Michael Argast, Sophos Head of Global Sales Engineering, and I have finished our two-part podcast on Windows 7. In this segment we discuss AppLocker, BitLocker, BitLocker To Go and UAC.
I also recently recorded a webcast on Windows 7 security with the folks over at the Information Systems Security Association (ISSA). For those of you who are security professionals, I encourage you to attend your local chapter meetings. ISSA has a policy of being an educational organization; companies are not allowed to use the ISSA meetings as a place to pitch their products.
In my webcast I discuss five best practices to protect Windows 7. I introduce all of the security-related technologies Microsoft has added or enhanced, and then explain the five most important options and how you might use them to better protect your PCs. Click "5 Best Practices to Protect Windows 7" to view the webcast. You can also access it from the ISSA website.
Q & A from the webcast
We weren't able to get to all of the questions raised during the webcast, but promised to address them afterwards. Here are the most popular questions and my answers.
Q: Does BitLocker apply to the entire volume or can it be applied per folder/directory?
A: BitLocker technology is a full disk encryption solution and applies to the entire volume. Windows 7 also includes support for EFS (Encrypting File System), which can be used on single objects.
Q: My enterprise is currently testing Windows 2008 R2. Does the Windows 7 firewall contain multiple profiles like it does in Windows 2008 R2?
A: Yes, it does. Windows 7 also detects whether you are on your enterprise network and will not attempt to connect to resources that are unavailable, which could otherwise leak credentials and share names.
Q: Can UAC be controlled through Group Policy Objects, so that your users cannot alter the UAC slider?
A: Microsoft has a list of GPOs that control the UAC options available in Windows 7. By default, non-privileged users are unable to change UAC settings.
Q: Will VOIP phones work with the Windows 7 VPN software?
A: It depends on the version of software and which VPN method you choose. Most SIP clients should be compatible with both IPSec and Microsoft DirectAccess.
Q: When using AppLocker, even if a user isn't a local admin, will they still be able to install programs that are approved on a publisher-by-publisher basis?
A: Yes. Microsoft provides a feature called Software Restriction Policies that allows you to do this.
Q: Can AppLocker allow applications that are not digitally signed?
A: Yes, but these applications are allowed only by file checksum or filename. Filenames are obviously not secure, so I would recommend using the checksum method.
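As an added illustration of the answer above (example code, not from the original post), the following PowerShell builds a hash rule and a path rule for the same unsigned executable and checks what each rule decides once a different binary is dropped in under the same filename. It assumes Windows 7 Enterprise/Ultimate with the AppLocker module and a hypothetical unsigned tool at C:\LOB\ReportTool.exe; all changes happen in a scratch folder under %TEMP%.

```powershell
# Added example, not from the original post. Assumes Windows 7 Enterprise/Ultimate with the
# AppLocker PowerShell module and an unsigned tool at C:\LOB\ReportTool.exe (hypothetical).
Import-Module AppLocker

$tool    = 'C:\LOB\ReportTool.exe'              # hypothetical unsigned application
$scratch = Join-Path $env:TEMP 'applocker-demo'  # everything below happens in this folder
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$copy = Join-Path $scratch 'ReportTool.exe'
Copy-Item $tool $copy -Force

# Gather the file's hash and path. An unsigned file carries no publisher information,
# so only Hash and Path rules can be generated from it.
$info = Get-AppLockerFileInformation -Path $copy

# Build one allow policy per rule type for the same file.
$hashPolicy = New-AppLockerPolicy -FileInformation $info -RuleType Hash -User Everyone
$pathPolicy = New-AppLockerPolicy -FileInformation $info -RuleType Path -User Everyone

# Evaluate both policies against whatever currently sits at $copy.
function Test-Both([string]$label) {
    foreach ($p in @(@{Name='Hash'; Policy=$hashPolicy}, @{Name='Path'; Policy=$pathPolicy})) {
        $d = Test-AppLockerPolicy -PolicyObject $p.Policy -Path $copy -User Everyone
        '{0,-24} {1,-4} rule -> {2}' -f $label, $p.Name, $d.PolicyDecision
    }
}

Test-Both 'original file'

# Simulate the file being swapped: a different binary (notepad.exe as a stand-in)
# is placed under the same filename. The path rule still matches; the hash rule does not.
Copy-Item "$env:SystemRoot\System32\notepad.exe" $copy -Force
Test-Both 'replaced, same filename'

# Keep the hash-based policy for review. $info still holds the original file's hash,
# so the exported rule refers to the genuine tool, not the stand-in.
$hashXml = Join-Path $scratch 'ReportTool-hash-rule.xml'
New-AppLockerPolicy -FileInformation $info -RuleType Hash -User Everyone -Xml |
    Set-Content -Path $hashXml
"Hash rule written to $hashXml"
```

After reviewing the XML, `Set-AppLockerPolicy -XmlPolicy $hashXml -Merge` adds the rule to the local policy; a new hash rule is needed whenever the unsigned tool is updated, which is the maintenance cost of the checksum method.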
Q: AppLocker + Sophos - are U3 and Portable Apps accounted for in the authorized/blocked lists?
A: Sophos Application Control provides predefined application identities for U3, portable applications, and other program launchers. For a full list, please see our list of controlled applications.
Q: What security issues are inherent with running XP Mode within a Windows 7 environment? Do any of the new Windows 7 enhancements prevent issues with XP Mode?
A: Sophos CTO Richard Jacobs has written several blog posts listing his concerns with XP Mode in Windows 7. Nothing has been done explicitly to provide additional protection for the XP Mode virtual machine.
Q: For XP mode, don't we also need to license the apps that are installed on it? For instance, AV software. You would need 2 licenses for one computer, correct?
A: You will need to consult your vendors' EULAs to determine licensing requirements. Sophos Anti-virus, for example, is typically licensed per person, so if a computer is covered for Windows 7, this would also entitle you to run it in XP mode.
Note: Questions have been edited for grammar and spelling.
There were more questions, and I plan to follow up later with another round of Windows 7 Q&A. Thank you to everyone who attended, and feel free to share our podcasts, webcasts, and whitepapers with your friends and colleagues.