Microsoft continues to tout that Windows 7 and Windows Server 2008 R2 are the most secure versions of Windows ever. There's some hype to that, but there's also a grain or two of truth. After the trials by fire that Microsoft experienced when developing previous versions of Windows -- especially Windows XP -- both the process and the end product reflect a better attitude toward security. By default, the average Windows 7 installation is much more secure than previous versions, even apart from the various technologies used to enhance operational security, such as User Account Control.
However, this doesn't mean that a prospective administrator can skimp on obtaining security certification when working with Windows 7. In fact, if anything, it means the opposite.
Security isn't something you can buy
This phrase paraphrases a quote by security maven Ben Rothke. Security is something you must "get" -- the way you get how a puzzle or a joke works. And while it's possible to buy things that can enhance your security, the most security-enhancing thing is the right state of mind.
This remains true for Windows 7. The OS may be more secure by default, but if you don't know basic security concepts -- what an attack surface is, what a point of failure is -- then there's little point in attempting to implement security effectively.
I once had a friend who insisted on setting up every Windows box to automatically log him in at boot time. This is relatively easy to do, and it's a security hole big enough to drive the entire Cirque du Soleil tour bus through. If someone wants access to your system, all they have to do is cycle the power, and in a few minutes, they'll be at your desktop without having to type a password. I'm grateful that this fellow was responsible only for his own system; I don't want to think about what would have happened if he'd been administering systems for some company and had been talked into setting up people's desktops or notebooks.
As someone else once said, experience is a great teacher, but it charges hefty tuition. Better to receive it in the form of someone else's experience. And other people are lining up to learn security best practices: As my colleague Beth Shultz wrote back in November, barely a month after Windows 7 had been released, at least one IT training firm (Global Knowledge) was at capacity for its certification boot camp.
Perspective is priceless
A security certification can also give you perspective on how to use the additional security features in Windows 7. Without that training, it's easy to see these features as superfluous or one-size-fits-all answers instead of tools that can be used to solve specific problems.
One example of such a feature is BitLocker, the disk-level encryption system in the Enterprise and Ultimate editions. Deployed properly, it's a powerful way to secure a system against data theft and intrusion, but deployed improperly, it either grants no security at all or only grants security at the cost of great inconvenience. The training for security certification can help you understand not only how to apply something like BitLocker, but also in what environment. This includes things such as how to perform key escrow for BitLocker-encrypted systems and how to encrypt data not stored on the main system drive, since BitLocker doesn't automatically do that for you.
In addition, certification can provide a better idea of how Windows 7 is deployed in a given environment, and not just set up on its own. When combined with Windows Server 2008 (both the original version and the R2 release), Windows 7 is easy to secure because of Group Policy and Active Directory -- but only if you know how to use them. The place to learn about these security features the first time is in certification training -- not by stumbling over them when you're trying to deploy them.
What if you're already in the know?
What if you have a security certification for a previous version of Windows? Is it possible to skip a step and just apply what you've already learned in conjunction with what you pick up from peers and in the field?
The short answer is "yes" -- but it depends on several things.
The first is what your most recent admin experiences have been like. Administrators who have worked directly with Windows Vista and Windows Server 2008 security will have some practical groundwork laid for them. It's much easier to jump from Vista to Windows 7 than it is from Windows XP (or 2000) to Windows 7, especially with regard to the way security works on those systems. The farther you stray from home, so to speak, the better off you'll be getting recertified.
Another qualification to that "yes" is the fact that certification -- especially for something like security, as opposed to a lower-level general Microsoft Certified Systems Engineer (MCSE) -- is meant to reflect your overall understanding of the subject. You might not need to know every wrinkle of Windows security (such as how to administer Forefront) in your current position, but if something like that is dropped into your lap, you won't have to scramble as much to stay on top. So what you think of as being "in the know" may only be a small piece of a picture that could become exponentially larger overnight.
There's also the chance that your job -- or one you may inherit -- will require you to understand how to comply with regulatory requirements, like ISO/IEC 27000 practices. You don't want to have to scramble to learn such things in the weeks before an actual audit. The larger the outfit you're involved with, the more likely you'll have to dip your toe into some part of that water.
The best thing a security certification can offer you is not just training or a piece of paper, but a state of mind -- an understanding of what security is and how to carefully use any product to maintain it. Windows 7 is just one of many such things you'd study during the course of your training -- which doesn't end after you've picked up your diploma. Your education is always ongoing, and everything you do in the real world is another lesson in how security works.
ABOUT THE AUTHOR:
Serdar Yegulalp has been writing about personal computing and IT for over 15 years for a variety of publications, including (among others) Windows Magazine, InformationWeek, and the TechTarget family of sites.