An Introduction to Vista's Added Security Tools

  
Indeed, Vista is full of new security features, including an embedded firewall, integrated anti-spyware, BitLocker drive encryption and UAC (User Account Control), and these features will ultimately benefit users. For business users, who need cross-platform capabilities, centralized processing and absolute reliability, these new features seem to be little more than decoration. Whether for business or personal use, let's take a closer look at Vista's security features.
BitLocker Hard Drive Encryption Technology
eWEEK Labs is also interested in the potential role of BitLocker in the enterprise, as it encrypts the entire contents of the system drive: the operating system and the data files.
BitLocker attempts to provide an experience that is close to seamless for the end user. Ideally, the decryption key is stored on a chip on the motherboard and decrypts the hard drive at startup. Administrators can also configure BitLocker to require a user-entered verification code alongside the embedded key. When the drive is unlocked automatically, BitLocker protects against data thieves mounting offline attacks from another boot drive, rather than against an online brute-force attack.
Enterprises planning to use BitLocker need to prepare before they start using Vista: the system's hard drive must be partitioned so that the boot manager and boot images are stored in a partition separate from the one holding the operating system, applications and data files. Although it is possible to add another partition to an existing installation, the process is not straightforward. The administrator also needs to ensure that the computer's BIOS is ready for Vista, and the machine needs either a TPM (Trusted Platform Module) chip on the motherboard or support for accessing a USB memory stick in the pre-boot environment.
However, at this early stage of Vista's life, support from hardware manufacturers is still indispensable. For example, although Vista's TPM driver is generic rather than vendor-branded, we could not get it to install properly on our Lenovo ThinkPad T60 without an update. We had to flash a new BIOS revision, then manually locate and install the driver. According to Microsoft engineers, the T60's TPM chip does not report a device identity that Vista can recognize, so the driver can't be installed automatically.
Once the TPM chip was finally available, we could begin the encryption process with BitLocker's setup wizard, which required us to store the encryption key before starting a system check to ensure that BitLocker would work. The wizard reboots the machine, checks the key, and then starts encrypting the entire partition.
We found that the disk encryption process is very slow: a 30GB partition took more than an hour. In addition, because the encryption key must be created on each machine individually, enabling BitLocker on many laptops takes a lot of time and administrator effort.
According to the documentation, the administrator must first turn off BitLocker and decrypt the partition before starting a BIOS upgrade. Simple changes to the BIOS can be made with BitLocker temporarily disabled, although we found that for some changes, such as changing the boot order, this step is not required. We did notice that when the Vista installation CD was still in the CD-ROM drive as we started our test computer, we had to enter the recovery key manually to boot the system, even though we chose not to boot from the CD-ROM drive.
With a quick change to a Group Policy setting, we could also use BitLocker without a TPM chip, simply plugging a USB flash drive into the computer at startup to supply the decryption key. The BIOS must be able to access this key for this to work, which was something we could not do on the ThinkPad T60 but could do on a custom-built computer with an AMD Athlon 64 3500+ processor and an Abit motherboard.
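The prerequisites described above (a separate boot partition, a usable TPM, or the Group Policy setting that allows startup without one) can be checked on each machine before a rollout. The following Windows PowerShell audit is an added example, not part of the original review; the function name `Test-BitLockerReadiness` is hypothetical, and the script assumes an elevated session on a BitLocker-capable edition of Windows.

```powershell
# Added example: audits the BitLocker prerequisites discussed in the review.
# Run elevated in Windows PowerShell (Get-WmiObject is absent from PowerShell 7+).
function Test-BitLockerReadiness {   # hypothetical name, not a built-in cmdlet
    $r = @{}

    # 1. TPM present, enabled and activated?
    try {
        $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                   -Class Win32_Tpm -ErrorAction Stop
    } catch { $tpm = $null }   # namespace missing or no TPM driver loaded
    $r.TpmUsable = [bool]($tpm -and $tpm.IsEnabled_InitialValue -and
                          $tpm.IsActivated_InitialValue)

    # 2. Group Policy override that allows startup with a USB key, no TPM.
    #    Vista/Server 2008 write EnableNonTPM; later releases EnableBDEWithNoTPM.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
               -ErrorAction SilentlyContinue
    $r.NoTpmPolicy = [bool]($fve -and
        ($fve.EnableNonTPM -eq 1 -or $fve.EnableBDEWithNoTPM -eq 1))

    # 3. Boot manager on a partition separate from the OS volume?
    $vols = @(Get-WmiObject -Class Win32_Volume)
    $os   = $vols | Where-Object { $_.BootVolume }   | Select-Object -First 1
    $sys  = $vols | Where-Object { $_.SystemVolume } | Select-Object -First 1
    $r.SeparateBootPartition = [bool]($os -and $sys -and
                                      $os.DeviceID -ne $sys.DeviceID)

    # 4. Current protection state of each BitLocker-capable volume
    #    (ProtectionStatus: 0 = off, 1 = on, 2 = unknown).
    try {
        $ev = @(Get-WmiObject -Class Win32_EncryptableVolume -ErrorAction Stop `
                   -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption')
    } catch { $ev = @() }
    $r.ProtectedVolumes = @($ev | Where-Object { $_.ProtectionStatus -eq 1 } |
                            ForEach-Object { $_.DriveLetter })

    # Verdict: partition layout is mandatory; the key needs a TPM or the policy.
    # Pre-boot USB support is a BIOS feature and cannot be confirmed from here.
    $r.Ready = $r.SeparateBootPartition -and ($r.TpmUsable -or $r.NoTpmPolicy)
    New-Object PSObject -Property $r
}

Test-BitLockerReadiness | Format-List
```

A machine that reports `NoTpmPolicy` but not `TpmUsable` still depends on the BIOS reading the USB key before boot, which is the case that failed on the ThinkPad T60 in the review.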
Anti-Spyware and Firewall
Vista also includes the Windows Defender anti-spyware program. In previous tests, we found Windows Defender to be a competent solution for detecting, removing and blocking spyware, but some residue still remains in Vista.
Windows Defender may serve as a second line of defense behind a company's chosen standard anti-virus/anti-spyware software from another vendor. Because it lacks centralized policy control, identity monitoring and reporting capabilities, companies must have other appropriate solutions in place to provide the necessary documentation and controls in many areas of management.
With Active Directory Group Policy, we could control only some of Windows Defender's behavior: we could disable or enable the program, enable some logging rules, and configure SpyNet's reporting features. We were unable to schedule a scan, change the interval for checking for important updates, or specify some form of centralized reporting. These policies can also be applied only to Vista-based computers, not to legacy Windows versions, which leaves a Windows Defender installation there as just an isolated application.
It is Microsoft's Forefront Client Security suite that is meant to provide enterprise-level management and reporting. Forefront, with a sale date in the second quarter of 2007, has the same anti-spyware capabilities as Windows Defender and the same anti-virus engine as OneCare. The beta version of Forefront is currently available for download.
Vista is the first operating system to provide an integrated two-way firewall, and we are generally satisfied with it. While the firewall in Windows XP can only block incoming network traffic, Vista's firewall can also monitor and block outbound traffic, preventing unauthorized content from flowing out of installed applications.
Now you can protect both inbound and outbound connections.
The configuration panel for basic Windows Firewall settings looks similar to the firewall configuration panel in XP, although there is now a setting to block all incoming connections. This new button replaces the option formerly used to disallow exceptions.
At first glance, the exceptions page looks very much like its XP counterpart, but the ICMP (Internet Control Message Protocol) mitigation rules are noticeably gone. These mitigations, along with policy control for outbound traffic, now live in a new MMC (Microsoft Management Console)-based configuration tool called Windows Firewall with Advanced Security.
Although we believe the integrated firewall is highly functional overall, we doubt it holds enough appeal for large companies that must continue to support legacy Windows operating systems for the foreseeable future. To simplify management, shops that have standardized on a third-party firewall for their XP-based workstations will be reluctant to deploy and manage Vista's Windows Firewall. Instead, they are likely to move to the Vista version of that third-party firewall, whenever it becomes available.
User Account Control
Vista's UAC is Microsoft's first attempt to develop an operating system that lets users run with restricted local permissions rather than with administrator rights.
Administrators can specify one of two UAC modes: users can be barred from all administrative functions, such as installing software and changing system settings, or they can be shown a warning in a secure interface whenever an administrative action occurs.
In the latter mode, UAC generates so many warning messages that users become numb to their content and just mechanically click "Yes", "Yes", "Yes". IT managers see it as akin to LUA (least-privileged user account) under a system like XP or Windows 2000, so they probably won't subject their users to this kind of experience and will instead run UAC in the first mode described.
Microsoft is still delighted with the leap in vision that UAC represents: it recognizes that users should not be running the system with administrator privileges all the time. But what UAC provides is something IT departments should have abandoned a long time ago, and they really hope not to use it.

Copyright © Windows knowledge All Rights Reserved