Are you looking to learn more about Windows 7, Windows Server 2008 R2, Exchange 2010 and other Microsoft products? Well the New Efficiency Virtual Launch Event is the perfect opportunity to do so.

What will you find there?

• Steve Ballmer’s Keynote Replay
• Over 100 sessions presented by Microsoft. Topics include:
  • Windows 7 Application Compatibility
  • Windows 7 Deployment Technologies
  • Windows XP Mode Overview
  • Saving WAN costs with BranchCache
  • Remote Desktop and Applications with WS08 R2
  • Microsoft Web Platform – What’s New in IIS 7.5
  • Voice Mail with Unified Messaging in Exchange 2010
  • Outlook Web App in Exchange 2010
  • Information Protection Solutions Overview
  • MDOP; Asset Inventory Services
  • and much much more
• Visit Virtual Partner Booths from:
  • Cisco, AMD, Dell, Citrix, Intel, plus many others
• Download full version trials of Windows 7 Enterprise, Server 2008 R2, Exchange Server 2010 and Microsoft Forefront.
• Virtual backpacks to you can download transcripts from every demo, documentation and more.
• Links to hundreds of additional Microsoft resources to help you
• Links to brand new Springboard Series Windows 7 content created just for the virtual launch experience.

The best part? All of this is available to you for free. Just visit www.thenewefficiency.com later today and see what happens when cost savings, productivity and innovation come together.

Our guest blogger is Daniel Nerenberg. He is an MCT,MCSA,MCSE,MCTS,MVP, STEP Member and an independent consultant based in Montreal. He is also the President of the Montreal IT pro user group. Daniel has written and consulted on the topics of Windows deployment, application virtualization, and Windows infrastructure.

Window 7 RTM has been available for just a few weeks now, but already IT Pros everywhere are diving into great new features. One of the more exciting features introduced in Windows 7 is AppLocker. Many of you know about Software Restriction Policies, they allow you to block the execution of a program by file name or hash calculation. You probably also know how it was a race to block applications in our network with these methods. Users could change the name of the file, or applications updates so frequently that you would constantly need to generate new hash files.

AppLocker works under the premise that it’s easier to allow the applications you want, and block the rest. If you’re running a Windows 7 machine you can see AppLocker by typing gpedit.msc into your search bar and pressing enter.

You can define policies based on executables, Windows installers, and scripts. Creating a new policy is simple. Right-click on any of the 3 categories and click Create New Rule.

You can create a policy to allow or deny an executable. You can also select which groups the rule will apply to.

You can choose to create a rule based on a publisher (the program needs to be signed), a program path, or a file hash (usually a good choice if the program isn’t signed).

For this example I chose publisher. The Rule Wizard uses the information stored application signing certificate to learn about the application. You can adjust what level of information you’ll allow for an application.

In the above example the policy will only allow Internet Explorer 8.0.0.0 and above to run on the computer.

You can use the same steps to create exceptions for specific applications. One of the more convenient features is the ability to automatically generate rules. If you right click on any of the 3 categories and click Automatically Generate Rules you can quickly generate a list of rules based on applications that are already install on the computer (saving you a lot of work to get going with AppLocker!).

In this example, we scan your applications in the Program Files directory and create rules for those programs to run. Perfect for creating a baseline set of rules for applications on a gold image or group policy quickly.

So to summarize, AppLocker allows you from a high level (Publisher) to a granular level (Version) to choose what applications you would like to allow users to run (white listing) rather than creating long lists of what applications they cannot use (black listing).

The buzz at RSA around Windows 7 has been tremendous.

Yesterday, in his keynote, Scott Charney (Corporate VP Trustworthy Computing) talked about AppLocker and how it helps ensure that only known, trusted software is run within an organization’s desktop environment. Shortly after the keynote, I ran into Marcelo Birnbach - a Senior Program Manager in the Windows Security Technologies organization and works on AppLocker - on the expo floor. Since he’s an expert, we thought we would ask him for his perspective on AppLocker in Windows 7.

