Security: A step backward
In my previous article, I noted how Vista's security enhancements were mostly an amalgamation of fixes and work-arounds that had already been addressed by third parties. UAC was revealed to be nothing more than a standard user account with some built-in elevation utilities -- which many IT shops had already rolled for themselves on XP. And other technologies, like Internet Explorer Protected Mode, Address Space Layout Randomization (ASLR), and the revamped firewall, have been proven to be either incomplete (there are known exploits that bypass both ASLR and IE's sandbox) or redundant.
Windows 7 actually makes the security situation worse since its default UAC implementation is less aggressive than Vista's. Many trusted Windows components get to bypass UAC thanks to the inclusion of an elevation white list for binaries that are authored and digitally signed by Microsoft. This, in turn, has opened up a whole new attack vector, as malicious code can use the auto-elevation mechanism as a backdoor for code injection attacks and other mischief.
Microsoft is aware of this deficiency and has responded by tightening the white list parameters and eliminating one of the more glaring exploit loopholes: the ability to silently turn off UAC altogether. However, some loopholes remain, and Microsoft seems loath to address these scenarios for fear of backtracking on its promise to make UAC less cumbersome in Windows 7.
Bottom line: For IT shops to feel truly secure, they need to crank up UAC's aggressiveness, which essentially negates the usability gains achieved by implementing the auto-elevation mechanism in the first place. Basically, we're back to square one, with security under Windows 7 offering no real advantage over Windows Vista or even Windows XP with third-party enhancements.
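To check whether a given machine is still on the default, auto-elevating UAC level or has been raised to the stricter one, the following is an added example (not from the original article). It assumes the standard UAC policy values under the `Policies\System` registry key; the function names `Get-UacPolicyValue` and `Test-UacPosture` are hypothetical.

```powershell
# Added example: audit local UAC policy values. Read-only; changes nothing.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyValue([string]$Name) {
    # Returns $null when the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-UacPosture {
    param($EnableLUA, $ConsentAdmin, $SecureDesktop)
    $findings = @()

    if ($EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is switched off entirely.'
    }

    # ConsentPromptBehaviorAdmin: 5 is the Windows 7 default, which exempts
    # Microsoft-signed Windows binaries from prompting (auto-elevation).
    # 2 (consent) and 1 (credentials) prompt for every elevation.
    if ($null -eq $ConsentAdmin) {
        $findings += 'ConsentPromptBehaviorAdmin is not set: OS default applies.'
    } elseif ($ConsentAdmin -eq 5) {
        $findings += 'ConsentPromptBehaviorAdmin=5: auto-elevation white list is active.'
    } elseif ($ConsentAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt.'
    } elseif ($ConsentAdmin -notin 1, 2) {
        $findings += "ConsentPromptBehaviorAdmin=$ConsentAdmin`: prompts, but not the strictest setting."
    }

    if ($SecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1: prompts appear on the user desktop.'
    }
    return ,$findings   # leading comma keeps an empty result an array
}

$result = Test-UacPosture `
    -EnableLUA     (Get-UacPolicyValue 'EnableLUA') `
    -ConsentAdmin  (Get-UacPolicyValue 'ConsentPromptBehaviorAdmin') `
    -SecureDesktop (Get-UacPolicyValue 'PromptOnSecureDesktop')

if ($result.Count -eq 0) {
    'UAC prompts for every elevation on the secure desktop.'
} else {
    $result
}
```

In a domain, the same values are normally enforced through the "User Account Control" settings in Group Policy rather than edited per machine.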
Manageability: "Great with 2008"
When I evaluated Vista's manageability enhancements, I noted how many of its advantages were tied to Active Directory Group Policies. Extensions to lock down block devices and to allow non-administrators to change the time zone and install printer drivers were welcome improvements, though I noted that many of these issues had been resolved long ago through custom utilities or third-party add-ons. In fact, outside of the new image-based installation model, there was little compelling about Vista from an IT manageability perspective.
Windows 7 carries forward this theme of providing only incremental improvements in overall desktop manageability. There are the new Direct Access and Branch Cache features, but they both require that you implement Windows Server 2008 R2 alongside Windows 7, which many IT shops will be reluctant to do. (Direct Access also requires IPv6 networking.) BitLocker has been improved with Windows 7 -- for example, it now supports removable devices -- but it's still only available to volume license customers or users of the Ultimate Edition SKU. (For more on the Windows 7-Windows Server 2008 R2 combo, see Network World's review, "Microsoft's two operating systems: A win-win.")
One area that did see a significant manageability improvement is Internet Explorer. Version 8 is now better integrated with AD Group Policy mechanisms, allowing you to tap into hundreds of new configuration parameters for enforcing browser security and behavior. But with IE steadily losing ground in the browser popularity contest, it remains to be seen how relevant these extensions really are over the long term.
Bottom line: Windows 7 adds little in the way of compelling new manageability features. The coolest technologies require that you also adopt Windows Server 2008 R2, and that's just not going to happen anytime soon.