Windows 7 Security: Tips and tricks to help protect your operating system

Source: Internet
Author: User
Tags: bitlocker, recovery

There are several obvious basic steps for protecting a computer: keep the operating system and applications updated, make sure the latest anti-spyware and anti-virus software is installed, and use a complex password that you change regularly. In this article, I will introduce some security tips beyond these basic measures to help you make better use of the security features of Windows 7.

Prepare BitLocker

One of the most significant security improvements in Windows 7 is BitLocker, the full-disk encryption and startup-environment integrity protection technology first introduced in Windows Vista. BitLocker is included in the Windows 7 Enterprise and Ultimate editions. It ensures that, if a laptop is lost or stolen, unauthorized users cannot recover data from its hard drive.

However, BitLocker also creates a difficult problem: recovering data after a hardware failure on a locked, protected volume. So although BitLocker provides excellent protection, many IT professionals remain wary of it, because users typically only turn to IT when a recovery is already required.

To recover data, you need access to the BitLocker recovery key or password associated with the locked volume. Keeping track of these for a small number of computers is easy; keeping track of them for hundreds of computers is much harder.

Group Policy lets IT professionals configure BitLocker so that it can only be activated once the keys and passwords have been successfully backed up to Active Directory. Improvements to the Active Directory Users and Computers console in Windows Server 2008 R2, and to the Remote Server Administration Tools for computers running Windows 7, have greatly simplified retrieving this recovery data. Searching for recovery passwords and keys is much easier than with the tools available in Windows Vista.

You can access BitLocker recovery keys and passwords from the BitLocker Recovery tab without downloading, installing, and configuring dedicated tools. This information is displayed when you view the properties of a computer account in Active Directory Users and Computers. To make sure BitLocker keys and passwords are backed up, follow these three steps:

1. In the Group Policy that applies to the computer accounts of the systems protected by BitLocker, navigate to Computer Configuration | Windows Settings | Administrative Templates | Windows Components | BitLocker Drive Encryption.

2. If your computers have only one storage drive, go to the Operating System Drives node and edit the "Choose how BitLocker-protected operating system drives can be recovered" policy. If your computers have multiple storage drives, go to the Fixed Data Drives node and edit the "Choose how BitLocker-protected fixed drives can be recovered" policy. Note that although these policies take the same settings, they apply to different drives.

3. To configure BitLocker so that passwords and keys are backed up to Active Directory when BitLocker protection is activated, make sure the following settings are enabled:

Save BitLocker recovery information to AD DS for operating system drives (or for fixed data drives, as appropriate)

Do not enable BitLocker until recovery information is stored in AD DS for operating system drives (or for fixed data drives, as appropriate)

Keys and passwords are backed up only for volumes protected after the policy is applied. Volumes that were already configured for BitLocker protection before the policy took effect do not automatically store their keys and passwords in Active Directory. On those computers you must disable and re-enable BitLocker to ensure that the recovery information is stored in the AD DS database.
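The tracking problem above (hundreds of computers, some protected before the policy existed) is easier to manage with a script. The following is an added example, not code from the original article: it lists which computer accounts already have recovery information in AD DS, and pushes any recovery-password protectors that exist only on the local machine into AD DS. It assumes a domain-joined Windows 7 machine, an account allowed to read the msFVE-RecoveryInformation objects that AD DS stores under each computer account, local administrator rights for manage-bde.exe, and English manage-bde output labels.

```powershell
# Added example, not code from the original article. Assumptions: domain-joined
# Windows 7 client; read access to msFVE-RecoveryInformation objects (the AD DS
# class that holds BitLocker recovery data, stored as children of the computer
# account); local administrator rights for manage-bde.exe; English output labels.

function Get-BitLockerAdBackupStatus {
    param([string]$SearchBase = ([adsi]"LDAP://RootDSE").defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
    $searcher.PageSize = 1000
    $searcher.Filter = "(objectCategory=computer)"
    [void]$searcher.PropertiesToLoad.AddRange(@("name", "distinguishedName"))
    foreach ($computer in $searcher.FindAll()) {
        $dn = [string]$computer.Properties["distinguishedname"][0]
        # Recovery objects are stored one level below the computer account.
        $child = New-Object System.DirectoryServices.DirectorySearcher
        $child.SearchRoot = [adsi]"LDAP://$dn"
        $child.SearchScope = "OneLevel"
        $child.Filter = "(objectClass=msFVE-RecoveryInformation)"
        $count = @($child.FindAll()).Count
        New-Object PSObject -Property @{
            Computer        = [string]$computer.Properties["name"][0]
            RecoveryObjects = $count
            HasAdBackup     = ($count -gt 0)
        }
    }
}

function Backup-LocalRecoveryPasswordsToAd {
    param([string]$Drive = "C:")
    # manage-bde prints every key protector with its ID; only the "Numerical
    # Password" (recovery password) protectors are backed up here.
    $listing = (& manage-bde.exe -protectors -get $Drive 2>&1) -join "`n"
    $pattern = 'Numerical Password:\s+ID:\s*(\{[0-9A-Fa-f-]+\})'
    $ids = [regex]::Matches($listing, $pattern) | ForEach-Object { $_.Groups[1].Value }
    if (-not $ids) { Write-Warning "No recovery password protector found on $Drive"; return }
    foreach ($id in $ids) {
        # -adbackup writes this protector's recovery password to the computer's AD object.
        & manage-bde.exe -protectors -adbackup $Drive -id $id
    }
}

# Report the computers with no recovery information in AD DS, then back up this one.
Get-BitLockerAdBackupStatus | Where-Object { -not $_.HasAdBackup } |
    Format-Table Computer, RecoveryObjects -AutoSize
Backup-LocalRecoveryPasswordsToAd -Drive "C:"
```

Run the audit function from a management workstation and the backup function on each client; a computer that still shows zero recovery objects afterwards has no protector to back up and needs BitLocker re-enabled as described above.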

Configure the data recovery agent

If you need to recover a BitLocker-protected volume without entering the unique password or PIN tied to a specific computer account, you can use another method: the data recovery agent (DRA). A DRA is a special type of certificate associated with a user account that can be used to recover encrypted data.

A BitLocker data recovery agent is configured by editing Group Policy and specifying the DRA certificate in the "Add Data Recovery Agent" wizard. To use this wizard, however, the DRA certificate must be available on an accessible file system or published in Active Directory. Computers hosting the Active Directory Certificate Services role can issue these certificates.

When data must be recovered, a user account with the DRA certificate installed locally can unlock the BitLocker-protected volume. To open the "Add Data Recovery Agent" wizard, navigate to the Computer Configuration | Windows Settings | Security Settings | Public Key Policies node, right-click "BitLocker Drive Encryption", and select "Add Data Recovery Agent".

To use a DRA with BitLocker, you must also select the "Enable data recovery agent" check box in the "Choose how BitLocker-protected operating system drives can be recovered" policy (or in the fixed data drives policy, as appropriate). DRA recovery and Active Directory key/password backup can both be used to recover the same BitLocker-protected volume.

DRA recovery can be used only on volumes where BitLocker was enabled after the policy took effect. Unlike password/key recovery, this method effectively makes the DRA a BitLocker master key: it lets you recover any protected volume encrypted under the policy without having to find the unique password or key for each volume.

BitLocker To Go

Today, the average capacity of many removable storage devices is close to that of a typical small or medium-sized departmental file share ten years ago. This creates several difficulties.

First, when a removable storage device is lost or stolen, a large amount of organizational data may be compromised. The bigger problem may be that while users will promptly notify IT when they lose a laptop, they are far less concerned about losing a USB storage device that may hold several GB of the organization's data.

BitLocker To Go is a new feature introduced with Windows 7 that protects USB storage devices in the same way BitLocker protects operating system and fixed drives. Using Group Policy, you can restrict the computers in your organization so that they can only write data to removable storage devices protected by BitLocker To Go. This ensures that when a user loses a removable device, the data on it is at least encrypted and cannot easily be accessed by unauthorized third parties.

The related BitLocker To Go policies are located in the Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Removable Data Drives node of the Group Policy object. These policies include:

Control use of BitLocker on removable drives. Use this policy to configure how BitLocker is used on removable drives, including whether ordinary users can enable or disable it for removable devices. For example, you may want certain users to be able to store data on removable devices that already have protection configured, but prevent them from using this feature to configure their own devices.

Deny write access to removable drives not protected by BitLocker. This policy restricts users to writing data only to devices protected by BitLocker To Go encryption. When it is enabled, unauthorized users cannot easily access data written to a removable device, because the device is encrypted.

Choose how BitLocker-protected removable drives can be recovered. Use this policy to configure a data recovery agent or to save BitLocker To Go recovery information in Active Directory. This policy is important: if you choose to implement BitLocker To Go to protect data on removable devices, you should have a policy in place for recovering that data when users forget their BitLocker To Go passwords.

When you configure BitLocker To Go on a removable storage device, a password must be entered to unlock the device on another computer. Once the password is entered, the user has read/write access to the device on computers running Windows 7 Enterprise or Ultimate. You can also configure BitLocker To Go to allow read-only access to the protected data on computers running other Microsoft operating system versions.

If your organization is preparing to use BitLocker To Go, you need a data recovery policy for lost or forgotten passwords. Configuring BitLocker To Go recovery is similar to configuring BitLocker recovery; in this case the policy to set is Computer Configuration | Windows Settings | Administrative Templates | Windows Components | BitLocker Drive Encryption | Removable Data Drives | "Choose how BitLocker-protected removable drives can be recovered".

You can back up the BitLocker To Go password to Active Directory; an administrator with access to the Active Directory Users and Computers console can then retrieve the password from the computer account that was originally used to protect the device. You can also configure the policy to protect data with a DRA, so that users holding the DRA certificate can recover data from the drive without needing to retrieve individual passwords.
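A policy that was edited in the GPO but never reached the client gives no protection, so it is worth verifying on a client that the recovery settings from the BitLocker section and the BitLocker To Go policies above are actually in effect. The following is an added example, not code from the original article: it reads the values that Group Policy writes under the BitLocker (FVE) policy keys and compares them with the expected settings. The value names are assumed from the BitLocker policy templates; confirm them against your own ADMX files before relying on the check, and refresh policy (gpupdate /force) first.

```powershell
# Added example, not code from the original article. Checks whether the AD DS backup,
# "require backup", data recovery agent and removable-drive write-restriction policies
# have been applied to this Windows 7 client. Registry value names are assumed from the
# BitLocker policy templates (verify against your ADMX files); PowerShell 2.0 compatible.

$FvePolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
$FveSystemKey = "HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE"

# Each entry: the registry value a policy setting writes, its expected data, and why it matters.
$ExpectedSettings = @(
    @{ Name = "OSActiveDirectoryBackup";         Key = $FvePolicyKey; Value = 1; Why = "OS drives: save recovery information to AD DS" },
    @{ Name = "OSRequireActiveDirectoryBackup";  Key = $FvePolicyKey; Value = 1; Why = "OS drives: do not enable BitLocker until backed up" },
    @{ Name = "FDVActiveDirectoryBackup";        Key = $FvePolicyKey; Value = 1; Why = "Fixed drives: save recovery information to AD DS" },
    @{ Name = "FDVRequireActiveDirectoryBackup"; Key = $FvePolicyKey; Value = 1; Why = "Fixed drives: do not enable BitLocker until backed up" },
    @{ Name = "RDVActiveDirectoryBackup";        Key = $FvePolicyKey; Value = 1; Why = "Removable drives: save recovery information to AD DS" },
    @{ Name = "OSManageDRA";                     Key = $FvePolicyKey; Value = 1; Why = "OS drives: enable data recovery agent" },
    @{ Name = "RDVManageDRA";                    Key = $FvePolicyKey; Value = 1; Why = "Removable drives: enable data recovery agent" },
    @{ Name = "RDVDenyWriteAccess";              Key = $FveSystemKey; Value = 1; Why = "Deny write access to removable drives not protected by BitLocker" }
)

function Test-BitLockerPolicyCompliance {
    foreach ($setting in $ExpectedSettings) {
        $actual = $null   # stays $null when the policy was never applied to this machine
        if (Test-Path $setting.Key) {
            $prop = (Get-ItemProperty -Path $setting.Key).PSObject.Properties[$setting.Name]
            if ($prop) { $actual = $prop.Value }
        }
        New-Object PSObject -Property @{
            Setting   = $setting.Name
            Expected  = $setting.Value
            Actual    = $actual
            Compliant = ($actual -eq $setting.Value)
            Purpose   = $setting.Why
        }
    }
}

# A "save to AD DS" value of 1 without the matching "require" value of 1 means BitLocker
# can still be enabled while the domain is unreachable, so the backup is not guaranteed.
Test-BitLockerPolicyCompliance | Sort-Object Compliant, Setting |
    Format-Table Compliant, Setting, Expected, Actual, Purpose -AutoSize
```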

Configure AppLocker

No anti-malware utility catches every malicious program, and AppLocker adds one more layer of protection. With this technology, you create a list of applications known to be safe and block the execution of any application not on the list. Although this approach is inconvenient for people who regularly run new or rarely used software, most organizations use standard system environments whose applications change gradually, so allowing only approved applications to run is practical.

AppLocker's authorization rules can cover not only executable files but also scripts, DLLs, and MSI installers. Once configured, these items do not run unless a rule authorizes the executable, script, DLL, or installer.

AppLocker simplifies this process with a wizard that automatically creates a list of rules for authorized applications. This is a major improvement over Software Restriction Policies, a technology with similar core features in earlier Windows versions.

AppLocker can also identify the files a rule covers by the publisher's digital signature, so you can create rules that cover both current and future versions of a file. Administrators then do not have to update the rule after an application is updated: the modified executable, script, installer, or DLL is still governed by the original rule. This is not possible with Software Restriction Policies, which force administrators to update rules whenever the software changes.

To create a reference set of AppLocker policy rules that can be applied to other computers, perform the following steps:

1. Set up a Windows 7 reference computer with all of the applications that will be run in the environment.

2. Log on to the computer with a user account that has local administrator privileges.

3. Run gpedit.msc from the "Search programs and files" text box to start the Local Group Policy Editor.

4. Navigate to Computer Configuration | Windows Settings | Security Settings | Application Control Policies | AppLocker | Executable Rules in the local GPO. Right-click the "Executable Rules" node and click "Automatically Generate Rules". This starts the Automatically Generate Executable Rules wizard.

5. In the text box labeled "Folder that contains the files to be analyzed", enter C:\. In the text box labeled "Name to identify this set of rules", enter "All executable files" and click Next.

6. On the Rule Preferences page, select "Create publisher rules for files that are digitally signed" and, for files that are not signed, select "File hash: Rules are created using a file's hash". Make sure the "Reduce the number of rules created by grouping similar files" option is not selected, and click Next.

7. Generating the rules takes some time. When they have been generated, click Create. When prompted whether to create the default rules, click No. You do not need the default rules, because you have already created a more comprehensive set by generating rules for all executable files on the reference computer.

8. If your computer stores applications on multiple volumes, repeat steps 5 to 7, entering the appropriate drive letter when running the Automatically Generate Executable Rules wizard.

9. After the rules are generated, you can export the list of allowed applications in XML format by right-clicking the AppLocker node and clicking "Export Policy". You can then import these rules into other Group Policy objects, such as those applied to portable computers in your organization. Applying these rules through policy restricts execution to only the applications found on the reference computer.

10. When configuring AppLocker, make sure that the Application Identity service is enabled in the Services console and that rule enforcement is configured in the policy. If this service is disabled, the AppLocker policy is not applied. Although you can configure the service's startup state through Group Policy, you must also restrict which users have local administrator rights so that they cannot bypass AppLocker. Navigate to Computer Configuration | Windows Settings | Security Settings | Application Control Policies | AppLocker, open the rule enforcement configuration, set "Executable rules" to "Configured", and ensure that "Enforce rules" is selected.
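Before importing the policy exported in step 9 into other GPOs, it helps to review what it actually contains and whether the step 10 prerequisites hold. The following is an added example, not code from the original article: it summarises an AppLocker policy XML per rule collection (publisher, hash and path rule counts, path rules outside the protected Windows and Program Files folders, and collections that hold rules but are not set to Enabled) and checks the Application Identity service. The policy XML is a constructed sample in the AppLocker export format, not a policy from any real computer; to analyse a real export, assign the file's contents to $SamplePolicyXml instead.

```powershell
# Added example, not code from the original article. The XML below is a constructed
# sample in the AppLocker export format (step 9), not taken from any real computer.
# Assumes Windows 7 or later; the service check needs no special rights.

$SamplePolicyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="1" Name="Signed by Contoso" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePublisherCondition PublisherName="O=CONTOSO, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*" /></FilePublisherCondition></Conditions>
    </FilePublisherRule>
    <FileHashRule Id="2" Name="legacy.exe" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FileHashCondition><FileHash Type="SHA256" Data="0x00" SourceFileName="legacy.exe" SourceFileLength="1" /></FileHashCondition></Conditions>
    </FileHashRule>
    <FilePathRule Id="3" Name="Temp folder" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="NotConfigured">
    <FilePathRule Id="4" Name="All scripts" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Get-AppLockerPolicySummary([xml]$Policy) {
    foreach ($rc in $Policy.AppLockerPolicy.RuleCollection) {
        $rules = @($rc.ChildNodes | Where-Object { $_.NodeType -eq "Element" })
        $pathRules = @($rules | Where-Object { $_.LocalName -eq "FilePathRule" })
        New-Object PSObject -Property @{
            Collection  = $rc.Type
            Enforcement = $rc.EnforcementMode
            Publisher   = @($rules | Where-Object { $_.LocalName -eq "FilePublisherRule" }).Count
            Hash        = @($rules | Where-Object { $_.LocalName -eq "FileHashRule" }).Count
            # A path rule allows whatever is placed in that location, so any path outside
            # the protected Windows and Program Files folders weakens the allow list.
            WeakPaths   = @($pathRules | Where-Object { $_.Conditions.FilePathCondition.Path -notmatch '^%(WINDIR|PROGRAMFILES)%' }).Count
            # Rules in a collection that is not set to "Enabled" are not enforced (step 10).
            NotEnforced = ($rules.Count -gt 0 -and $rc.EnforcementMode -ne "Enabled")
        }
    }
}

Get-AppLockerPolicySummary ([xml]$SamplePolicyXml) |
    Format-Table Collection, Enforcement, Publisher, Hash, WeakPaths, NotEnforced -AutoSize
# AppLocker rules are only applied while the Application Identity service is running.
$appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
if (-not $appId -or $appId.Status -ne "Running") { Write-Warning "AppIDSvc is not running; AppLocker rules are not being enforced" }
```

For the sample policy the Script collection is reported with NotEnforced set to True and one weak path, which is exactly the situation step 10 warns about.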

I hope this helps you learn how to implement and recover BitLocker, use BitLocker To Go, and configure AppLocker policies. Using these technologies along with routine maintenance tasks, such as keeping your computers current with the latest updates, anti-virus software, and anti-spyware programs, will enhance the security of the Windows 7 computers in your organization.


Source: Microsoft TechNet Chinese site