Differences in Win7 versions?

[luciddream]

So what are the differences between Home, Pro, Ultimate (am I missing any?)...

I know that there is more built-in security in at least the Pro version compared to Home. But what about versions higher than Pro? Are there any additional security components in them, say Ultimate for example, that aren't in Pro that are useful?

I want to be able to have all of this built-in security I can get, but don't care for any other bloat. So if I can get all of this security in the Pro version, and everything else in Ultimate is more bloaty type stuff I don't need, then I'd go with Pro.

I know that I'm going 64-bit, if that makes a difference.

Thanks.

[Page42]

Check them out here...
Compare Windows 7 editions

[Kerodo]

More comparison details here:

http://www.winsupersite.com/article/...parison-128684

[Page42]

My PC came with W7 Home Premium and I purchased an Ultimate upgrade because of BitLocker and AppLocker.
Unless I have it wrong, as I recall, AppLocker is available in Pro but can only be configured in Ultimate.
I have not as yet installed Ultimate, but I look forward to it.
I paid about 70 bucks for the upgrade at buycheapsoftware.com, or maybe it was on eBay, I've forgotten.

[luciddream]

Thanks. Based on what I see there I'd at least want Pro, for Group Policy & XP Mode. Possibly Ultimate depending on how useful I found AppLocker and/or BitLocker.

I guess that would be my next question... how useful people find either (or both of) those 2 tools. I'm almost hoping the answer is: "not very useful", because Ultimate comes with a bunch of bloat I don't need too. Exactly as I expected it might.

Thanks again Page... you're always there for me.

[Kerodo]

AppLocker is pretty nice if you want to use it as an anti-executable and lock down your system pretty tight. But for some, that's not exactly the most convenient way to go. I've used it in Ultimate a few times, but then decided on a more traditional approach using an AV, etc... BitLocker I'm not familiar with, so I can't say. Just my 2 cents, for what it's worth....

[Sully]

I have ultimate, but don't use any of what it offers I think other than the GP stuff. XP pro at least offered quite a bit over XP home. I might not worry about any more ultimate versions in the future if it is the same.

Sul.

[ComputerSaysNo]

You can tweak a lot in Win 7 Ultimate, group policies + services + aslr + bitlocker. IMHO it's worth the extra coin especially if your security conscious.

[luciddream]

^ Yeah ^... but it seems you can do all that stuff with the Pro version too. Namely GP & mitigations. Seems to me the decision will come down to how useful I find AppLocker and/or BitLocker. I prefer more granular control over apps than AppLocker can probably provide. I imagine it's more a: "do you want this to run, or not" type control. Black or white. But I want to control exactly what an app can or can't do (HIPS).

BitLocker actually seems more useful to me. It sounds like system wide encryption similar to what TrueCrypt provides, unless I'm mistaken. If only you could make neat little containers with it too...

Thanks Sully, I was hoping to hear from someone like you on this. Now if Kees came in here and said he didn't even find use in AppLocker or BitLocker... it'd be a done deal, I'd go with Pro. Because he relies so heavily on OS built-in security.

[Sully]

I got ultimate in the hopes that SRP/AppLocker would work like it did in vista/xp. I had no plans to use bitlocker. Since they have changed SRP in ways that don't benefit me, I just don't see a need for what little ultimate offers.

Applocker is not my cup of tea, but a lot of people do use it. Maybe you should try it out or watch some demos first to decide. I have only messed with it a few times, and didn't really like it, so my opinion may not mean much

Sul.

[luciddream]

Quote:

Originally Posted by Sully

I got ultimate in the hopes that SRP/AppLocker would work like it did in vista/xp. Since they have changed SRP in ways that don't benefit me,

Could you describe these changes? And are you saying that SRP in Win7 IS AppLocker? Or just that neither worked the way they do in XP? And if the latter is the case, SRP is only available in Ultimate then? That would seem like a deal-maker to me, on the surface, to go with Ultimate. But if it doesn't work the way it does in XP, perhaps not.

