing-virtual-windows-xp-for-windows-7.aspx
Screenshots - HERE - http://www.winsupersite.com/win7/xp_mode_pre_shots.asp