11.07.2015 Views

Enterprise Security Benefits of Microsoft Windows 7* Brief - Intel



IT@Intel Brief
www.intel.com/it

Background

Intel IT is deploying 64-bit Microsoft Windows 7 Enterprise across our environment, following a three-month technical evaluation that showed the OS meets the key requirements of our business groups.

We are deploying the OS on new PCs with 2010 Intel Core vPro processors, which provide new security and manageability capabilities that complement Microsoft Windows 7.

Information security remains a critical concern for Intel IT; we are acutely aware of our responsibility to maintain the security and integrity of Intel's intellectual property as well as employees' personal information. New threats are continually evolving, and over time, this has forced us to invest in various security controls and mitigation strategies.

Our technical evaluation of Microsoft Windows 7 included an extensive security assessment, including an analysis of capabilities designed to address existing threats.

Security Assessment

We began our security assessment with an early analysis of the enterprise security features of the OS, based on published information from Microsoft and other sources. We then conducted a detailed, hands-on security assessment, including tests of the security features and settings, as part of the Intel IT Microsoft Windows 7 technical evaluation program.

IMPROVED SECURITY FOUNDATION

We found that the OS was designed with an increased focus on security and includes significant core capabilities designed to harden the OS against security threats. Microsoft Windows 7 was designed and developed using the Microsoft Security Development Lifecycle (SDL) software security assurance process, which systematically addresses software security during development to reduce vulnerabilities in the OS. This increased our confidence in the security of the code.

We also identified and enabled key capabilities designed to block some of the most common types of malware exploits. These capabilities include:

• Data Execution Prevention (DEP), which works with the Execute Disable (XD) bit in Intel® Core processors to help prevent exploits that use buffer overflow.
• Address Space Layout Randomization (ASLR), which makes it harder for hackers to target specific memory addresses.
• Safe Structured Exception Handling (SEH), designed to block exploits that use the SEH overwrite technique.

Microsoft Windows 7 includes a number of other core security features that can help prevent problems caused by malware or poorly written applications. An example is kernel patch protection, also known as PatchGuard, in the 64-bit OS that we are deploying. This blocks attempted changes to the Microsoft Windows 7 kernel. In addition, kernel-mode code integrity checks help block malware attacks by requiring digitally signed device drivers.

SETTINGS AND CONTROLS

During our testing, we determined that most Microsoft Windows 7 Enterprise default settings matched our security requirements. These default settings include the requirement that applications use strong authentication, based on Kerberos v5*, and encryption for passwords sent over networks. The default settings provided additional confirmation that the OS was designed with a focus on enterprise security.

In addition, several tools provide more granular controls that help us identify security events and enforce security policies. An example is the Event Viewer, which makes it easier to examine and interpret individual security-related and other system events. We can also apply more granular settings when defining group policy objects to enforce configurations or group policy preferences for specific groups of users.

STREAMLINED MICROSOFT UAC

Microsoft UAC improves security awareness by helping ensure that applications and users run with standard user privileges. With Microsoft UAC enabled, users are prompted to approve sensitive functions like installation of software or changes to protected system areas. This notification allows users to make informed choices and potentially prevents malware from installing or making changes to their systems. We consider this an important benefit and require that all applications function with Microsoft UAC at its highest settings.

In Microsoft Windows 7, Microsoft UAC has been enhanced so that it generates fewer prompts. We believe the increased usability will help raise users' security awareness. Because prompts occur less frequently, users may be more likely to consider the implications of each prompt they see rather than automatically clicking to approve it.

In the future, we would like to see more granularity and configurability that would enable us to further customize Microsoft UAC to our specific enterprise security requirements.
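As an added illustration (not part of the Intel brief), the sketch below reads the header flags through which a Windows executable opts in to the DEP, ASLR and SEH protections listed under Improved Security Foundation. The function names and the sample headers are constructed for this example; the flag values are the standard IMAGE_DLLCHARACTERISTICS bits of the PE format.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header
DYNAMIC_BASE = 0x0040  # image can be relocated: ASLR opt-in
NX_COMPAT = 0x0100     # image is compatible with DEP
NO_SEH = 0x0400        # image contains no SEH handlers

def pe_mitigations(data: bytes) -> dict:
    """Report the DEP/ASLR/SEH opt-ins recorded in a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    opt = pe_off + 24  # 4-byte signature + 20-byte COFF header
    if len(data) < opt + 72 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE headers missing or truncated")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    if magic == 0x20B:
        seh = "table-based (SafeSEH not applicable)"
    elif flags & NO_SEH:
        seh = "no handlers in image"
    else:
        # 32-bit SafeSEH lives in the load config directory, not parsed here
        seh = "verify SafeSEH table in load config"
    return {"machine": hex(machine), "dep": bool(flags & NX_COMPAT),
            "aslr": bool(flags & DYNAMIC_BASE), "seh": seh}

def sample_image(machine: int, magic: int, flags: int) -> bytes:
    """Constructed input: bare headers only, not a loadable executable."""
    buf = bytearray(0x80 + 24 + 72)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)       # e_lfanew -> 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, machine)
    struct.pack_into("<H", buf, 0x80 + 24, magic)
    struct.pack_into("<H", buf, 0x80 + 24 + 70, flags)
    return bytes(buf)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # headers normally fit in the first 4 KiB
        with open(path, "rb") as fh:
            print(path, pe_mitigations(fh.read(4096)))
```

Run against an application directory during compatibility testing, a `False` for `dep` or `aslr` identifies binaries that were not built to use the protections the OS offers.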


MICROSOFT INTERNET EXPLORER 8*

We are migrating to Microsoft Internet Explorer 8, which is included with Microsoft Windows 7. This adds several important security capabilities. On Microsoft Windows 7, the browser operates in protected mode by default, running without administrative privileges and prompting users if a Web site tries to install software. This helps protect against automated malware downloads.

The application also includes other features that help protect Intel and our employees against malicious Web sites:

• The SmartScreen Filter helps users avoid phishing Web sites that attempt to gather their information for malicious purposes and alerts them if a site they are trying to open has been reported as unsafe.
• A cross-site scripting (XSS) filter helps detect and disable cross-site scripting attacks, an increasingly common type of threat.
• InPrivate browsing allows users to surf the Web without storing information such as cookies and passwords on their PCs. This potentially provides privacy and security benefits when users are accessing confidential information.

NETWORK LOCATION AWARENESS

PCs running Microsoft Windows 7 automatically detect the type of network connection available; applications such as Microsoft Internet Explorer 8 and Windows Firewall can use this information to apply different controls depending on the network type. For example, more-restrictive settings can be used if users are connected to a public network rather than the enterprise network.

DRIVING DEVELOPMENT OF MORE SECURE APPLICATIONS

Adoption of Microsoft Windows 7 is helping to increase the overall security of our enterprise environment by driving the development of more-secure applications. We have raised our security requirements based on the security settings and capabilities in Microsoft Windows 7. For example, we require that applications run in standard user mode rather than needing administrative privileges.

During Microsoft Windows 7 application testing, we tested the ability of commonly used internal and external Web sites to function with the strong network encryption and authentication settings of Microsoft Windows 7. We determined that some of these Web sites did not function properly; in these cases, Web sites were required to improve their security posture to meet the higher security settings.

We are also investigating the possibility of making digitally signed applications a requirement for external software suppliers and internal developers.

DISABLED FEATURES

Although the vast majority of Microsoft Windows 7 default features and settings matched our enterprise security requirements, we identified a few that did not. For example, we disabled Microsoft HomeGroup because it is designed for home networking and could be used to share data outside the corporate environment.

Deployment on PCs with 2010 Intel® Core vPro Processors

We are deploying Microsoft Windows 7 on new PCs based on 2010 Intel Core vPro processors, which optimize performance and provide capabilities that complement the security benefits of Microsoft Windows 7.

Intel® Core i5 vPro processors and Intel® Core i7 vPro processors provide hardware-assisted remote manageability and security capabilities with Intel® vPro technology that enable us to better protect PCs down the wire. We are implementing several Intel vPro technology use cases that take advantage of these capabilities, including remote configuration, remote power management, and remote diagnosis and repair.

With remote configuration, our Service Desk technicians can remotely perform functions such as configuring Trusted Platform Module security hardware and resetting hard drive encryption passphrases. Remote power management allows PCs to be remotely booted after hours, enabling faster and more reliable delivery of security patches and other software updates. We are also evaluating a system isolation and recovery use case, which would enable us to protect against the spread of malware by isolating infected PCs at the hardware level.

PCs based on 2010 Intel Core i7 vPro processors also can run up to eight simultaneous hardware-based threads using Intel® Hyper-Threading Technology (Intel® HT Technology), allowing antivirus software and security compliance checks to run unobtrusively in the background while employees use other applications. Other hardware capabilities include Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI). We anticipate that the whole-disk encryption software we are using to protect data on employees' laptop PCs will take advantage of these instructions to accelerate data encryption and decryption performance.
