
AppLocker is a new feature of Windows 7 that allows you to restrict program execution via Group Policy. It is comparable to—but better than—the Software Restriction Policies of former Windows versions, which are still supported in Windows 7 and Windows Server 2008 R2. Software Restriction Policies are not very popular among admins, because configuring them is time-consuming and yet they can easily be circumvented. AppLocker promises to address both downsides of Software Restriction Policies. In this article, I will give an overview of the capabilities, and in my next post, I will explain how to use AppLocker.

AppLocker supports three types of rules: Path Rules, File Hash Rules, and Publisher Rules. Path Rules and Hash Rules are already available as part of the Software Restriction Policies.

(more…)

In my last article I gave an overview of AppLocker. In this post I will give you some tips on how to test AppLocker.

You can try AppLocker in a Windows domain environment using Group Policy or you can test it with the Local Security Policy snap-in. If you want to work with Group Policy, then you should install the Remote Server Administration Tools (RSAT) for Windows 7 first and then add the Group Policy Management Tools through the Windows Feature applet. This allows you to define Publisher Rules with the Group Policy Editor under Windows 7. You can also configure Publisher Rules on a Windows Server 2008 R2 domain controller. But to do this you need a reference file of the application that might be unavailable on the domain controller.

(more…)

The Action Center is a new feature in the Windows 7 Control Panel that could prove useful for system administrators. It is a replacement of Vista’s Security Center and gives an overview of security and maintenance-related status messages.

Before I start reviewing the Action Center, I want to say a word or two about the changes in the Control Panel. At first sight, it looks pretty much the same as in Vista; however, Microsoft moved quite a few applets to different positions. I don’t know whether the new configuration makes more sense than the old one, or if it makes it easier for newbies to find an applet. But one thing is certain: Vista users who just got used to the new Control Panel will start searching again.

(more…)

BitLocker was introduced with Windows Vista and, as far as I know, it was not very popular. This might be because it is available only for Windows Vista Ultimate and Windows Vista Enterprise. But the main reason probably is that it is complicated to set up. I compared BitLocker to TrueCrypt a year ago and concluded that the Open Source tool is the better drive encryption solution. BitLocker in Windows 7, however, has significantly improved. In this article I discuss BitLocker’s system drive encryption, and in my next post I will review BitLocker-to-Go, the new encryption solution for removable storage devices.

BitLocker for Vista was too complicated to set up once the operating system was installed. Users had to shrink the system partition to make space for the BitLocker partition. Microsoft acknowledged that this was too difficult for end users, and too time-consuming for administrators, and released the BitLocker Drive Preparation Tool, which is part of the Ultimate Extras and is also available for Windows Vista Enterprise.

(more…)

BitLocker to Go is a new feature in Windows 7 that allows you to encrypt data on removable drives such as USB sticks. I believe that BitLocker to Go will be more popular than BitLocker for fixed-drive encryption, which I reviewed in my last article. Portable drives get lost much more easily simply because they are smaller than laptops. Because they often contain important business data, unencrypted memory sticks pose a considerable security risk for any organization.

Of course, flash drive encryption isn’t anything new. Many portable storage devices come with their own encryption software and there are also free tools such as TrueCrypt that support USB stick encryption. However, in corporate environments, BitLocker to Go has some important advantages over these free solutions. In this article, I will discuss BitLocker to Go from the end user’s perspective. In my next post, I will cover the management features.

(more…)

In my last article I discussed the BitLocker to Go features from a user’s perspective. Today I will take a closer look at the features that are of interest from a system administrator’s point of view.

I think it is important to have just one USB stick encryption solution in a corporate environment because it simplifies the work for help desk personnel. If an end user calls because he or she is unable to access the data on an encrypted memory stick, and you don’t even know what encryption software has been used, things can get difficult.

(more…)

DirectAccess is a new feature of Windows 7 and Windows Server 2008 R2. It has the same purpose as VPN, i.e., it allows users to connect securely to the corporate network through the Internet. The main difference is that the connection is established in the background without requiring user interaction. This article is mostly a summary of Microsoft’s white paper Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. I also installed DirectAccess on Windows Server 2008 R2, but since there is no technical documentation yet, I had to postpone more detailed tests until Microsoft provides more information. In my next post I will share some practical experiences.

(more…)

In my last article I listed all important features of DirectAccess. Today I will share some experiences I had when I played a little with it.

DirectAccess has to be installed as a feature on Windows Server 2008 R2. I wonder why it is a feature and not a role, considering that it is recommended to use DirectAccess on a server that has no other function. I must admit, I still don’t understand the difference between server roles and features.

It is interesting to note that two network interfaces are required, which indicates that DirectAccess has firewall functionality. One network card is usually enough for VPN. DirectAccess also complained that I have no Public Key Infrastructure. After I installed the Certificate Server role on the same machine, the DirectAccess setup was satisfied. The setup wizard then let me configure the user groups that are allowed to use DirectAccess.

(more…)