Windows 7 安全增强功能

简介:

Fundamentally Secure Environment

Windows 7 builds upon the strong security lineage of Windows Vista and retains and builds upon the development processes and technologies that have made Windows Vista the most secure version of the Windows client to date. Fundamental security features such as Kernel Patch Protection, Service Hardening, Data Execution Prevention, Address Space Layout Randomization, and Mandatory Integrity Levels continue to provide enhanced protection against malware and attacks. Windows 7 has been designed and developed using the  Microsoft Security Development Lifecycle (SDL), and it is engineered to support Common Criteria requirements to achieve Evaluation Assurance Level 4 certification and meet Federal Information Processing Standard 140-2.
Enhanced Auditing
Windows 7 provides enhanced audit capabilities to make it easier for an organization to meet its regulatory and business compliance requirements. Audit enhancements start with a simplified management approach for audit configurations and end with greater visibility into what occurs in your organization. For example, Windows 7 provides greater insight into understanding exactly why someone has received or been denied access to specific information, as well as visibility into the changes made by specific people or groups.
Streamlined User Account Control
User Account Control (UAC) was introduced in Windows Vista to help legacy applications run with standard user rights and help ISVs adapt their software to work well with standard user rights. Windows 7 continues the investment in UAC with specific changes to enhance the user experience. These changes include reducing the number of operating system applications and tasks that require administrative privileges and providing a flexible consent prompt behavior for users who continue to run with administrative privileges. As a result, standard users can do even more than ever before and all users will see fewer prompts.

AppLocker

Windows 7 re-energizes application control policies with AppLocker, which is a flexible, easy-to-administer mechanism that allows IT to specify exactly what is allowed to run in the desktop infrastructure and gives users the ability to run applications, installation programs, and scripts that they require to be productive. As a result, IT can enforce application standardization within their organization while providing security, operational, and compliance benefits.
AppLocker provides a simple and powerful structure through three rule types: “allow,” “deny,” and “exception.” Allow rules limit the execution of applications to "known good" applications and block everything else. Deny rules take the opposite approach and allow the execution of any application except those on a list of “known bad” applications. While many enterprises will likely use a combination of allow rules and deny rules, the ideal AppLocker deployment would use allow rules with built-in exceptions. Exception rules exclude files from an allow/deny rule that would normally be included. Using exceptions, you can, for example, create a rule to “allow everything in the Windows operating system to run, except the built-in games.” Using allow rules with exceptions provides a robust way to build a “known good list” of applications without having to create an inordinate number of rules.
AppLocker introduces publisher rules that are based upon application digital signatures. Publisher rules make it possible to build rules that survive application updates because you can specify attributes such as the version of an application. For example, an organization can create a rule to “allow all versions higher than 9.0 of the program Acrobat Reader to run if it is signed by the software publisher Adobe.” Now when Adobe updates Acrobat, you can safely push out the application update without having to build another rule for the new version of the application.
AppLocker rules also can be associated with a specific user or group within an organization. This provides granular controls that allow you to support compliance requirements by validating and enforcing which users can run specific applications. For example, you can create a rule to “allow people in the Finance Department to run the Finance line of business applications.” This blocks everyone who is not in your Finance Department from running your finance applications (including administrators), but still provides access for those that have a business need to run the applications.
AppLocker provides a robust experience for IT administrators through new rule creation tools and wizards. Using a step-by-step approach and fully integrated Help, creating new rules, automatically generating rules, and importing / exporting rules is intuitive and maintenance is easy. For example, IT administrators can automatically generate rules using a test reference machine and then import the rules into a production environment for widespread deployment. The IT administrator can also export policy to provide a backup of your production configuration or to provide documentation for compliance purposes.

