Having just completed a Microsoft certification (MCTS 073-680) I have learned more about Windows 7 (and some about Server 2008 R2) than I have in over a year of using it. To be fair, I do not use Windows 7 as my primary platform, but I do use it in a VM on a fairly regular basis. For the most part I pretty well like Windows 7, at least as far as Windows goes. But that is not the primary point of this post. I would like to point out what I feel are some security-related pros and cons of some new (and some not-so-new) features in Windows 7 and Server 2008.
BranchCache: In a typical main office / branch office setup with a file server in the main office, every time a user in the branch office opens a file from that server it travels across the WAN link. That is not only a waste of limited bandwidth, it is slow, and slow leads to users copying files to their local machines, grabbing copies of several files onto a thumb drive while in the main office and even (I have seen this) emailing the file to their private (non-work) account. BranchCache helps here: the first client in the branch to open a file pulls it across the WAN once and it is cached in the branch office (thus the name). Every later open of that file in the branch is served from the local copy, after the client has checked with the main-office server that the cached content still matches. Content is tracked by block hashes, so when a file is modified on either end only the changed blocks cross the WAN again.
- Removes the need for users to come up with “creative” ways to get copies of files from the main office to work on.
- Cached content exchanged between peers, or with a hosted cache server, is encrypted with a key derived from the content hashes, and a client can only retrieve a block from the cache after it has obtained those hashes from the main-office server (over SMB or HTTP, with whatever protection that protocol gives). A machine that is not allowed to read a file on the server therefore cannot simply pull it out of the branch cache.
- A file crosses the WAN once and is served locally after that; because cache entries are validated against the server’s current hashes, a stale copy is never served as the current version.
- Requires Server 2008 R2 with the BranchCache feature on every content server (file or web) at the main office, and Windows 7 Enterprise or Ultimate on the clients. Active Directory is the practical way to push the client settings by Group Policy; Certificate Services only comes in when you run a hosted cache (next point).
- Using “Hosted” BranchCache (where the cache is held on a server in the branch office) requires a Server 2008 R2 machine at the branch as well, with a server certificate the clients trust, which is where Certificate Services comes in.
- Using “Distributed” BranchCache (where the cache is held on the peer user machines in the branch office) can lead to more trips across the WAN, since whenever a machine is powered down, put to sleep or unplugged from the network the part of the cache it holds goes with it. Peers also only find each other on the same subnet.
BitLocker: Full-drive encryption. Sweet! But … ?
- With a TPM the volume key is sealed to the measured boot path (firmware, boot manager, boot configuration), so BitLocker only releases it if nothing in that chain has been tampered with. The operating system volume is fully encrypted either way; the TPM is what ties it to this machine’s boot environment.
- With a TPM, removing the drive and placing it in another machine means it will not unlock without the recovery key or recovery password, because the other machine’s TPM cannot unseal the volume key.
- Can require a PIN, a USB startup key, or both in addition to the TPM (on Windows 7 a PIN is only available together with a TPM).
- Without a TPM the only option is a USB startup key, and the drive cannot be locked to a particular boot environment: nothing checks whether the boot path has been tampered with.
- With a TPM BitLocker can be configured to boot with nothing more required than the TPM itself. If you set it up this way, why bother? It still stops someone from pulling the drive and reading it in another machine, but the stolen laptop boots all the way to the Windows logon screen with the drive already unlocked, so the logon password and whatever the OS exposes on the network are the only barriers left.
- Only available in the Windows 7 Enterprise and Ultimate editions.
Network Access Protection: This is a really good idea, and not limited to Server 2008 R2; it has been around since Server 2008. NAP lets a Network Policy Server check the health of connecting clients before they get onto the network, whether they arrive by DHCP, VPN, 802.1X, IPsec or (through the IPsec enforcement method) DirectAccess. The built-in Windows Security Health Validator checks that the firewall is on, that anti-virus and anti-spyware are installed and current, that automatic updates are enabled and that required security updates are installed; third-party health agents and validators can add checks for other software.
- Computers that do not pass the NAP requirements are shunted off to a restricted (remediation) network where the needed updates can be pushed to them before they are allowed onto the internal network.
- NAP holds remote users to the same health policy as machines on the internal network, so a laptop that has been on the road for months is brought back to the internal patch level before it touches anything.
- NAP requires that connecting computers have the matching enforcement client (DHCP, IPsec, and so on) enabled and the NAP Agent service running. That is normally pushed by Group Policy, which makes implementation difficult for machines that have not been connected internally first to receive those settings; the fallback is to set the same values locally with netsh nap client before the laptop leaves.
- NAP is likely to make some users unhappy when they cannot simply log on to the VPN and start work, but are made to wait for updates. That is the sort of push-back that makes admins scrap these setups.
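The local-settings fallback from the previous point, as an added example written for this page (it is not code from the original post or from Microsoft): an elevated PowerShell 2.0 script for a Windows 7 laptop that enables the DHCP and IPsec enforcement clients through the netsh nap client context, makes sure the NAP Agent service runs, and then reads back which enforcement clients and health agents are initialized. The enforcement client IDs 79617 (DHCP Quarantine Enforcement Client) and 79619 (IPsec Relying Party) are the documented values, but confirm them against `netsh nap client show configuration` on your build, and bear in mind that once domain Group Policy for NAP reaches the machine it overrides these local values. The parser assumes the "Id = / Name = / Initialized =" block layout netsh prints on Windows 7; if the layout differs it returns the raw text.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Assumptions: enforcement client IDs 79617 (DHCP) and 79619 (IPsec) as
# listed by "netsh nap client show configuration"; domain Group Policy for
# NAP, once applied, overrides anything set here.

function Enable-LocalNapClient {
    param(
        [int[]]$EnforcementId = @(79617, 79619)   # DHCP and IPsec enforcement clients
    )

    # The NAP Agent service hosts the health agents and enforcement clients;
    # with it stopped the machine reports no health state and cannot be quarantined.
    Set-Service -Name napagent -StartupType Automatic
    if ((Get-Service -Name napagent).Status -ne 'Running') {
        Start-Service -Name napagent
    }

    foreach ($id in $EnforcementId) {
        # Enable the enforcement client in the local NAP client configuration
        $out = netsh nap client set enforcement id=$id admin=enable
        if ($LASTEXITCODE -ne 0) {
            Write-Warning ("Could not enable enforcement client {0}: {1}" -f $id, ($out -join ' '))
        }
    }
}

function Get-LocalNapClientState {
    # Turns "netsh nap client show state" into one object per component
    # (enforcement clients and system health agents both appear as
    # "Id = ..." blocks). Assumption: the Windows 7 block layout below.
    $lines = netsh nap client show state
    $components = @()
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*Id\s*=\s*(\d+)') {
            $current = New-Object PSObject -Property @{
                Id = [int]$matches[1]; Name = ''; Initialized = ''
            }
            $components += $current
        } elseif ($current -and $line -match '^\s*Name\s*=\s*(.+)$') {
            $current.Name = $matches[1].Trim()
        } elseif ($current -and $line -match '^\s*Initialized\s*=\s*(\S+)') {
            $current.Initialized = $matches[1]
        }
    }
    if ($components.Count -eq 0) { return $lines }   # layout not recognised: hand back raw text
    $components
}

Enable-LocalNapClient
Get-LocalNapClientState | Format-Table Id, Name, Initialized -AutoSize
```

An enforcement client that shows `Initialized = No` after this has usually been overridden by a Group Policy setting, or the NAP Agent service was started before the setting changed; restarting napagent after the netsh call clears the second case.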
DirectAccess: I am so unsure about this one. The definition from TechNet:
DirectAccess allows remote users to securely access internal network file shares, Web sites, and applications without connecting to a virtual private network (VPN). ... DirectAccess establishes bi-directional connectivity with an internal network every time a DirectAccess-enabled computer connects to the Internet, even before the user logs on. Users never have to think about connecting to the internal network and IT administrators can manage remote computers outside the office, even when the computers are not connected to the VPN.
- DirectAccess carries IPv6 over whatever the client’s network allows: 6to4 (IP protocol 41) from a public address, Teredo (UDP 3544) from behind NAT, and as a last resort IP-HTTPS over TCP 443, which is why it works from within most firewalls (in hotels, coffee shops, airports, etc.).
- Whichever transport is in use, all DirectAccess traffic runs inside IPsec tunnels authenticated with computer and user credentials, so the encryption does not depend on the outer connection even when it falls back to IP-HTTPS.
- Bi-directional access means that admins in the internal network can reach the connected machine as if it were in the internal network to push out Group Policy changes, provide remote assistance, etc.
- DirectAccess connects before the user even logs on. The first tunnel (the infrastructure tunnel, authenticated with the computer certificate and computer account) comes up as soon as the machine has internet connectivity and reaches the domain controllers and management servers; the second tunnel, to the rest of the intranet, comes up when a user logs on. A powered-on laptop with internet access is therefore on the internal network, logon screen or not.
- Since it does not require the user to take any action to connect (like connecting to a VPN) the user is less likely to be aware that anything they download (like this “really cool Java game”) also has a path to the internal network, because it runs on a machine that is always connected there.
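Because nothing in the Windows 7 UI tells the user that these tunnels are up, an added example (written for this page, not code from the original post or from Microsoft) of how an admin or a curious user can check: a PowerShell 2.0 function that reads the IP-HTTPS and Teredo interface state and the Name Resolution Policy Table through netsh. It assumes the line formats those commands print on Windows 7 (`Interface Status : IPHTTPS interface active`, `State : qualified`, and NRPT entries labelled `DirectAccess`); a client that reaches the server over 6to4 from a public IPv4 address is not covered by the two interface checks and would show as not connected.

```powershell
# Added example, not from the original post. Read-only; no elevation needed.
# Assumptions: Windows 7 netsh output formats for the httpstunnel, teredo
# and namespace contexts; 6to4-only clients are not detected.

function Get-DirectAccessClientState {
    # IP Helper (iphlpsvc) hosts 6to4, Teredo and IP-HTTPS; if it is stopped, DA is off.
    $ipHelper = (Get-Service -Name iphlpsvc).Status

    # IP-HTTPS is the TCP 443 fallback that gets through restrictive firewalls.
    $httpsOut  = netsh interface httpstunnel show interfaces
    $httpsLine = ($httpsOut | Select-String 'Interface Status').Line
    $httpsActive = [bool]($httpsLine -match 'active')

    # Teredo (UDP 3544) is used from behind NAT when UDP is allowed out.
    $teredoOut  = netsh interface teredo show state
    $teredoLine = ($teredoOut | Select-String '^\s*State').Line
    $teredoQualified = [bool]($teredoLine -match 'qualified')

    # NRPT rules send corporate DNS names through the tunnel; their presence
    # shows the machine is configured as a DirectAccess client at all.
    $nrptOut = netsh namespace show effectivepolicy
    $nrptConfigured = [bool]($nrptOut -match 'DirectAccess')

    New-Object PSObject -Property @{
        IpHelperService = $ipHelper
        NRPTConfigured  = $nrptConfigured
        IPHTTPSActive   = $httpsActive
        TeredoQualified = $teredoQualified
        # "Connected" here means a transition interface is up; the IPsec
        # tunnels themselves are listed under netsh advfirewall monitor show mmsa.
        Connected       = ($httpsActive -or $teredoQualified)
    }
}

Get-DirectAccessClientState | Format-List
```

Running this at the logon screen is not possible, of course, which is exactly the post’s point: the infrastructure tunnel is already up before anyone is in a position to look.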
A scenario: Company A and Company B both have Windows networks with Server 2008 R2 and traveling users with Windows 7 Enterprise laptops with a TPM. Both companies have set the laptops up with BitLocker full-drive encryption and boot protection, and both have set them up with DirectAccess. Company A is quite a bit stricter than Company B, however. Company B’s laptops are set to boot automatically with nothing but the TPM, while Company A requires both a PIN and a USB startup key. Further, the local Group Policy security settings on Company A’s laptops will log the user off and shut down the computer if the USB key is removed. Company A has gone a step further in implementing NAP to ensure that all their traveling computers are always up-to-date.
While User A (from Company A) and User B (from Company B) are having drinks in an airport lounge their laptops are stolen. Both User A and User B think p@ssw0rd is a good enough password. The thief opens the Company A laptop and cannot boot it: BitLocker wants the USB key, which is in User A’s pocket, and the PIN, so the drive is ciphertext and the laptop is only as useful to the thief as the hardware. The Company B laptop, however, boots (the TPM unlocks the drive automatically) and, as soon as it has internet access, brings up its DirectAccess infrastructure tunnel to Company B’s domain controllers. A couple of guesses at the logon screen later the thief is logged on as the laptop’s user, the intranet tunnel comes up, and they have all the access that user would have plugged in locally.
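To tell a Company A laptop from a Company B laptop without sitting through a reboot, here is an added example (written for this page, not code from the original post or from Microsoft) that audits the BitLocker points above and the scenario just described: an elevated PowerShell 2.0 script that reads the key protectors on the OS volume through the Win32_EncryptableVolume WMI class (Windows 7 has no BitLocker PowerShell module) and checks for a usable TPM through Win32_Tpm. The KeyProtectorType codes are the documented return values of GetKeyProtectorType; the verdict strings and the rule that maps protector sets to Company A and Company B are this script’s own. One limitation to know about: the ExternalKey type covers both a USB startup key and a recovery key file, so a lone ExternalKey is read here as the non-TPM startup-key configuration.

```powershell
# Added example, not from the original post. Run from an elevated prompt
# on Windows 7 Enterprise/Ultimate. Classification policy is this script's own.

$BdeNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$TpmNamespace = 'root\CIMV2\Security\MicrosoftTpm'

# Documented Win32_EncryptableVolume.GetKeyProtectorType return values
$KeyProtectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword'
    4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey'
    7 = 'PublicKey'; 8 = 'Passphrase'
}

function Get-BitLockerAudit {
    param([string]$DriveLetter = 'C:')

    $vol = Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume `
               -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) {
        throw "No Win32_EncryptableVolume for $DriveLetter (BitLocker needs Enterprise or Ultimate)"
    }

    # ProtectionStatus: 0 = protection off (or suspended), 1 = on, 2 = unknown
    $protection = $vol.GetProtectionStatus().ProtectionStatus

    # GetKeyProtectors(0) lists every protector; resolve each ID to its type name
    $types = @()
    foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {
        if ($id) {
            $code = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            $types += $KeyProtectorNames[$code]
        }
    }

    # Win32_Tpm is absent on machines without a TPM; -and short-circuits on $null
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm -ErrorAction SilentlyContinue
    $tpmReady = ($tpm -ne $null) -and $tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated

    # Verdict: this script's own policy, mirroring the Company A / Company B scenario.
    if ($protection -ne 1) {
        $verdict = 'UNPROTECTED: BitLocker protection is off or suspended'
    } elseif ($types -contains 'TPMAndPINAndStartupKey' -or
              $types -contains 'TPMAndPIN' -or
              $types -contains 'TPMAndStartupKey') {
        $verdict = 'OK: TPM plus a secret the user carries; a stolen laptop stops at the BitLocker prompt (Company A)'
    } elseif ($types -contains 'TPM') {
        $verdict = 'WEAK: TPM only; boots unattended to the Windows logon screen (Company B)'
    } elseif ($types -contains 'ExternalKey') {
        $verdict = 'PARTIAL: startup key required, but without a TPM the boot path is not measured'
    } else {
        $verdict = 'REVIEW: only recovery protectors found'
    }

    New-Object PSObject -Property @{
        Drive            = $DriveLetter
        ProtectionStatus = $protection
        TpmReady         = $tpmReady
        KeyProtectors    = ($types -join ', ')
        Verdict          = $verdict
    }
}

Get-BitLockerAudit -DriveLetter 'C:' | Format-List
```

A Company B machine shows `KeyProtectors : TPM, NumericalPassword` and the WEAK verdict; moving it to the Company A configuration is `manage-bde -protectors -add C: -tpmandpinandstartupkey F:\` (with the USB drive at F:), after which the TPM-only protector can be deleted with `manage-bde -protectors -delete C: -type TPM`.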
There is room to implement a great deal of security in Windows 7, but there is also a lot of room to totally mess it up. As I said earlier, I am not sure that DirectAccess is such a good idea, but I guess it depends on how the rest of the system is configured and how well users are educated.