Moving on from Windows XP: Security and Encryption

handson Moving on from Windows XP: Security and Encryption

Part 2: In this part of the ongoing series, we discuss Series: Windows XP security and encryption available in later versions Migration of Windows and Linux — Hiren Mehta

ecurity and encryption in Windows with your computer’s processor to help prevent viruses Vista, 7 & 8 and other unauthorized programs from running on your SIn Windows XP, Microsoft provides a `Security computer. Center’, which is meant to be used to check the PC’s When it comes security settings and the status of different security tools at to user accounts, the a glance. However, Windows XP does not ship pre-installed biggest gap in secu- antivirus software. There is a basic Windows Firewall rity in Windows XP is which is turned on by default. You also have the option of that by default, the automatic updates, so that Windows can routinely check user account created for the latest important updates for your computer and during installation install them automatically. had administrator privileges but lacked a password. You would need to manu- ally set a password for the same, since the installer would only ask to set the Data Execution Prevention settings password for the in Windows XP built-in administrator account and not for the one which you created. It is worth noting here that features such as Remote Desktop require the user account (which is being logged in) to have a valid password, else remote access is not given even if the user account exists in the remote access In Windows XP, the Security Center is used to control the whitelist. firewall updates, OS updates and anti-virus updates. Internet Explorer’s security too is improved. En- hanced security settings warn you about viruses and other security threats that can spread over the Internet. Internet Explorer can now block certain website features and give you a warning, so that you can decide whether it is safe to proceed. This applies to the pop-up blocker too, which lets you stop most browser windows that web sites pop up without your permission. Internet Explorer’s companion, Outlook Express is provided enhanced security settings that help you identify and delete potentially harmful e-mail attachments, which may contain viruses. On a lower level, a feature called as ‘Data Execution Prevention’ is provided. Data Execution Prevention works Managing user accounts in Windows XP

66 PCQuest NOVEMBER 2013 pcquest.com twitter.com/pcquest facebook.com/pcquest linkd.in/pcquest [email protected] Unlike the Encrypting File System (EFS), which ena- bles you to encrypt individual files, BitLocker encrypts the entire drive. You can log on and work with your files normally, but BitLocker can help block hackers from accessing the system files they rely on to discover your password, or access your hard disk by removing it from your computer and installing it on a different computer. If you want to encrypt a data drive, you will also need to encrypt the drive Windows is installed on since the key for the data drive is stored on the Windows drive. If you store files and folders on other drives, such as USB flash drives or external hard drives, you can help protect them with EFS. You can also encrypt files and folders on Bit- Locker-encrypted drives for further security on a shared computer. When you add new files to the drive with BitLocker, BitLocker encrypts them automatically. Files remain encrypted only while they are stored in an encrypted drive. Files copied to an unencrypted drive or another computer are decrypted. If you share files with other users, such as through a network, these files are encrypted Remote Desktop requires a valid password for the concerned user account while stored on the encrypted drive, but they can be accessed normally by authorized users. Windows Vista During computer start-up, if BitLocker detects a Along with existing features such as Windows Firewall system condition that could represent a security risk (for and Security Center, Vista introduced Windows Defender, example, disk errors, a change to the BIOS, or changes Microsoft’s own anti-spyware solution. However, in terms of to any start-up files), it will lock the drive and require a user experience, the biggest change Vista introduced with special BitLocker recovery password to unlock it. Make security is `User Account Control (UAC)’, which is meant to sure that you create this recovery password when you help prevent unauthorized changes to your computer by turn on BitLocker for the first time; otherwise, you could requiring permission before performing actions that could permanently lose access to your files. potentially affect your computer’s operation or that change settings that affect other users. This was felt by many users to be pretty irritating since you could either toggle it on or off. There is no intermediate option that could strike a balance between security and convenience.

