![]() ![]() In Windows 7, there is no need to create separate partitions before turning on BitLocker. If you're using a Trusted Platform Module (TPM) chip, you can enforce a minimum PIN length five characters should suffice for most environments. Moreover, you can use smart cards to protect data volumes, and you can set up data recovery agents to automatically back up BitLocker keys. Now you can encrypt operating system volumes, fixed data drives, and USB flash drives with a simple right-click, via the Windows Explorer GUI. In Windows Vista SP1, Microsoft added official support for encrypting fixed data drives, but it could only be done using command-line tools. This new capability is called BitLocker to Go. No matter what else, UAC should be enabled.īitLocker drive encryption In Windows 7, BitLocker drive encryption technology is extended from OS drives and fixed data drives to include removable storage devices such as portable hard drives and USB flash drives. That way, users will be prompted to input their passwords to perform high-risk administrative actions. Your domain environment should already be at the highest and most secure level ("Always notify"). If you must have high security, users should not log on with an elevated user account until they need it. Note too that, although UAC provides a much-needed mechanism to prevent the misuse of administrator privileges, it can be bypassed. ![]() Standard users have UAC security default to the most secure setting, while administrator accounts reside a notch below the highest setting, which is potentially riskier. However, depending on whether you are logged on as administrator or a standard user, some installs of Windows 7 may have a default UAC security setting that's one level lower than some experts (including yours truly) recommend. User Account Control A Windows Vista feature that users loved to hate, User Account Control has been significantly improved to be both less intrusive and smarter at distinguishing between legitimate and potentially malicious activities in Windows 7. Also noteworthy is a new feature called Extended Protection for Authentication, which prevents many sophisticated man-in-the-middle attacks that can strike at some of our most trusted security protocols (such as SSL and TLS). A few the biggies not discussed here are built-in support for smart cards and biometrics, the ability to force the use of Kerberos in a feature called Restrict NTLM, and support for the new DNSSec standards, which are becoming essential to prevent DNS exploitation attacks. While this guide focuses on the ones that most organizations will be interested in, keep in mind that plenty of others may deserve your attention. Windows 7 has literally hundreds of security changes and additions, far too many to cover in one fell swoop. I'll pay especially close attention to the new AppLocker application-control feature, which may be a Windows shop's most practical and affordable way to combat socially engineered Trojan malware. In this guide, I'll run through these and other significant security enhancements in Windows 7, and provide my recommendations for configuring and using them.
0 Comments
Leave a Reply. |