** The real Administrator account is disabled by default
** User Account Control prompts users in the Administrators group for an additional confirmation before every administrative task
** Even the Administrator cannot directly overwrite files in the \Windows and \System32 folders. They have to take ownership first, and add the correct permissions
** Internet Explorer 7 runs in Protected Mode by default, which will stop many “drive-by” download attacks
** Address Space Layout Randomization will randomly place critical Windows functions and applications in 1 of 256 places in memory, making many types of buffer overflows significantly harder to pull off
** BitLocker allows one or more drive volumes to be encrypted, and protected with an encryption key that can be stored locally, on a cryptographic chip on the motherboard, or on a USB key
** LM password hashes are disabled by default (finally!) as are LM and NTLMv1 authentication protocols
** Windows Firewall is enabled by default, protects better at boot-up, is integrated with IPSec, and has outbound blocking
** Firewall rules can be applied to specific users, computers, or groups
** Windows Defender is installed by default
** Password-protected screensaver is installed and made active by default
** Over 800 new group policy settings
** You can set multiple user or group-specific Local Security policies
** Session isolation (i.e. Windows kernel services and user-mode programs run in different Windows sessions) will prevent most “shatter”-style attacks
** Services now have SIDs, which simplifies setting security permissions. All default services have been given least-privilege permissions, and are limited by firewall security domain protection
** Portable media devices (such as USB flash memory, CD-ROMs, etc.) can be controlled with read, write, and execute permissions, both per user and per computer
** Integrity levels have been assigned to all files and objects. A security principal must meet or exceed the target resource’s integrity level in order to modify it; regardless of the NTFS permissions
** There are dozens of new log files, all collected in the expanded Event Viewer. Event triggers can be created on any event, and events can be collected to centralized computers
** Transactional NTFS ensures that NTFS changes will be written completely before being made permanent
** Previous Versions client is installed by default, allowing users to self-recover accidentally deleted or modified files
** System Restore now backs up user’s My Documents folder
** Creator Owners now no longer automatically get Full Control permissions, if you don’t want them to
** Commonly manipulated folder and registry keys are virtualized so that malicious modifications don’t result in system-wide infections
** EFS supports smart cards, can encrypt the page file, and has proactive key archival
** Remote Desktop Protocol (RDP) supports strong authentication with digital certificates
** Internet Explorer 7 has an anti-phishing filter and is more resistant to malicious attacks, spyware, and add-on abuse
** Internet Information Service 7 supports more granular loading of code. IIS is no longer a single monolithic executable
** Two more network domain profiles to plan firewall and IPSec rules around
** IPv6 and IPv4 are turned on by default
** Improved wireless security. Now, GPOs and logon scripts can be accomplished through wireless logons
** Improved SMB (file and printer sharing) protocol. Anonymous null session connections are no longer the great threat they once were