Windows 7 is Microsoft's most secure desktop operating system. But although it stands up well to common security checks, the new OS also comes with its own set of security issues. These weaknesses are both technical flaws and operational concerns.
Before migrating to Windows 7, consider these six security vulnerabilities that are often ignored or forgotten:
1. If you're not running Windows 7 Ultimate or Enterprise editions, then you don't have access to BitLocker drive encryption. If this is the case, to protect your systems, you should purchase a drive-encryption product from a third-party vendor like CREDANT, Symantec or WinMagic.
2. You will hit many stumbling blocks if BitLocker is your enterprise drive encryption technology, including the need for manual deployment, lack of audit logging and more. Furthermore, make sure to consider all of your other systems -- Windows XP, Mac OS, Linux, etc. -- as they'll need their own drive encryption.
3. Windows 7 systems that are not properly protected are as easy to break into as Windows systems from 10 years ago. "Hope" is not a good strategy when it comes to having computers lost or stolen.
4. If you've deployed DirectAccess -- Windows 7 and Windows Server 2008 R2's VPN alternative -- then you have to tighten the user restrictions on locking screens. All it takes for someone to gain "direct access" into your network is a careless user leaving his system unattended for a brief moment in a public place. Once a thief walks off with a wide-open laptop, all he has to do is keep the keyboard/mouse active to prevent a screensaver from starting and locking him out. Everything else is fair game.
5. Newer isn't necessarily better or more secure, and the decision to migrate to Windows 7 on this assumption alone will disappoint. More than 20 security updates have been installed on my Windows 7 system this year. While only a few of these threats are easily exploited with free tools such as Metasploit, the risk remains.
6. Your desktop security standards documentation needs to be upgraded to incorporate the Windows 7 changes. The Center for Internet Security's Microsoft Windows 7 Benchmarks are a good place to start. Just remember to do this before your next security assessment or audit.
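For item 4, one way to check whether screen-lock restrictions are actually enforced on a laptop is to audit the per-user Group Policy screen-saver values. This is an added example, not part of the original article; the 600-second limit and the function names are assumptions chosen for illustration.

```powershell
# Added example: audit the per-user Group Policy screen-saver lock settings.
$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MaxTimeout = 600   # assumption: local standard for maximum idle seconds
$Names = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE'

function Get-ScreenLockPolicy {
    param([string]$Path)
    # Read only the values of interest; a missing key yields an empty table.
    $result = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Names) {
        if ($item -and $item.PSObject.Properties[$name]) {
            $result[$name] = [string]$item.$name
        }
    }
    return $result
}

function Test-ScreenLockPolicy {
    param([hashtable]$Values, [int]$MaxSeconds)
    $findings = @()
    if ($Values['ScreenSaveActive'] -ne '1') {
        $findings += 'Screen saver not enforced (ScreenSaveActive is not 1)'
    }
    if ($Values['ScreenSaverIsSecure'] -ne '1') {
        $findings += 'Resume does not require a password (ScreenSaverIsSecure is not 1)'
    }
    if (-not $Values['SCRNSAVE.EXE']) {
        $findings += 'No screen saver executable is forced (SCRNSAVE.EXE not set)'
    }
    $timeout = 0
    $parsed = [int]::TryParse([string]$Values['ScreenSaveTimeOut'], [ref]$timeout)
    if (-not $parsed -or $timeout -le 0) {
        $findings += 'No idle timeout enforced (ScreenSaveTimeOut not set)'
    } elseif ($timeout -gt $MaxSeconds) {
        $findings += "Idle timeout of $timeout seconds exceeds the $MaxSeconds second limit"
    }
    return ,$findings
}

# Constructed sample: screen saver on, 30-minute timeout, no password on resume.
$sample = @{ ScreenSaveActive = '1'; ScreenSaveTimeOut = '1800'; 'SCRNSAVE.EXE' = 'scrnsave.scr' }
"Sample:"; Test-ScreenLockPolicy -Values $sample -MaxSeconds $MaxTimeout

# Live check against the current user's policy key.
"Current user:"; Test-ScreenLockPolicy -Values (Get-ScreenLockPolicy $PolicyKey) -MaxSeconds $MaxTimeout
```

An empty result means the policy forces a password-protected screen saver within the limit. An idle timeout only fires when the machine is idle, so it complements, rather than replaces, users locking the screen before stepping away.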
Moving to Windows 7 won't suddenly make your life as a network administrator any easier, and it won't suddenly reduce business risks. The security issues remain, and if anything, a more complex OS makes desktop security more complex to manage.
About the author: Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. In the industry for over two decades and having worked for himself the past eight years, Beaver specializes in performing independent security assessments in support of compliance and managing business risks. He has also authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Beaver can be reached at www.principlelogic.com.
This was first published in June 2010