Windows 7 Friday: New Security Features and Options

by dboynton 2/27/2009 4:52:00 PM

Security. Ask anyone in the software industry what they think is the most important thing to consider when developing an application and, invariably, security will be in the top three if not the number one thing (which is really what it should be every time). Of course, it’s no secret that many applications have fallen from the pure path when it comes to security. It seems almost a cliché news item these days where tens of thousands or even millions of records containing personal information walked out of an office building somewhere on a thumb drive, driving up costs for corporations, governments and individuals and driving down the public trust that the personal information we entrust to others is actually being secured in any reasonable fashion.

In 2002, the famous Bill Gates security memo changed the way Microsoft approached development of its products. The so-called “Trustworthy Computing” initiative was born and Windows Vista was the first OS release from Microsoft that embraced the security-first mindset. Windows 7 takes the next evolutionary steps by enhancing some of the features of Vista and adding support for new security features. In this post, we’ll look at the two most obvious new security features in Windows 7: BitLocker To Go and User Account Control (UAC).

BitLocker To Go
BitLocker, which debuted on Windows Vista Ultimate and Enterprise, is a hard drive security tool that encrypts all of the data on your computer’s hard drive partition and allows access to it only if you are logged into the machine under the identity of the data’s owner. This utility was designed specifically to prevent sensitive data from being accessed from a lost or stolen laptop, an ever-increasing phenomenon with the number of mobile workers burgeoning.

Stolen or misplaced laptops are not the only threat to sensitive data, however. More and more, we hear stories about data walking out the front door of an office building on USB flash drives and other types of portable media. According to the 2008 Computer Security Institute Computer Crime and Security Survey, 42% of respondents reported that their organization experienced theft of laptops or mobile devices.

Windows 7 takes BitLocker to the next level with BitLocker To Go, which extends encryption capabilities to externally connected USB drives while making the original features of BitLocker even easier to use. To access BitLocker or BitLocker To Go, just follow these steps:

1) Attach your external USB drive and open Windows Explorer. Click on the Computer item to look at all internal and attached drives.

2)  Right-click on the icon for your attached drive and select Turn on BitLocker…

3) BitLocker will initialize for a few seconds and then present you with the following dialog:

Decide whether you want to use a custom username and password to access the encrypted data or use your SmartCard and click the Next button.

4) On the next dialog box, you will choose how to persist your recovery key should you forget or lose your password to the encrypted drive:

As this information will give someone access to your drive, be sure to store it in a secure place, both the physical page if you choose to print it and the copy in your file system. Once you’ve stored your recovery key, click the Next button.

5) On the final dialog window, click the Start Encrypting button to encrypt your USB drive. Depending on the size of the drive, this can take some time. Once the encryption process begins, you should let it finish before removing the drive from your machine. However, if you need to remove it, be sure to click the Pause button first.

6) Now, remove the drive from your computer and then reattach it. You’ll see the dialog below:

Notice that you’re being prompted to enter your password. For your convenience, you can also indicate that the drive should automatically unlock when connected to your computer. If you ever need to change any of your BitLocker settings for the drive, you can always right-click on the drive icon in Windows Explorer and select Manage BitLocker…, and you’ll get a dialog that lets you configure the BitLocker settings for the drive, including removing protection.
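To confirm from a script that the drives you encrypted in the steps above are actually protected, here is an added example (not part of the original post) that lists attached removable drives with their BitLocker protection state. It assumes Windows PowerShell running elevated and the standard `Win32_EncryptableVolume` WMI class; the output column names are illustrative.

```powershell
# Added example: report BitLocker protection state for removable drives.
# Assumptions: Windows PowerShell (Get-WmiObject), elevated prompt; the
# BitLocker WMI namespace is only readable by administrators.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# ProtectionStatus values of Win32_EncryptableVolume.
$statusText = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown (drive is locked)' }

# DriveType 2 = removable disk. Many external hard drives report as
# DriveType 3 (fixed), so widen the filter if you need to cover those.
$removable   = @(Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2')
$encryptable = @(Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume)

$report = foreach ($disk in $removable) {
    # Match on drive letter, e.g. "E:".
    $vol = $encryptable | Where-Object { $_.DriveLetter -eq $disk.DeviceID }

    if ($vol) {
        # ProtectionStatus is UInt32; cast so the hashtable lookup matches.
        $state = $statusText[[int]$vol.ProtectionStatus]
    } else {
        $state = 'Not listed as a BitLocker-capable volume'
    }

    New-Object PSObject -Property @{
        Drive     = $disk.DeviceID
        Label     = $disk.VolumeName
        BitLocker = $state
    }
}

if ($report) {
    $report | Select-Object Drive, Label, BitLocker | Format-Table -AutoSize
} else {
    Write-Output 'No removable drives attached.'
}
```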


So there you have it. The same security that BitLocker brought to your internal hard drives in Vista can now be used on portable drives. Cool stuff.

UAC Customization
Easily one of the most contentious security features to ever come out of Microsoft, UAC was implemented in Windows Vista as a means of preventing users from inadvertently installing unwanted software on their machines.

I want to make this very clear here and now:  There is a lot of passion, both for but mostly against UAC. I have always been a supporter of using UAC as it is the best means Windows provides of keeping unintended software from getting installed on your computer. This post is meant to show some of the ways UAC works in the beta of Windows 7. I will not engage you in a debate over whether UAC should or shouldn’t be or how well you think it works. There are other venues for that conversation and this post isn’t one of them.

That being said, the first thing you’ll notice about UAC in Windows 7 is that the product team seems to have “right-sized” UAC prompts. One of the main complaints from users regarding UAC in Vista was its ubiquity. It seemed that even the most minute system changes required user or even administrative approval. While this certainly had the effect of making users more aware of what was happening on their PCs, it also had a negative impact on their experience.

In Windows 7, the user impact of UAC is significantly improved. By default, Windows 7 UAC will only prompt the user when software on the system tries to modify Windows, but does not prompt when the user makes changes to Windows. In Windows Vista, you had two options as far as UAC was concerned:  Leave it on or turn it off. When left with this choice, many users chose to turn it off and completely lost the benefits UAC did provide. In Windows 7, you have significantly more control over this via the UAC Control Panel Applet. To access it:

1) Click on the Windows Start icon in the lower left-hand corner and select Control Panel.

2) Click on the System and Security link and then, under the Action Center section, click Change User Account Control settings.

3) You will now see the dialog below which contains a slider providing you with the ability to modify how UAC works on your machine. The default setting only notifies the user if software attempts to change Windows somehow, but not when you make changes to Windows yourself:

Likewise, you can increase the UAC setting to prompt you when you are about to change Windows settings, by moving the slider to the top “Always notify” setting. Moving the slider down one position from the default will remove the grayed out background that happens when UAC prompts appear, and obviously moving the slider to the lowest position turns off UAC notifications altogether.
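For checking which of these four slider positions a machine is on without opening Control Panel, here is an added example (not from the original post) that decodes the UAC policy values in the registry. The value names and their mapping to slider positions are an assumption based on released Windows 7 and later, not something this post documents; the function name and sample rows are constructed for illustration.

```powershell
# Added example: map the UAC policy registry values to the slider positions.
# Assumption: value meanings are those of released Windows 7 and later.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSliderLevel {
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)

    # EnableLUA = 0 switches UAC off entirely; on Windows 7 the lowest
    # slider position sets this.
    if ($EnableLUA -eq 0) { return 'Never notify (UAC off)' }

    switch ("$ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop") {
        '2/1'   { return 'Always notify' }
        '5/1'   { return 'Default' }
        '5/0'   { return 'Default, desktop not dimmed' }
        '0/0'   { return 'Never notify' }
        default { return 'Custom (set by policy, not by the slider)' }
    }
}

# Constructed sample rows, one per slider position from top to bottom.
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
)
foreach ($s in $samples) { Get-UacSliderLevel @s }

# Live check of the local machine.
$p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($p -and $null -ne $p.EnableLUA) {
    $level = Get-UacSliderLevel -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
    Write-Output "This machine: $level"

    # Anything other than the top two positions gives up the secure
    # desktop or the prompts themselves, so flag it for review.
    if ($level -ne 'Always notify' -and $level -ne 'Default') {
        Write-Warning 'UAC is configured below the Windows 7 default.'
    }
} else {
    Write-Warning 'UAC policy values not found under the expected key.'
}
```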

The guiding principle I have for everyone regarding UAC in Windows 7 is:  “With great power comes great responsibility.” In roughly two months of using exclusively Windows 7, I have found no need to modify my UAC settings. It’s nice to not be prompted about every little system change, but it’s reassuring to know that it’s still monitoring for system changes initiated by applications on my machine.

It’s important to reinforce here the need for developers to write their software for Standard User in Windows 7. There are plenty of best practices documents available online, including this excellent presentation from PDC 2008, for doing this. Developing software with UAC in mind is a good security practice and should be made top of mind with developers writing software for Windows.

There are, obviously, many more security features coming with Windows 7, including improvements in the migration and deployment tools, the AppLocker application I discussed in last week’s post, improvements and better transparency in the System Restore utility and performance enhancements in Windows Defender. I will likely touch on these additional features in future posts, but I thought that BitLocker To Go and the changes to UAC were the most compelling to touch on first. Tune in next week when I look at some cool ways to tweak out your experience in the new Windows 7 desktop!


Digitial Lifestyle | Windows 7

First Hundred Days With Windows Home Server

by dboynton 4/8/2008 11:51:00 AM

Weekends are for fun and relaxation. As I was pulling up some music to listen to via my Xbox 360 last Saturday morning, it occurred to me that I've been running Windows Home Server for quite a while now. In fact, last Saturday was the 100th day I'd had Home Server running on my home network. So I thought I'd share some of the ups and downs I've had over that time with Home Server.

What I Dig

Hardware Requirements: I have a decent PC that I built about four years ago in my home office. By "decent" I mean that it is adequate for accessing and storing data, being a print server and some gaming. Very solid, but nothing spectacular, but let's face it, it's freaking four years old.

The basic specs are:

  • P4 2.4 GHz
  • 512 MB SD RAM
  • Basic, non-brand name 64MB display card

I had a 20 GB hard drive already installed serving as the system partition and I bought and installed a 220 GB ATA drive (yeah, the system board is too old for SATA) for content. And that's it. Pretty basic.

The OS absolutely screams on this hardware. As it is mainly managing content and backups on your home network, Home Server doesn't need a lot of horsepower to provide reasonable performance. I know that several PC vendors are selling preconfigured machines for Home Server, which is cool, but you can just as easily build yourself a machine for very little money and get comparable performance. Just be sure to get yourself a big and fast drive for storing content. Disc space is cheap and you'll be glad you have the extra room once you start doing backups of the other machines on your network.

Reliability: Home Server just runs and runs and runs. I've only had to shut it down a couple of times and that was because I was heading out of town for a week or so with the family and I usually power everything down if it's not going to be used for an extended period of time. As it's built on top of Windows 2003 Server, the reliability isn't surprising, but welcome just the same.

Remote Management Console: Home Server comes with a client-side application that does a few things. For one, it registers your machine with the Home Server automatically, facilitating automated back-ups primarily. It also provides you with a handy management console application that will let you manage the machines on your home network, configure automated back-ups, setup and manage user accounts on the Home Server, configure shared directories for music, videos, etc. and check the current status of your server drives and your network as a whole.

While those of us who work with servers all the time could do this any number of ways, one of the risks of creating a home server is that non-technical consumers who still struggle to print Word 2007 documents with the new tool ribbon will be completely lost when it comes to server configuration. The Home Server management console makes this very easy and, for those of us who could manage it from the command line, it provides a very efficient means of making necessary changes and then getting out, all without having to log directly into the console. Nice!

What's more, you can configure Home Server to be accessible from outside your home network as well, providing you with access to your files and data even when you're away from home. Nice nice!

What I Don't Dig So Much

No Support for Media Center Extender: This just made me sad. As Media Center ships standard with Vista Home and up now, it seems like bundling some flavor of the Media Center management interface into Home Server would have been a no-brainer. But alas, it is nowhere to be found. It is easy enough to connect my Xbox to the shared content directories on the Home Server, but I have really come to like the Media Center user interface as it appears in Vista. It was so simple, my six-year-old could cycle through available movies and pick something out. Now I have to do it for her because the file names can be a little cryptic to someone her age.

I guess I'm not looking for full-blown Media Center on Home Server, just the ability for other Media Center PCs and devices to interact with it like Media Center. Is that so much to ask? Honestly, this is my only complaint, but it's a significant one.

Better Off Than a Hundred Days Ago?

My hope when I installed Home Server was that I would get all the benefits I'd come to enjoy from Media Center with the added bonuses of network and backup management in Home Server. As it turns out, the latter set of features are what I've benefited from the most. What would make Home Server a grand slam instead of a double would be to provide me with the means of not only storing my media files, but to manage and access them much the way Media Center does. If this were there, I'd be hard pressed to think of anything else you'd have to do to this product to make it better.


Digitial Lifestyle


About the author

Denny Boynton
Microsoft Architect Evangelist by day, wannabe rock 'n roll star by night! Want more? Here's my bio.


    The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.

    © Copyright 2016, Denny Boynton
