Windows 7 security primer, part one

In part one of a three-part series, Roger Grimes delivers explanations and recommendations about key security improvements in Windows 7

Page 2 of 3

In Windows 7, there is no need to create separate partitions before turning on BitLocker. The system partition is automatically created and does not have a drive letter, so it is not visible in Windows Explorer and data files will not be written to it inadvertently. The system partition is smaller in Windows 7 than in Windows Vista, requiring only 100MB of space.

BitLocker to Go Reader (bitlockertogo.exe) is a program that works on computers running Windows Vista or Windows XP, allowing you to open and view the content of removable drives that have been encrypted with BitLocker in Windows 7.

Recommendation: You should enable BitLocker (preferably with TPM and another factor) on portable computers if you do not use another data encryption product. Store the BitLocker PINs and recovery information in Active Directory and/or configure a domain-wide public key called a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker. Require BitLocker to Go on all possible removable media drives.
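The checks in that recommendation can be audited from the client. The script below is an added example, not code from the article: it uses the Win32_EncryptableVolume WMI class that ships with BitLocker on Windows 7 (PowerShell 2.0 syntax) and reports, per volume, whether the OS drive has a TPM plus second-factor protector, whether a recovery password or DRA (public key) protector exists for escrow, and whether removable drives are protected. The drive letters and findings text are the script's own; run it from an elevated prompt.

```powershell
# Added audit example: compare each BitLocker volume against the recommendations above.
# Assumes Windows 7 with the Win32_EncryptableVolume WMI provider; run elevated.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Key-protector type codes as documented for Win32_EncryptableVolume.GetKeyProtectors
$protectorNames = @{
    1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword'; 4 = 'TPMAndPIN'
    5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey'; 7 = 'PublicKey'
    8 = 'Passphrase'; 9 = 'TPMCertificate'; 10 = 'CNG'
}
$secondFactor = @('TPMAndPIN', 'TPMAndStartupKey', 'TPMAndPINAndStartupKey')

# Win32_LogicalDisk.DriveType: 2 = removable (BitLocker To Go candidates), 3 = fixed
$driveType = @{}
Get-WmiObject Win32_LogicalDisk | ForEach-Object { $driveType[$_.DeviceID] = $_.DriveType }
$systemDrive = $env:SystemDrive   # e.g. 'C:'

foreach ($vol in Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume) {
    $letter = $vol.DriveLetter
    if (-not $letter) { continue }   # the hidden 100 MB system partition has no letter

    # Names of every protector type present on this volume
    $present = @()
    foreach ($type in $protectorNames.Keys) {
        $r = $vol.GetKeyProtectors($type)
        if ($r.ReturnValue -eq 0 -and @($r.VolumeKeyProtectorID).Count -gt 0) {
            $present += $protectorNames[$type]
        }
    }
    $protected   = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)
    $isOs        = ($letter -eq $systemDrive)
    $isRemovable = ($driveType[$letter] -eq 2)
    $hasSecond   = ($present | Where-Object { $secondFactor -contains $_ }).Count -gt 0
    $hasRecovery = ($present -contains 'NumericalPassword') -or ($present -contains 'PublicKey')

    $findings = @()
    if ($isOs -and -not $protected)      { $findings += 'OS drive unprotected' }
    if ($isOs -and -not $hasSecond)      { $findings += 'OS drive lacks TPM plus second factor' }
    if ($protected -and -not $hasRecovery) { $findings += 'no recovery password or DRA protector' }
    if ($isRemovable -and -not $protected) { $findings += 'removable drive unencrypted' }

    New-Object PSObject -Property @{
        Drive = $letter; Protected = $protected; Removable = $isRemovable
        Protectors = ($present -join ','); Findings = ($findings -join '; ')
    }
}
```

A recovery password protector being present does not prove it was escrowed; confirm the AD backup policy separately, since the client cannot read the backup status back from the directory.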

Suite B Cryptography Support
Suite B comprises a group of cryptographic algorithm standards approved by the National Security Agency and the National Institute of Standards and Technology for use in general-purpose encryption software. Microsoft added support for the Suite B cryptographic algorithms (AES, ECDSA, ECDH, SHA-2) in Windows Vista (and later). Windows 7 allows Suite B ciphers to be used with Transport Layer Security (TLS) 1.2 and with the Encrypting File System (EFS).

Recommendation: Suite B ciphers should be used whenever possible; however, it's very important to note that Suite B ciphers are not usually compatible with Windows operating systems prior to Windows Vista.

DirectAccess allows remote users to securely access enterprise resources (such as shares, Web sites, applications, and so on) without connecting to traditional types of VPNs. DirectAccess establishes bi-directional connectivity with a user's enterprise network every time a user's DirectAccess-enabled portable computer connects to the Internet, even before the user logs on. The advantage here is that users never have to think about connecting to the enterprise network, and IT administrators can manage remote computers outside the office, even when the computers are not connected to the VPN.

Once DirectAccess is enabled, when a user's computer connects to the Internet, it's as though he or she is on the organization's local network. Group policies work, remote management tools work, and automatic push patching works.

Unfortunately, DirectAccess has fairly involved requirements, including Windows Server 2008 R2 (to act as the RAS server); Windows 7 (and later) Enterprise or Ultimate clients; PKI; IPv6; and IPsec.
