I’m working on a bunch of articles and reviews for eWeek about application whitelisting. I’ve got my ideas about when it is appropriate and when it isn’t. When it is, when users don’t suffer because their workstations are locked down, then it is great. When it isn’t, then users will hate you for ruining their PC.
I decided that as a baseline I should find out what Microsoft gives away for free with Server 2008 and Windows 7. I can use AppLocker and Active Directory/Group Policy Objects to set up whitelisting rules for my testbed.
I found some good resources:
Microsoft TechNet AppLocker Step-by-Step Guide
And an OK planning guide.
Today I downloaded and installed Windows Server 2008 Enterprise R2 and Windows 7.
It’s not the most exciting day, yet I feel tomorrow holds great promise.
I can’t wait to check out more group policy stuff, especially AppLocker and BitLocker.
I’ve been a fan of Windows since version 3.1. After playing with LOGO and Mac systems as a grade-schooler and then trying to work in BASIC (sans hard drive, no less), I met my first Windows 3.1 machine late in high school and suddenly everything made sense. Here were screens that showed me my files, let me visually navigate to find areas I’d always known existed but couldn’t intuit, gave me access to settings I hadn’t even hoped for yet. It was tremendously exciting.
As if that weren’t enough, along came the Internet just a few years later. If I couldn’t figure out something on my Windows PC, someone on the Internet could help—usually by having posted the solution before I’d thought of the question. Answers without human contact!
Yadda yadda viruses yadda spam yadda yadda computers so easy your dogboy cousin can ruin everything in a single bound later and Microsoft has now contorted the OS around the average user, who quite needs to be saved from himself. In many cases, this is a-OK with me. Keep my dad from deleting his C: drive, you betcha.
But I beg Microsoft—I dare Microsoft—to explain to me the modifications in Vista, and perpetuated in Windows 7, that keep me from opening a Word document and an Excel spreadsheet at the same time.
Try it: Go to Explorer and select two files of different types, then press Enter. Or right-click and look for the “Open” choice. No dice—and no hacks, as far as I can find. XP did it. Windows 2000, 98, even Me did it. Er, I think. In Vista it doesn’t matter if you’re a standard user or an administrator, or even if you have super-secret Administrator privileges. You can’t be trusted to open more than one type of file at a time. Microsoft said. A Microsoft forum moderator came up with some code that was supposed to work; it let you enter some code and point the context menu’s Send To at it. In theory you could select multiple files, right-click, choose Send To, then the shortcut to your code—an annoyingly large number of steps but at least they didn’t involve opening a file, switching back to Explorer, opening another file, switching back, etc. In theory, that is—it didn’t work.
The reasoning, by the way, is that opening too many files (2) of too many different types (2) at once can strain system resources. (While you can open two files of the same extension simultaneously, you cannot open a .doc and a .rtf at the same time, assuming they both open in the same application.) By the time Vista was released to the public, 1GB of RAM was the minimum most users would tolerate in a new machine. The budget home Dell desktop had 2 gigs. Your average home user couldn’t have strained his system resources if he’d tried.
I won’t go into the Explorer view settings issues in Vista. They’re a plague, and fixes don’t stick. If you change one folder view to Tile from Detail, expect random file view changes in every other folder. But you know, that’s cosmetic. Very, very annoying but cosmetic. How about the status bar, which likewise doesn’t always stick, which never displays a folder file size total, and which rarely if ever displays a selected file size total? Who is this helping? My most fevered imaginings come up blank. But nearly every day, when I load up a USB drive with various everyday files, I’d really, really like to know how close it is to full.
While I was happy enough with Vista, plenty of other people weren’t. I rather assumed Microsoft would rectify these terrible, awful, unfixable problems in reevaluating the code for Windows 7. I certainly made them aware of my dissatisfaction, as I’m sure others did. What could the developers have been thinking? These were stupid, stupid decisions.
NUREMBERG, Germany, November 17/PRNewswire/ — NCP engineering GmbH in Nuremberg announces the release of the first universal IPsec VPN Client Suite for Windows 7. This software not only supports all 32 and 64 Bit Microsoft operating systems but also includes comprehensive performance features for easy and economical Remote Access such as: VPN Path Finder technology, optimisation for 64 bit systems and support for the latest drivers as well as WLAN roaming. The compatibility with VPN Gateways of all renowned manufacturers is also of utmost importance.
The NCP Secure Entry Client meets, in its latest version 9.2, the constantly growing needs of VPN Clients for 64 Bit Windows systems and complies with the main requirements of companies to only have to use one universal IPsec VPN Client in heterogeneous IT landscapes. The consistent operation and user interface reduces helpdesk costs and training costs. A highlight of the new version is the “NCP VPN Path Finder Technology”. This performance feature allows users to also establish IPsec data connections behind firewalls which have a port configuration that usually makes it impossible to establish IPsec communication (e.g. in hotels or public hotspots). Therefore, there are no longer any issues to comprehensively implement an IPsec based security policy.
Further improvements in version 9.2 are: support for the newest Intel Wi-Fi driver and mobile broadband, the 64 bit optimization, WLAN roaming and “tip of the day”. The 64 bit optimization increases data throughput by about 20%, WLAN roaming automatically chooses the strongest available access point with the same SSID and the “tip of the day” shows the user examples of the wide range of potential uses of the NCP VPN Client. Handling for user and administrator is also improved. Examples of these improvements are the optimized WLAN GUI and field intensity, profile exports and the revised 3G/UMTS configuration.
The NCP Secure Entry Client offers, as the VPN Client Suite, coordinated communication and safety related performance features for universal Remote Access. The VPN Client offers, as a Client Suite, an intuitive, graphical user interface; its own dialler, a dynamic personal firewall and the integrated support of a large number of mobile connect cards. Teleworkers hence really get a true “one-click-solution”. Comfort functions including budget manager, WISPr-support, automatic media type recognition, import of profiles of “foreign” VPN gateways and OTP mobile support reduce support costs and operating costs.
Companies can download a 30 day unlimited trial of the Client’s version at http://www.ncp-e.com/en/downloads/software.html