Credential Manager Enhancements
Windows Vista and Windows 7 include new tools to enable administrators to better support credential management for roaming users, including the Digital Identity Management Services (DIMS) and a new certificate enrollment process. Among other improvements, users can now reset their own smart card PINs without calling the support center. Additionally, users can now back up and restore credentials stored in the Stored User Names And Passwords key ring.
To improve the security of Task Scheduler, Windows Vista and Windows 7 can use Service-for-User (S4U) Kerberos extensions to store credentials for scheduled tasks instead of storing the credentials locally, where they might be compromised. This has the added benefit of preventing scheduled tasks from being affected by password expiration policies.
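The following is an added example, not part of the original text: a Python check that reads exported task definitions and reports which tasks rely on a stored password rather than S4U. The task names, accounts and XML are constructed samples; the `LogonType` element and its `Password` and `S4U` values come from the Task Scheduler task XML schema.

```python
import xml.etree.ElementTree as ET

# XML namespace of Task Scheduler 2.0 task definitions (Windows Vista and later).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TASK = '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'

# Constructed samples, shaped like the output of `schtasks /query /xml`.
SAMPLE_TASKS = {
    "NightlyBackup": TASK + """<Principals><Principal id="Author">
        <UserId>CONTOSO\\svc-backup</UserId><LogonType>Password</LogonType>
        </Principal></Principals></Task>""",
    "InventoryScan": TASK + """<Principals><Principal id="Author">
        <UserId>CONTOSO\\svc-inventory</UserId><LogonType>S4U</LogonType>
        </Principal></Principals></Task>""",
    "DiskCleanup": TASK + """<Principals><Principal id="LocalSystem">
        <UserId>S-1-5-18</UserId>
        </Principal></Principals></Task>""",
}


def logon_types(task_xml):
    """Return (user, logon type) for every principal in one task definition."""
    root = ET.fromstring(task_xml)
    result = []
    for principal in root.findall("t:Principals/t:Principal", NS):
        user = principal.findtext("t:UserId", "(none)", NS)
        logon = principal.findtext("t:LogonType", "(unspecified)", NS)
        result.append((user.strip(), logon.strip()))
    return result


def tasks_storing_passwords(tasks):
    """Names of tasks with a principal whose logon type is Password (stored credentials)."""
    return sorted(
        name for name, xml_text in tasks.items()
        if any(logon == "Password" for _, logon in logon_types(xml_text))
    )


if __name__ == "__main__":
    for name, xml_text in SAMPLE_TASKS.items():
        for user, logon in logon_types(xml_text):
            print(f"{name:15} {user:25} {logon}")
    print("Stored-password tasks:", tasks_storing_passwords(SAMPLE_TASKS))
```

Tasks reported with the `Password` logon type are the ones to review for conversion to S4U.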
Architectural and Internal Security Improvements
Whenever possible, Windows Vista and Windows 7 security features have been designed to be transparent to end users and to require no administration time. Nonetheless, administrators and developers can benefit from understanding the architectural improvements. This section describes these architectural and internal improvements, as well as improvements that require additional applications or infrastructure. The table below describes these features, which were originally introduced in Windows Vista and are also included in Windows 7.
Architectural and Internal Security Improvements in Windows Vista and Windows 7
Improvement | Description |
Code Integrity | Detects malicious modifications to kernel files at startup. |
Windows Resource Protection | Prevents potentially dangerous changes to system resources. |
Kernel Patch Protection | Blocks potentially malicious changes that might compromise the integrity of the kernel on 64-bit systems. |
Required Driver Signing | Requires drivers to be signed, which improves reliability and makes it more difficult to add malicious drivers. Mandatory on 64-bit systems. |
Windows Service Hardening | Allows system services to access only those resources they normally need to access, reducing the impact of a compromised service. |
Network Access Protection client | When used together with Windows Server 2008, helps to protect your network from clients who do not meet your security requirements. |
Web Services for Management | Reduces risks associated with remote management by supporting encryption and authentication. |
Crypto Next Generation services | Allows the addition of custom cryptographic algorithms to meet government requirements. |
Data Execution Prevention | Reduces the risk of buffer overflow attacks by marking data sections of memory as nonexecutable. |
Address Space Layout Randomization | Reduces the risk of buffer overflow attacks by assigning executable code to random memory locations. |
New Logon Architecture | Simplifies development of custom logon mechanisms. |
Rights Management Services client | Provides support for opening Rights Management Services protected documents when the proper applications are installed and the necessary infrastructure is in place. |
Multiple Local Group Policy Objects | Allows administrators to apply multiple Local Group Policy Objects to a single computer, simplifying security configuration management for workgroup computers. |