Marcelo Birnbach talks about Windows 7’s AppLocker Feature

And since Marcelo is originally from Argentina, we also asked him to share his thoughts in Spanish.

Marcelo Birnbach talks about Windows 7’s AppLocker Feature [Spanish Version]

Along with 17,000+ other security- minded professionals, I’m at RSA in San Francisco this week. For those who are not familiar with the RSA Conference, it’s the premier information security conference of the year. It attracts the best and brightest security folks from around the world. In addition, it is a great place to keep up with what’s going on in the information security marketplace. I’m at RSA to not only see what’s going on in the industry, but to also talk about some of the cool new security features in Windows 7.

We’re really excited about Windows 7’s new security features. This next OS is built upon the proven security technologies in Windows Vista and provides a fundamentally secure computing platform. We not only utilized enhanced Security Development Lifecycle (SDL) process during planning, development and testing but we also have worked to make the security features more discoverable, usable and manageable. These enhancements give Windows 7 the expanded security offerings to provide the necessary security controls to help mobile workers access the information they need to be productive, wherever and whenever they need it.

There is a lot of new stuff in Windows 7, but let me highlight some of those things that go into helping the mobile worker…

Multiple Active Firewall Policies

In Windows Vista, firewall policy is based on the “type” of network connection established—such as Home, Work, Public, or Domain (the fourth, hidden type.) This can be a security problem for IT professionals since mobile users will connect to multiple networks while on the road. For example, let’s say I get connected to the Internet through a “Public” network. As a result, the “Public” firewall policy is applied to the computer. Now, if I want to connect to the Microsoft corporate network via my VPN, the IT configured firewall settings for accessing the “Domain” corporate network cannot be applied because the first network type (and thus the firewall settings) had already been set.

Windows 7 gets rid of this IT pain through support for multiple active firewall policies. This enables my PC to obtain and apply domain firewall profile information regardless of other networks that may be active on the PC. Now IT Pros can simplify connectivity and security policies by maintaining a single set of rules for both remote clients and clients that are physically connected to the corporate network and know that the rules are appropriately applied.

DirectAccess

When I travel or am day-extending by working from home, I tend to need a lot of access to the corporate Intranet. As you can imagine, we use SharePoint a lot and a large number of our Line of Business applications are all Web- enabled. The result: I have to use our corporate VPN a lot. Unfortunately, it’s always an interruption for me to stop what I am doing and to fire up my VPN connection.

Windows 7 works in conjunction with Windows Server 2008 R2 to make working outside of the office simpler and less frustrating with DirectAccess. DirectAccess works by automatically establishing a bi-directional connection from client computers to the corporate network. As a result, as a remote user I have seamless, secure access to the corporate network anytime I am connected to the Internet, without having to manually initiate a traditional VPN connection. This helps make me more productive and allows me to focus on my work and not the remote access technology. Now whenever and wherever I travel, I can not only access my corporate email, but also open Intranet sites, shared drives, use line-of-business applications, and have full access to corporate resources that I need to do my job without having to manually create my VPN tunnel.

From a security perspective, DirectAccess is built on a foundation of proven, standards-based technologies like IPv6 and IPSec. IPsec is utilized to authenticate both the computer and user. This allows IT the capability to manage the computer even before I log on. IT can also optionally require me to authenticate with a smart card. IPsec is also utilized to provide encryption for communications across the Internet with encryption algorithms such as AES.

DirectAccess also has a cool benefit for IT Pros as well, since it provides an always on, secure mechanism to remotely manage and update the PCs of their mobile workforce. Whenever my laptop has Internet connectivity it is directly connected to the Microsoft corporate network. This gives IT more opportunity to distribute software updates and policies to me and other mobile workers and helps keep our machines free of malware and other unwanted software.

BranchCache

DirectAccess is great for the mobile worker, but what about the remote worker who works out in a branch office location? I’ve worked in many a branch office and the one thing they all seem to have in common is limited network bandwidth. Accessing large files in a branch office is always a slow, frustrating affair for me. I, like most users, prefer a snappy network and quick downloads. All the waiting that I have to do-- or you have to do -- is just lost productivity that, at the end of the day, can hurt the company’s bottom line.

Windows 7 incorporates BranchCache, another technology that works in conjunction with Windows Server 2008 R2, which helps make network responsiveness of applications and data housed within your data center feel snappy. This gives users in remote, branch offices the experience of working as if they were on the local area network (LAN) of the server they are accessing.

BranchCache also helps reduce the utilization of the wide area network (WAN). When BranchCache is enabled, a copy of any data accessed from Intranet Web sites and/or file servers is cached locally within the branch office. When another client on the same network requests the file, the client downloads it from the local cache without downloading the same content across the WAN.

The key thing for me is that it makes access to static data quick and it is all done without decreasing the security of that data. Access controls are enforced on cached files in the same way they are on original files.

BitLocker To Go

While here at RSA, it is inevitable that I will need to share data with one of my trusted partners or customers. My primary method of transferring data is to use one of the half dozen or so USB sticks I carry around in my backpack. Over time, these USB sticks end up with all sorts of different data and documents on them. As a security guy, I worry about what would happen if I lost one of these USB sticks. What if I have some confidential or customer data on one of them?

Windows 7 helps address the continued threat of data leakage with introduction of BitLocker To Go: an extension to BitLocker in Windows Vista that allows me to encrypt the disk volume of removable storage devices with a password and/or a digital certificate stored on a smart card.

BitLocker To Go was designed to facilitate the secure sharing of data on removable storage devices and was designed to work on any standard removable storage device. No special, proprietary hardware is required. So now, whether you are traveling with your laptop, sharing large files with a trusted partner, or taking work home, you can feel secure that your data is safe. Both traditional BitLocker and BitLocker To Go protected devices help ensure that only authorized users can read the data, even if the media is lost, stolen, or misused.

One last thing worth mentioning -- I can use BitLocker To Go to share data with a Windows user who is running Windows Vista or Windows XP through the BitLocker To Go Reader. This application is installed by default on removable storage volumes and allows read-only access on older versions of Windows while still allowing you to help protect your USB sticks.

AppLocker

While I feel good about protecting my data with BitLocker in case it is lost or stolen, data can still be lost due to malware or other unwanted software. When I talk to customers about keeping malware off of their systems, we always end up talking about desktop lockdown and the first topic of desktop lockdown is always removing administrative access from a majority of users. This is a great first step for any organization to take; however, workers today bring software from home, download applications from the Internet (intentional and unintentional), and access new programs through email. Many of these applications don’t need system- wide, administrative access to install or run. The result is a higher incidence of malware infections, more help desk calls, and difficulty in ensuring that only approved, licensed software is installed and utilized.

Windows 7 has a new application control solution in AppLocker. AppLocker gives control back to IT administrators and helps them eliminate unknown and unwanted software in their environment. AppLocker can be configured through Group Policy and can help manage those applications that run on corporate PCs, helping keep your organization’s data safe and your enterprise PCs manageable. AppLocker works by intercepting kernel calls that try to create new processes or load libraries and making sure that the code in question has been allowed to execute.

AppLocker just might be my favorite security feature in Windows 7, for it not only provides security protections but as an ex-IT Pro I really appreciate the operational and compliance benefits as well. Things like:

• Keeping unlicensed, vulnerable software from running in the desktop environment, including stopping workers from running applications that needlessly use consumer network bandwidth or otherwise impact the enterprise computing environment.
• Easing enterprise software deployments and maintenance through effective desktop configuration management.
• AppLocker allows users to install and run approved applications and software updates based upon their business needs.
• Helping ensure a company’s desktop environment is in compliance with corporate policies and industry regulations such as PCI DSS, Sarbanes-Oxley, HIPAA, Basel II, and others.

