Businesses are eyeing a transition to Microsoft Windows 7, and with a wealth of security features that are part of it, it's worth figuring out the good and bad about each of them, says Gartner analyst Neil MacDonald, who notes in some cases, third-party security products might be the better fit
The AppLocker feature in Windows 7 offers an application-control capability that lets the IT manager set up a list of applications allowed to run, said MacDonald in his presentation at the Gartner Summit & Risk Management Summit 2010 last week. Often called whitelisting, this type of security control offers a possible lock-down technique, but the downside is that applications used within organizations by employees tend to grow, "and the trick is managing the whitelist over time."
"Care and feeding of the whitelist becomes cumbersome over time," MacDonald said, noting that there are several vendors in the application-control market, including Bit9, CoreTrace and McAfee (which acquired SolidCore) .
BitLocker, Microsoft's full-disk encryption capability for protecting system files and data, will be another security feature that businesses will want to evaluate in Microsoft Windows 7, MacDonald said. Calling it "good but not great," he noted that on the minus side of BitLocker, it has no self-service key recovery, no Windows single sign-on, and no smart card support for boot drive.
"By license restriction, it cannot be used where operating system virtualization is used," MacDonald pointed out. In addition, there's no support for non-Windows machines or Windows Mobile.
"It's another of those good but not great technologies," MacDonald said. "You should be encrypting all mobile devices."
Enterprises might want to look at product alternatives, including http://www.networkworld.com/news/2007/100907-mcafee-buys-safeboot.html ">McAfee Safeboot, Sophos-acquired Utimaco, Credant Technologies, and PGP and GuardianEdge, both of which Symantec recently announced it was http://www.networkworld.com/news/2010/042910-symantec-pgp-guardianedge.html ">acquiring.
Prices for this type of desktop encryption product have been dropping from $75 to $90 five years ago to today's range of about $10 to $15, he noted. Encryption today is often something "thrown in to get your business from the antivirus vendor," MacDonald said.
Windows 7 BitLocker has not yet been certified under the federal government's FIPS 140 program though it's in process to receive that certification, he pointed out.
Other security controls in Windows 7 also have their pros and cons, according to MacDonald.
For instance, the user-account control, which limits the ability of either applications or users to make unsanctioned system changes, has been improved to minimize prompts. But on the downside, it won't prevent someone running as a standard user from still installing software, so application control may still be needed.