The Ultimate Guide to Windows 7 Security
Note too that, although UAC provides a much-needed mechanism to prevent the misuse of administrator privileges, it can be bypassed. If you need high security, users should log on with a standard user account and switch to an elevated account only when an administrative task actually requires it.
Your domain environment should already be at the highest and most secure level ("Always notify"). If it isn't, make it so. That way, users will be prompted to input their passwords to perform high-risk administrative actions. No matter what else, UAC should be enabled.
BitLocker Drive Encryption. In Windows 7, BitLocker Drive Encryption technology is extended from OS drives and fixed data drives to include removable storage devices such as portable hard drives and USB flash drives. This new capability is called BitLocker to Go.
In Windows Vista SP1, Microsoft added official support for encrypting fixed data drives, but it could only be done using command-line tools. Now you can encrypt operating system volumes, fixed data drives, and USB flash drives with a simple right-click, via the Windows Explorer GUI. Moreover, you can use smart cards to protect data volumes, and you can set up data recovery agents to automatically back up BitLocker keys. If you're using a Trusted Platform Module (TPM) chip, you can enforce a minimum PIN length; five characters should suffice for most environments.
In Windows 7, there is no need to create separate partitions before turning on BitLocker. The system partition is automatically created and does not have a drive letter, so it is not visible in Windows Explorer and data files will not be written to it inadvertently. The system partition is smaller in Windows 7 than in Windows Vista, requiring only 100MB of space.
With BitLocker to Go, you can encrypt removable drives one at a time or require that all removable media be encrypted by default. Further, encrypted removable media can be decrypted and re-encrypted on any Windows 7 computer, not just the one it was originally encrypted on.
BitLocker to Go Reader (bitlockertogo.exe) is a program that works on computers running Windows Vista or Windows XP, allowing you to open and view the content of removable drives that have been encrypted with BitLocker in Windows 7.
You should enable BitLocker (preferably with TPM and another factor) on portable computers if you do not use another data encryption product. Store the BitLocker PINs and recovery information in Active Directory or configure a domain-wide public key called a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker. Require BitLocker to Go on all possible removable media drives.
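One way to verify these recommendations on a Windows 7 machine is the added PowerShell audit below; it is not part of the original article. It reads the Win32_EncryptableVolume WMI class that manage-bde.exe uses (the Get-BitLockerVolume cmdlets came later) and flags volumes that do not match the advice above; the function name Get-BitLockerAudit and the pass/fail rules are this example's own.

```powershell
# Added example: audit BitLocker against the article's advice (TPM plus a
# second factor on the OS volume, a recovery protector that can be escrowed
# or a DRA, and mandatory encryption of removable media). Run elevated.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
# Codes from the documented GetKeyProtectorType output.
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword'
    4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey'
    7 = 'PublicKey'; 8 = 'Passphrase'
}
$volumeKinds = @{ 0 = 'OS'; 1 = 'Fixed'; 2 = 'Removable' }

function Get-BitLockerAudit {
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume | ForEach-Object {
        $vol = $_
        $on  = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)   # 1 = protection on
        # 0 asks for every protector type; drop the null returned for an empty list.
        $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
        $types = @($ids | ForEach-Object {
            $protectorNames[[int]$vol.GetKeyProtectorType($_).KeyProtectorType] })
        $kind = $volumeKinds[[int]$vol.VolumeType]

        $findings = @()
        if (-not $on) { $findings += 'protection off' }
        if ($kind -eq 'OS' -and -not ($types -match '^TPMAnd')) {
            $findings += 'OS volume lacks TPM plus a second factor'
        }
        # Recovery: a numerical password (escrowable in AD DS) or a public-key
        # protector (data recovery agent certificate) should exist.
        if ($on -and -not (($types -contains 'NumericalPassword') -or ($types -contains 'PublicKey'))) {
            $findings += 'no recovery password or DRA protector'
        }
        New-Object PSObject -Property @{
            Drive = $vol.DriveLetter; Kind = $kind; Protected = $on
            Protectors = ($types -join ','); Findings = ($findings -join '; ')
        }
    }
}

# Group Policy "Deny write access to removable drives not protected by BitLocker"
# is applied through this registry value (1 = enforced).
$fve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$deny = (Get-ItemProperty -Path $fve -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue).RDVDenyWriteAccess
Write-Host ("Removable media must be BitLocker-protected: " + ($deny -eq 1))

Get-BitLockerAudit | Format-Table Drive, Kind, Protected, Protectors, Findings -AutoSize
```

Any row with a non-empty Findings column is a volume that does not yet meet the guidance in this section.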
Easily encrypted page file. Users who cannot utilize BitLocker but still want to prevent the memory swap page file from being analyzed in an offline sector editing attack no longer need to erase the page file on shutdown. Windows XP and earlier versions had a setting that allowed the page file to be erased on shutdown and rebuilt on each startup. It's a great security feature, but it often caused delayed shutdowns and startups -- sometimes adding as much as 10 minutes to the process.