Boost Security with 64-bit Windows 7

Latest version offers Kernel Patch Protection and Driver Signature Enforcement.

Mitch Tulloch is a Microsoft Most Valuable Professional and lead author of the Windows 7 Resource Kit from Microsoft Press. You can follow him on Twitter at @MitchTulloch or friend him on Facebook at http://www.facebook.com/mitchtulloch.

With so many privacy breaches happening recently, having a secure computing environment should be a top priority for organizations of any size. Choosing the right desktop operating system and architecture (32- or 64-bit) is therefore a key consideration for ensuring your computing environment is secure.

The primary benefit from deploying the 64-bit version of Windows 7 over the 32-bit version is the ability of 64-bit Windows to address more than 4 gigabytes of RAM. This increased address space allows more programs to run simultaneously on the platform and allows individual programs to use greater amounts of memory.

Currently, however, there are few native 64-bit applications available on the market. And while Microsoft Office 2010 now comes in both 32- and 64-bit flavors, Microsoft actually recommends that most organizations deploy a 32-bit edition of Office 2010 to ensure compatibility with their existing environment of 32-bit ActiveX controls, third-party add-ins and custom solutions developed using previous versions of Office.

So even if you deploy the 64-bit version of Windows 7 in your environment, most applications that users will be using will still be 32-bit programs, and the maximum address space for individual 32-bit programs running on 64-bit Windows is still only 4GB.

While 64-bit editions of Windows 7 have the potential to run larger programs and to run more programs simultaneously, the reality is that few users need such capabilities, and few applications are available as native 64-bit programs. While there might be many reasons to favor the 64-bit version of Windows over the 32-bit version, one top factor is security. The following are five security benefits that the 64-bit version provides.

Fewer Potential Threats

Currently, the vast majority of existing malware in the wild targets 32-bit Windows platforms, especially Windows XP and older versions of Windows plus earlier versions of Internet Explorer. Many of these older platforms are consumer machines that are poorly patched, and they make an easy target for botnet candidates.

Remember, attackers generally go for low-hanging fruit, so it makes sense for them to continue targeting Windows XP and other legacy 32-bit Windows platforms rather than expend time and energy trying to defeat the more powerful security defenses of Windows Vista and later, Internet Explorer 8 and later, or Office 2010.

The counter argument, of course, is that the threat landscape will rapidly change as 64-bit Windows 7 deployments gather momentum and attackers focus their efforts on targeting 64-bit Windows platforms and applications. This reasoning ignores the important fact that the security features built into both 32- and 64-bit versions of Windows 7 are vastly more effective than the security of legacy Windows platforms such as Windows XP.

Even if attackers shift all their efforts toward targeting 64-bit Windows, the effectiveness of their attacks will be diminished both by the stronger defenses in the current version of Windows and by the increased sophistication and commitment of those charged with defending Windows.

Plus, users of 64-bit Windows who are especially paranoid have the option of installing the 64-bit version of Office 2010 on their machines and can even run the 64-bit version of Internet Explorer from their Start menu, though in both cases compatibility issues with Office extensions and active website content may cause some issues.

No Support for 16-bit Programs

The 64-bit version of Windows 7 does not run 16-bit programs such as legacy MS-DOS or Windows 3.x applications. While this may be an inconvenience to some organizations that still rely on having their users run 15- or 20-year-old applications on their computers, it also closes the door on another significant vector of attack – legacy applications that are no longer supported by the manufacturers that created them.

Several of these manufacturers are no longer in business, so any vulnerabilities presented by these old 16-bit applications cannot be patched. If you're still running such applications in your environment, it's time to get rid of them and either find a replacement or develop something in-house.

Kernel Patch Protection

The kernel is the heart of the operating system, and hacking the kernel is the holy grail of malware creators. Once the kernel on your system is compromised, you may as well flatten and rebuild, as it's unlikely you'll be able to undo the damage.

That's why kernel patch protection, or PatchGuard, which was first introduced in Windows Server 2003 Service Pack 1 x64 and Windows XP x64 and is present in all later 64-bit versions of Windows, makes 64-bit Windows platforms more secure than their 32-bit cousins. While PatchGuard won't protect your computer from all viruses, Trojans or rootkits, it will effectively foil any third-party attempts to compromise your kernel by patching it with malicious code.

Driver Signature Enforcement

Driver Signature Enforcement is always turned on for kernel-mode drivers on the 64-bit version of Windows 7. This makes it much more difficult for an attacker to perform a stealth install of a kernel-mode Trojan on a 64-bit Windows system compared with doing this on a 32-bit Windows system. You cannot install unsigned kernel-mode device drivers on 64-bit versions of Windows. Even signed drivers for Windows 7 x64 must be cross-signed using a separate certificate provided by Microsoft if these drivers are boot-critical or must run in kernel mode.

Hardware Data Execution Prevention

Data Execution Prevention (DEP) helps protect a computer by monitoring running programs to make sure they utilize system memory safely. If DEP detects that a program on the computer is trying to use memory incorrectly, it automatically shuts down the program. The 32-bit versions of Windows 7 include a software implementation of DEP, but the 64-bit version utilizes the built-in DEP capabilities of 64-bit AMD and Intel processors to enforce DEP at the hardware layer, where it is very hard for attackers to circumvent.

If you care about security – and you should – then deploy the 64-bit version of Windows 7 across your environment. With hardware DEP and driver-signing enforced, kernel patch protection, removal of support for running legacy 16-bit code, and a diminished threat landscape compared with 32-bit Windows, you can rest easier at night knowing that Windows 7 x64 is watching your back. But always remain vigilant, for malware developers never sleep.