[Sully]

Quote:

Originally Posted by luciddream

Could you describe these changes? And are you saying that SRP in Win7 IS AppLocker? Or just that neither worked the way they do in XP? And if the latter is the case, SRP is only available in Ultimate then? That would seem like a deal-maker to me, on the surface, to go with Ultimate. But if it doesn't work the way it does in XP, perhaps not.

Actually AppLocker is SRP2. SRP still exists as a separate mechanism in win7.

I am speaking of the ability to execute something, with SRP, as a "Basic User". In XP and Vista you could choose to run as an admin, apply SRP to "everyone including admins" and make the default rule to "allow". Then create a list of "blacklisted" applications. The choise then for the blacklisted item would be to allow, deny or restrict (that is, restrict to the rights of a 'basic user'). This allowed one to restrict any process, or any directory to a limited level of rights.

In vista, it still works. In win7, it works, but it requires a very contorted method, so much that I gave up trying it, so it is broken from my point of view.

SRP still works in win7 in the typical use I believe, where you create a default deny policy using it for user, but admin are exempt from the restrictions.

Sul.

[wat0114]

Quote:

Originally Posted by Sully

In XP and Vista you could choose to run as an admin, apply SRP to "everyone including admins" and make the default rule to "allow". Then create a list of "blacklisted" applications. The choise then for the blacklisted item would be to allow, deny or restrict (that is, restrict to the rights of a 'basic user'). This allowed one to restrict any process, or any directory to a limited level of rights.

Hi Sul,

I'm not sure if AppLocker can do what you've described above, but I believe it might be able to, although through a different approach. In the screenshots, you'll see I've created Allow Path rules that are identical for Users VMWare7 and VMWare7-Test (please disregard the names as the rules are actually identical in their Path designations %ProgramFiles% and %Windir%). Administrators are allowed globally. The difference between the %ProgramFiles% rules are that VMWare7-test is allowe to run all applications that reside under %ProgramFiles% just as VMWare7 is, but is denied launching of Internet Explorer and CCleaner via Path Exceptions.

Allow rules or Allow with Exceptions rules are also recommended in AppLocker over Deny rules because, as you can see in the one screenshot, even though I've copied the CCleaner.exe file to the VMWare7-test desktop (could be anywhere), it is still Denied because the Allow rule with exceptions prevents this type of circumvention through its implicit deny rule action.

In no way am I trying to undermine the effectiveness of SRP. It is an excellent way of creating a policy that restricts users to an approved desktop environment, but I believe AppLocker offers more flexibility over creating and maintaining policies. BTW, with AppLocker I've slowly been changing my Hash rules to Path rules. I find Hash rules are a PITA to maintain because of the fact the hash value changes whenever the application it's part of is updated.

[Sully]

I messed with this briefly, but did not see a method to do what XP was able to with SRP. I have not visited it since. It might be some late night experiment this fall/winter though.

Hash rules can have advantages, but I rarely used them. It was better for me to know that 'proces.exe' would be restricted, and I would utilize wildcards to make sure it was going to be restricted no matter where its FQP was.

I wonder if there is a way to completely rid my admin token of the secondary token. Maybe that would let SRP work like it used to for me. Never thought of that till just now.

See how you are, all casual and such, causing wild ideas to be planted in the old noggin

Thanks for the info though. I would be interested to see what you come up with if you mess with that line of thought any more.

Sul.

[Kees1958]

Sul.

Have you tried messing with SRP and Applocker together! Applocker overrules/precedes SRP, so setting SRP to basic user as the default level, sort of achieves the run as basic user in Vista and XP

Define the exceptions in Applocker (run unrestricted) in stead of SRP (e.g. keep the default windows rule in Applocker, but dare to mess with default program file rules in AppLocker)

The publisher rules of Applocker are really easy to apply, e.g. deny execute of user land directories in SRP, allow all signed programs by all publishers to run by Administrators everywhere. Lots of combo's possible

[Sully]

No, I don't think so. I did not see AppLocker or SRP giving a working "Basic User" option, which is what I want. I might give it another go-round late this year though.

Edit: that is, as you and I discussed in another thread some time ago, basic user option is extremely convoluted now, therefore I don't see it as a suitable option.

Sul.