Blog Archives

AppLocker

This is the fourth part of a feature comparison series where I look at the differences between Microsoft Windows 7 Professional and Enterprise editions. For the full list of features, see the first post.

In this post I’ll review the usage scenarios and explore the benefits and caveats of AppLocker; hopefully it will help you decide if AppLocker contributes to the case for the extra cost of the Enterprise license.

AppLocker is a policy-based security mechanism that either allows or disallows software from running on a system. You’re right in thinking this sounds a lot like Microsoft’s Software Restriction Policies (SRP) feature. They are very similar, but not the same thing. As with SRP, AppLocker can either block all applications from running except for the ones you whitelist, or allow all except for the ones you blacklist. Like most security solutions, the more secure it is, the more burdensome management can be. AppLocker improves on SRP with new features that make setup and management easier. My favourite is the ability to white- or black-list applications by vendor, so for example I can unlock all Adobe apps with one rule.
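The vendor-wide rule described above, as an added PowerShell example (not code from the original post): it reads the certificate subject off one signed executable, writes a single publisher rule with wildcards for product, binary and version, and dry-runs the policy against a folder with Test-AppLockerPolicy before anything is enforced. The paths are placeholders and the rule collection is set to audit mode, which is an assumption for evaluation rather than a requirement.

```powershell
# Added example, not from the original post. Builds a vendor-wide AppLocker allow rule
# from the signer of one signed executable, then dry-runs the policy against a folder
# of binaries so you can see what would be allowed or denied before enforcing anything.
Import-Module AppLocker

$signedExe  = 'C:\Program Files\ExampleVendor\app.exe'        # placeholder: any signed .exe from the vendor
$candidates = Get-ChildItem 'C:\Program Files\ExampleVendor' -Recurse -Include *.exe, *.dll |
              Select-Object -ExpandProperty FullName             # placeholder: files to check

# Read the publisher, product and binary name that AppLocker itself sees on the signed file
$fileInfo  = Get-AppLockerFileInformation -Path $signedExe
$publisher = $fileInfo.Publisher.PublisherName   # certificate subject, e.g. "O=EXAMPLE VENDOR, L=..., C=US"

# One publisher rule with "*" for product, binary and version covers everything that
# vendor signs. S-1-1-0 is the Everyone SID. AuditOnly makes AppLocker log what it
# WOULD block instead of blocking it, which is the safe first step for a whitelist.
# Caveat: once any Allow rule exists in the Exe collection, everything not matched by a
# rule (including Windows itself) is denied by default, so the Microsoft default rules
# must be present in the final policy.
$ruleId    = [guid]::NewGuid().ToString()
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$ruleId" Name="Allow all software signed by $publisher"
                       Description="Vendor-wide allow rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$publisher" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'vendor-allow.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: which candidate files match the vendor rule, and which fall through to the
# default deny? Unsigned helper binaries shipped by the vendor show up here as denied.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Only once the dry run looks right: apply to the local machine. -Merge keeps any
# rules already in place rather than replacing the whole policy.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

The Application Identity service (AppIDSvc) must be running for AppLocker rules to be evaluated on the client, so a policy that tests cleanly can still appear to do nothing until that service is started.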

AppLocker may be better than SRP, but this doesn’t mean that you have to get rid of your SRP group policies, as Windows 7 supports both AppLocker and SRP. It does this by ignoring SRP if both AppLocker and SRP settings are applied to the system. This also means that if you have a mixture of Windows 7, XP and/or Vista machines then you can use a mixture of AppLocker and SRP, but it is advisable to thoroughly test the effects of combining these settings in the same group policy.

To conclude, I think AppLocker offers a great way to make your Windows 7 desktops more secure. The biggest obstacle to implementing it may actually be user acceptance, especially in environments where they had free rein over their pre-Windows 7 machines, but that’s not an insurmountable problem. To get started with evaluating AppLocker you can download the walkthrough from Microsoft’s website.


Bitlocker and Bitlocker To Go

This is the third part of a feature comparison series where I look at the differences between Microsoft Windows 7 Professional and Enterprise editions. For the full list of features, see the first post.

In this post I’ll review the usage scenarios and explore the benefits and caveats of Bitlocker and Bitlocker To Go; hopefully it will help you decide if Bitlocker contributes to the case for the extra cost of the Enterprise license.

Bitlocker has been a feature of Microsoft’s client operating systems since Windows Vista, but Windows 7 adds some compelling new features, most notable of which is Bitlocker To Go, which enables protection of USB flash drives.

Bitlocker offers data protection in scenarios where loss or theft of storage media is a concern, so it’s ideal for protecting portable storage media, laptops and physically vulnerable desktops. It works by encrypting the entire volume, and only allowing access to the disk after the system has been started by a trusted party. This trust is established during the boot process when the user either keys in a PIN, inserts a USB key or both.

On the plus side, Bitlocker trumps EFS (Microsoft’s file-level encryption technology) as it is transparent to users and does not rely on them remembering to encrypt sensitive data. On the down side, it offers no protection once the system is up and running. Bitlocker can also cause administrators headaches if there is no centralised management of data encryption. Bitlocker has the potential to render important information inaccessible if users enter the incorrect PIN too many times and then can’t remember their recovery password. Fortunately Bitlocker can be managed with a variety of Group Policy settings that allow comprehensive management of Bitlocker, including saving the recovery password information to Active Directory.

Group Policy makes it possible to manage Bitlocker on an enterprise scale, but this does not guarantee everything will be plain sailing. It is advisable to invest some time and resources in evaluating and testing Bitlocker in your environment. I’d recommend that you only roll out Bitlocker once you have a tried and tested recovery procedure in place and you’ve trained support staff and end users how to use it.

In summary, Bitlocker offers protection against attackers who try to access your sensitive data by booting compromised systems with other operating systems or by installing stolen disks in another system and either booting from or slaving them. When properly managed, it offers an important layer of security to enterprises whose mobile users travel with sensitive data.

For more information, including a FAQ page and detailed deployment guides, visit the Windows 7 Bitlocker page on TechNet.