Sunday, May 25, 2008

Windows Vista Implementing Local and Network File System Security

No other issue has dominated the PC industry like that of security. Data theft is one of the biggest concerns companies have today, whether it’s someone physically stealing a laptop, an internal employee gaining unauthorized access to information, computer viruses and network worms, or unauthorized copying of confidential data onto removable media security, the risks are high and numerous. All of this seems extremely overwhelming, but Microsoft provides incredible tools and features to help you in securing your systems. The subject of security is large enough to create a volume of books, but for our purposes we will be focusing on implementing local and network file system security. We will briefly cover four features that Windows Vista provides in aiding you in securing the file system.

■ Windows Rights Management Service

■ User Account Control (UAC)

■ BitLocker

■ Encrypted File System (EFS)

Windows Rights Management Service

Have you ever received an e-mail from someone that had a notice at the bottom saying that the message was for the recipient only and that any reproduction of the e-mail was strictly prohibited? We all have received e-mails like this; many of us have confidentiality notices at the bottom of our e-mails just like it. So what is to prevent you or whomever from forwarding the e-mail on or even printing it out? Microsoft has moved toward allowing users to better control the use of the content they send by means of Windows Rights Management Services (RMS).Windows Vista comes with an RMS client installed.This enables Windows Vista PCs to open RMS-encrypted documents and enforce whatever restrictions have been placed on them. To use RMS, you must have an RMS infrastructure in place and applications that support it. An RMS infrastructure consists of a server running the RMS service, an RMS client (Windows Vista), and supporting applications such as Microsoft Office. When in place, RMS can:

■ Allow a user to view a document, but not save a copy of it, print it, or forward it.

■ Restrict users from copying and pasting text within a document.

■ Make it difficult to open a document using a client that does not enforce RMS protection.

User Account Control

Many threats to the operating system have occurred in the context of the user having administrative privileges. Viruses, worms, spyware, Trojan horses, and now most recently malware have been the biggest threats so far. To combat this, Microsoft recommends using accounts with limited privileges. The logic is this: If a user lacks the permission to install a new application to the %systemroot%\Program Files directory, any malware the user accidentally runs is prevented from installing.

For years now, we’ve been making users members of the local administrators group of their PCs because of the limitations of having a limited user account such as those in Windows XP. UAC provides the best of both worlds. It offers the benefits of a standard user account from a security standpoint without the limitations of previous versions of Windows. The following are three advantages of using UAC.

■ All users including administrators run limited privileges by default, therefore reducing security risks.

■ Standard users are able to perform most common tasks without having to provide administrative credentials.

■ UAC enables most applications that required administrative privileges in Windows XP to run with no problems under standard user accounts.


Using Windows Vista’s BitLocker volume encryption can reduce the risk of important data being removed if a user’s laptop is stolen. BitLocker provides a full-volume encryption and is especially useful against “offline” attacks. An offline attack is one where another user attempts to gain access to the data on the hard drive. One way of doing this is to install another operating system on that drive to gain access to the data. It seals the symmetric encryption key in a Trusted Platform Module or TPM chip. BitLocker can also store the key on a USB flash drive as well. There are two TPM modes.

TPM only. Transparent to the user and does not change the user’s logon procedure. If missing or altered, BitLocker will go into recovery mode. To gain access to the drive, you will need a recovery key or PIN. This provides protection from hard disk theft.

TPM with startup key. The user must have a startup key to log on to the system. The key can be stored on a USB flash drive or can even be a password.

BitLocker provides the following for users:

■ Causes great difficulty for an attacker to gain access to data from a stolen system or drive

■ Encrypts the entire volume, including the hibernation file, page file, and temporary files

■ Allows users to easily recycle or reuse drives by simply deleting the encryption keys

BitLocker, on the other hand, does NOT do the following:

■ Protect data from network attacks

■ Protect data while Windows is running

■ Protect data on volumes other than the Windows partition

Encrypting File System

Supported only on NTFS volumes, Encrypting File System (EFS) has been with us since Windows 2000. Just like BitLocker, EFS also protects against offline attacks. To the end user, EFS is transparent. They still access files just as they did before EFS was implemented, as long as they have the correct decryption key—without it, any files that have been encrypted are impossible to open.

EFS uses a symmetric key encryption along with public key technology in protecting files and folders of the system. Users of EFS are issued a digital certificate with a public and private key pair. It then uses these keys to encrypt and decrypt files for the logged-on user. Files are encrypted using a single symmetrical key. That key is then encrypted twice: once with the user’s EFS public key, and once with the recovery agent’s key to allow for data recovery. Windows Vista includes two new features in its EFS implementation.

■ The ability to store both user and recovery keys on smart cards

■ The ability to encrypt pagefile.sys


Microsoft recommends using both BitLocker and EFS together. BitLocker is able to encrypt all files on the system partition, including the system files, while EFS is able to encrypt volumes that are outside of the system partition, which BitLocker cannot touch. Together they provide a solid solution.


Encrypt the pagefile, this is one of the new features of EFS within Windows Vista. By encrypting it, you make reading the pagefile practically impossible for thieves.

*.* Source of Information : Syngress How to Cheat at Microsoft Vista Administration

No comments: