S 3.212 Client under Windows 7
Description
This module deals with the Enterprise version of the Microsoft Windows 7 client operating system, or Windows 7 Enterprise for short. When necessary, differences between this version and the Windows 7 Business or Windows Vista Ultimate versions are pointed out.
Windows 7 is the successor product to the Microsoft Windows Vista operating system. The security of a client operating system such as Windows 7 plays an important role in security throughout the entire information system. Weaknesses in the operating system of a client can endanger the security of all IT systems, and therefore of the entire information system.
This module focuses on the use of clients in a domain environment. Important facts applying especially to the use of Windows 7 on stand-alone computers or in a workgroup are pointed out as such.
Microsoft has integrated some changes in Windows 7 that were not available in previous Windows versions to improve the level of security of the client. In addition, Microsoft has refined the security features available in earlier Windows versions and implemented them in Windows 7. This includes, for example, the Security Center in Windows XP with Service Pack 2 and Vista, which was extended to become the Maintenance Center under Windows 7.
Security features specific to Windows 7 are as follows:
- AppLocker for protection against the installation and execution of non-approved software (only available in Windows 7 Enterprise and Ultimate)
- BitLocker To Go for the encryption of removable data media by users without administrator rights
The server-specific security safeguards relevant when operating the clients in a domain environment are described in the server modules, for example S 3.101 General server, S 3.8 Windows server 2003 and S 3.9 Windows server 2008.
Modern IT systems are exposed to a number of threats in daily operation. Successful attacks often exploit certain faulty configurations of individual systems or of several system components, as well as design weaknesses in the system architecture. Clients running a Microsoft operating system are attractive targets for attackers due to their widespread use. This is also indicated by the large number of published security gaps and attacks.
IT systems run under the Windows 7 operating system are exposed to the following typical threats:
Threat scenario
Modern IT systems are exposed to a number of threats in daily operation. Successful attacks often exploit certain faulty configurations of individual systems or of several system components, as well as design weaknesses in the system architecture. Clients running a Microsoft operating system are attractive targets for attackers due to their widespread use. This is also indicated by the large number of published security gaps and attacks.
IT systems run under the Windows 7 operating system are exposed to the following typical threats:
Force Majeure
| T 1.2 | Failure of the IT system |
Organisational Shortcomings
| T 2.7 | Unauthorised use of rights |
| T 2.9 | Poor adjustment to changes in the use of IT |
| T 2.19 | Inadequate key management for encryption |
| T 2.62 | Inappropriate handling of security incidents |
Human Error
| T 3.2 | Negligent destruction of equipment or data |
| T 3.3 | Non-compliance with IT security measures |
| T 3.6 | Hazards posed by cleaning staff or outside staff |
| T 3.8 | Improper use of the IT system |
| T 3.9 | Improper IT system administration |
| T 3.22 | Improper modification of the registry |
| T 3.48 | Incorrect configuration of Windows computers |
| T 3.97 | Violation of confidentiality in spite of BitLocker drive encryption under Windows Vista and higher |
| T 3.98 | Loss of BitLocker-encrypted data |
| T 3.112 | Unauthorised or incorrect use of images when using Windows DISM |
Technical Failure
| T 4.1 | Disruption of power supply |
| T 4.7 | Defective data media |
| T 4.23 | Automatic recognition of removable data media |
| T 4.54 | Loss of protection via the encrypting file system EFS |
| T 4.55 | Data loss relating to password resets in Windows Server 2003/XP and higher |
| T 4.73 | Impaired software functionality due to compatibility problems with Windows Vista and Windows 7 |
Deliberate Acts
| T 5.2 | Manipulation of information or software |
| T 5.4 | Theft |
| T 5.7 | Line tapping |
| T 5.9 | Unauthorised use of IT systems |
| T 5.18 | Systematic trying-out of passwords |
| T 5.23 | Malicious software |
| T 5.52 | Misuse of administrator rights in Windows operating systems |
| T 5.71 | Loss of confidentiality of classified information |
| T 5.79 | Unauthorised acquisition of administrator rights under Windows systems |
| T 5.83 | Compromising cryptographic keys |
| T 5.85 | Loss of integrity of information that should be protected |
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
In its basic configuration, Windows 7 already offers several security mechanisms. Other security mechanisms must be implemented by the person responsible first. The Active Directory (AD) can help specify the central configuration and enforce technical security safeguards.
In situations where it is impossible to use the central configuration option offered by AD, technical safeguards need to be specified locally on each client using local security policies. To accomplish this, it is possible to create configuration files centrally and then transmit the configurations to the clients and install them there using suitable mechanisms.
The descriptions of the configurations provided in the following assume a Windows Server 2003/2008 domain structure is being used in the "Windows Server 2003/2008" AD function level.
A series of safeguards must be implemented to securely configure clients running Windows 7, starting with the design of the configuration and continuing through the implementation (installation/configuration) and operation phase. The steps to take to accomplish this as well as the safeguards to consider in each of the steps are listed in the following.
Planning and design
When using Windows 7, it is necessary to select a suitable version first (see S 2.440 Selection of a suitable Windows Vista and Windows 7 version) and to plan its use (see S 2.324 Planning the introduction of Windows XP, Vista and Windows 7). Here, the version depends on whether there will be a completely new application environment or if an existing environment will be migrated to the Windows 7 operating system. A security policy for the use of Windows 7 also needs to be created. It is possible in this case to adapt an existing security policy to cover the features of Windows 7 or to create a new policy specially adapted to the features of Windows 7 (see S 2.325 Planning the Windows XP, Vista and Windows Vista security policies).
In a domain environment, different sets of security settings can be created and maintained with a central administrative tool such as Active Directory. Other security settings can be specified centrally and transmitted to the clients using suitable tools. Safeguard S 2.326 Planning the Windows XP, Vista and Windows 7 group policies contains information and recommendations relating to the configuration of clients under Windows 7.
Windows 7 supports remote administration capabilities for the clients and also offers administrators the ability to access other systems via remote administration using Windows 7. During the planning phase, corresponding specifications must be made to ensure that unauthorised persons cannot log on to the clients via the remote administration. The relevant aspects are described in safeguard S 2.327 Secure remote access under Windows XP, Vista and Windows 7.
If Windows 7 will be used on portable computers, then the corresponding security aspects must be taken into account during the planning phase. The aspects specific to Windows Vista and Windows 7 are stated in safeguard S 2.442 Use of Windows Vista and Windows 7 on mobile systems.
Implementation
In the implementation phase, all safeguards that specifically prepare the system for secure operation are implemented. This especially includes safeguards taken to ensure security during installation and when specifying the basic configuration of the system.
Once the preparatory organisational and planning tasks have been completed, the Windows 7 systems can be installed. The installation must be carried out with great care, see S 4.248 Secure installation of Windows client operating systems. It is necessary to determine in advance during the planning phase which aspects need to be taken into account for the configuration of a Windows 7 system.
To be able to securely execute the software written for older Windows versions under Windows 7, it is necessary to know and securely apply the different technologies (VirtualPC XP mode, for instance) (see S 4.424 Secure use of older software under Windows 7).
Windows 7 offers by default many functions which are primarily intended for private users. This includes, for example, the homegroup for sharing and accessing services in a local network. These services must be restricted in the environment of an organisation (see S 4.423 Using the homegroup function under Windows 7) to ensure the secure operation of a Windows 7 client in the network.
Windows 7 must be enabled prior to permanent use. The reasons for this can be found in S 4.336 Activation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions.
Operation
Ideally, implementation is tested first on a test installation. After successful testing, Windows 7 can then be installed on the desired clients and regular operation can then begin. The following security aspects must be taken into account in this phase:
- The aspects to be taken into account during the regular operation phase are summarised in safeguard S 4.146 Secure operation of Windows client operating systems.
- One way to maintain the security of a Windows 7 system is to monitor the system and its individual components. The relevant recommendations can be found in S 4.344 Monitoring of Windows Vista, Windows 7 and Windows Server 2008 systems.
- Windows 7 systems, like other IT systems, are subject to security risks. To reduce the probability of a successful attack to an acceptable level, Windows 7 systems must be kept up to date. The corresponding recommendations can be found in S 4.249 Keeping Windows client systems up to date.
- For the central monitoring and configuration of the security settings, maintenance settings and troubleshooting, Windows 7 offers the "Maintenance Center" function. To ensure the secure use of the Maintenance Center, the safeguard S 4.420 Secure use of the Maintenance Center under Windows 7 must be implemented.
- Regular examinations of the currently valid security settings and, in general, of the existing security policies make an important contribution to the security of the Windows 7 systems currently in operation. The aspects to consider in this regard are summarised in S 2.330 Regular checks of the Windows XP, Windows Vista and Windows Vista security policies and their implementation.
- Windows 7 offers several administrative tools whose use is recommended from a security perspective since it is possible with the aid of these tools to avoid security-related configuration errors, among other things. Furthermore, these tools are useful when troubleshooting and when performing audits (see S 4.243 Windows client operating system administration tools).
- It is necessary under certain circumstances to reactivate a running Windows 7 system. Information and recommendations on the reactivation can be found in S 4.343 Reactivation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions.
