The expert guide to Windows 7 security

How to configure Microsoft's new Windows operating system to beat malware and keep data secure

By Roger A. Grimes, InfoWorld |  Windows, Windows 7

BitLocker to Go Reader (bitlockertogo.exe) is a pro­gram that works on computers running Windows Vista or Windows XP, allowing you to open and view the content of removable drives that have been encrypted with BitLocker in Windows 7.

You should enable BitLocker (preferably with TPM and another factor) on portable computers if you do not use another data encryption product. Store the BitLocker PINs and recovery information in Active Directory or configure a domain-wide public key called a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker. Require BitLocker to Go on all possible removable media drives.

Easily encrypted page file Users who cannot use BitLocker but still want to prevent the memory swap page file from being analyzed in an offline sector editing attack no longer need to erase the page file on shutdown. Windows XP and earlier versions had a setting that allowed the page file to be erased on shutdown and rebuilt on each startup. It's a great security feature, but it often caused delayed shut­downs and startups -- sometimes adding as much as 10 minutes to the process.

In Windows 7 (and Vista), you can enable page file encryption. Even better, there is no key management. Windows creates and deletes the encryption keys as needed, so there is no chance the user can "lose" the key or require a recovery. It's crypto security at its best.

Better cryptography Windows 7 includes all the latest industry-accepted ciphers, including AES (Advanced Encryption Standard), ECC (Elliptical Curve Cryptography), and the SHA-2 hash family. In fact, Windows 7 implements all of the ciphers in Suite B, a group of cryptographic algorithms that are approved by the National Security Agency and National Institute of Standards and Technology for use in general-purpose encryption software.

While Microsoft added support for Suite B cryptographic algorithms (AES, ECDSA, ECDH, SHA2) to Windows Vista, Windows 7 allows Suite B ciphers to be used with Transport Layer Security (referred to as TLS v.1.2) and Encrypting File System (EFS). Suite B ciphers should be used whenever possible. However, it's important to note that Suite B ciphers are not usually compatible with versions of Windows prior to Windows Vista.

By default, all current technologies in Windows will use industry standard ciphers in place of legacy, proprietary ciphers. Those legacy ciphers that still exist are included only for backward-compatibility purposes. Microsoft has shared the new ciphers in detail with the crypto world for analysis and evaluation. Key and hash sizes are increased by default.


Originally published on InfoWorld |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question