Maintaining data integrity and system security on the PC is a constant job for IT people. The most often-heard beef about Windows (even XP) is that it’s too fragile and vulnerable to malware and hackers. Some say it’s simply not robust enough. Microsoft hears it, too, from ordinary users and experts alike. So with each new iteration of Windows, Microsoft tries to harden it against onslaught. Thus, Windows 7 has a new batch of data and security enhancements:

System Security Enhancements

• Improved User Account Control (UAC)—In XP, users too often give themselves administrative privileges, which sometimes lets malicious programs run amok. Windows 7 gives everyone low levels of privilege until they need more. This will result in dialog boxes asking you to confirm certain things can run before they’re let loose. It’s not as intrusive as it was with Vista, but it still helps prevent secretive programs from running without your knowledge. Even better, you can adjust the level of confirmations that Windows 7 requests, so that only programs seeking elevated privileges cause alerts, but you’re allowed to install programs, change settings, and so forth (as long as your account possesses the necessary rights, of course). This is a big improvement over Vista, for sure!

• BitLocker to Go—Vista introduced BitLocker, an encrypted and secure form of on-disk storage that only those with the right password can access. In Windows 7, BitLocker to Go extends this capability to USB drives, including USB flash drives (UFDs), so that you can secure some or all of the contents on drives or devices that you take with you on the road. This is a great way to protect against unwanted disclosure resulting from theft or loss of a notebook or a portable storage devices of some kind.

• AppLocker—Windows 7 lets system administrators apply a kind of “whitelist” control to applications on user desktops. In other words, they can create lists of valid applications and use Group Policy objects to apply them to what users can see and launch on their desktops. If an application isn’t on the list, users can’t run it: What better way to keep them out of trouble?

• Multiple active firewall profiles—In the Windows 7 environment, Windows Firewall settings depend on the firewall profile in use. Previous versions of Windows allowed only one firewall profile to be active at any one time. In Windows 7, each network adapter on a PC can apply whichever firewall profile is most appropriate for the type of network to which it connects (which will differ considerably from home, to office, to public/unsecured networks). Thus, if you’re working in an airport coffee shop and using a virtual private network (VPN) connection to access a server at your office, the firewall rules for the office VPN will apply to all traffic to and from that location, and the firewall rules for a public network will apply to all other traffic to and from your PC.

• DirectAccess—This applies only to Windows 7 computers that belong to an Active Directory domain on a Windows Server 2008 R2 server. Within that framework, however, users can connect to office/domain network resources whenever they access the Internet. Connection speed aside, such Internet users have the same experience accessing office/domain network elements that they would if they were locally attached to that network. This technology also lets system administrators manage Windows 7 computers remotely, no matter where they may be at any given moment.

• VPN Reconnect—This facility lets Windows 7 users automatically reestablish VPN connections as soon as they regain Internet access. This lets users turn off or disconnect their machines from the Internet at will, yet re-creates their secure office network connections as soon as they regain Internet access, using secure protocols that require no user interaction to set up and maintain.

Data Security Enhancements

• Back up to network drive—On previous Windows versions, the only drives to which you could back up were those attached directly to your PC, either internally or via eSATA or USB. On Windows 7, any network-accessible drive becomes a valid backup target. For those (like us) with a MediaSmart Server already on their home networks, this is fantastic!

• Manage AutoPlay behavior for CDs/DVDs—Recently, worms and viruses triggered by AutoPlay for CDs and DVDs have surfaced on the Internet, primarily in the form of BitTorrent-based ISO downloads. Burn a DVD from such a download, and you’ll contract a virus as soon as you run the setup or other default executable from that image file. Most antivirus programs, and thus most Windows systems, are defenseless against this kind of attack. Windows 7 lets you block AutoPlay behaviors on optical disks, and sidestep this kind of vulnerability. Bravo, Microsoft!

• Create System Repair Disc—To create a bootable DVD that you can use to repair your system, click Create a System Repair Disc in the left column of the Backup and Restore Center and insert a blank DVD. This option is much easier than finding the installation media for Windows Vista—especially if you bought a machine with Windows 7 preinstalled and didn’t get an install disc! To access the Backup and Recovery center, type backup into the Start menu search box, and select that utility from the search results.

• Improved Volume Shadow Copy—Windows Volume Shadow Copy Service (VSS) is responsible for creating restore points and for making copies of files as they change on your system. On Windows Vista, VSS could sometimes impose onerous burdens on a drive: 15% or more might get allocated to the System Volume Information folder (we had a situation once where 120GB on a 750GB drive went into that folder). For Windows 7, shadow copy space is limited to 5% of total drive space for drives over 64GB in size, and 3GB for drives 64GB and under in size. This helps keep shadow copy storage under control by default.

• Include/exclude specific backup folders—When backing up in Windows 7, you now have the option of including or excluding specific folders from the volumes you elect to back up. This provides much greater control over backup content and activity, and allows you to set up and schedule multiple backup tasks to capture different data for each task.