Indeed, Vista is crammed with new security features, including a built-in firewall, integrated anti-spyware capabilities, BitLocker drive encryption, and UAC (User Account Control), which ultimately benefit users. Enterprise users, though, need cross-platform functionality, centralized management, and an absolutely reliable degree of trust, and to them these new features seem to be little more than cosmetic decoration. Let's delve into Vista's security features, for both companies and individuals.
BitLocker hard disk encryption technology
The eWEEK lab is also interested in BitLocker's potential role in the enterprise, because it encrypts the entire contents of the system drive: the operating system and data files.
BitLocker attempts to provide an experience that is seamless to end users. Ideally, the decryption key is stored on a chip on the motherboard and can decrypt the hard drive at startup. The administrator can also configure BitLocker to require the user to enter an authentication code alongside the embedded key. Once the drive is unlocked automatically, BitLocker can stop data thieves who mount an offline attack by booting from another drive, though not an online brute-force attack.
Companies planning to use BitLocker need to prepare before they start using Vista: the system's hard drive must be partitioned so that the boot manager and boot image are stored in a partition separate from the operating system, applications, and data files. Although it is possible to repartition an existing installation, the process is not straightforward. At the same time, administrators need to make sure that the computer's BIOS is ready for Vista, and that there is a TPM (Trusted Platform Module) chip on the motherboard, or that the BIOS can access USB memory sticks in the pre-boot environment.
However, at this early stage of Vista's development, a certain level of support from hardware manufacturers remains essential. For example, although Vista's TPM driver is not vendor-specific, we could not get it to install properly on our Lenovo ThinkPad T60. We had to update the BIOS to a new revision and then manually locate and install the driver. According to Microsoft's engineers, the T60's TPM chip did not identify itself in a way that Vista could recognize, so the driver could not be installed automatically.
Once the TPM chip was finally available, we could start the encryption process with the BitLocker setup wizard, which required us to store the encryption key before starting a system check to make sure BitLocker would work. The wizard reboots the machine, tests whether the key can be read, and then starts encrypting the entire partition.
We found that the disk encryption process is actually very slow: a 30GB partition takes one hour. In addition, because the encryption key needs to be created on each individual machine, it takes a lot of time and administrator effort to enable BitLocker on many laptops.
According to the documentation, the administrator must turn off BitLocker and decrypt the partition before starting a BIOS upgrade. Simple changes to the BIOS can be made with BitLocker temporarily disabled, although we found that some changes, such as changing the boot order, could be made without this step. We did notice that when the Vista installation CD was still in the optical drive and we started the test computer, we had to manually enter a recovery key to start the system, even if we chose not to actually boot from the optical drive.
By quickly changing a Group Policy setting, we could also use BitLocker without a TPM chip, simply plugging a USB flash drive into the computer at startup to provide the decryption key. The BIOS must be able to access this key during startup, something we couldn't do on the ThinkPad T60 but could do on a custom-built computer with an AMD Athlon 64 3500+ processor and an Abit motherboard.
Anti-spyware and firewalls
The Windows Defender anti-spyware program is also included in Vista. In previous tests, we found Windows Defender to be a competent solution for detecting, removing, and blocking spyware, but some shortcomings remain in Vista.
Windows Defender may be able to serve as a second line of defense alongside standard anti-virus/anti-spyware software from other companies. Because it lacks centralized policy control, monitoring, and reporting capabilities, many regulated enterprises will need other suitable programs to provide the necessary documentation and controls.
With Active Directory Group Policy, we were able to control only some of Windows Defender's behavior: we could disable or enable the program, enable some logging rules, and configure SpyNet reporting. We could not schedule scans, change update check intervals, or set up any form of centralized reporting. The settings we could apply work only on Vista computers and not on legacy versions of Windows, which leaves a Windows Defender installation looking like an orphaned application.
Microsoft's Forefront Client Security suite is positioned to provide enterprise-level management and reporting capabilities. Forefront, which is slated for the second quarter of 2007, has the same anti-spyware capabilities as Windows Defender and the same anti-virus engine as OneCare. The beta version of Forefront is now available for download.
Vista is the first operating system to provide an integrated bi-directional firewall, and we remain satisfied with it. The firewall in Windows XP could only block inbound network traffic; the Vista firewall can also monitor and block outbound traffic, preventing installed applications from sending out content without authorization.
Now you have the ability to protect both inbound and outbound connections.
The control panel for basic Windows Firewall settings looks similar to the firewall control panel in XP, although a new option to block all incoming connections replaces the previous option used to disallow exceptions.
On closer inspection, the exceptions page looks much like its XP counterpart, but the exception rules for ICMP (Internet Control Message Protocol) are conspicuously missing. These exception rules, along with policy controls for outbound traffic, now live in a new MMC (Microsoft Management Console)-based configuration tool called Windows Firewall with Advanced Security.
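As an added example that is not part of the original article, here is the command-line counterpart of the outbound and ICMP controls described above, using `netsh advfirewall` from an elevated prompt on a test machine. The backup path, rule names, and program path are illustrative assumptions.

```bat
:: Added example (not from the article). Run from an elevated command prompt.

:: Save the current policy first so it can be restored with "netsh advfirewall import".
:: The backup path is an assumed example.
netsh advfirewall export "C:\fw-baseline.wfw"

:: Show each profile's state and its default inbound/outbound policy.
netsh advfirewall show allprofiles

:: XP-style behavior filtered inbound traffic only. Here both directions
:: default to "block" unless a rule explicitly allows the traffic.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

:: Outbound allow rule scoped by protocol and port (DNS lookups).
netsh advfirewall firewall add rule name="Allow DNS out" dir=out action=allow protocol=UDP remoteport=53

:: Outbound allow rule scoped to one program (path is an assumed example).
netsh advfirewall firewall add rule name="Allow browser out" dir=out action=allow program="%ProgramFiles%\Internet Explorer\iexplore.exe" protocol=TCP remoteport=80,443

:: ICMP exceptions are ordinary rules here: allow inbound IPv4 echo requests (type 8).
netsh advfirewall firewall add rule name="Allow ICMPv4 echo in" dir=in action=allow protocol=icmpv4:8,any

:: Review the outbound rules that are now in effect.
netsh advfirewall firewall show rule name=all dir=out
```

With outbound traffic blocked by default, any application without a matching allow rule loses network access, so build the allow list on a lab machine before rolling it out through Group Policy.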
While we think the integrated firewall is highly functional, we still doubt whether it is attractive enough for large businesses that must continue to support legacy Windows operating systems for the foreseeable future. To simplify management, shops that have standardized on a third-party firewall for their XP-based workstations will be very reluctant to deploy and manage the Vista Windows Firewall separately. Instead, they are likely to wait for the Vista version of their third-party firewall, whenever it becomes available.
User Account Control
Vista's UAC is Microsoft's first attempt at an operating system that lets users run with restricted local privileges rather than as an administrator.
Administrators can specify two UAC modes: users can be prevented from accessing all administrator functions, such as installing software and changing system settings, or they can receive a prompt in a secure interface whenever an administrative action occurs.
In one of these modes, UAC generates so many prompts that users become numb to their content and mechanically click "Yes," "Yes," "Yes." IT managers think of it the way they think of LUA (least-privileged user account) under a system like XP or Windows 2000, so they probably won't subject their users to this and will run UAC in the first mode described above.
We applaud Microsoft's leap of vision with UAC, which recognizes that users should not run the system with administrator privileges at all times. But what UAC offers amounts to practices that IT departments should already have deprecated and will not want to use.