BitLocker to Go Reader (bitlockertogo.exe) is a program that works on computers running Windows Vista or Windows XP, allowing you to open and view the content of removable drives that have been encrypted with BitLocker in Windows 7.
You should enable BitLocker (preferably with TPM and another factor) on portable computers if you do not use another data encryption product. Store the BitLocker PINs and recovery information in Active Directory or configure a domain-wide public key called a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker. Require BitLocker to Go on all possible removable media drives.
Easily encrypted page file
Users who cannot use BitLocker but still want to prevent the memory swap page file from being analyzed in an offline sector editing attack no longer need to erase the page file on shutdown. Windows XP and earlier versions had a setting that allowed the page file to be erased on shutdown and rebuilt on each startup. It's a great security feature, but it often caused delayed shutdowns and startups -- sometimes adding as much as 10 minutes to the process.
In Windows 7 (and Vista), you can enable page file encryption. Even better, there is no key management. Windows creates and deletes the encryption keys as needed, so there is no chance the user can "lose" the key or require a recovery. It's crypto security at its best.
Better cryptography
Windows 7 includes all the latest industry-accepted ciphers, including AES (Advanced Encryption Standard), ECC (Elliptical Curve Cryptography), and the SHA-2 hash family. In fact, Windows 7 implements all of the ciphers in Suite B, a group of cryptographic algorithms that are approved by the National Security Agency and National Institute of Standards and Technology for use in general-purpose encryption software.
While Microsoft added support for Suite B cryptographic algorithms (AES, ECDSA, ECDH, SHA2) to Windows Vista, Windows 7 allows Suite B ciphers to be used with Transport Layer Security (referred to as TLS v.1.2) and Encrypting File System (EFS). Suite B ciphers should be used whenever possible. However, it's important to note that Suite B ciphers are not usually compatible with versions of Windows prior to Windows Vista.
By default, all current technologies in Windows will use industry standard ciphers in place of legacy, proprietary ciphers. Those legacy ciphers that still exist are included only for backward-compatibility purposes. Microsoft has shared the new ciphers in detail with the crypto world for analysis and evaluation. Key and hash sizes are increased by default.
EFS (Encrypting File System) has been improved in many ways beyond using more modern ciphers. For one, you can use a smart card to protect your EFS keys. This not only makes EFS keys more secure, but allows them to be portable between computers.
Administrators will be happy to know that they can prevent users from creating self-signed EFS keys. Previously, users could easily turn on EFS, which generated a self-signed EFS digital certificate if a compatible PKI server could not be found. Too often, these users encrypted files but did not back up their self-signed digital certificates, which frequently led to unrecoverable data loss.
With Windows 7, administrators can still allow self-signed EFS keys, while mandating ciphers and minimum key lengths. Windows 7 will prod users to back up their EFS digital certificates to some other removable media or network drive share -- and keep prodding them until they do it. A Microsoft Web page details the EFS changes.
Read more about how to secure your Windows 7 PCs in InfoWorld's free PDF report, "Windows 7 Security Deep Dive," including:
- Safe browsing with IE8
- Multiple active firewall policies
- Managed and virtual service accounts
- Configuring AppLocker
- Running by the rules
This article, "The InfoWorld expert guide to Windows 7 security," was originally published at InfoWorld.com. Follow the latest developments in information security and Windows at InfoWorld.com.