Category Archives: Windows 7

AppLocker

This is the fourth part of a feature comparison series where I look at the differences between Microsoft Windows 7 Professional and Enterprise editions. For the full list of features, see the first post.

In this post I’ll review the usage scenarios and explore the benefits and caveats of AppLocker; hopefully it will help you decide if AppLocker contributes to the case for the extra cost of the Enterprise license.

AppLocker is a policy-based security mechanism that either allows or disallows software from running on a system. You’re right in thinking this sounds a lot like Microsoft’s Software Restriction Policy (SRP) feature. They are very similar, but not the same thing. As with SRP, AppLocker can either block all applications from running except for the ones you whitelist, or allow all except for the ones you blacklist. Like most security solutions, the more secure it is, the more burdensome management can be. AppLocker improves on SRP with new features that make setup and management easier. My favourite is the ability to white- or black-list applications by vendor, so for example I can unlock all Adobe apps with one rule.

AppLocker may be better than SRP, but this doesn’t mean that you have to get rid of your SRP group policies, as Windows 7 supports both AppLocker and SRP. It does this by ignoring SRP if both AppLocker and SRP settings are applied to the system. This also means that if you have a mixture of Windows 7, XP and/or Vista machines then you can use a mixture of AppLocker and SRP, but it is advisable to thoroughly test the effects of combining these settings in the same group policy.
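As an added example (not code from the original post), the following PowerShell session uses the AppLocker module that ships with Windows 7 Enterprise to build a vendor-level publisher rule, dry-run it against real files, roll it out in audit-only mode, and then read the audit events. The Adobe install path, the rule prefix and the use of the local policy rather than a domain GPO are assumptions for the sake of illustration; run it in an elevated PowerShell session.

```powershell
# Added example: vendor (publisher) whitelisting with AppLocker, tested before enforcement.
# Assumes the Windows 7 AppLocker module and an (assumed) Adobe install folder.
Import-Module AppLocker

# 1. Collect signature information for every executable under the vendor's folder.
$vendorDir = 'C:\Program Files\Adobe'   # assumed path for illustration
$fileInfo  = Get-AppLockerFileInformation -Directory $vendorDir -Recurse -FileType Exe

# 2. Generate publisher rules. -Optimize merges rules that share a signer, so the
#    result is one rule per vendor/product rather than one per binary.
$policyXml  = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
    -User Everyone -RuleNamePrefix 'Adobe' -Optimize -Xml
$policyPath = Join-Path $env:TEMP 'applocker-adobe.xml'

# 3. Switch every rule collection to AuditOnly so nothing is blocked yet; events are
#    still logged, which is how you find out what the policy *would* have stopped.
[xml]$doc = $policyXml
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$doc.Save($policyPath)

# 4. Dry-run the policy against a few files without touching the machine.
#    calc.exe is outside the vendor folder, so an allow-only policy reports it as
#    DeniedByDefault; the Adobe binaries should match the new publisher rule.
$samples = @(Get-ChildItem -Path $vendorDir -Recurse -Filter *.exe |
             Select-Object -First 3 -ExpandProperty FullName)
$samples += Join-Path $env:SystemRoot 'System32\calc.exe'
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path $samples |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply to the local policy (omit -Ldap for local; pass -Ldap for a domain GPO).
#    AppLocker only evaluates rules while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# 6. Review what audit mode recorded. Event 8003 = allowed to run but would have been
#    blocked if enforced; 8004 = actually blocked once you move to Enforce.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message | Format-List

# 7. Confirm which policy is actually in effect on this client (relevant when both
#    SRP and AppLocker settings reach the machine: with AppLocker present, SRP is ignored).
Get-AppLockerPolicy -Effective -Xml
```

Leaving the collections in AuditOnly for a pilot group and reviewing the 8003 events is the cheapest way to find the unsigned or unexpected tools users depend on before you flip the same XML to Enabled.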

To conclude, I think AppLocker offers a great way to make your Windows 7 desktops more secure. The biggest obstacle to implementing it may actually be user acceptance, especially in environments where they had free rein over their pre-Windows 7 machines, but that’s not an insurmountable problem. To get started with evaluating AppLocker you can download the walkthrough from Microsoft’s website.

Bitlocker and Bitlocker To Go

This is the third part of a feature comparison series where I look at the differences between Microsoft Windows 7 Professional and Enterprise editions. For the full list of features, see the first post.

In this post I’ll review the usage scenarios and explore the benefits and caveats of Bitlocker and Bitlocker To Go; hopefully it will help you decide if Bitlocker contributes to the case for the extra cost of the Enterprise license.

Bitlocker has been a feature of Microsoft’s client operating systems since Windows Vista, but Windows 7 adds some compelling new features, most notable of which is Bitlocker To Go, which enables protection of USB flash drives.

Bitlocker offers data protection in scenarios where loss or theft of storage media is a concern, so it’s ideal for protecting portable storage media, laptops and physically vulnerable desktops. It works by encrypting the entire volume, and only allowing access to the disk after the system has been started by a trusted party. This trust is established during the boot process when the user either keys in a PIN, inserts a USB key or both.

On the plus side, Bitlocker trumps EFS (Microsoft’s file-level encryption technology) as it is transparent to users and does not rely on them remembering to encrypt sensitive data. On the down side, it offers no protection once the system is up and running. Bitlocker can also cause administrators headaches if there is no centralised management of data encryption. Bitlocker has the potential to render important information inaccessible if users enter the incorrect PIN too many times and then can’t remember their recovery password. Fortunately Bitlocker can be managed with a variety of Group Policy settings that allow comprehensive management of Bitlocker, including saving the recovery password information to Active Directory.

Group Policy makes it possible to manage Bitlocker on an enterprise scale, but this does not guarantee everything will be plain sailing. It is advisable to invest some time and resources in evaluating and testing Bitlocker in your environment. I’d recommend that you only roll out Bitlocker once you have a tried and tested recovery procedure in place and you’ve trained support staff and end users how to use it.
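The script below is an added example, not from the original post, of what “recovery procedure in place first” looks like on a Windows 7 machine. It drives manage-bde.exe (the Windows 7 BitLocker command-line tool; the Enable-BitLocker cmdlets only arrived later) from PowerShell: it checks that the Group Policy values for Active Directory recovery backup are present, adds a TPM+PIN protector and a recovery password, backs the recovery password up to AD before turning encryption on, and then protects a removable drive the Bitlocker To Go way. The drive letters and the registry value names under the FVE policy key are assumptions for the illustration.

```powershell
# Added example: BitLocker rollout with a verified recovery path, using manage-bde.
# Assumes Windows 7 Enterprise, a TPM, a domain-joined machine, and (assumed) drive letters.
$osDrive        = 'C:'
$removableDrive = 'E:'   # assumed letter of a USB flash drive for Bitlocker To Go

# 1. Refuse to encrypt unless policy says recovery info is backed up to AD DS.
#    These are the registry values the "Store BitLocker recovery information in
#    Active Directory Domain Services" policy writes (names assumed for illustration).
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.OSActiveDirectoryBackup -ne 1 -or $fve.OSRequireActiveDirectoryBackup -ne 1) {
    throw 'AD DS recovery backup policy is not applied; fix Group Policy before encrypting.'
}

# 2. Current state: is the volume already encrypted, and is the TPM ready?
manage-bde -status $osDrive
manage-bde -tpm -turnon            # no-op if the TPM is already enabled and owned

# 3. Key protectors: TPM + PIN for boot-time trust, plus a recovery password
#    for the help desk. manage-bde prompts interactively for the PIN.
manage-bde -protectors -add $osDrive -TPMAndPIN
manage-bde -protectors -add $osDrive -RecoveryPassword

# 4. Pull the recovery protector ID out of the listing and push it to AD *before*
#    encryption starts, so there is never an encrypted volume without an escrowed key.
$listing = manage-bde -protectors -get $osDrive -Type RecoveryPassword
$match   = $listing | Select-String -Pattern '\{[0-9A-Fa-f-]+\}' | Select-Object -First 1
if (-not $match) { throw 'No recovery password protector found on ' + $osDrive }
$protectorId = $match.Matches[0].Value
manage-bde -protectors -adbackup $osDrive -id $protectorId

# 5. Encrypt the OS volume. Windows 7 encrypts the whole volume, so this runs in
#    the background for a while; -status shows percentage complete.
manage-bde -on $osDrive
manage-bde -status $osDrive

# 6. Bitlocker To Go: a removable drive gets a password protector for the user and a
#    recovery password for the organisation, then encryption is switched on.
manage-bde -on $removableDrive -Password -RecoveryPassword
manage-bde -protectors -get $removableDrive

# 7. Help desk rehearsal for the recovery procedure: the 48-digit recovery password
#    unlocks a drive that is asking for recovery (placeholder value shown).
# manage-bde -unlock $removableDrive -RecoveryPassword 111111-222222-333333-444444-555555-666666-777777-888888
```

Rehearsing step 7 with support staff on a test drive, and confirming the escrowed password is readable from the computer object in Active Directory, is the “tried and tested” procedure the paragraph above asks for before anyone travels with an encrypted laptop.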

In summary, Bitlocker offers protection against attackers who try to access your sensitive data by booting compromised systems with other operating systems or by installing stolen disks in another system and either booting from or slaving them. When properly managed, it offers an important layer of security to enterprises whose mobile users travel with sensitive data.

For more information, including a FAQ page and detailed deployment guides, visit the Windows 7 Bitlocker page on TechNet.

BranchCache

This is the second part of a feature comparison series where I look at the differences between Microsoft Windows 7 Professional and Enterprise editions. For the full list of features, see the first post.

In this post I’ll review the usage scenarios and explore the benefits and caveats of BranchCache, and hopefully help you decide if it makes a compelling case for the extra cost of the Enterprise license.

As the name suggests, BranchCache enables caching on Windows 7 systems and it is aimed at branch offices. This is not to say it will only work in branches; it will work on any high-latency network. BranchCache works with network requests made over SMB, HTTP or BITS, therefore websites, Windows file shares, WSUS and System Center content can be cached. Once you enable BranchCache, Windows 7 clients will be able to retrieve cached copies of data either from a specified cache location (Hosted mode) or from Windows 7 peers (Distributed mode), rather than over the WAN. This will reduce the time it takes to retrieve files, is transparent to users and will reduce your WAN utilisation.

Since distributed mode is effectively peer-to-peer caching it is ideal for sites where it is not viable to host any servers. In this mode a Windows 7 system will first check with its peers whether a desired file is cached by any of them. If it isn’t, the file will be retrieved as normal and cached by the requesting client. The next time the file is requested by a client the file will be retrieved from the peer(s) where it is cached, but only if the file stored on the content server has not changed since it was cached. Distributed caching is simple to enable and doesn’t require additional hardware or software investment on the client. The price you pay for all this “free” caching goodness starts with the extra cost of the Enterprise license, and the disk space (5% by default) and processing power that peer-to-peer caching will consume on your Windows 7 clients, but the real cost lies in the fact that all of the file/web/content servers at head office need to be running Windows Server 2008 R2 to play nice with your BranchCache clients. Not a problem if your servers are already up to date, but possibly a deal breaker otherwise.

This brings us to Hosted mode caching. Hosted mode is well suited to environments where resources are accessed via slow networks, but where it isn’t viable to set up and maintain local replicas of your content servers. In this scenario the cached data is held on a designated server. It can be a dedicated server or a server with available disk/processor capacity, but it does have to be a Windows Server 2008 R2 system. As with distributed caching, the servers that store the original content need to be running R2. Client setup is via group policy again, and setting up the cache host requires the File Server role to be installed along with its BranchCache sub-component. The caching mechanism is also similar, except that clients refer to the central host instead of referring to peers when looking for cached data.
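To make the two modes concrete, here is an added example (not from the original post) that configures a Windows 7 client for either Distributed or Hosted mode with the netsh branchcache context, sets the cache size the post mentions, and verifies the result, plus the two commands needed on the Windows Server 2008 R2 side. The hosted cache hostname, the 10% cache size and the counter-based check at the end are assumptions for illustration; the function must run elevated.

```powershell
# Added example: switching a Windows 7 client between BranchCache modes and checking it.
# Assumes an elevated session; hostname and sizes below are illustrative.
function Set-BranchCacheClientMode {
    param(
        [Parameter(Mandatory)][ValidateSet('Distributed', 'Hosted', 'Off')][string]$Mode,
        [string]$HostedCacheServer,      # required for Hosted mode
        [int]$CachePercent = 10          # Windows 7 defaults to 5% of the disk
    )
    switch ($Mode) {
        # Peer-to-peer: clients answer each other's multicast lookups on the local subnet.
        'Distributed' { netsh branchcache set service mode=DISTRIBUTED }
        # Hosted: clients publish to and retrieve from one designated 2008 R2 server.
        'Hosted' {
            if (-not $HostedCacheServer) { throw 'Hosted mode needs -HostedCacheServer' }
            netsh branchcache set service mode=HOSTEDCLIENT location=$HostedCacheServer
        }
        'Off' { netsh branchcache set service mode=DISABLED }
    }
    if ($Mode -ne 'Off') {
        # Cap the local cache so peer caching cannot eat the user's disk.
        netsh branchcache set cachesize size=$CachePercent percent=TRUE
    }
    # Report the effective mode, cache location, size and firewall state.
    netsh branchcache show status all
}

# Example calls (pick one): a server-less branch uses Distributed mode; a branch
# with a spare 2008 R2 box points at it by name (assumed hostname).
Set-BranchCacheClientMode -Mode Distributed
# Set-BranchCacheClientMode -Mode Hosted -HostedCacheServer 'cachehost.branch.example.local'

# Clearing the local cache is a quick way to prove a later retrieval really came
# from a peer or the hosted cache rather than from this client's own earlier copy.
# netsh branchcache flush

# Before/after measurement for the pilot group: the BranchCache counter set
# (name assumed here) records bytes served from cache versus from the server.
Get-Counter -ListSet 'BranchCache' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Counter

# --- Server side (run on Windows Server 2008 R2, not on the client) ---
# Content servers: the file server needs the BranchCache sub-component of the
# File Services role so it can serve content hashes to clients.
#   Import-Module ServerManager
#   Add-WindowsFeature FS-BranchCache
# Hosted cache server: same feature, then register it as the hosted cache.
#   netsh branchcache set service mode=HOSTEDSERVER
```

Because the client only checks peers or the hosted cache after the content server confirms the hashes are still current, neither mode changes who is allowed to read a file; the existing SMB and HTTP access checks still apply, which is why the post can describe it as transparent to users.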

I would recommend Hosted caching only if Distributed caching does not provide adequate responsiveness or creates too much peer-to-peer workload on Windows 7 clients. Your results will vary so it’s worth monitoring performance in a small test group before and after implementing this feature, but according to an internal case study, “Microsoft IT significantly improved service availability while maintaining network traffic encryption including HTTPS and IPsec and reducing WAN usage and server demand”, and “Using BranchCache, Microsoft IT expects to save money while increasing branch user productivity.”

For a more detailed overview of BranchCache, review this TechNet article, or download the Deployment Guide for a step-by-step walkthrough.

The next article in this series deals with Bitlocker and Bitlocker To Go.

Microsoft Windows 7 Professional vs. Enterprise Feature Comparison

While preparing for an upcoming course I was surprised that I couldn’t find a concise summary of the differences between Windows 7 Professional and Enterprise editions. Most resources seem obsessed with comparing the Ultimate edition, which is only interesting for “must-have-all-the-shiny-toys” enthusiasts.

Judging by the names it seems obvious that one is designed for business and the other is designed for big business, but which features are you paying extra for, and are they worth the expense?

Looking at Microsoft’s own Windows 7 site and Paul Thurrott’s great Supersite for Windows, I was able to determine the following key features that Windows 7 Enterprise has over and above the Professional edition.

Rather than drill down into the detail here, I have blogged on the benefits and caveats of each feature in a separate article. Click the links below to read on: