Security: A step backward
In my previous article, I noted how Vista's security enhancements were mostly an amalgamation of fixes and work-arounds that had already been addressed by third parties. UAC was revealed to be nothing more than a standard user account with some built-in elevation utilities -- which many IT shops had already rolled for themselves on XP. And other technologies, like Internet Explorer Protected Mode, Address Space Layout Randomization (ASLR), and the revamped firewall, have been proven to be either incomplete (there are known exploits that bypass both ASLR and IE's sandbox) or redundant.
Windows 7 actually makes the security situation worse since its default UAC implementation is less aggressive than Vista's. Many trusted Windows components get to bypass UAC thanks to the inclusion of an elevation white list for binaries that are authored and digitally signed by Microsoft. This, in turn, has opened up a whole new attack vector, as malicious code can use the auto-elevation mechanism as a backdoor for code injection attacks and other mischief.
Microsoft is aware of this deficiency and has responded by tightening the white list parameters and eliminating one of more glaring exploit loopholes: the ability to silently turn off UAC altogether. However, some loopholes remain, and Microsoft seems loath to address these scenarios for fear of backtracking on its promise to make UAC less cumbersome in Windows 7.
Bottom line: For IT shops to feel truly secure, they need to crank up UAC's aggressiveness, which essentially negates the usability gains achieved by implementing the auto-elevation mechanism in the first place. Basically, we're back to square one, with security under Windows 7 offering no real advantage over Windows Vista or even Windows XP with third-party enhancements.
Manageability: "Great with 2008"
When I evaluated Vista's manageability enhancements, I noted how many of its advantages were tied to Active Directory Group Policies. Extensions to lock down block devices and to allow non-administrators to change the time zone and install printer drivers were welcome improvements, though I noted that many of these issues had been resolved long ago through custom utilities or third-party add-ons. In fact, outside of the new image-based installation model, there was little compelling about Vista from an IT manageability perspective.
Windows 7 carries forward this theme of providing only incremental improvements in overall desktop manageability. There are the new Direct Access and Branch Cache features, but they both require that you implement Windows Server 2008 R2 alongside Windows 7, which many IT shops will be reluctant to do. (Direct Access also requires IPv6 networking.) BitLocker has been improved with Windows 7 -- for example, it now supports removable devices -- but it's still only available to volume license customers or users of the Ultimate Edition SKU. (For more on the Windows 7-Windows Server 2008 R2 combo, see Network World's review, "Microsoft's two operating systems: A win-win.")
One area that did see a significant manageability improvement is Internet Explorer. Version 8 is now better integrated with AD Group Policy mechanisms, allowing you to tap into hundreds of new configuration parameters for enforcing browser security and behavior. But with IE steadily losing ground in the browser popularity contest, it remains to be seen how relevant these extensions really are over the long term.
Bottom line: Windows 7 adds little in the way of compelling new manageability features. The coolest technologies require that you also adopt Windows Server 2008 R2, and that's just not going to happen anytime soon.
You may still be better off sticking with Win7 or Win8.1, given the wide range of ongoing Win10...
Early results look promising: the many-hours-long Win7 waits may be behind us
Now that we're down to the wire, many upgraders report that the installer hangs. If this happens to...
Review: We've seen this 'one device for everything' movie before, and it ends just as badly this time
Long before self-driving cars triumph, new and enticing auto-related products will lure you into...
The newest edition of the powerful Python-to-C compilation framework adds speedups harvested from the...
For next year, the language will focus on easier use, better tooling, and improved integration with...