Last week, I wrote about the availability of a free trial of Windows 7 Enterprise RTM from Microsoft. While Windows 7 Enterprise is certainly geared toward the enterprise in terms of pricing and features, the licensing criteria don't necessarily exclude mid-sized organizations, either.
I thought it would be useful to walk through a few of the features in Windows 7 Enterprise that SMBs might benefit from.
While I did not have the opportunity to actually try out BitLocker on Windows 7, I did recently enable it on Windows Vista Enterprise and had a good experience with it. For Windows 7, Microsoft assures us that BitLocker has been tweaked to be even easier to enable than before.
For one thing, there is no longer a need to create the requisite hidden partition that is used to load the operating system. In effect, BitLocker can be enabled on all drives running Windows 7 with nothing more than a right-click of the mouse.
In addition, CIOs and IT managers can have greater peace of mind, as administrators can now use Active Directory Domain Services integration as an escrow for recovery keys. This is useful in instances when a laptop fails to power up, dooming the decryption key stored in the built-in TPM hardware. With the recovery key safely stowed away, though, there is now a guarantee that data on hard disks can be recovered.
BitLocker To Go
Microsoft now supports the encryption of removable drives using BitLocker To Go. As such, flash drives or portable hard disk drives can be protected using a passphrase, with the actual encryption key transparently managed.
Of probably even greater value is how rules pertaining to the usage of portable drives can now be defined. For example, encryption could be defined as mandatory before users are allowed to copy files to these drives. For flexibility, it is also possible to allow unprotected portable storage devices to be accessed in read-only mode.
The adoption of BitLocker To Go could finally put an end to the common problem of severe data breaches resulting from lost or stolen portable storage devices.
In a nutshell, AppLocker allows system administrators to lock down a Windows 7 machine by specifying the software applications that are allowed to run. AppLocker is powerful because the rules for defining which applications can execute are managed centrally using Group Policy.
The idea here is similar to the concept of "whitelisting" and is certainly a more comprehensive solution for malware. What Microsoft has done differently here is integrate this powerful feature seamlessly into Active Directory. Properly configured and enforced, this should finally put a stop to the loading of custom Trojans or malware not recognized by antivirus scanners via the use of portable storage devices.
AppLocker also introduces the concept of "publisher rules" for applications that are digitally signed by publishers. In this manner, it is possible to use a single rule to implicitly bar older, vulnerable versions of an application, while allowing later ones.
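A publisher rule with a version floor, shown as an added example in AppLocker's policy XML format (it is not from the original article). The publisher name, product name, version number and rule GUIDs are constructed placeholders, and the collection is set to audit-only so the effect can be reviewed in the event log before enforcement.

```xml
<!-- Added example: all names, versions and GUIDs below are constructed. -->
<AppLockerPolicy Version="1">
  <!-- AuditOnly logs what would be blocked; switch to "Enabled" to enforce. -->
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">

    <!-- Keep the operating system itself runnable for Everyone (S-1-1-0). -->
    <FilePathRule Id="11111111-1111-1111-1111-111111111111"
                  Name="Allow Windows folder"
                  Description="Constructed example rule"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>

    <!-- Publisher rule: any binary of this signed product is allowed,
         but only at file version 9.2.0.0 or later. Older signed builds
         match no Allow rule and are therefore denied implicitly. -->
    <FilePublisherRule Id="22222222-2222-2222-2222-222222222222"
                       Name="Example Viewer 9.2 and later"
                       Description="Constructed example rule"
                       UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition
            PublisherName="O=EXAMPLE SOFTWARE INC, L=EXAMPLE CITY, S=EXAMPLE STATE, C=US"
            ProductName="EXAMPLE VIEWER"
            BinaryName="*">
          <BinaryVersionRange LowSection="9.2.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>

    <!-- Caveat: a broad path rule covering the install directory
         (for example %PROGRAMFILES%\*) would also allow the older
         builds. In that case add an explicit Deny publisher rule for
         the old version range, since Deny takes precedence over Allow. -->
  </RuleCollection>
</AppLockerPolicy>
```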
In addition to the above advantages, Windows 7 also offers the inherent licensing rights to run up to four additional copies of the Windows operating system as virtual machines. While probably not so useful to the lay worker, this is of tremendous value to IT professionals or developers who need to run multiple versions of Windows for testing or debugging purposes.
Does your organization have any plans to acquire Windows 7 Enterprise edition?