An Introduction to Vista's New Security Tools

  
                                    

Vista is indeed stuffed with new security features, including an embedded firewall, integrated anti-spyware, BitLocker drive encryption and UAC (User Account Control), and these features will eventually benefit users greatly. To business users, who need cross-platform capabilities, centralized processing power and absolute reliability, these new features can seem to be little more than decoration. Whether for business or personal use, let's take a closer look at Vista's security features.

BitLocker Hard Drive Encryption Technology

eWEEK Labs is also interested in BitLocker's potential role in the enterprise, since it encrypts the entire contents of the system drive, operating system and data files alike.

BitLocker tries to provide an experience that is as close to seamless as possible for the end user. Ideally, the decryption key is stored on a chip on the motherboard and decrypts the hard drive at startup. Administrators can also configure BitLocker to require a user-entered verification code in addition to the embedded key. When the drive is unlocked automatically, BitLocker protects against data thieves mounting offline attacks from another boot drive, rather than against online brute-force attacks.

Companies planning to use BitLocker need to prepare before they start using Vista: the system's hard drive must be partitioned so that the boot manager and boot images are stored in a partition separate from the operating system, applications and data files. Although it is possible to add another partition to an existing installation, the process is not straightforward. The administrator also needs to ensure that the computer's BIOS is ready for Vista, and that the machine either has a TPM (Trusted Platform Module) chip on the motherboard or supports access to a USB memory stick in the pre-boot environment.

However, at this early stage of Vista's life, hardware manufacturers still need to provide the necessary level of support. For example, although Vista's TPM driver is not vendor-specific, we could not get it to install properly on our Lenovo ThinkPad T60 without an update. We had to apply a new BIOS revision, then manually locate and install the driver. According to Microsoft engineers, the T60's TPM chip does not report a device identity that Vista recognizes, so the driver can't be installed automatically.

Once the TPM chip was finally available, we could begin the encryption process with BitLocker's setup wizard, which required us to store the encryption key before it started a system check to ensure that BitLocker would work. The wizard reboots the machine, tests the key, and then starts encrypting the entire partition.

We found that the actual disk encryption process is very slow: a 30GB partition takes more than an hour. In addition, since the encryption key needs to be created on one machine after another, it takes a lot of time and administrator effort to enable BitLocker on many laptops.

According to the documentation, the administrator must first turn off BitLocker and decrypt the partition before starting a BIOS upgrade. Simple changes to the BIOS can be made with BitLocker temporarily disabled, although we found that for some changes, such as changing the boot order, this step is not required. We did notice that when the Vista installation CD was still in the CD-ROM drive as we started our test computer, we had to enter the recovery key manually to boot the system, even if we chose not to actually boot from the CD-ROM drive.

By quickly changing a Group Policy setting, we could also use BitLocker without a TPM chip, simply plugging a USB flash drive into the computer at boot time to provide the decryption key. The BIOS must be able to access this key for this to work, something we could not do on the ThinkPad T60 but could do on a custom-built computer with an AMD Athlon 64 3500+ processor and an Abit motherboard.

Anti-Spyware and Firewall

Vista also includes the Windows Defender anti-spyware program. In previous tests, we found that Windows Defender is a competent solution for detecting, removing and blocking spyware, but some residue remains in Vista.

Windows Defender may serve as a second line of defense behind another company's standard anti-virus/anti-spyware software. Because it lacks centralized policy control, identity monitoring and reporting capabilities, companies must have other appropriate solutions in place to provide the necessary documentation and controls for management.

With Active Directory Group Policy, we could control only some of Windows Defender's behavior: we could disable or enable the program, enable some logging rules, and configure SpyNet's reporting features. We were unable to schedule a scan, change the important update check interval, or specify any form of centralized reporting. The settings we could enable apply only to Vista-based computers, not to legacy Windows versions, which leaves Windows Defender installations there as isolated applications.

Microsoft's Forefront Client Security suite is ready to provide enterprise-level management and reporting. Forefront, which went on sale in the second quarter of 2007, has the same anti-spyware capabilities as Windows Defender and the same anti-virus engine as OneCare. The beta version of Forefront is currently available for download.

Vista is the first operating system to offer an integrated two-way firewall, and we are generally satisfied with it. While the firewall in Windows XP can only block incoming network traffic, Vista's firewall can also monitor and block outbound traffic, preventing unauthorized content from flowing out of installed applications.

Now you can protect both inbound and outbound connections

The configuration panel for basic Windows Firewall settings looks similar to the firewall configuration panel in XP, although a new button that blocks all incoming connections replaces the option formerly used to disable policy exceptions.

On closer inspection, the exceptions page looks very much like its counterpart in XP, but the ICMP (Internet Control Message Protocol) rules are noticeably gone. These rules, along with policy control for outbound traffic, now live in a new MMC (Microsoft Management Console)-based configuration tool called Windows Firewall with Advanced Security.
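The outbound policy and ICMP rules that moved into the MMC-based console can also be set from an elevated command prompt with netsh advfirewall. The following is an added example, not part of the original review; the rule names, backup path, program path and resolver address are assumptions chosen for illustration.

```bat
rem Added example: rule names, paths and addresses are illustrative assumptions.
rem Run from an elevated command prompt on Vista or later.

rem Save the current policy first so the change can be rolled back.
netsh advfirewall export "C:\fw-backup.wfw"

rem Show the policy per profile. Out of the box, outbound traffic is allowed
rem unless a rule blocks it, so outbound filtering has to be switched on.
netsh advfirewall show allprofiles firewallpolicy

rem Default posture, shown for comparison: block inbound, allow all outbound.
rem netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem Stricter posture: block both directions, then allow only what is needed.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem Allow outbound DNS to one resolver (192.0.2.53 is a documentation address).
netsh advfirewall firewall add rule name="Example - DNS out" dir=out action=allow protocol=UDP remoteip=192.0.2.53 remoteport=53

rem Allow outbound web traffic for one named program only.
netsh advfirewall firewall add rule name="Example - browser out" dir=out action=allow program="%ProgramFiles%\Internet Explorer\iexplore.exe" protocol=TCP remoteport=80,443

rem ICMP is handled by ordinary rules here: allow inbound IPv4 echo request (type 8).
netsh advfirewall firewall add rule name="Example - ICMPv4 echo in" dir=in action=allow protocol=icmpv4:8,any

rem Review one of the rules just added.
netsh advfirewall firewall show rule name="Example - DNS out"

rem To roll back: netsh advfirewall import "C:\fw-backup.wfw"
```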

Although we believe that the integrated firewall as a whole is highly functional, we doubt that it holds enough appeal for large companies that must continue to support legacy Windows operating systems for the foreseeable future. To simplify management, a shop that has standardized on a third-party firewall for its XP-based workstations will be reluctant to deploy and manage Vista's Windows Firewall. Instead, it is likely to steer toward that third party's Vista firewall, whenever it becomes available.

User Account Control

Vista's UAC is Microsoft's first attempt to develop an operating system that allows users to run with restricted local permissions rather than with administrator rights.

The administrator can specify one of two UAC modes: users can be barred from all administrative functions, such as installing software and changing system settings, or they can receive a warning in a secure interface whenever an administrative action occurs.

In the latter mode, UAC generates so many warnings that users become numb to their content and just mechanically click "Yes," "Yes," "Yes." IT managers regard it as the equivalent of LUA (least-privileged user account) on a system like XP or Windows 2000, so they probably won't subject their users to this kind of experience and will instead run UAC in the first mode described.

We are still delighted with Microsoft's vision for UAC. It recognizes that users should not be running the system with administrator privileges all the time. But what UAC can provide is something IT departments should have abandoned a long time ago, and they would really rather not use it.
