If you tell enough stories, perhaps the moral will show up.

2009-11-21

What Goes into the W7 Workstation

First look into the Security Guide in the Windows 7 Security Compliance Management Toolkit. It's an interesting read and there's a lot of potential goodies. The takeaways for me are:

  • UAC looks good, but when you get down to it, there's less than you want. In particular you still need a really non-admin account for browsing and reading mail and it won't save ordinary users from cockups -- so they still can't be admins. Good. (Mark Russinovich says that the real purpose of UAC is to force developers to make their code work as non-admin. Better.)
  • The policy can all be pushed from group policy. The price of this is that W7 machines will need their own OU tree.
  • There are some sexy, seeeexy audit log options. A whole lot more to set.
  • There's an easier replacement for software restriction, but it relies on signed code.
  • Finer-grained control over devices means we might be able to have one less agent in the build.
  • Still not sure about the malware tools. I can't see why I would object to the Malicious Software Removal Tool but the old rule about not mixing AV solutions may apply here. The native tools aren't enterprise capable, so they'll have to go.
  • This may be time for SUS. The solution we have is more capable, but since we only ever push MS hotfixes with it, I might just choose to save the licence fee.
  • They seem to have de-emphasised routine IPSEC since Vista, but I may have missed the crucial bit.
I need a W7 install to play with.
