The ultimate guide to Windows 7 security

Learn how to put AppLocker, BitLocker to Go, security accounts, and other key Windows 7 security improvements to good use.

By Roger A. Grimes, InfoWorld |  Windows, AppLocker, BitLocker to Go

Improved System Restore. System Restore now includes the user's personal content files. Older versions backed up and protected only the Windows system files. System Restore also allows you to see what files would be restored in each version of the System Restore files. It's not perfect, but it's nice to see what will occur if you were to choose a particular restoration point.

Smooth remote access. DirectAccess allows remote users to securely access enterprise resources (such as shares, Websites, applications, and so on) without connecting to traditional types of VPNs. DirectAccess establishes bidirectional connectivity with a user's enterprise network every time a user's DirectAccess-enabled portable computer connects to the Internet, even before the user logs on. The advantage here is that users never have to think about connecting to the enterprise network, and IT administrators can manage remote computers even when the computers are not connected to the VPN.

Once DirectAccess is enabled, when a user's computer connects to the Internet, it's as though he or she is on the organization's local network. Group policies work, remote management tools work, and automatic push patching works.

Unfortunately, DirectAccess has fairly involved requirements, including Windows Server 2008 R2 (to act as the RAS server), Windows 7 Enterprise or Ultimate clients, PKI, IPv6, and IPSec. But as companies put the necessary pieces into place, they should look into using DirectAccess as their default VPN technology for Windows 7 and later clients.

Managed Service Accounts. Service accounts are often highly privileged, but difficult to manage. Best-practice recommendations dictate changing service account passwords frequently, so as to avoid the risk of password attacks. However, Windows service accounts often require two or more coordinated, synchronized password changes in order for the service to continue running without interruption; prior to Windows 7 and Windows Server 2008 R2, service accounts were not easy to manage. If a service account is enabled as a Managed Service Account, Windows will take over the password management and simplify management of Kerberos SPNs (Service Principal Names).

Like DirectAccess, Managed Service Accounts have a lot of requirements, including a schema update and mandatory use of PowerShell 2. Still, if service accounts are a hassle in your environment -- and you know they are -- consider enabling this new feature when your infrastructure is prepared.
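As an added illustration (not part of the original article), the PowerShell 2.0 sketch below first inventories services that still log on with an ordinary, hand-rotated account, then shows the ActiveDirectory-module cmdlets that create a Managed Service Account and bind it to one host. The function names and the account and host names passed to them are hypothetical; the example assumes the schema update is in place and the ActiveDirectory module is installed.

```powershell
# Added example; function names are hypothetical, not from the article.

# Built-in identities whose passwords no administrator has to manage.
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

function Get-MsaCandidateService {
    # Lists services running under an ordinary user account, i.e. one whose
    # password must be changed by hand in both AD and the service configuration.
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Where-Object {
            $_.StartName -and                               # drivers and some services have none
            ($builtin -notcontains $_.StartName) -and
            ($_.StartName -notlike 'NT SERVICE\*') -and     # per-service virtual accounts
            ($_.StartName -notlike '*$')                    # account name ends in $: already an MSA
        } |
        Select-Object Name, DisplayName, StartName, StartMode, State
}

function New-HostBoundMsa {
    # Run once by a domain administrator: creates the MSA in Active Directory
    # and associates it with the single computer allowed to use it.
    param(
        [Parameter(Mandatory = $true)][string]$AccountName,
        [Parameter(Mandatory = $true)][string]$HostName
    )
    Import-Module ActiveDirectory
    # On Windows Server 2012 and later this cmdlet creates a group MSA by default;
    # -RestrictToSingleComputer requests the single-host kind described here.
    New-ADServiceAccount -Name $AccountName -Enabled $true
    Add-ADComputerServiceAccount -Identity $HostName -ServiceAccount $AccountName
}

function Install-HostBoundMsa {
    # Run on the member server itself, after New-HostBoundMsa.
    param([Parameter(Mandatory = $true)][string]$AccountName)
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $AccountName
    # The service's logon is then set to DOMAIN\<AccountName>$ with the password
    # fields left blank in the Services console; Windows rotates the password.
}

# Read-only first step: review what would benefit from conversion on this host.
Get-MsaCandidateService | Format-Table -AutoSize
```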


Originally published on InfoWorld.