More to Come

This is just a small part of what’s in Windows 7 from a security perspective, and just the tip of the iceberg for the features I’ve described. Stay tuned for more information on what’s going on at RSA and more information on the cool new security technologies in Windows.

RSA is here again, and presents a great opportunity to discuss the security in Windows 7: specifically how certain features in the OS address key security-related enterprise scenarios. In today’s economic times, businesses and their shareholders need to know that when they make an investment in a product, they are doing so responsibly and securely, and the investment is sound. Windows 7 is this sound investment: it includes features that allow workers to work anywhere, while leaving IT Pros confident that business-related data and content are secure.

The world has changed a great deal in the last decade. Information workers interact with their computers in new ways and have incorporated technology into everything they do, as a result the security landscape has greatly evolved. For example, in 2001, mobile and wireless workers weren’t impacting IT decision making; today, they make up more than a quarter of the workforce. In 2008, laptops made up more than half of all devices purchased in the enterprise. With Windows Vista, we made significant investments to address many of these security concerns and developed the most secure OS to date. With Windows 7, we are carrying forward that investment.

When we began developing for Windows 7, we decided to approach our security feature enhancements in terms of user type and scenarios. We looked at a few types of workers - the mobile worker on the go, the remote worker in a branch office, the IT Pro and the security expert. All have unique needs, pain points, and styles of work - and we’re addressing each in Windows 7.

Consider being a mobile worker. The challenge for you is connectivity and access. Meanwhile, your IT Pro at the office is worried about balancing those with data protection and network security. With Windows 7, we focused on a few key features to address this scenario, and to build confidence in enterprises trying to get the most out of a mobile workforce.

• DirectAccess lets mobile workers connect quickly and securely to a corporate network over any Internet connection, without having to manually access their virtual private network. IT can leverage DirectAccess to manage the Group Policy settings and deliver updates to mobile computers, even if the user is not logged on.
• BitLocker, introduced in Windows Vista, now allows end users to right-click on a drive to quickly enable it, making it more intuitive and easier to use.
• BitLocker To Go now extends support of BitLocker drive encryption to USB removable storage devices – like our mobile worker’s flash drive (see this Springboard Series Video). Theft and loss of proprietary data from mobile devices is a great expense for businesses. However, the loss of integrity is even harder to recover.

The remote worker scenario has similar challenges to the mobile worker, but requires ease of access on a more regular basis. According to a recent study, 91% of employees work away from the corporate headquarters, with the bulk of these working in branch offices. These workers often face difficulties and long wait times accessing information off the corporate drive. With this pain point in mind, we introduced BranchCache, which lets users access information more quickly. For IT Pros, this means the assurance that branch machines maintain the same security protocols as the home office.

For home-use scenarios, employees expect the same level of connectivity and access they would have in the office. In Windows Vista, the firewall policy was based on the type of network connection established – such as Home or Work. This created an obstacle when workers logged on at home, using a Home connection and virtual private networking (VPN), because firewall settings were not set up appropriately for this scenario. So we made changes. With Windows 7, enterprises will be able to simplify their connectivity and security policies by maintaining a single set of rules for both remote clients and clients physically connected to the corporate network.

And businesses will have confidence that all remote users – whether branch office or mobile - will benefit from key improvements in IE8, including protection against XSS threats, identity theft, and new types of phishing attacks like Clickjacking. I think the work we did in IE 8 really helps put people in control of their online safety and privacy.

Finally, let’s take a look at issues people face when trying to manage these environments. Not surprisingly, IT Pros and security experts have daunting missions: they enable secure access to data for mobile, remote and local users; keep systems up to date; and track accessed data– all while attempting to drive new value for the business - it’s enough to cause IT Pro insomnia. As such, we continue to develop a range of security solutions to address evolving IT needs.