- In Windows 7, BitLocker To Go can also be used to encrypt removable data media in addition to the hard drive encryption introduced under Windows Vista (see S 4.337 Use of BitLocker drive encryption). The security-relevant aspects on how to use this application are described in safeguard S 4.422 Use of BitLocker To Go in Windows 7 and higher.
Disposal
The user data stored locally on clients that will be removed from a department or disposed of must be deleted. This also applies to defective data media that will be replaced. If the data on the data media cannot be reliably deleted for some reason, then the data media must be destroyed using a suitable method. Corresponding recommendations can be found in S 1.15 Deleting and destroying data.
It must be taken into account that access to archived data must be possible during the required retention period even if the IT system that originally recorded the data has been disposed of.
Contingency Planning
Contingency planning also plays an important role in addition to protecting the IT systems during live operation. Information on contingency planning can be found in S 6.76 Creation of a contingency plan for failure of Windows systems. Recommendations for data backups can be found in S 6.78 Data backup under Windows clients.
Safeguard bundle
The bundle of security safeguards for the "Windows 7 client" module is presented in the following:
Planning and design
| S 2.324 | (A) | Planning the introduction of Windows XP, Vista and Windows 7 |
| S 2.325 | (A) | Planning the Windows XP, Vista and Windows 7 security policies |
| S 2.326 | (A) | Planning the Windows XP, Vista and Windows 7 group policies |
| S 2.327 | (B) | Secure remote access under Windows XP, Windows Vista and Windows 7 |
| S 2.440 | (A) | Selection of a suitable Windows Vista and Windows 7 version |
| S 2.441 | (A) | Checking software for compatibility with Windows Vista and Windows 7 |
| S 2.442 | (B) | Use of Windows Vista and Windows 7 on mobile systems |
| S 4.147 | (Z) | Secure use of EFS under Windows |
| S 4.243 | (Z) | Windows client operating system administration tools |
| S 4.244 | (A) | Secure configuration of Windows client operating systems |
| S 4.245 | (A) | Basic settings for Windows Group Policy Objects |
| S 4.246 | (A) | Configuration of the system services under Windows XP, Vista and Windows 7 |
| S 4.247 | (A) | Restrictive assignment of authorisations under Windows Vista and Windows 7 |
| S 4.336 | (A) | Activation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions |
| S 4.337 | (Z) | Use of BitLocker drive encryption |
| S 4.338 | (A) | Use of Windows Vista and Windows 7 File and Registry Virtualization |
| S 4.339 | (B) | Prevention of unauthorised use of removable media in Windows Vista and Windows 7 |
| S 4.340 | (A) | Use of Windows User Account Control UAC in Windows Vista and higher |
| S 4.341 | (A) | Integrity protection in Windows Vista and higher versions |
| S 4.342 | (Z) | Activation of the Last Access time stamp under Windows Vista and higher |
| S 4.425 | (B) | Using the Safe and Cardspace functions in Windows 7 |
| S 5.123 | (B) | Securing network communication in Windows |
Implementation
| S 2.32 | (Z) | Establishment of a restricted user environment |
| S 3.28 | (A) | User training on Windows client operating system security mechanisms |
| S 4.48 | (A) | Password protection under Windows systems |
| S 4.49 | (A) | Protection of the boot procedure for a Windows system |
| S 4.75 | (A) | Protection of the registry under Windows systems |
| S 4.149 | (A) | File and share authorisations in Windows |
| S 4.248 | (A) | Secure installation of Windows client operating systems |
| S 4.419 | (Z) | Application control in Windows 7 and higher by means of AppLocker |
| S 4.421 | (C) | Securing Windows PowerShell |
| S 4.423 | (B) | Use of the homegroup function under Windows 7 |
| S 4.424 | (Z) | Secure use of older software under Windows 7 |
| S 5.89 | (A) | Configuration of the Secure Channel under Windows |
| S 5.90 | (Z) | Use of IPSec under Windows |
Operation
| S 2.330 | (B) | Regular checks of the Windows XP, Windows Vista and Windows 7 security policies and their implementation |
| S 4.56 | (C) | Secure deletion under Windows operating systems |
| S 4.146 | (A) | Secure operation of Windows client operating systems |
| S 4.249 | (A) | Keeping Windows client systems up to date |
| S 4.343 | (Z) | Reactivation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions |
| S 4.344 | (B) | Monitoring of Windows Vista, Windows 7 and Windows Server 2008 systems |
| S 4.420 | (A) | Secure use of the Maintenance Center under Windows 7 |
| S 4.422 | (Z) | Use of BitLocker To Go in Windows 7 and higher |
Contingency Planning
| S 6.76 | (C) | Creation of a contingency plan for failure of a Windows network |
| S 6.78 | (A) | Data backup under Windows clients |