
Microsoft Press Windows Vista Administrator's Pocket Consultant ebook

Page 54

by MS


  Note

  If you move an uncompressed file from a different drive to a compressed folder, the file is compressed, because a move across drives is really a copy and the new file inherits the destination folder's compression attribute. However, if you move an uncompressed file to a compressed folder on the same NTFS drive, the file isn't compressed, because a move within a volume only relinks the existing file and keeps its attributes. Remember also that a file can't be both compressed and encrypted; encrypting a compressed file uncompresses it first.

  Expanding Compressed Drives

  You can remove compression from a drive as follows:

  In Windows Explorer or Disk Management, right-click the drive that contains the data that you want to expand and then select Properties.

  On the General tab, clear the Compress Drive To Save Disk Space check box and then click OK.

  Tip

  Windows always checks the available disk space before expanding compressed data, and you should, too. Expansion needs enough free space to hold the data at its full, uncompressed size; if the drive has less free space than the compressed data currently occupies, you might not be able to complete the expansion. For example, if a compressed drive uses 1 gigabyte (GB) of space and has 700 megabytes (MB) of free space available, there might not be enough free space to expand the drive. With regard to disk quotas, it is also important to point out that NTFS charges the full (uncompressed) size of the data against a user's quota, not the compressed size. This ensures that a quota-limited user always has room to expand the data.

  Expanding Compressed Files and Folders

  If you decide that you want to expand a compressed file or folder, reverse the process by completing the following steps:

  Right-click the file or folder in Windows Explorer.

  On the General tab of the related property dialog box, click Advanced. The Advanced Attributes dialog box appears. Clear the Compress Contents To Save Disk Space check box and click OK.

  With a file, Windows Vista removes compression and expands the file. With a folder, Windows Vista expands all the files within the folder. If the folder contains subfolders, you'll also have the opportunity to remove compression from the subfolders. To do this, select Apply Changes To This Folder, Subfolders And Files when prompted and then click OK.

  Note

  Windows Vista also provides a command-line tool for compressing and decompressing NTFS data: Compact (Compact.exe). Compact /C compresses the specified files or folders and Compact /U uncompresses them; add /S to recurse into subfolders. Expand.exe, despite its name, extracts files from cabinet (.cab) and compressed distribution files and has no effect on NTFS compression.
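  The following PowerShell function is an added example, not code from the book: it expands an NTFS-compressed folder with Compact.exe and performs the free-space check the tip above recommends before doing so. It assumes PowerShell 2.0 or later on Windows Vista and a local folder path; the function name is my own.

```powershell
# Added example (not from the book): expand an NTFS-compressed folder with compact.exe after
# checking that the volume has room for the uncompressed data.
#   compact /c /s:<dir>   compress the folder and everything beneath it
#   compact /u /s:<dir>   uncompress (expand) it
# Expand.exe is for cabinet (.cab) files and does nothing for NTFS compression.
function Expand-CompressedFolder {
    param([Parameter(Mandatory=$true)][string]$Path)

    $folder = Get-Item -LiteralPath $Path
    if (-not $folder.PSIsContainer) { throw "$Path is not a folder" }

    # .Length reports each file's logical (uncompressed) size, which is also what NTFS quotas
    # charge. Summing it is a conservative estimate of what the expansion may need; a tighter
    # check would subtract the current on-disk size, which compact.exe prints in its summary.
    $files = Get-ChildItem -LiteralPath $Path -Recurse -Force | Where-Object { -not $_.PSIsContainer }
    $logicalBytes = [long]($files | Measure-Object -Property Length -Sum).Sum

    # Free space on the volume that holds the folder
    $root = [System.IO.Path]::GetPathRoot($folder.FullName)
    $freeBytes = (New-Object System.IO.DriveInfo($root)).AvailableFreeSpace

    if ($freeBytes -lt $logicalBytes) {
        throw ("Not expanding: {0:N0} bytes free on {1}, but the data may need up to {2:N0} bytes" -f $freeBytes, $root, $logicalBytes)
    }

    # /u = uncompress, /s:dir = recurse, /a = include hidden and system files,
    # /i = continue past errors, /q = quiet
    $recurseArg = "/s:$($folder.FullName)"
    & "$env:SystemRoot\System32\compact.exe" /u $recurseArg /a /i /q
    if ($LASTEXITCODE -ne 0) { throw "compact.exe exited with code $LASTEXITCODE" }

    # Verify: anything still carrying the Compressed attribute means the expansion was incomplete
    $still = Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Compressed) -ne 0 }
    if ($still) { Write-Warning ("{0} item(s) are still compressed" -f @($still).Count) }
    $still
}

# Usage (path is a placeholder):
# Expand-CompressedFolder 'D:\Archive'
```

  The function returns the items that remained compressed, so an empty result means the folder and everything beneath it were expanded; files that were open or locked during the run are the usual reason for leftovers.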

  Managing BitLocker Drive Encryption

  BitLocker Drive Encryption, a feature of the Enterprise and Ultimate Editions of Windows Vista, provides an additional layer of protection for your organization's computers. Regardless of whether you work in a large or small organization, you should consider using BitLocker Drive Encryption on any computer that stores sensitive information, as well as on your mobile PCs.

  Introducing BitLocker Drive Encryption and Trusted Platform Module

  BitLocker Drive Encryption protects computers from attackers who have physical access to a computer. On a computer with a Trusted Platform Module (TPM), BitLocker uses the TPM to check the integrity of the computer's firmware, boot manager, and boot files at startup and to detect whether the boot environment was tampered with while the operating system was offline. The TPM does this by recording measurements (hashes) of those early boot components in its platform configuration registers; BitLocker seals the key that protects the operating system volume to the expected measurements.

  When a computer is started, the TPM measures the boot components again and compares them with the values recorded when BitLocker was enabled. If they differ, for example because a boot file was modified or the firmware boot settings were changed while the computer was offline, the TPM refuses to unseal the key required to continue startup. The computer then goes into recovery mode and the user is prompted to provide the recovery password or recovery key before BitLocker grants access to the boot volume. Recovery mode is also used if the disk drive is transferred to another system, because the new computer's TPM holds no key for it.

  If BitLocker Drive Encryption is not enabled, an attacker could start the computer from a boot disk and reset the administrator password to gain full control of the computer. Alternatively, the attacker could read the computer's hard disk directly from a different operating system, bypassing NTFS file permissions entirely, because permissions are enforced only by the running Windows kernel. With BitLocker, the volume is encrypted, so neither approach yields readable data, and any offline change to the boot files sends the computer into recovery mode at the next startup. In this way, BitLocker Drive Encryption reduces the risk of an attacker using offline attacks to gain access to confidential data.

  To use BitLocker Drive Encryption, a computer must be running Windows Vista Enterprise or Ultimate editions. BitLocker Drive Encryption can be used both on computers that have compatible TPM architecture and on computers that do not have compatible TPM architecture. If a computer has TPM Version 1.2, using BitLocker Drive Encryption requires that the computer must also:

  Have a configured TPM

  Have its disk drives configured appropriately for working with BitLocker Drive Encryption

  Have BitLocker Drive Encryption enabled

  Computers with a compatible TPM can use one of two TPM modes with BitLocker Drive Encryption:

  Startup key Uses the TPM plus a second factor that the user must supply. When the computer starts up, the TPM validates the boot components as described above, and the user must also provide the second factor before BitLocker unlocks the volume. In Windows Vista the second factor is either a startup key, a machine-readable key file on a universal serial bus (USB) flash drive (TPM and startup key mode), or a personal identification number (PIN) that the user types at the pre-boot prompt (TPM and PIN mode). If the user doesn't have the startup key or PIN or is unable to provide the correct one, BitLocker enters recovery mode. BitLocker also enters recovery mode if the TPM is missing or the boot measurements have changed.

  TPM-only Uses only the TPM for validation. When the computer starts up, the TPM validates the boot components and, if the measurements match, releases the key without user interaction, so this mode is transparent to the user and the logon experience is unchanged. It protects against disk theft and offline tampering, but it does nothing to stop an attacker who boots the intact computer and attacks the running Windows logon, which is why a PIN or startup key is the better choice for mobile PCs. If the TPM is missing or the boot measurements have changed, BitLocker enters recovery mode and requires the recovery password or recovery key to regain access to the boot volume.

  If a computer doesn't have TPM Version 1.2 or later, using BitLocker Drive Encryption requires that the computer must also:

  Have its disk drives configured appropriately for working with BitLocker Drive Encryption

  Have the Group Policy setting Control Panel Setup: Enable Advanced Startup Options enabled with Allow BitLocker Without A Compatible TPM selected (under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption); without it, the BitLocker wizard stops with the message that a compatible TPM was not found

  Have BitLocker Drive Encryption enabled

  Computers without a TPM, or with a TPM that is incompatible with Windows Vista, don't get the added security benefit of early boot integrity validation. Here, BitLocker Drive Encryption uses USB flash drive key mode, which requires a USB flash drive containing the startup key. The user inserts the flash drive before turning on the computer, and the key stored on it unlocks the volume. If the user doesn't have the startup key or is unable to provide the correct one, BitLocker enters recovery mode. Because there is no TPM to hold boot measurements, BitLocker doesn't attempt to validate the boot files in this mode; it protects only the data at rest on the encrypted volume.

  The sections that follow discuss working with Trusted Platform Modules and BitLocker Drive Encryption. Because most new business computers that are shipped with Windows Vista Enterprise or Ultimate should have appropriately configured TPMs and drives, the only step that administrators typically must perform is enabling BitLocker Drive Encryption.

  Working with Trusted Platform Modules

  Before you can use TPM, the TPM must be initialized for first use and turned on. You'll find that most business computers that have a TPM are shipped with that TPM initialized and turned on. That said, if for some reason, a TPM isn't ready for use on a computer equipped with a TPM, you can use the Trusted Platform Module Management console to initialize and turn on the TPM. To start the Trusted Platform Module Management console, follow these steps:

  Click Start, click All Programs, Accessories, and then Run.

  Type tpm.msc in the Open box and then press Enter. Managing the TPM requires local administrator rights, so approve the User Account Control prompt if one appears.

  Manage the computer's TPM configuration using the commands listed under Actions.

  In addition to using this console to initialize and turn on TPM, you can use this console to perform the following tasks:

  Turn off the TPM as might be necessary if you don't want to use TPM.

  Cancel TPM ownership and shut down the TPM, such as might be necessary when you are recycling a computer.

  Change the owner password associated with the TPM such as might be necessary if you suspect the TPM owner password has been compromised.

  Working with BitLocker Drive Encryption

  Before a computer can use BitLocker Drive Encryption, the hard drive must be partitioned so that the boot files live on a separate, unencrypted system partition: an active NTFS partition of at least 1.5 GB that is distinct from the operating system volume to be encrypted. If a computer isn't shipped with this partition, it can be created before or after installation of the operating system; Microsoft's BitLocker Drive Preparation Tool automates the post-installation case. (See http://www.microsoft.com/technet/itsolutions/msit/security/bde_note.mspx for details, and test the procedure first before trying it on production computers.) The next step in configuring a computer to use BitLocker Drive Encryption is to enable the feature in the operating system:

  Log on to the computer as an administrator. Click Start, Control Panel, Security, and then BitLocker Drive Encryption.

  For the system volume, click Turn On BitLocker. This starts the Turn On BitLocker Drive Encryption Wizard. After you read the welcome message, click Next.

  On the Save The Recovery Key As A Password page, the BitLocker Drive Encryption Wizard provides options for you to display, print, or save the 48-digit recovery password.

  Tip

  Store the recovery password in a secure location, separate from the computer. You will need it to unlock the data on the volume if BitLocker Drive Encryption enters recovery mode. Each recovery password is unique to a particular BitLocker-protected volume; you cannot use it to recover data from any other volume. In a domain, you can also enable the Group Policy setting Turn On BitLocker Backup To Active Directory Domain Services (under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption) so that recovery information is escrowed in AD DS automatically when BitLocker is turned on; this requires the BitLocker schema extensions on the domain controllers.

  Click Print The Password to print the password. Be sure to store the printed password in a secure location.

  Click Save The Password. In the Save BitLocker Drive Encryption Password As dialog box, type a file name for the password and then click Save. The password is saved by default in the Documents folder in your user profile.

  Click Next. The Save The Recovery Key On A USB Device page is displayed. If you want to save the recovery password to a USB memory device, insert the device and select the corresponding drive in the list provided. Then click Save Key.

  Click Next. The Save The Recovery Key To A Folder page is displayed. If you want to save the recovery password to a folder on another computer or a network share, click Save and then use the Browse For Folder dialog box to select the save location.

  Click Next. If you are on a TPM-equipped computer, the Create A PIN For Added Security page gives you the option of creating a PIN for added security. If desired, enter and confirm a PIN and then click Set PIN. The PIN will then be required to start the computer. Click Next.

  On the Create A Startup Key For Added Security page, you have the option of creating a startup key. When using a startup key, keep the following in mind:

  On a TPM-equipped computer, creating a startup key is optional. If you want to require a startup key to boot the computer, insert a USB memory device and select the corresponding drive in the list provided. Then click Save Key.

  On a computer without TPM, creating a startup key is required. Insert a USB memory device and select the corresponding drive in the list provided. Then click Save Key.

  Note

  The startup key is different from the recovery key. Every user of a particular computer will need the startup key to start the computer. On the other hand, the recovery key is required only to unlock the computer if BitLocker enters recovery mode, such as would happen if BitLocker suspects the computer has been tampered with while offline.

  Click Next. On the Encrypt The Selected Disk Volume page, click Encrypt to encrypt the selected disk volume. An Encryption In Progress status bar is displayed. You can monitor the ongoing completion status of the disk volume encryption by moving the pointer over the BitLocker Drive Encryption icon in the notification area at the bottom of your screen. Volume encryption takes roughly one minute per gigabyte to complete; the computer remains usable during encryption, and encryption resumes where it left off if the computer is restarted.

  When the encryption process is complete, you have encrypted the entire volume and created a recovery key unique to this volume. If you created a PIN or startup key, this key will be required to start the computer.
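  Once the wizard finishes, verify what it actually configured. The script below is an added example, not code from the book, covering both the TPM readiness checks from the Working with Trusted Platform Modules section and the result of the procedure above. It uses the WMI classes Win32_Tpm and Win32_EncryptableVolume that ship with Windows Vista, assumes an elevated PowerShell 2.0 (or later) prompt, and the function names are my own.

```powershell
# Added example (not from the book): audit TPM readiness and BitLocker state with the WMI
# providers that ship with Windows Vista. Run from an elevated PowerShell 2.0 (or later)
# prompt; both classes require administrator rights. Function names are my own.

function Get-TpmReadiness {
    # root\CIMV2\Security\MicrosoftTpm is the same provider the tpm.msc console uses
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) {
        # No TPM (or no TPM driver): only USB startup key mode is possible, and only if Group
        # Policy allows BitLocker without a compatible TPM.
        return New-Object PSObject -Property @{ Present = $false; Enabled = $false; Activated = $false; Owned = $false; SpecVersion = '' }
    }
    New-Object PSObject -Property @{
        Present     = $true
        Enabled     = $tpm.IsEnabled().IsEnabled        # turned on in firmware
        Activated   = $tpm.IsActivated().IsActivated    # initialized for use
        Owned       = $tpm.IsOwned().IsOwned            # owner password set; false after ownership is cancelled
        SpecVersion = $tpm.SpecVersion                  # starts with "1.2" on a TPM Vista can use
    }
}

# Status codes from the Win32_EncryptableVolume documentation
$ProtectionStatus = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
$ConversionStatus = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress';
                       3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }
$KeyProtectorType = @{ 1 = 'TPM'; 2 = 'ExternalKey (startup or recovery key on USB)';
                       3 = 'NumericalPassword (48-digit recovery password)';
                       4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey' }

function Get-BitLockerState {
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume |
        ForEach-Object {
            $vol  = $_
            $prot = $vol.GetProtectionStatus()
            $conv = $vol.GetConversionStatus()
            $kp   = $vol.GetKeyProtectors(0)           # 0 = every key protector type

            # WMI returns UInt32; the hashtables are keyed by Int32, so cast before the lookup
            $protectors = @()
            if ($kp.VolumeKeyProtectorID) {
                foreach ($id in @($kp.VolumeKeyProtectorID)) {
                    $t = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
                    if ($KeyProtectorType.ContainsKey($t)) { $protectors += $KeyProtectorType[$t] } else { $protectors += "Type$t" }
                }
            }
            New-Object PSObject -Property @{
                Drive       = $vol.DriveLetter
                Protection  = $ProtectionStatus[[int]$prot.ProtectionStatus]
                Conversion  = $ConversionStatus[[int]$conv.ConversionStatus]
                PercentDone = $conv.EncryptionPercentage
                Protectors  = ($protectors -join '; ')
            }
        }
}

# Flag the two configurations an administrator most often regrets: a protected volume with
# no recovery password protector, and TPM-only mode on a machine that leaves the building.
function Get-BitLockerFindings {
    foreach ($v in Get-BitLockerState) {
        if ($v.Protection -eq 'Protected' -and $v.Protectors -notmatch 'NumericalPassword') {
            "$($v.Drive): protected but has no 48-digit recovery password protector; recovery depends on the USB key alone"
        }
        if ($v.Protectors -eq 'TPM') {
            "$($v.Drive): TPM-only mode; no PIN or startup key stands between a stolen laptop and the Windows logon screen"
        }
    }
}

Get-TpmReadiness   | Format-List Present, Enabled, Activated, Owned, SpecVersion
Get-BitLockerState | Format-Table Drive, Protection, Conversion, PercentDone, Protectors -AutoSize
Get-BitLockerFindings
```

  On a freshly enabled system volume you should see Conversion as EncryptionInProgress with a rising PercentDone, and Protectors listing NumericalPassword plus whichever of TPM, TPMAndPIN, TPMAndStartupKey or ExternalKey the wizard created; Protection only turns to Protected once conversion has finished.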

  Recovering Volumes Protected by BitLocker Drive Encryption

  If you've configured BitLocker Drive Encryption and the computer enters recovery mode, you will need to unlock the computer using a startup or recovery key stored on a USB memory drive. Follow these steps to unlock the computer:

  Turn on the computer. Because the computer is in BitLocker Recovery mode, the computer starts the BitLocker Drive Encryption Recovery Console when you start the computer.

  When you are prompted, insert the portable USB memory drive that contains the startup or recovery key and then press Enter.

  The computer will unlock and reboot automatically. You will not need to enter the recovery key manually.

  To unlock the computer by typing the required recovery key, follow these steps:

  Turn on the computer. Because the computer is in BitLocker Recovery mode, the computer starts the BitLocker Drive Encryption Recovery Console when you start the computer.

  Type the recovery password and press Enter.

  The computer will unlock and reboot automatically.

  In some cases, the computer might become locked. For example, if you tried to enter the recovery key but were unsuccessful, you can press Esc twice to exit the recovery prompt and turn off your computer. You can then turn on the computer and try to unlock it again using the correct startup or recovery key.

  A computer might also become locked if an error related to TPM occurs or if a boot file is modified. In this case, the computer halts very early in the boot process, before the operating system starts. Because the locked computer cannot accept standard keyboard numbers at this point, you must use the function keys to enter the recovery key password. In this case, the function keys F1–F9 represent the digits 1 through 9, and the F10 function key represents 0.
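  If a typed recovery password is rejected, the usual cause is a misread digit on the printout. The 48-digit password has a documented structure that lets you check it before walking back to the locked machine: it is 8 groups of 6 digits, and each group is a 16-bit value multiplied by 11, so every group must be divisible by 11 and less than 720896 (65536 times 11). The function below is an added example, not code from the book; the sample passwords are constructed for illustration and are not real recovery passwords.

```powershell
# Added example (not from the book): syntax check for a 48-digit BitLocker recovery password.
# Each 6-digit group is a 16-bit value * 11, so it must be divisible by 11 and below 720896.
# Divisibility by 11 catches any single wrong digit and any two adjacent digits swapped
# within a group, which is what a misread printout usually looks like.
function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory=$true)][string]$Password)

    # Accept the password with or without the dashes and spaces shown on the printout
    $digits = $Password -replace '[\s-]', ''
    if ($digits -notmatch '^\d{48}$') {
        Write-Verbose "expected 48 digits, got $($digits.Length)"
        return $false
    }

    for ($i = 0; $i -lt 8; $i++) {
        $text  = $digits.Substring($i * 6, 6)
        $group = [int]$text
        if (($group % 11) -ne 0) {
            Write-Verbose ("group {0} ({1}) is not divisible by 11: a digit is wrong" -f ($i + 1), $text)
            return $false
        }
        if ($group -ge 720896) {
            Write-Verbose ("group {0} ({1}) exceeds the 16-bit range" -f ($i + 1), $text)
            return $false
        }
    }
    return $true
}

# Constructed sample values (not real recovery passwords). Each group below is a 16-bit
# number times 11: 1234, 65535, 1, 40000, 12345, 54321, 256, 65000.
$valid = '013574-720885-000011-440000-135795-597531-002816-715000'
Test-BitLockerRecoveryPassword $valid
# One digit misread in the first group: no longer divisible by 11
Test-BitLockerRecoveryPassword ($valid -replace '013574', '013575')
# 720896 is divisible by 11 but is 65536 * 11, one past the 16-bit range
Test-BitLockerRecoveryPassword ($valid -replace '720885', '720896')
```

  Run with -Verbose to see which group failed; the constructed valid password passes and the two mutations fail. The check tells you the password is well formed, not that it belongs to this volume; only the recovery console can confirm that.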

  Managing the Encrypting File System

  File encryption allows users to store data in encrypted form, which protects it even from someone who bypasses standard file access permissions, for example by reading the disk from another operating system. By default, the person who encrypted the file is the only one who can read it. Before other users can read an encrypted file, that person must decrypt the file or grant them special access. Otherwise, encrypted files can be copied, moved, and renamed just like any other files, and in most cases these actions don't affect the encryption of the data. However, if you move an encrypted file to a device formatted using FAT, which has no support for encrypted files, the file is decrypted automatically.

  The process that handles encryption and decryption is called the Encrypting File System (EFS). The default setup for EFS allows users to encrypt files without special permission. EFS encrypts each file's contents with a randomly generated symmetric key, the file encryption key (FEK), and stores the FEK with the file, encrypted with the public key from the user's EFS certificate; only the holder of the matching private key can recover the FEK and read the file. The certificate and key pair are generated automatically, per user, the first time a user encrypts a file.

  Tip

  By default, EFS encrypts file data with 256-bit Advanced Encryption Standard (AES-256). If your organization requires FIPS 140-validated algorithms, enable the System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, And Signing policy in Group Policy, under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. On Windows Vista this switches EFS to Triple DES (3DES) for file data and restricts Schannel to TLS with 3DES for traffic encryption, RSA for key exchange and authentication, and SHA-1 for hashing. Regardless of the encryption algorithm you choose, administrators designated as recovery agents can decrypt files if necessary. Note that with the FIPS policy enabled, Internet Explorer negotiates only TLS, not SSL 2.0 or SSL 3.0, which not all Web sites support.

  Encrypting Files and Folders

  With NTFS volumes, Windows Vista enables you to select files and folders for encryption. When you encrypt a file, the file data is converted to an encrypted format that only the person who encrypted the file can read. Users can only encrypt files if they have the proper access permissions. When you encrypt folders, they are marked as encrypted, but actually only the files within them are encrypted. All files that are created in or added to a folder marked as encrypted are encrypted automatically.

  A file can't be compressed and encrypted at the same time, and you can't encrypt system files or read-only files. If you try to encrypt compressed files, Windows automatically uncompresses them and then encrypts them. If you try to encrypt system files, you'll get an error message.

  To encrypt a file or folder, complete the following steps:

  Right-click the file or folder that you want to encrypt and then select Properties.

  On the General tab of the related property dialog box, click Advanced. The Advanced Attributes dialog box appears. Select the Encrypt Contents To Secure Data check box.

  Click OK.

  For an individual file, Windows Vista marks the file as encrypted and then encrypts it. For a folder, Windows Vista marks the folder as encrypted and then encrypts all the files in it. If the folder contains subfolders, Windows Vista displays the Confirm Attribute Changes dialog box, which allows you to encrypt all the subfolders associated with the folder. Simply select Apply Changes To This Folder, Subfolders And Files, and then click OK.

  Note

  On NTFS volumes, files remain encrypted when they're moved, copied, and renamed. If you copy or move an encrypted file to a FAT16 or FAT32 drive, which can't store encrypted files, Windows decrypts it before copying or moving it. Because decryption is required, you must hold a key that can decrypt the file (you encrypted it, you were granted access to it, or you are a recovery agent) to copy or move it there; other users get an access-denied error even if NTFS permissions would allow the copy.
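  The following script is an added example, not code from the book. It encrypts a folder from the command line with Cipher.exe, reports anything EFS refused (system files, for example), and copies an encrypted file only after confirming that the destination volume is NTFS, so the decrypt-on-FAT behaviour described in the note can't happen by accident. It assumes PowerShell 2.0 or later on Windows Vista, local drive-letter paths, and an account that holds the file's EFS key; the function names are my own.

```powershell
# Added example (not from the book). The Encrypt Contents check box, cipher.exe and
# System.IO.File.Encrypt all set the same NTFS Encrypted attribute, so the attribute is a
# reliable way to verify the result from a script.

function Protect-FolderWithEfs {
    param([Parameter(Mandatory=$true)][string]$Path)
    # /e = encrypt, /s:dir = the folder and everything beneath it, /a = files as well as the
    # folder attribute. New files dropped into the folder later inherit encryption. cipher
    # uncompresses compressed files first, since a file can't be both compressed and encrypted.
    & "$env:SystemRoot\System32\cipher.exe" /e "/s:$Path" /a | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "cipher.exe exited with code $LASTEXITCODE" }

    # Return every file that did not end up encrypted (system files, files in use, ...)
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0) }
}

function Copy-EncryptedFile {
    param([Parameter(Mandatory=$true)][string]$Source,
          [Parameter(Mandatory=$true)][string]$Destination)

    $src = Get-Item -LiteralPath $Source
    if (($src.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0) {
        throw "$Source is not EFS-encrypted"
    }

    # A copy to FAT16/FAT32 (or any file system without EFS) can only be stored as plaintext.
    # DriveInfo understands local drive letters only; for UNC paths the server's file system
    # has to be checked separately, so refuse rather than guess.
    $root = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Destination))
    if ($root -notmatch '^[A-Za-z]:\\$') {
        throw "Refusing to copy to $root : verify the destination file system is NTFS first"
    }
    $format = (New-Object System.IO.DriveInfo($root)).DriveFormat
    if ($format -ne 'NTFS') {
        throw "Refusing to copy: $root is $format, so the file would be stored decrypted"
    }

    Copy-Item -LiteralPath $Source -Destination $Destination
    $dst = Get-Item -LiteralPath $Destination
    if (($dst.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0) {
        throw "$Destination lost its encryption attribute"
    }
    $dst
}

# Usage (paths are placeholders):
# Protect-FolderWithEfs 'D:\Finance'            # lists files that are still unencrypted
# Copy-EncryptedFile 'D:\Finance\q3.xlsx' 'E:\Backup\q3.xlsx'
```

  Protect-FolderWithEfs returns the files that remain unencrypted, so an empty result means the whole tree is protected. Copy-EncryptedFile deliberately fails closed: it refuses a non-NTFS destination and throws if the copy somehow arrived without the Encrypted attribute, rather than relying on whatever warning the copy tool may or may not show.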

  Sharing Encrypted Files

  By default, an encrypted file can be opened only by the user who encrypted it (and by any designated recovery agent). If you want other users to be able to access an encrypted file, you must either decrypt the file or grant those users access to it by adding their EFS certificates to the file, as follows:

  Right-click the file or folder in Windows Explorer and then select Properties.

  On the General tab of the related property dialog box, click Advanced. The Advanced Attributes dialog box appears.