Some key examples of user scenarios empowering technology:

• AppLocker: We received feedback that workers today put software from home on their PCS, download applications from the Internet, and access programs through email. As a result, there’s a higher difficulty ensuring PCs in the enterprise environment are running only approved, licensed software. AppLocker solves this issue; it’s an administered mechanism that allows a business’ security expert to specify what is allowed to run on each user’s PC.
• Network Access Protection: This allows IT Pros to create solutions to validate computers that connect to their network and limit the access or communication of noncompliant computers.
• Microsoft Asset Inventory Service: Part of Microsoft Desktop Optimization, complements the OS security and compliance technologies by allowing our IT Pro a comprehensive view of the enterprise desktop software environment.
• User Account Control: We heard loud and clear that end-users wanted fewer UAC prompts and more control over what items they are prompted for, but we know IT Pros still need control over what’s installed or run on a machine. As a result, in Windows 7, we made specific changes to enhance the user experience, while still ensuring the same level of security.

The enterprise security features we’re discussing today are the product of hard engineering work coupled with an understanding of our customers and the security landscape. It’s important to keep in mind that some of these features only work when partnered with Windows Server; for an optimal experience, we recommend businesses use Windows 7 and Windows Server 2008 R2 together upon their availability.

We recognize the enterprise customer for Windows has evolved dramatically over the years and we’ve created solutions to address the needs of varying enterprise scenarios. It’s important to note our work is never finished! We are constantly hearing from our customers about ways to make their machines more secure and productive in their environments. We continue to listen to this feedback and apply it to our technologies. It’s our goal to build technology that lets businesses prosper in a consistently changing security landscape.

There’s been a lot of talk in the community about what Windows 7 offers consumers. Today, I’d like to highlight the enterprise value of the product and how it reflects what customers and partners told us enterprises need most.

With Windows Vista, we learned a lot about how involved our customers and partners like to be in the development of an OS – in a nutshell, early and often. With Windows 7, we changed the way we developed the Windows OS in order to be more responsive to that feedback. As such, early on we identified three main principles to our new process:

• Planning: Our team spent six months on planning Windows 7 in a “vision phase.” We analyzed trends and customer needs before building features. We also focused more on end-to-end business scenarios, rather than solely on features and technologies.
• Predictability: We committed to giving our customers and partners a timeframe for our release and stuck to it. We remain on track to ship Windows 7 within three years of the Windows Vista release. We also only shared information about Windows 7 when we had a higher degree of certainty which has resulted in minimal changes from earlier disclosures.
• Early Ecosystem Engagement: We engaged with partners during the early stages of Windows 7 development, rather than waiting for the traditional beta timeframe. This has allowed for a more seamless experience and greater compatibility in all areas.

There are three key areas we look at in our development process: industry trends, in-depth discussions with top customers and partners, and extensive quantitative customer research.

I won’t go into details except to remind you of trends with the most significant impact on IT today: costs, consumerization, reducing carbon footprint, contingency planning and compliance. As a result of the continued economic deterioration, most businesses are thinking about cost. IT is under pressure to deliver efficiencies in their environments and greater ROI on technology expenses – we recognize this through personal experience and input from our customers and partners.

We spent a great deal of time talking and engaging with our customers and partners in order to really understand what’s on their mind. Knowing where their challenges lie and what tools they need to be successful helps us deliver an OS that meets their needs and is a valuable investment, which is critical when IT budgets are tighter than ever.

This engagement came in two forms – qualitative and quantitative.

