Businesses are eyeing a transition to Microsoft Windows 7, and with a wealth of security features that are part of it, it's worth figuring out the good and bad about each of them, says Gartner analyst Neil MacDonald, who notes in some cases, third party security products might be the better fit.
The AppLocker feature in Windows 7 offers an application control capability that lets the IT manager set up a list of applications allowed to run, said MacDonald in his presentation at the Gartner Summit & Risk Management Summit 2010 last week. Often called whitelisting, this type of security control offers a possible lock-down technique, but the downside is that applications used within organisations by employees tend to grow, "and the trick is managing the whitelist over time."
"Care and feeding of the whitelist becomes cumbersome over time," MacDonald said, noting that there are several vendors in the application-control market, including Bit9, CoreTrace and McAfee (which acquired SolidCore).
BitLocker, Microsoft's full-disk encryption capability for protecting system files and data, will be another security feature that businesses will want to evaluate in Microsoft Windows 7, MacDonald said. Calling it "good but not great," he noted that on the minus side of BitLocker, it has no self-service key recovery, no Windows single sign-on, and no smart card support for boot drive.
"By licence restriction, it cannot be used where operating system virtualisation is used," MacDonald pointed out. In addition, there's no support for non-Windows machines or Windows Mobile.
"It's another of those good but not great technologies," MacDonald said. "You should be encrypting all mobile devices."
Enterprises might want to look at product alternatives, including McAfee Safeboot, Sophos-acquired Utimaco, Credant Technologies, and PGP and GuardianEdge, both of which Symantec recently announced it was acquiring.
Prices for this type of desktop encryption product have been dropping from $75 to $90 five years ago to today's range of about $10 to $15, he noted. Encryption today is often something "thrown in to get your business from the antivirus vendor," MacDonald said.
Windows 7 BitLocker has not yet been certified under the federal government's FIPS 140 program though it's in process to receive that certification, he pointed out. Other security controls in Windows 7 also have their pros and cons, according to MacDonald.
For instance, the user account control, which limits the ability of either applications or users to make unsanctioned system changes, has been improved to minimise prompts. But on the downside, it won't prevent someone running as a standard user from still installing software, so application control may still be needed.
There are third-party products from vendors that include BeyondTrust, (acquired by Symark International) Avecto, Symantec Altiris and ScriptLogic, as well as Viewfinity, that IT managers may want to evaluate as alternatives.
Another security feature in Windows 7 is what's called DirectAccess, an "always-on VPN client that uses IPv6 underneath to uniquely address a workstation anywhere in the world," MacDonald noted. But supporting this type of IPSec tunnel can be highly problematic for a variety of reasons. "There's a lot of complexity," MacDonald said, particularly if organizations don't have an IPv6 network internally.
The advantage, though, would be it wouldn't be necessary to deploy an additional VPN client as a special agent and it can be viewed as extending encrypted access to the enterprise network in a way that's transparent to the user. While generally positive about what DirectAccess seeks to accomplish, MacDonald said he wouldn't recommend activating it in an initial Windows 7 deployment because of this underlying network complexity that would need to be well understood.
Internet Explorer 8 is included in the OS with Windows 7 and it is a definite positive step in terms of a protected browser, added McDonald, who recommends its use over earlier IE versions. But the firewall in Windows 7 "is not particularly good," he said. "It doesn't support deep packet inspection or IDS." The firewall is often part of a core security package from the antivirus vendors, and if you "use Microsoft as a red herring," you may be able to strike some good deals with vendors.
IT managers opting to deploy Windows 7 may also want to determine if they should go with the "Enterprise" or the "Ultimate" versions, MacDonald suggested. Although the Windows 7 Ultimate version is officially a consumer version, it's considerably less expensive than the Windows 7 Enterprise version, so if the IT manager at a small business can consider manually activating each version, it might be worth going with Ultimate, even if it only has five years of fixes, not 10.