How Windows 7 stands up to security tests

The operating system (OS) is locked down from the get-go. Windows Firewall is enabled by default, along with Windows Defender and Windows Update. Microsoft has also made it easy to tweak User Account Control settings. They're relatively strong by default, like they were in Vista, but nothing that can't be adjusted by an administrator. The Action Center, available via Control Panel/System and Security, is eager to point out if you don't have any malware protection installed. In fact, it links straight to the Windows 7 security software providers page.

The Action Center also makes it clear that system backups are not configured by default. These things, especially backups, may not seem important in the enterprise on the surface, but they are. The more security assessments I perform the more I realize that many organizations rely on their users to do these "basic" administrative tasks. I caution against allowing users to be responsible for the management of their own systems. It's extremely risky.

With these controls in place, just how does Windows 7 stand up to vulnerability scanning tools? Arguably it's the slimmest set of vulnerability findings for an out-of-the-box OS I've ever seen. I ran the latest versions of the commercial security vulnerability scanners GFI LANguard and QualysGuard against my default Windows 7 installation and, frankly, they didn't turn up much. Just that the NetBIOS names were discoverable. No real concerns there. Even an authenticated scan turned up only a few issues -- none of which I think are critical -- as shown in the following LANguard screenshot:

Figure 1: Using GFI LANguard to perform an authenticated vulnerability scan on Windows 7. (Click on image for enlarged view.)

Interestingly enough, when running MBSA on Windows 7 it returned the message, "This is not a Windows NT/2000/XP/2003 Server or Workstation." This was kind of funny and quite ironic. I assume Microsoft is still working on it. Or, perhaps, they don't want anyone poking around with Windows 7's security just yet.

Ophcrack, the Windows password cracking tool I've discussed before worked fine with Windows 7. Thus, the cries for laptop and mobile drive encryption will continue. No real surprises here.

Granted, this is still the Release Candidate version of Windows 7. And no applications were installed, so the attack surface was minimal. Furthermore, I don't consider this to be a "typical" Windows 7 system where users go in and start playing around sharing out their drives, installing software and so on, increasing the risks. Even with some of the purported zero day hacks and "unfixable" flaws floating around on the Web, all-in-all, Windows 7 seems pretty stout. It'll be interesting to see how exploits evolve for this platform moving forward. As a safe reminder: Never let your guard down as the commonly-exploited Windows flaws will be around for some time to come.

ABOUT THE AUTHOR:

Kevin Beaver Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver /at/ principlelogic.com.

Rate this Tip To rate tips, you must be a member of SearchEnterpriseDesktop.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Microsoft Windows 7 operating system Windows 7 launches, offers salvation from Vista Converting Windows 7 deployment images to virtual hard drive files Using Windows 7 to configure workstations for optimal power management MDOP for Windows 7 available now An intro to Windows 7's Deployment Image Servicing and Management tool Guide to converting from Windows XP to Windows 7 Manage the desktop image lifecycle to limit work, ensure security Microsoft Desktop Optimization Pack 2009 R2 adds Windows 7 support Has Microsoft corrected Vista annoyances in Windows 7? Protect your computer from direct attacks in Windows 7 Windows desktop security tips Structuring patch management in seven steps Underlying causes of inconsistent patch management Monitoring user activity with network analyzers Microsoft's Patch Tuesday brings a bumper crop of security fixes Using third-party technologies with Microsoft's NAP Understanding Microsoft's NAP's internal and external components Microsoft's NAP can ensure security compliance Top 5 registry keys for Windows XP Secure Windows XP before a Windows 7 upgrade Nine common password oversights to avoid Microsoft Windows XP Pro Guide to converting from Windows XP to Windows 7 Top 5 registry keys for Windows XP Manage the desktop image lifecycle to limit work, ensure security Secure Windows XP before a Windows 7 upgrade Microsoft's August patches run the gamut Hold on to Windows XP at your peril XP stragglers blame hardware costs, new features Your questions answered: The Windows 7 upgrade quandary Windows Vista users get little pricing relief on Windows 7 Vista shops eye quick path to Windows 7, XP shops likely to resist RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Error messages for Windows XP Pro  (SearchEnterpriseDesktop.com) XP key changer  (SearchEnterpriseDesktop.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.