Windows BitLocker Drive Encryption in Windows Vista Ultimate Configuring User Account Control in Windows Vista BitLocker typically uses the Trusted Platform Module In some editions, Windows BitLocker Drive Encryp- (TPM) chip in your computer to store keys that are used to tion is provided. Windows BitLocker Drive Encryption is unlock the encrypted hard disk. When you log on to your meant to restrict access to data in the situation that your computer, BitLocker asks the TPM for the keys to the hard computer is lost or stolen. BitLocker encrypts the entire disk and unlocks it. Because the TPM provides BitLocker system drive, including files needed for start-up and with the keys immediately after you’ve logged on to your login, which can improve security by preventing hack- computer, the security of your computer relies on the ers from accessing important system files. BitLocker also strength of your logon password. If you have a strong works with data drives on the same computer. password that prevents unauthorized users from logging pcquest.com twitter.com/pcquest facebook.com/pcquest linkd.in/pcquest [email protected] NOVEMBER 2013 PCQuest 67 handson on, the BitLocker-protected hard disk will remain locked. Windows 8 acquired additional responsibilities of being an You can turn off BitLocker at any time, either temporarily anti-virus program as well and not just an anti-spyware. by disabling it, or permanently by decrypting the drive. This, in other words, meant that the security checklist Before you can turn on BitLocker Drive Encryption, could now be satisfied out-of-the-box in Windows 8. you need to make sure that your computer’s hard disk has at least two volumes. If you create a new volume Security and encryption: Switching after you have already installed Windows, you will have to Linux to reinstall Windows before turning on BitLocker; one As far as a Gnu/Linux distribution is concerned, it is volume is for the operating system drive (typically drive usually considered to be more secure than the Windows’ C) that BitLocker will encrypt, and one is for the ac- counterparts. However, that is no excuse for going easy on tive volume, which must remain unencrypted to start security. The main problem with ascertaining a Gnu/Linux the computer. The size of the active volume must be at system’s security is that security is directly affected by least 1.5 gigabytes (GB). Both partitions must be for- the attack surface area of your system, and in a system matted with the NTFS file system. You can also encrypt as modular as Gnu/Linux, it is difficult to determine a data drives on the same computer, but the drive that standard for exactly how `visible’ your system becomes Windows is installed on must also be encrypted with depending on what you have installed and configured. BitLocker. If you do not already have two partitions, you However, there are system-wide mechanisms that try can use the BitLocker Drive Preparation Tool to help get to address this problem from a manageability point of your system ready for BitLocker by creating the required view, such as SELinux. Many of the popular modern Linux second partition. distributions give an option to users to encrypt at least If you are using Windows Vista Ultimate, you can their home directories. download and install the BitLocker Drive Preparation Tool Automatic updates are usually easy to set up, with from Ultimate Extras. Download and install the Ultimate many Linux distributions enabling them by default. Extra called BitLocker and EFS enhancements. After you However, care needs to be taken in order to set up your have installed this tool, type BitLocker into the Start preferred repositories for updates, so that you select menu search box, and then double-click BitLocker Drive the fastest (which may not necessarily be the nearest) Preparation Tool to run the tool. After the tool runs, you mirror. Package management tools like Yum and Apt must restart your computer before turning on BitLocker. offer an easy way for system administrators to automate If you are using Windows Vista Enterprise, you can updates in order to suit their requirements. Anti-mal- get the BitLocker Drive Preparation Tool through these ware solutions are also available, with ClamAV antivirus standard support channels: being particularly popular. Although the chances of a • Microsoft Volume Licensing Services spyware/virus infection on a Gnu/Linux system are lesser • Microsoft Services Premier Support than in a typical Windows installation, they are far from zero. It is always recommended that you use the root In Windows 7: account only when necessary and not otherwise. Many It was around the time when Windows 7 was launched login managers in Gnu/Linux tend to block GUI logins as that Microsoft came out with Microsoft Security the root user by default, although you can still enable Essentials. Earlier it did have an anti-virus product in them if you want to. the form of Windows Live OneCare. However, except Linux is very well known for its firewall capabilities, for its online scanner, Windows Live OneCare was not with lots of hardware firewalls running customized Linux a free product. Microsoft Security Essentials runs on distributions. IPTables is a popular and highly configura- XP and Vista too. Apart from that, the `Security Center’ ble firewall software which can be used with Linux. The got renamed to Action Center in Windows 7 since here super-user mechanism of Linux gives you similar func- it monitors a few non-security related settings as well tionality to what User Account Control does in Windows. (such as maintenance tasks). User Account Control now However, do keep in mind that many distributions tend allows you to set intermediate levels of prompting, to be choosy with default passwords. For instance, many providing much needed relief for administrators live distributions such as Knoppix simply do not have a and power users frequently needing to provide root password at all out-of-the-box, making its use highly confirmation/type a password. risky unless you do a hard-disk install of the same and set a strong root password at the first boot. Fedora allows In Windows 8: you to use `su’ to switch to the root user whereas with Adding to what Windows 7 offers, Windows Defender in Ubuntu you end up using `sudo’.

68 PCQuest NOVEMBER 2013 pcquest.com twitter.com/pcquest facebook.com/pcquest linkd.in/pcquest [email protected]