BitLocker and BitLocker To Go

Each year, hundreds of thousands of computers without appropriate safeguards are lost, stolen, or decommissioned. However, the loss or theft of data is not just a physical computer issue. USB flash drives, e-mail, leaked documentation, etc. all provide additional avenues through which data can fall into the wrong hands. Windows 7 addresses the continued threat of data leakage with manageability and deployment updates to BitLocker Drive Encryption and the introduction of BitLocker To Go, which provides enhanced protection against data theft and exposure by extending BitLocker support to removable storage devices.
BitLocker Drive Encryption (BitLocker for short) helps prevent a thief who boots another operating system or runs a software hacking tool from breaking Windows 7 file and system protections or performing offline viewing of the files stored on the safeguarded drive. Windows 7 BitLocker shares the same core benefits of Windows Vista BitLocker; however, the core functionality in Windows 7 BitLocker has been enhanced to provide a better experience for IT professionals and end users. For customers who did not deploy Windows Vista with the BitLocker-required two-partition disk configuration, repartitioning the drive to enable BitLocker was more cumbersome than it needed to be. Windows 7 automatically creates the necessary disk partitions during installation to greatly simplify BitLocker deployments. Another change in Windows 7 BitLocker is the ability to right-click on a drive to enable BitLocker protection. 
Windows 7 BitLocker adds Data Recovery Agent (DRA) support for all protected volumes. A big ask from customers, DRA support allows IT to dictate that all BitLocker protected volumes (the operating system, fixed volumes, and the new portable volumes) are encrypted with an appropriate DRA. The DRA is a new key protector that is written to each data volume so that authorized IT administrators will always have access to BitLocker protected volumes.
BitLocker To Go extends BitLocker support to removable storage devices, including USB flash drives and portable disk drives. BitLocker To Go also gives administrators control over how removable storage devices can be utilized within their environment and the strength of protection that they require. Administrators can require data protection for any removable storage device on which users want to write data while still allowing unprotected storage devices to be utilized in a read-only mode.  Policies are also available to require appropriate passwords, smart card, or domain user credentials to utilize a protected removable storage device.
BitLocker To Go can be utilized on its own, without requiring that the system partition be protected with the traditional BitLocker feature. Finally, BitLocker To Go provides read-only support for removable devices on older versions of the Windows operating system, which allows users to more securely share files with those who are still running Windows Vista and Windows XP with the BitLocker To Go Reader.  
Whether traveling with your laptop, sharing large files with a trusted partner, or taking work home, BitLocker and BitLocker To Go help ensure that only authorized users can read the data, even if the media is lost, stolen, or otherwise misused.

Conclusion

Built upon the security foundation of Windows Vista, Windows 7 introduces a number of security enhancements to give users the confidence that Microsoft is continuing to find better ways to safeguard users’ IT investments as well as data. Businesses will benefit from enhancements that help protect company sensitive information, that provide stronger protections against malware, and that help secure access to corporate resources and data. End users can enjoy the benefits of computers and the Internet knowing that Windows 7 is using new technologies and features to safeguard privacy and personal information. Finally, all users will benefit from the flexible security configuration options in Windows 7—options that will help users achieve the unique balance of security and usability to meet their specific needs. 


