Microsoft and CESG have worked together on a collaborative project to produce a best practice framework for configuring Windows 7 for its use within UK Government, taking account of the increased threat and risk that a government department faces. This guidance is called the Government Assurance Pack (GAP) for Windows 7.

Examination of Windows 7 has enabled the development of a UK Government specific configuration of Windows 7 combining tailored group policy with Microsoft best-practices. Close working enabled by the Microsoft Government Security Programme (GSP) has allowed CESG and Microsoft to collaborate on this lockdown building on previous work on Windows Vista and Windows XP GAP lockdowns. Feedback from those previous versions has allowed the collaboration to develop a secure configuration using new features and security configurations in Windows 7 that have minimal impact on the user experience.

The GAP provides a common starting point for departments or their system integrators to build a more secure workstation environment. The configuration is primarily aimed at central government departments however its guidance can be adapted to suit the range of threat scenarios faced across UK government. As the GAP uses the configuration of existing capabilities within Windows 7, it is fully supported by Microsoft.

In terms of security then the following Windows 7 features are significant:

  • ·BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Microsoft's Windows Vista and Windows 7 desktop operating systems. It is designed to protect data by providing encryption for entire volumes.
  • AppLocker enables IT departments to specify both which applications, and minimum/maximum versions, that employees can execute on Enterprise and Ultimate editions of Windows 7
  • Address space randomisation hinders some types of security attacks by making it more difficult for an attacker to predict target addresses
  • Data Execution Prevention (DEP) is a security feature included in Windows 7 that is intended to prevent an application or service from executing code from a non-executable memory region

To obtain the GAP and BitLocker Guidance a UK Government department or agency must ask for it via their CESG contact.  The documentation and configuration packs are only available from CESG to UK Government directly – third parties contracted to implement government systems should obtain the guidance through their sponsoring department or agency. Guidance is also available to CESG Listed Advisor Scheme (CLAS) consultants.

Microsoft can also offer a consulting engagement to support Windows 7 GAP deployments and for more information please email ukps@microsoft.com

Posted by Dan