Security. Ask anyone in the software industry what they think is the most important thing to consider when developing an applications and, invariably, security will be in the top three if not the number one thing (which is really what it should be every time). Of course, it’s no secret that many applications have fallen from the pure path when it comes to security. It seems almost a cliché news item these days where tens of thousands or even millions of records containing personal information walked out of an office building somewhere on a thumb drive, driving-up costs for corporations, governments and individuals and driving-down the public trust that the personal information we entrust to other is actually being secured in any reasonable fashion.
In 2002, the famous Bill Gates security memo changed the way Microsoft approached development of its products. The so-called “Trustworthy Computing” initiative was born and Windows Vista was the first OS release from Microsoft that embraced the security-first mindset. Windows 7 takes the next evolutionary steps by enhancing some of the features of Vista and adding support for new security features. In this post, we’ll look at the two most obvious new security features in Windows 7: BitLocker To Go and User Account Control (UAC).
BitLocker To Go
BitLocker, which debuted on Windows Vista Ultimate and Enterprise, is a hard drive security tool that encrypts all of the data on your computer’s hard drive partition and allows access to it only if you are logged into the machine under the identify of the data’s owner. This utility was designed specifically to prevent sensitive data from being accessed from a lost or stolen laptop, an ever increasing phenomenon with the number of mobile workers burgeoning.
Stolen or misplaced laptops are not the only threat to sensitive data, however. More and more, we hear stories about data walking out the front door of an office building on USB flash drives and other types of portable media. According to the 2008 Computer Security Institute Computer Crime and Security Survey, 42% of respondents reported that their organization experienced theft of laptops or mobile devices.
Windows 7 takes BitLocker to the next level with BitLocker To Go, which extends encryption capabilities to externally connected USB drives while making the original features of BitLocker even easier to use. To access BitLocker or BitLocker To Go, just follow these steps:
1) Attach your external USB drive and open Windows Explorer. Click on the Computer item to look at all internal and attached drives.
2) Right-click on the icon for your attached drive and select Turn on BitLocker…
3) BitLocker will initialize for a few seconds and then present you with the following dialog:
Decide whether you want to use a custom username and password to access the encrypted data or use your SmartCard and click the Next button.
4) On the next dialog box, you will choose how to persist your recovery key should you forget or lose your password to the encrypted drive:
As this information will give someone access to your drive, be sure to store this information in a secure area, both the physical page if you choose to print it, and in your file system. Once you’ve stored your recovery key, click the Next button.
5) On the final dialog window, click the Start Encrypting button to encrypt your USB drive. Depending on the size of the drive, this can take some time. Once the encryption process begins, you should let it finish before removing the drive from your machine. However, if you need to remove it, be sure to click Pause button.
6) Now, remove the drive for your computer and then reattach it. You’ll see the dialog below:
Notice that you’re being prompted to enter your password. For your convenience, you can also indicate that the drive should automatically unlock when connected to your computer. If you need to ever change any of your BitLocker settings for the drive, you can always right-click on the drive icon in Windows Explorer, select Manage BitLocker…, and you’ll get the following dialog which will let you configure the BitLocker settings for the drive, including removing protection.
So there you have it. The same security that BitLocker brought to your internal hard drives in Vista can now be used on portable drives. Cool stuff.
Easily one of the most contentious security features to ever come out of Microsoft, UAC was implemented in Windows Vista as a means of preventing users from inadvertently installing unwanted software on their machines.
I want to make this very clear here and now: There is a lot of passion, both for but mostly against UAC. I have always been a supporter of using UAC as it is the best means Windows provides of keeping unintended software from getting installed on your computer. This post is meant to show some of the ways UAC works in the beta of Windows 7. I will not engage you in a debate over whether UAC should or shouldn’t be or how well you think it works. There are other venues for that conversation and this post isn’t one of them.
That being said, the first thing you’ll notice about UAC in Windows 7 is that the product team seems to have “right-sized” UAC prompts. One of the main complaints from users regarding UAC in Vista was its ubiquity. It seemed that even the most minute system changes required user or even administrative approval. While this certainly had the effect of making users more aware of what was happening on their PCs, it also had a negative impact on their experience.
In Windows 7, the user impact of UAC is significantly improved. By default, Windows 7 UAC will only prompt the user when software on the system tries to modify Windows, but does not prompt when the user makes changes to Windows. In Windows Vista, you had two options as far as UAC was concerned: Leave it on or turn it off. When left with this choice, many users chose to turn it off and completely lost the benefits UAC did provide. In Windows 7, you have significantly more control over this via the UAC Control Panel Applet. To access it:
1) Click on the Windows Start icon in the lower left-hand corner and select Control Panel.
2) Click on the System and Security link and then, under the Action Center section, click Change User Account Control settings.
3) You will now see the dialog below which contains a slider providing you with the ability to modify how UAC works on your machine. The default setting only notifies the user if software attempts to change Windows somehow, but not when you make changes to Windows yourself:
Like wise, you can increase the UAC setting to prompt you when you are about to change Windows settings, by moving the slider to the top “Always notify” setting. Moving the slider down one position from the default will remove the grayed out background that happens when UAC prompts appear, and obviously moving the slide to the lowest position turns off UAC notifications altogether.
The guiding principle I have for everyone regarding UAC in Windows 7 is: “With great power comes great responsibility.” In roughly two months of using exclusively Windows 7, I have found no need to modify my UAC settings. It’s nice to not be prompted about every little system change, but it’s reassuring to know that it’s still monitoring for system changes initiated by applications on my machine.
It’s important to reinforce here the need for developers to write their software for Standard User in Windows 7. There are plenty of best practices documents available online, including this excellent presentation from PDC 2008, for doing this. Developing software with UAC in mind is a good security practice and should be made top of mind with developers writing software for Windows.
There are, obviously, many more security features coming with Windows 7, including improvements in the migration and deployment tools, the AppLocker application I discussed in last week’s post, improvements and better transparency in the System Restore utility and performance enhancements in Windows Defender. I will likely touch on these additional features in future post, but I thought that BitLocker To Go and the changes to UAC were the most compelling to touch on first. Tune in next week when I look at some cool ways to tweak out your experience in the new Windows 7 desktop!