本文转自 tao61 博客,原文链接:   http://blog.51cto.com/tao61/145100         如需转载请自行联系原作者
相关文章
|
9天前
|
存储 安全 网络安全
Windows Server 本地安全策略
由于广泛使用及历史上存在的漏洞,Windows服务器成为黑客和恶意行为者的主要攻击目标。这些系统通常存储敏感数据并支持关键服务,因此组织需优先缓解风险,保障业务的完整性和连续性。常见的威胁包括勒索软件、拒绝服务攻击、内部威胁、恶意软件感染等。本地安全策略是Windows操作系统中用于管理计算机本地安全性设置的工具,主要包括用户账户策略、安全选项、安全设置等。实施强大的安全措施,如定期补丁更新、网络分段、入侵检测系统、数据加密等,对于加固Windows服务器至关重要。
|
30天前
|
人工智能 JavaScript 网络安全
ToB项目身份认证AD集成(三完):利用ldap.js实现与windows AD对接实现用户搜索、认证、密码修改等功能 - 以及针对中文转义问题的补丁方法
本文详细介绍了如何使用 `ldapjs` 库在 Node.js 中实现与 Windows AD 的交互,包括用户搜索、身份验证、密码修改和重置等功能。通过创建 `LdapService` 类,提供了与 AD 服务器通信的完整解决方案,同时解决了中文字段在 LDAP 操作中被转义的问题。
|
1月前
|
缓存 安全 网络协议
Windows 安全基础——NetBIOS篇
Windows 安全基础——NetBIOS篇
|
2月前
|
Linux Android开发 iOS开发
Windows平台RTSP|RTMP播放器如何实现实时录像功能
Windows平台RTSP、RTMP播放器实时录像接口设计,实际上,除了Windows平台,我们Linux、Android、iOS平台也是一样的设计,单纯的录像模块,如果做的全面,也不是一两个接口可以搞定的
|
4月前
|
云安全 安全 网络安全
Windows安全:构建稳固的防线,守护数字世界
随着数据保护法规的不断加强,Windows系统需要更好地满足法规遵从和合规性要求。未来,Windows系统将更加注重用户隐私保护和数据安全合规性方面的功能提升
154 54
|
3月前
|
存储 开发者 C#
WPF与邮件发送:教你如何在Windows Presentation Foundation应用中无缝集成电子邮件功能——从界面设计到代码实现,全面解析邮件发送的每一个细节密武器!
【8月更文挑战第31天】本文探讨了如何在Windows Presentation Foundation(WPF)应用中集成电子邮件发送功能,详细介绍了从创建WPF项目到设计用户界面的全过程,并通过具体示例代码展示了如何使用`System.Net.Mail`命名空间中的`SmtpClient`和`MailMessage`类来实现邮件发送逻辑。文章还强调了安全性和错误处理的重要性,提供了实用的异常捕获代码片段,旨在帮助WPF开发者更好地掌握邮件发送技术,提升应用程序的功能性与用户体验。
59 0
|
3月前
|
API C# Shell
WPF与Windows Shell完美融合:深入解析文件系统操作技巧——从基本文件管理到高级Shell功能调用,全面掌握WPF中的文件处理艺术
【8月更文挑战第31天】Windows Presentation Foundation (WPF) 是 .NET Framework 的关键组件,用于构建 Windows 桌面应用程序。WPF 提供了丰富的功能来创建美观且功能强大的用户界面。本文通过问题解答的形式,探讨了如何在 WPF 应用中集成 Windows Shell 功能,并通过具体示例代码展示了文件系统的操作方法,包括列出目录下的所有文件、创建和删除文件、移动和复制文件以及打开文件夹或文件等。
76 0
|
3月前
|
C# Windows 监控
WPF应用跨界成长秘籍:深度揭秘如何与Windows服务完美交互,扩展功能无界限!
【8月更文挑战第31天】WPF(Windows Presentation Foundation)是 .NET 框架下的图形界面技术,具有丰富的界面设计和灵活的客户端功能。在某些场景下,WPF 应用需与 Windows 服务交互以实现后台任务处理、系统监控等功能。本文探讨了两者交互的方法,并通过示例代码展示了如何扩展 WPF 应用的功能。首先介绍了 Windows 服务的基础知识,然后阐述了创建 Windows 服务、设计通信接口及 WPF 客户端调用服务的具体步骤。通过合理的交互设计,WPF 应用可获得更强的后台处理能力和系统级操作权限,提升应用的整体性能。
106 0
|
3月前
|
Kubernetes Cloud Native 开发者
探索云原生技术:Kubernetes入门与实践探索Windows操作系统的隐藏功能
【8月更文挑战第31天】在数字化转型的浪潮中,云原生技术成为企业提升敏捷性、效率和可靠性的关键。本文将带你了解云原生的核心组件之一——Kubernetes(K8s),通过浅显易懂的语言和实际代码示例,引导你步入这一强大工具的世界。无论你是初学者还是有经验的开发者,本篇都将为你打开一扇通向高效资源管理与自动化部署的大门。
|
3月前
|
安全 数据安全/隐私保护 Windows
Windows安全策略
Windows安全策略
55 0