Ultimate guide to Windows 7 security
Use AppLocker, BitLocker to Go and other Microsoft security tools
By Roger A. Grimes | InfoWorld | Published: 14:30, 21 April 2010
BitLocker Drive Encryption
In Windows 7, BitLocker Drive Encryption technology is extended from OS drives and fixed data drives to include removable storage devices such as portable hard drives and USB flash drives. This new capability is called BitLocker to Go.
In Windows Vista SP1, Microsoft added official support for encrypting fixed data drives, but it could only be done using command line tools. Now you can encrypt operating system volumes, fixed data drives, and USB flash drives with a simple right-click, via the Windows Explorer GUI. Moreover, you can use smart cards to protect data volumes, and you can set up data recovery agents to automatically back up BitLocker keys. If you're using a Trusted Platform Module (TPM) chip, you can enforce a minimum PIN length. Five characters should suffice for most environments.
In Windows 7, there is no need to create separate partitions before turning on BitLocker. The system partition is automatically created and does not have a drive letter, so it is not visible in Windows Explorer and data files will not be written to it inadvertently. The system partition is smaller in Windows 7 than in Windows Vista, requiring only 100MB of space.
With BitLocker to Go, you can encrypt removable drives one at a time or require that all removable media be encrypted by default. Further, encrypted removable media can be decrypted and re-encrypted on any Windows 7 computer, not just the one on which it was originally encrypted. BitLocker to Go Reader is a program that works on computers running Windows Vista or Windows XP, allowing you to open and view the content of removable drives that have been encrypted with BitLocker in Windows 7.
You should enable BitLocker (preferably with TPM and another factor) on portable computers if you do not use another data encryption product. Store the BitLocker PINs and recovery information in Active Directory or configure a domain-wide public key called a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker. Require BitLocker to Go on all possible removable media drives.
Easily encrypted page file
Users who cannot utilise BitLocker but still want to prevent the memory swap page file from being analysed in an offline sector editing attack no longer need to erase the page file on shutdown. Windows XP and earlier versions had a setting that allowed the page file to be erased on shutdown and rebuilt on each startup. It's a great security feature, but it often caused delayed shutdowns and startups, sometimes adding as much as 10 minutes to the process.
In Windows 7 (and Vista), you can enable page file encryption. Even better: There is no key management. Windows creates and deletes the encryption keys as needed, so there is no chance the user can "lose" the key or require a recovery. It's crypto security at its best.
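The BitLocker recommendations (TPM plus a second factor, recovery information in Active Directory, BitLocker to Go required on removable media, a minimum PIN length) and the page file encryption setting can all be applied from an elevated PowerShell session. The script below is an added example and is not code from the article or from Microsoft. It assumes a Windows 7 Enterprise or Ultimate machine with manage-bde.exe, a domain-joined computer whose "Store BitLocker recovery information in AD DS" policy is already in place, a USB stick at E:, and the registry value names MinimumPIN and RDVDenyWriteAccess under the FVE policy key, which are my reading of the BitLocker ADMX templates; in a domain those two settings belong in a GPO, and the local registry write is only for a standalone or lab machine.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the InfoWorld article or from Microsoft.
# Applies the article's recommendations on a Windows 7 machine: BitLocker on
# the OS drive with TPM + PIN, recovery password backed up to AD DS, BitLocker
# to Go required for writable removable drives, a minimum PIN length, and page
# file encryption.
# Assumptions: manage-bde.exe is present; the machine is domain-joined with the
# AD DS recovery-information policy already enabled; the registry value names
# under the FVE policy key (MinimumPIN, RDVDenyWriteAccess) are taken from the
# BitLocker ADMX templates and should be checked against your own GPO.

$OsDrive      = 'C:'
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-TpmReady {
    # BitLocker's TPM protectors need a TPM that is enabled, activated and owned.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $false }
    return ($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated -and $tpm.IsOwned().IsOwned)
}

function Set-LocalBitLockerPolicy {
    # Minimum PIN length (the article's five characters) and "deny write access
    # to removable drives not protected by BitLocker", which is what makes
    # BitLocker to Go effectively mandatory for USB sticks users write to.
    if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }
    New-ItemProperty -Path $FvePolicyKey -Name 'MinimumPIN' -PropertyType DWord -Value 5 -Force | Out-Null
    New-ItemProperty -Path $FvePolicyKey -Name 'RDVDenyWriteAccess' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Invoke-ManageBde {
    # Thin wrapper so every manage-bde failure stops the script instead of
    # silently leaving a drive half-configured.
    param([string[]]$Arguments)
    $out = & manage-bde.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($Arguments -join ' ') failed ($LASTEXITCODE):`n$out" }
    return $out
}

function Enable-OsDriveBitLocker {
    # TPM + PIN is the "TPM and another factor" the article prefers; manage-bde
    # prompts for the PIN. -RecoveryPassword adds the 48-digit numerical
    # password protector that an administrator can later read back from AD DS.
    if (-not (Test-TpmReady)) { throw 'TPM is not enabled, activated and owned; initialise it first.' }
    Invoke-ManageBde -Arguments @('-on', $OsDrive, '-TPMAndPIN', '-RecoveryPassword') | Out-Null
}

function Get-NumericalPasswordProtectorIds {
    # Parse "manage-bde -protectors -get" output: the ID line that follows a
    # "Numerical Password:" heading identifies the protector to back up.
    param([string]$Drive)
    $ids = @(); $inNumerical = $false
    foreach ($line in (Invoke-ManageBde -Arguments @('-protectors', '-get', $Drive))) {
        if ($line -match '^\s*Numerical Password:') { $inNumerical = $true; continue }
        if ($inNumerical -and $line -match '^\s*ID:\s*(\{[0-9A-Fa-f-]+\})') { $ids += $Matches[1]; $inNumerical = $false }
    }
    return $ids
}

function Backup-RecoveryPasswordToAD {
    # Push each numerical password protector on the drive into AD DS.
    param([string]$Drive)
    foreach ($id in Get-NumericalPasswordProtectorIds -Drive $Drive) {
        Invoke-ManageBde -Arguments @('-protectors', '-adbackup', $Drive, '-id', $id) | Out-Null
    }
}

function Enable-RemovableDriveBitLocker {
    # BitLocker to Go on a data drive: a password protector (manage-bde prompts
    # for it) plus a recovery password, which is also pushed to AD DS.
    param([string]$Drive)
    Invoke-ManageBde -Arguments @('-on', $Drive, '-Password', '-RecoveryPassword') | Out-Null
    Backup-RecoveryPasswordToAD -Drive $Drive
}

function Enable-PageFileEncryption {
    # The page file setting the article describes: Windows encrypts pagefile.sys
    # and manages the key itself. The change takes effect after a reboot.
    & fsutil.exe behavior set EncryptPagingFile 1 | Out-Null
    return (& fsutil.exe behavior query EncryptPagingFile)
}

# Apply in order; skip the removable-drive step if no USB stick is attached.
Set-LocalBitLockerPolicy
Enable-OsDriveBitLocker
Backup-RecoveryPasswordToAD -Drive $OsDrive
Enable-RemovableDriveBitLocker -Drive 'E:'     # assumed drive letter of the USB stick
Enable-PageFileEncryption
& manage-bde.exe -status
```

Run it once from an elevated prompt and reboot afterwards: the page file setting only applies at the next start, and on Windows 7 BitLocker will want a restart to run its hardware test before it begins encrypting the OS drive. Afterwards, `manage-bde -status` should show every drive as protected, and the recovery passwords should be visible on the computer object in Active Directory.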