Our qualitative outreach consisted of over 100 of our top customers through five programmatic engagement vehicles:

• Desktop Advisory Council: Twenty-seven active IT leaders across a variety of industries including some of the world’s largest manufacturers, banks, insurers, telecoms, energy companies and professional services firms. We used their input for overall direction and feature decisions.
• OEM Engagement: Leading manufacturers from around the world. This gave us an opportunity to inform and set direction, while receiving their feedback.
• Ecosystem Engagement: Members of the Windows Ecosystem Readiness Program received access to builds and toolkits for Windows 7. They also gained access to Windows 7 and Windows Server 2008 R2 labs for partners.
• Technology Adoption Program: Strictly engineering-focused, customers in TAP committed a large investment of their time and resources in test deployments of Beta and pre-Beta code. Their help enables us to validate features in real-world situations, produce bugs and generate feedback.
• First Wave Program: Customers who are already in progress with deploying Windows 7 Beta in their environment. This group provides real time feedback on their experience deploying Windows 7 Beta and helps us see what an enterprise deployment looks like.

For our Quantitative Research, we engaged extensively with almost 4000 customers in developing and emerging markets. This research surfaced the top areas of concern: Risk Management, Compliance and Mobility. Key findings included:

• 56% said they needed help protecting corporate data on laptops. This validated our decision to include BitLocker in Windows 7 Enterprise, and to extend its capabilities to the portable hard drives that can be just as dangerous and more loosely monitored than laptops.
• 61% expressed a deep concern about ensuring their users install and use only authorized applications (for fear of security breaches from unauthorized applications). This helped prioritize our plan to develop AppLocker.
• 49% wanted to make it easier for remote workers to access corporate resources, bubbling a plan up for Direct Access capabilities.

So how did this affect Windows 7?

Windows 7 Enterprise mirrors what we learned during our planning and research phase and resulted in three big areas of investment:

• Making users Productive Anywhere is a focus on the mobile user community and empowering users with seamless access: We built technologies into Windows 7 such as BranchCache, Direct Access, Federated Search, and Enterprise Search Scopes to enable users to access to their data and applications anywhere and anytime.
• Improving Security and Control is a focus on protecting data, enabling compliance and giving IT better control: With this in mind we designed BitLocker To Go, which protects data stored on portable media, such as USB drives. This enables IT to only allow authorized users to read data or portable media, even if the media is lost or stolen. Additionally, AppLocker provides a mechanism for administrators to specify via Group Policy exactly what is allowed to run on their systems.
• Streamlining PC Management is a continued focus to drive the cost of managing a Windows environment down: Windows 7 makes managing and deploying desktops, laptops and virtual environments much easier. IT Pros can use the same tools and skills they use today with Windows Vista for Windows 7. New scripting and automation capabilities through Windows PowerShell 2.0 help reduce the costs of managing and troubleshooting PCs.

And we’re not finished! Research on Windows 7 overall continues today as we receive feedback from our Beta testers. We’ve received over 500,000 Send Feedback reports on Windows 7 Beta. Thanks to our dedicated customers, we have hundreds of fixes in the pipeline. This is a testament to how we’re taking your feedback and inputting it directly into Windows 7.

With Windows 7, we’ve advanced our vision for an Optimized Desktop to allow administrators the ability to balance flexibility and control in helping end-users work better in their environments. Windows 7 Enterprise, along with Microsoft Desktop Optimization Pack (MDOP), delivers Microsoft Windows Optimized Desktop vision to customers: it gives users anytime, anywhere access to information they need to get their work done; while providing tools for IT to support their business securely, protect corporate data, achieve cost efficiencies, and take advantage of the virtualization trends in the client computing arena.

To summarize, customers tell us the economy is bringing new levels of scrutiny to how they manage costs, mitigate risks and make their people more productive with less. We get it. Windows 7 Enterprise is about helping both IT Pros and end users manage an intensifying – and often opposing – confluence of pressures.

Throughout the Windows 7 development process, we’ve been committed to creating an OS that is designed for the way people actually work. We’re convinced Windows 7 has an exciting and powerful offering for our business customers, but we want to hear from you. If you are one of our enterprise customers considering Windows 7, our guidance to you is to start testing and planning now and send us your feedback. If you haven’t been considering Windows 7, we think there are compelling reasons for you to take another look.