Another random Windows 7 fact I learned today – if you disable the Windows 7 firewall, it will also disable IPV6 and Service Hardening. Microsoft’s logic appears to be simply that if a system doesn’t have the Windows firewall enabled, then it should be treated as an insecure machine and not trusted to connect with an IPV6 IPSec tunnel. The obvious flaw in this logic is that many enterprises use other firewalls, which Windows will not account for. Those people will then have ot enable the Microsoft firewall and just put it into a completely accepting state if they want to use IPV6.

I’ve been reading up on new Windows 7 security features (more on them perhaps later), but one caught my eye – SmartScreen. It’s a web filter (like the one Firefox has) that checks the websites you visit against a list of known bad websites. If it’s on the list, you get a red nasty warning screen telling you not to visit. What I was thinking about though was the privacy aspect – whenever you visit a new website your browser automatically sends the URL to Microsoft. Not just the domain, but the entire URL. They do of courser have a privacy policy, but nowhere in that policy do they actually say how they will or won’t use the data collected (we can of course, always assume the worst).  They also do other data collection:

From time-to-time, information about your usage of SmartScreen Filter will also be sent to Microsoft such as the time and total number of websites browsed since an address was sent to Microsoft for analysis. Some information about files that you download from the web such as name and file path may also be sent to Microsoft. Some website addresses that are sent to Microsoft may be stored along with additional information including web browser version, operating system version, SmartScreen Filter version, the browser language, and information about whether Compatibility View was enabled for the website.

I don’t know about this one – sounds more like a marketing tool masquerading as a security tool.

I’ve been using Windows 7 fairly regularly on one of my machines for the past month or so. One thing I noticed is that the default password settings for Windows 7 include the fact that password expire after 42 days. Since most home users will never change their default settings, this setting will likely become a de-facto standard. However, the default settings also have a password history of zero (no remembered passwords), and a minimum age of zero as well. This means that every home user, when prompted to change their password, will simply change it to the password they had initially, making this setting useless.