
What security features does Windows 7 offer over Windows 2000 or XP?

MrEgo

Senior member
What would be the benefits (in a security sense) of upgrading to Windows 7? Not just for home use, but also in an active directory environment that is running Server 2008 R2 domain controllers.
 
I can mention a few for the desktop systems and their users...

1. User applications don't run with Admin-level privileges even if they have Admin account access.

2. 64-bit versions of Win7 have Kernel Patch Protection.

3. ASLR

4. Support for hardware-enforced Data Execution Prevention (not available on Win2000)

5. Support for Structured Exception Handler Overwrite Protection

6. Specific service accounts for e.g. network services, so a compromised service doesn't necessarily pwn the box

7. Internet Explorer 8 has its own Data Execution Prevention, and AFAIK it cannot be used on Win2000.

8. Internet Explorer 8 also has Protected Mode, putting the browser and add-ons in an extra-low-rights cage that can't even get at the user's own profile stuff without help. Neither WinXP nor Win2000 have this option.

9. Win7 has a firewall. WinXP does too, but Win2000 doesn't.

10. Going back to #1, with Win7 it's fairly easy to run as a non-Admin all the time. With WinXP or Win2000, some people get frustrated.

11. Using a non-Admin account paves the way for also deploying Software Restriction Policy, which can be used to effectively blacklist any executable file that was not placed on the system by the Admin. This is a massive security safeguard against exploit payloads, worms on portable devices, scareware Trojans that are made to run in user profiles, etc.
 
Wow, Mech, thanks a ton for the response! This is great information. I have some questions about some of your responses, if you don't mind:


1. User applications don't run with Admin-level privileges even if they have Admin account access.
Is this referring to UAC?

10. Going back to #1, with Win7 it's fairly easy to run as a non-Admin all the time. With WinXP or Win2000, some people get frustrated.
What is the difference between running a non-admin account in Windows 7 versus Windows XP?
 
Yeah, UAC makes it a lot easier to perform Admin tasks from a non-Admin account. On Win2000 or WinXP, the user would have to either log onto the system's Admin account, or know how to use RunAs to elevate tasks. And even then, some stuff was still difficult to pull off. I've been using Windows as a non-Admin since Win2000, and it sure is nice not to need sheer stubborn determination and a bag of tricks anymore 🙂

For a non-Admin on Win7, UAC also will virtualize some file-system and Registry areas to help fix compatibility problems with old software that wasn't designed to work as a non-Admin. For example, Microsoft's own Mechwarrior4 games absolutely will NOT run as a non-Admin on WinXP, but they work fine on Win7/Vista.

I forgot to add this to my list, btw... Windows Integrity Control, first featured on Vista and now on 7: two-page article on WIC
 
Yeah, UAC makes it a lot easier to perform Admin tasks from a non-Admin account. On Win2000 or WinXP, the user would have to either log onto the system's Admin account, or know how to use RunAs to elevate tasks. And even then, some stuff was still difficult to pull off. I've been using Windows as a non-Admin since Win2000, and it sure is nice not to need sheer stubborn determination and a bag of tricks anymore 🙂

What common tasks would you be referring to?
 
Is this referring to UAC?

UAC is a part of this. On 2k and XP, when you are (or a program is) logged in as admin, then it has total control over all the admin functions of the OS. E.g. it can install drivers, configure the firewall, etc.

On Vista and 7, even if a user is logged in as admin, programs will be denied access to critical OS functions (unless the program is a core part of the OS). UAC provides a mechanism for programs to override this - if a program needs to access a critical OS component, it can trigger UAC, which will ask the user for confirmation - if the user confirms then the program gets its requested access.

If you turn UAC off, then you disable the mechanism for non-core OS programs to access critical parts of the OS. These programs usually won't run correctly. So, turning UAC off is not recommended.

What is the difference between running a non-admin account in Windows 7 versus Windows XP?

One thing is that you get UAC. There is a second part to UAC; even if a program is running as a non-admin, UAC allows the user to upgrade that program's OS access to admin level while it is running. On 2k and XP, the program will simply stop with an "access denied" error. On Vista and 7, you get a UAC pop-up which can upgrade the non-admin program to admin-level access so that it runs correctly.

Badly written 2k and XP apps would often save configuration files or temp files to the app's directory in 'Program files' (if the programmer doesn't specify a directory for the files, this is where they go by default). However, on 2k and XP normal users don't have access to modify files in 'Program files'; the directory is read only. These badly written programs would not be able to save their temp/config files and malfunction unless run by the admin user. A common workaround was to change the security settings on the 'program files' directory to 'read/write by everyone'. It worked, but any malicious software or fat-fingered delete could trash the system.

On Vista and 7, Windows detects attempts by programs to save to the 'program files' directory and automatically redirects those files to the user's profile directory. This allows these badly written programs to run without admin access, while still protecting the 'program files' directory from malicious access.
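
The redirection described in the post above leaves a trail that can be audited. The following is an added example, not code from the thread: it lists the files that UAC file virtualization redirected for the current user, assuming the `%LOCALAPPDATA%\VirtualStore` location used by Vista and 7 and programs installed on the system drive; `Get-VirtualizedFile` is a hypothetical helper name.

```powershell
# Added example, PowerShell 2.0 compatible (the version that ships with Windows 7).
# Get-VirtualizedFile is a hypothetical helper name, not a built-in cmdlet.
function Get-VirtualizedFile {
    param(
        # Per-user store where UAC file virtualization puts redirected writes.
        [string]$Root = (Join-Path $env:LOCALAPPDATA 'VirtualStore')
    )

    if (-not (Test-Path -LiteralPath $Root)) {
        return   # nothing has been virtualized for this user
    }
    $rootPath = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')

    Get-ChildItem -LiteralPath $rootPath -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # The path below the store mirrors the path the program tried to write
            # (assumption: the program lives on the system drive).
            $relative = $_.FullName.Substring($rootPath.Length).TrimStart('\')
            New-Object PSObject -Property @{
                IntendedPath   = '{0}\{1}' -f $env:SystemDrive, $relative
                RedirectedCopy = $_.FullName
                LastWriteTime  = $_.LastWriteTime
            }
        }
}

# Group by the first two path segments (e.g. "Program Files\SomeApp") to see
# which installed programs still depend on virtualization.
Get-VirtualizedFile |
    Group-Object { ($_.IntendedPath -split '\\')[1..2] -join '\' } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Each program that shows up here is writing to a protected directory without asking for elevation; its redirected files sit in the user's profile and are writable by that user.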
 
What common tasks would you be referring to?

Playing Mechwarrior4 :sneaky:

...and also updating stuff such as Adobe Reader, QuickTime, and Java. Those apps need security updates every few months, and installing the updates locally requires Admin-level powers. If you deploy the updated version using your domain's Group Policy, then no worries.
 
One thing is that you get UAC. There is a second part to UAC; even if a program is running as a non-admin, UAC allows the user to upgrade that program's OS access to admin level while it is running. On 2k and XP, the program will simply stop with an "access denied" error. On Vista and 7, you get a UAC pop-up which can upgrade the non-admin program to admin-level access so that it runs correctly.

This isn't true. In most cases, unless the app was specifically programmed for it, it will just silently deny access.

This happened to me with WinRar (3.9x, I think), trying to unzip something (coretemp, CPU-Z, Prime95, maybe?) into the Program Files directory. Instead of UAC prompting me to do that, it just failed. I had to manually launch WinRAR as Administrator from the Start menu, and then navigate to where I had downloaded the archive, and then unzip from there.

It adds another annoying step, that wasn't there in XP. In XP, you could just double-click the archive, and extract with WinRAR.
 

The rootkit mentioned in that thread actually doesn't manage to subvert KPP. It does take an end-run around that protection in its own way, but the convolutions they had to resort to should show that KPP is far from "useless" 🙂 Basically, ask yourself where the rootkit got the power to make those modifications in the first place, and if the answer is "well, the system's Admin handed it over by ___________ (running a Trojan, running apps as an Admin and getting pwned by them, etc)" then we're down to the Ten Immutable Laws of Computer Security.
 
I've been running my older PC that has Windows XP in a limited account. So far I think I found the perfect solution almost! It works close to as well as Windows Vista and Windows 7 UAC with a limited account! Guess you could say it is like a UAC for Windows XP! It does some things even better than Windows Vista or Windows 7 UAC.

Like for example when installing a program that requires admin rights, example Secunia PSI, when it asks for access it will make sure to install the start menu shortcut in the current user you're installing the program to. Not just the admin account. So you don't have to manually add it after the install. The best part is it forces Secunia PSI to always run as the limited user instead of admin! Pretty awesome. It is called SuRun! http://kay-bruns.de/wp/software/surun/ Yeah the site is in German but I don't care it is a great program. Here is the forum for English speaking! http://forum.kay-bruns.de/

It really makes running a limited account in Windows XP a breeze though! It even works for Windows Vista and Windows 7 and that is a plus because it makes sure programs like, Secunia PSI, always run as the limited user. With just Windows Vista or Windows 7 UAC Secunia PSI runs all the time as the admin. Bad. Very bad.
 
It's all relative and the fault lies with Microsoft. Because they insist that the OS and the Browser be integrated instead of separated with every version of Windows, it will always be vulnerable.

John
 
This isn't true. In most cases, unless the app was specifically programmed for it, it will just silently deny access.

This happened to me with WinRar (3.9x, I think), trying to unzip something (coretemp, CPU-Z, Prime95, maybe?) into the Program Files directory. Instead of UAC prompting me to do that, it just failed. I had to manually launch WinRAR as Administrator from the Start menu, and then navigate to where I had downloaded the archive, and then unzip from there.

It adds another annoying step, that wasn't there in XP. In XP, you could just double-click the archive, and extract with WinRAR.

It is true. WinRar just isn't/wasn't programmed correctly. When unzipping into a privileged directory, it should automatically request the correct privs and the UAC should pop up.

Don't blame Microsoft for rarlab's failure to file guidelines. Consider lowering your UAC level though. I have mine set to "Don't notify me when I make changes to windows". AKA I only get notices when programs [by themselves] try to make changes. Saved me once on a stupid IE exploit.
 
It's all relative and the fault lies with Microsoft. Because they insist that the OS and the Browser be integrated instead of separated with every version of Windows, it will always be vulnerable.

John

That only applies to XP or earlier. Starting with Vista, IE isn't integrated into the OS at all besides being a default application. So it will not always be vulnerable.

The earlier problem you're commenting on has more to do with how an IE exploit would give you full access to the system as yes, they were tightly integrated, and also it was run with full admin privs.
 
It is true. WinRar just isn't/wasn't programmed correctly. When unzipping into a privileged directory, it should automatically request the correct privs and the UAC should pop up.

Don't blame Microsoft for rarlab's failure to file guidelines. Consider lowering your UAC level though. I have mine set to "Don't notify me when I make changes to windows". AKA I only get notices when programs [by themselves] try to make changes. Saved me once on a stupid IE exploit.

I have mine set to notify me on both window and program changes running with SuRun! Perfect combination because even though a box may pop up a lot when you change a lot of window settings SuRun makes it easy by having the password already filled in but only as the local limited user account. So basically it is the best of both worlds!
 
It's all relative and the fault lies with Microsoft. Because they insist that the OS and the Browser be integrated instead of separated with every version of Windows, it will always be vulnerable.

John

I bet you just hate the Chrome OS then.
 
It is true. WinRar just isn't/wasn't programmed correctly. When unzipping into a privileged directory, it should automatically request the correct privs and the UAC should pop up.

Don't blame Microsoft for rarlab's failure to file guidelines. Consider lowering your UAC level though. I have mine set to "Don't notify me when I make changes to windows". AKA I only get notices when programs [by themselves] try to make changes. Saved me once on a stupid IE exploit.

But that proves my point exactly. The prompt-and-elevate behavior of UAC on Win7 isn't automatic, it has to be written that way in apps. WinRAR wasn't, so it doesn't work for WinRAR.
 
coretemp, CPU-Z, Prime95

Them three all come in .zip files or .exe installers, and not in .rar files.

You can set a program, for example WinRar, to "always run as administrator" in 7. Once you do that, you'll get a UAC prompt when starting the program and it will be able to do elevated things, like create directories and put files in restricted directories.
 