Windows 7 Enterprise Edition: new storage and security features

Source: Internet
Author: User
Tags: data structures

Enterprise storage helper: BitLocker Drive Encryption

BitLocker Drive Encryption is not strictly a new feature; it first appeared in Windows Vista. Windows 7 gives it far more attention than Vista did, so it deserves a fresh look from business users who passed it over before. BitLocker encrypts data at the volume level, and the easiest way to see where it fits is to compare it with the older EFS (Encrypting File System). NTFS, the standard file system for Windows NT and its successors, supports metadata, uses advanced data structures to improve performance, reliability and disk-space utilisation, and offers extension features such as EFS. EFS has been available since Windows 2000 (and in Windows XP Professional and Windows Server 2003) to encrypt individual files and folders stored on NTFS volumes. If files on a disk are EFS-encrypted, an attacker who obtains the disk still cannot read them without the decryption key. The caveat is that the EFS key is itself protected by the user's logon credentials, so the protection is only as strong as that password.

EFS is not a cure-all. It cannot encrypt files carrying the system attribute, and the active system partition that Windows boots from stays in the clear; this is the gap BitLocker fills. With EFS the user picks which important files or folders to encrypt, and anything not picked (temporary files, the page file, the hibernation file) is left readable. BitLocker encrypts every sector of the volume unconditionally, so nothing is left out by oversight, and an attacker who removes the disk or boots another operating system gets ciphertext. BitLocker therefore closes the offline-access hole that EFS leaves open.

BitLocker is turned off by default. To encrypt the drive Windows is installed on, the computer needs two partitions: a system partition, which holds the files needed to start the computer, and an operating system partition, which holds Windows itself. The operating system partition is encrypted; the system partition stays unencrypted so that the machine can boot. If the computer has no system partition, the Windows 7 BitLocker setup creates one from 200 MB of free disk space; it gets no drive letter and is not shown in the Computer folder. When the operating system drive is encrypted, BitLocker keeps the key that unlocks the volume off the encrypted disk, so one of two pieces of hardware is required: a Trusted Platform Module (TPM), the security microchip built into many business computers, which seals the key and releases it only if the boot path is unchanged; or a removable USB flash drive holding a startup key, which must be inserted at every boot. The USB option is only offered once the Group Policy setting "Require additional authentication at startup" has been enabled with "Allow BitLocker without a compatible TPM" checked.

On a BitLocker-protected operating system partition, the TPM measures the early boot components (BIOS, master boot record, boot sector and boot manager) at every start. If any of them changes unexpectedly, for example after a firmware update, a boot-loader modification or moving the disk to another computer, BitLocker refuses to release the key and the drive stays locked. The administrator then unlocks it with the recovery password generated when the drive was encrypted (a 48-digit number, or the recovery key file saved to a USB drive). Back that password up, ideally to Active Directory, before the first firmware update, or a routine BIOS change will strand the machine. This behaviour protects against data loss, theft and tampering with the boot chain. BitLocker To Go extends the same protection to removable storage such as USB flash drives and external hard disks, which are otherwise the easiest place for outsiders to read sensitive data.
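The baseline check a practitioner would run before relying on the above is shown here as an added example, not code from the original article. It uses manage-bde.exe, the command-line tool that ships with Windows 7 (the BitLocker PowerShell module only arrived with Windows 8), parses its default English output, and reports whether the OS volume is fully encrypted, protected by the TPM and backed by a recovery password. The drive letter, the field names matched and the Active Directory backup step are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: audit a Windows 7 BitLocker volume with manage-bde.exe.
# Assumes the English "manage-bde -status" output format (fields such as
# "Conversion Status:" followed by indented key-protector names).

function Get-BdeStatus {
    # Reduce "manage-bde -status <drive>" to the fields worth checking.
    param([string]$Drive = 'C:')
    $text = (& manage-bde.exe -status $Drive 2>&1) -join "`n"
    $status = @{ Drive = $Drive }
    foreach ($field in 'Conversion Status', 'Percentage Encrypted', 'Encryption Method', 'Protection Status', 'Lock Status') {
        if ($text -match "(?m)^\s*$([regex]::Escape($field)):\s*(.+)$") { $status[$field] = $Matches[1].Trim() }
    }
    # Key protectors are listed one per indented line after "Key Protectors:".
    $status['Protectors'] = @([regex]::Matches($text, '(?m)^\s+(TPM And PIN|TPM|Numerical Password|External Key|Password)\s*$') |
        ForEach-Object { $_.Groups[1].Value })
    return $status
}

function Test-BdeBaseline {
    # The OS volume must be fully encrypted, switched on, unlockable by the TPM,
    # and carry a recovery password ("Numerical Password") so that a firmware
    # update or boot-path change that trips TPM validation does not strand it.
    param([string]$Drive = 'C:')
    $s = Get-BdeStatus $Drive
    $problems = @()
    if ($s['Conversion Status'] -ne 'Fully Encrypted')      { $problems += "volume is '$($s['Conversion Status'])', not fully encrypted" }
    if ($s['Protection Status'] -ne 'Protection On')        { $problems += 'protection is off' }
    if ($s.Protectors -notcontains 'TPM' -and $s.Protectors -notcontains 'TPM And PIN') { $problems += 'no TPM protector' }
    if ($s.Protectors -notcontains 'Numerical Password')    { $problems += 'no recovery password' }
    return $problems
}

# Remediation, only on a machine the audit flagged (manage-bde switches as documented for Windows 7):
#   manage-bde -tpm -turnon                          initialise the TPM if firmware left it off
#   manage-bde -protectors -add C: -tpm              let the TPM unlock the volume at boot
#   manage-bde -protectors -add C: -RecoveryPassword add the 48-digit recovery password
#   manage-bde -on C:                                start encrypting
#   manage-bde -protectors -get C:                   print each protector with its ID
#   manage-bde -protectors -adbackup C: -id {ID}     copy the recovery password to AD DS
#                                                    ({ID} is the recovery-password protector ID from -get)

$issues = Test-BdeBaseline 'C:'
if ($issues.Count -eq 0) { 'C: meets the BitLocker baseline' }
else { $issues | ForEach-Object { "C: $_" } }
```

The parser deliberately keys on protector names rather than on "Protection On" alone: a volume can be switched on with only a recovery password, which means every reboot prompts for 48 digits, and a volume with only a TPM protector encrypts fine but has no way back once the TPM validation fails.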

Enterprise application housekeeper: AppLocker

AppLocker (Application Control Policies) is a security feature new in Windows 7 (Enterprise and Ultimate editions) that an administrator can configure with little effort. For example, before AppLocker is applied the executable QQ.exe can be run by every user; once a matching application control rule is in force, the users it restricts can no longer start the program.

To set this up, open Start → Run, enter gpedit.msc, and in the left pane of the Group Policy Editor expand Computer Configuration → Windows Settings → Security Settings → Application Control Policies → AppLocker. You will see three rule collections: Executable Rules, Windows Installer Rules and Script Rules (a fourth, DLL Rules, is hidden under Advanced because it is expensive to enforce). Right-clicking a collection lets you create a new rule tailored to your needs. For the QQ.exe case: right-click Executable Rules → Create New Rule, click Next, choose Deny under Permissions, click Select, then Advanced, then Find Now, pick the user or group to restrict, and add them to the rule. Next, choose the condition (Path, as in this walkthrough, or better, Publisher, which survives the file being renamed or copied elsewhere), browse to QQ.exe, and finish with Create. Two details the wizard does not make obvious: the first time you create a rule in a collection it offers to generate the default rules, and you should accept, because once a collection is enforced anything it does not explicitly allow is blocked, Windows itself included; and enforcement only happens while the Application Identity service is running, so set it to start automatically.

The article also suggests using AppLocker against malware that spreads on USB flash drives through Autorun.inf: right-click Script Rules → Create New Rule, choose Deny under Permissions, select Everyone under User or group, click Next, choose Path as the condition, enter "?:\Autorun.inf" in the Path box, click Next and then Create. Be aware that this rule will not achieve what is intended. AppLocker script rules govern files that are executed as scripts (.ps1, .bat, .cmd, .vbs and .js); Autorun.inf is a configuration file that Explorer reads, not a script it runs, so the rule never matches. The control that actually stops autorun is the Group Policy setting Turn off Autoplay (equivalently, the NoDriveTypeAutoRun registry value), which Windows 7 already applies to removable media by default.

With the default rules in place and a few rules tailored to the environment, AppLocker stops executables that arrive outside the approved installation locations (downloads, mail attachments, removable media) from running at all, which is a far simpler control than trying to recognise each new virus or trojan. Keep in mind that path-based allow rules are only as strong as the permissions on those paths: if a user can write into a directory covered by an allow rule, they can run anything from it, which is why publisher rules are preferred for anything that is signed.
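The same policy built without the wizard, as an added example that is not part of the original article. It uses the AppLocker cmdlets that ship with Windows 7 (Test-AppLockerPolicy, Set-AppLockerPolicy), writes the default allow rules plus an explicit deny for QQ.exe, dry-runs the policy against two files, starts the enforcement service, and then replaces the Autorun.inf rule from the walkthrough with the setting that actually disables autorun. The group SID, the install path of QQ.exe and the policy file name are assumptions; run it elevated.

```powershell
# Added example: AppLocker deny rule for QQ.exe plus default rules, Windows 7.
Import-Module AppLocker

$restrictedGroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # assumed SID of a "Restricted Users" group
$qqPath     = '%PROGRAMFILES%\Tencent\QQ\QQ.exe'                          # assumed install path (AppLocker path variable form)
$policyFile = Join-Path $env:TEMP 'applocker-qq.xml'

# Default allow rules come first: once the Exe collection is enforced, anything
# it does not allow is blocked. The deny rule is scoped to one group; deny always
# wins over allow, whatever the order. Built-in SIDs: S-1-1-0 = Everyone,
# S-1-5-32-544 = Administrators.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Everyone: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Everyone: Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators: all" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny restricted group: QQ.exe" Description="" UserOrGroupSid="$restrictedGroupSid" Action="Deny">
      <Conditions><FilePathCondition Path="$qqPath" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run: what would this policy decide for QQ.exe and for notepad.exe when
# run by a member of the restricted group? Nothing is changed on the machine.
Test-AppLockerPolicy -XmlPolicy $policyFile `
    -Path (Join-Path $env:ProgramFiles 'Tencent\QQ\QQ.exe'), (Join-Path $env:WINDIR 'notepad.exe') `
    -User $restrictedGroupSid |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# AppLocker enforces only while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Merge into the local policy (drop -Merge to replace it) and refresh.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
gpupdate /force

# Autorun.inf is not a script AppLocker evaluates, so disable AutoRun itself:
# 0xFF turns it off for every drive type (the value Turn off Autoplay sets).
$explorerPolicy = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
```

Expect the dry run to show Denied for QQ.exe with the deny rule as MatchingRule and Allowed for notepad.exe via the Windows default rule. If QQ.exe is signed, swap the FilePathRule for a FilePublisherRule generated from Get-AppLockerFileInformation, which keeps the deny in force when the user copies the binary to their profile.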

Since their release, Windows 7 and Windows Server 2008 R2 have settled firmly into enterprise desktops and data centres. To serve business users better, Microsoft shipped a large set of storage, network access and security functions in the Windows 7 Enterprise and Ultimate editions and in Windows Server 2008 R2. Beyond the encryption and application control features above, what do the typical ones do, how are they used, and what effect will they have on business applications?

Enterprise efficiency multiplier: BranchCache

According to Microsoft, BranchCache is a new enterprise feature of Windows 7 and Windows Server 2008 R2. The first time a branch-office client fetches content (HTTP or SMB) from a server across the WAN, the transfer proceeds as normal; when the same content is requested again, a client in the same branch can fetch it from a nearby cache instead of from head office. Authorisation is not bypassed: the client still authenticates to the content server, which returns only the content hashes, and the cached data blocks are encrypted with a key derived from those hashes, so a client that would not be allowed the file by the server cannot decrypt it from a peer either. Serving repeat requests locally improves WAN bandwidth utilisation, speeds up applications in remote offices and reduces the bandwidth the enterprise has to buy.

BranchCache has two modes of operation: distributed cache and hosted cache. Distributed cache mode is peer-to-peer, comparable to an ad hoc wireless network, and suits a small office: each Windows 7 client keeps what it has downloaded and serves it to other clients on the same subnet. Hosted cache mode uses a server/client arrangement, comparable to an access point: clients upload downloaded content to a local computer running Windows Server 2008 R2, and other clients that need the same content retrieve the data from that local server rather than from the original. The original server is still contacted for authentication and for the content hashes; only the bulk data stops crossing the WAN. BranchCache requires the content servers to run Windows Server 2008 R2 with the feature enabled and the clients to run Windows 7 (Enterprise or Ultimate).

Administrators manage BranchCache clients with Group Policy or with the netsh command-line utility. Either tool performs the configuration tasks a client needs: enabling BranchCache (it is disabled by default), choosing distributed or hosted cache mode, setting the size of the client's local cache in distributed mode (by default BranchCache uses up to 5% of the hard disk), and specifying the hosted cache server in hosted mode. Running a netsh branchcache command without its arguments prints detailed usage help that walks through the remaining options.
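The netsh side of that configuration, as an added example that is not part of the original article: a function that switches a Windows 7 client between the two modes and sets the cache size, and a second one that reads the status back so the change can be verified. The hosted cache server name, the 10% cache size and the field names parsed from the English netsh output are assumptions; run it elevated.

```powershell
# Added example: configure and verify a Windows 7 BranchCache client with netsh.
# "netsh branchcache set service" also creates the matching Windows Firewall
# rules (content retrieval on TCP 80, peer discovery on UDP 3702) for you.

function Set-BranchCacheClient {
    param(
        [ValidateSet('distributed', 'hostedclient', 'disabled')] [string]$Mode,
        [string]$HostedCacheServer,   # required for hostedclient; clients must trust its HTTPS certificate
        [int]$CachePercent = 5        # Windows default; raise it on clients that pull large files
    )
    switch ($Mode) {
        'distributed'  { & netsh branchcache set service mode=distributed }
        'hostedclient' {
            if (-not $HostedCacheServer) { throw 'hostedclient mode needs -HostedCacheServer' }
            & netsh branchcache set service mode=hostedclient location=$HostedCacheServer
        }
        'disabled'     { & netsh branchcache set service mode=disabled }
    }
    if ($Mode -ne 'disabled') {
        & netsh branchcache set cachesize size=$CachePercent percent=TRUE
    }
}

function Get-BranchCacheState {
    # Reduce "netsh branchcache show status all" to the fields worth checking.
    # Field names are those of the English Windows 7 output (assumed).
    $text = (& netsh branchcache show status all 2>&1) -join "`n"
    $state = @{}
    foreach ($field in 'Service Mode', 'Current Status', 'Service Start Type', 'Maximum Cache Size') {
        if ($text -match "(?m)^\s*$([regex]::Escape($field))\s*=\s*(.+)$") { $state[$field] = $Matches[1].Trim() }
    }
    return $state
}

# Small branch, no local server: peer-to-peer mode with a larger cache.
Set-BranchCacheClient -Mode distributed -CachePercent 10

# Larger branch with a Windows Server 2008 R2 hosted cache (assumed host name):
# Set-BranchCacheClient -Mode hostedclient -HostedCacheServer 'cache01.branch.example.com'

$state = Get-BranchCacheState
if ($state['Service Mode'] -notmatch 'Distributed|Hosted') { Write-Warning 'BranchCache is not enabled on this client' }
$state
```

In an enterprise the same two settings normally come from Group Policy (Computer Configuration → Administrative Templates → Network → BranchCache), and a client that is also under Group Policy will have the netsh changes overridden at the next refresh; the netsh path is for pilots and troubleshooting. Note that the content servers need the BranchCache feature installed and hash publication enabled separately; nothing on the client makes a server participate.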

In Microsoft's own test, downloading a 3 MB file from a head-office server took 47 seconds the first time and only 2 seconds the second time, which shows the gain BranchCache offers to large and medium-sized enterprises with branch offices. Combined with WAN acceleration techniques (compression, de-duplication, transport optimisation, caching and content distribution), it gives organisations a way to consolidate branch servers and to centralise storage and backup infrastructure while keeping application performance high for end users.

Enterprise remote access, secure by design: DirectAccess

DirectAccess is another enterprise feature new in Windows 7 and Windows Server 2008 R2. With it, users outside the office can reach resources behind the corporate firewall directly from the Internet, without having to start a VPN connection (a VPN builds a private, virtual network over the public one, and traditionally the user has to launch it and log in each time). DirectAccess instead brings the connection up automatically whenever the computer is on the Internet.

How does DirectAccess achieve this? It builds on IPv6 transition technology. Early in the adoption of IPv6, the problem was how to let many isolated IPv6 networks communicate "through" the IPv4 backbone. The answer was IPv6 tunnelling: at the entrance of the tunnel, between the IPv6 network and the IPv4 network, a router encapsulates each IPv6 packet inside an IPv4 packet; at the exit, the IPv6 packet is unwrapped and forwarded to its destination. Islands of IPv6 are thereby joined across an IPv4 sea.

DirectAccess uses exactly this technique. When enabled, the client establishes an IPv6 tunnel to the DirectAccess server across the ordinary IPv4 Internet, choosing 6to4, Teredo or IP-HTTPS depending on what the local network allows. The first tunnel is authenticated with the computer's certificate and comes up before any user logs on, which is why administrators can manage a remote computer even when nobody is using it; the DirectAccess server acts as the gateway relaying traffic between the outside client and the intranet. For encryption and authentication DirectAccess relies on IPsec (Internet Protocol Security), which is optional in IPv4 but was originally mandated for IPv6: every IP packet is authenticated and encrypted in transit, so it can neither be read nor tampered with on the way.

According to Microsoft, DirectAccess lets the enterprise manage remote computers over the Internet even while no user is logged on, with strong security throughout. It gives mobile staff an efficient working environment: an employee visiting a customer or attending an outside meeting who needs internal information can open an Internet-connected laptop and, without setting up a VPN connection, reach resources behind the company firewall quickly and securely.
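A client-side check for the mechanism just described, as an added example that is not part of the original article: it reads which IPv6 transition tunnel a Windows 7 DirectAccess client has brought up, whether IPsec main mode security associations exist, and which DNS namespaces the Name Resolution Policy Table routes to the intranet. It uses only built-in netsh contexts; the output strings it matches are those of the English Windows 7 build and are an assumption, as is the hosted intranet name.

```powershell
# Added example: Windows 7 DirectAccess client state via netsh (no DA PowerShell
# module exists on Windows 7). Field names below are assumed from the English output.

function Get-DaTransitionState {
    # 6to4 needs a public IPv4 address, Teredo works behind most NATs (UDP 3544),
    # IP-HTTPS is the fallback over TCP 443 when both are blocked.
    $teredo  = (& netsh interface teredo show state 2>&1) -join "`n"
    $sixto4  = (& netsh interface 6to4 show state 2>&1) -join "`n"
    $httpstn = (& netsh interface httpstunnel show interfaces 2>&1) -join "`n"
    return New-Object PSObject -Property @{
        Teredo  = $(if ($teredo  -match '(?mi)^\s*State\s*:\s*qualified')          { 'qualified' } else { 'not qualified' })
        SixToFour = $(if ($sixto4 -match '(?mi)^\s*(Service )?State\s*:\s*(\S+)') { $Matches[2] } else { 'unknown' })
        IpHttps = $(if ($httpstn -match 'IPHTTPS interface active')               { 'active' }    else { 'inactive' })
    }
}

function Get-DaIpsecPeers {
    # Main mode SAs prove the IPsec tunnel to the DirectAccess server negotiated;
    # their remote addresses should be the server's IPv6 tunnel endpoints.
    $text = (& netsh advfirewall monitor show mmsa 2>&1) -join "`n"
    return @([regex]::Matches($text, '(?mi)^\s*Remote\s*IP\s*Address\s*:\s*(\S+)') | ForEach-Object { $_.Groups[1].Value })
}

function Get-DaIntranetNamespaces {
    # NRPT rules send only the intranet suffixes to the intranet DNS servers over the tunnel.
    $text = (& netsh namespace show effectivepolicy 2>&1) -join "`n"
    return @([regex]::Matches($text, '(?mi)^\s*Namespace\s*:\s*(\S+)') | ForEach-Object { $_.Groups[1].Value })
}

function Test-DaClient {
    $t    = Get-DaTransitionState
    $sas  = Get-DaIpsecPeers
    $ns   = Get-DaIntranetNamespaces
    $tunnelUp = ($t.Teredo -eq 'qualified') -or ($t.IpHttps -eq 'active') -or ($t.SixToFour -eq 'enabled')
    $report = New-Object PSObject -Property @{
        Transition     = $t
        IpsecPeers     = $sas
        Namespaces     = $ns
        Connected      = ($tunnelUp -and $sas.Count -gt 0)
    }
    if (-not $tunnelUp)      { Write-Warning 'no transition tunnel is up; on the corporate LAN this is expected (NLS reachable)' }
    elseif ($sas.Count -eq 0) { Write-Warning 'tunnel is up but no IPsec main mode SA exists; check the computer certificate and the DA server' }
    return $report
}

Test-DaClient | Format-List
```

Read the result together with where the machine is: on the corporate LAN the client detects the network location server and brings up no tunnel at all, so "not connected" is correct there; on the Internet you expect exactly one tunnel (Teredo or IP-HTTPS behind a NAT, 6to4 on a public address) and at least one main mode SA whose Auth1 is the computer certificate. A tunnel that is up with no SA is almost always a certificate or CRL problem, not a transport problem.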
