Enterprise storage helper: drive encryption
It is reasonable to say that BitLocker (drive encryption) is not a new feature, it has appeared in Windows Vista. But in Windows 7, its attention is actually higher than in Windows Vista, so it still deserves a lot of attention from business users who are not interested in it. BitLocker is a component that provides disk-level data encryption. To understand BitLocker, you need to understand its predecessor EFS (Encrypting File System). As we all know, NTFS is the standard file system for Windows NT and later operating systems, supports metadata, and uses advanced data structures to improve performance, reliability, and disk space utilization, and provides several additional extensions, such as EFS. . EFS is available in Windows 2000/XP/Server 2003 to help users perform encryption operations on files and folders stored on NTFS disk volumes. If the files on the hard disk have been encrypted using EFS, even if the hacker can access the files on the hard disk, the files are not available because there is no decrypted key.
Of course, EFS is not invincible. NTFS active system partitions below 1.5GB and boot partitions higher than 50GB cannot be encrypted by EFS. You can use the BitLocker tool to protect it. EFS users can selectively encrypt some important files or folders, but BitLocker unconditionally encrypts all folders of the entire drive. BitLocker can make up for some of the shortcomings of EFS and can be used for unauthorized access. control.
By default, the Windows operating system does not activate the BitLocker feature. To encrypt a drive with Windows installed with BitLocker, the computer must have two partitions: the system partition (which contains the files needed to start the computer) and the operating system partition (including Windows), the operating system partition will be encrypted, and the system partition It will remain unencrypted so that you can start your computer. If the computer does not have a system partition, BitLocker automatically creates a system partition with 200MB of free disk space in Windows 7. The system will not assign a drive letter to the system partition, and the system will not display the folder. System partition. When encrypting a drive (operating system drive) with Windows installed, BitLocker stores its own encryption and decryption keys on a hardware device other than the hard disk, so you must have one of the following hardware devices: Trusted Any platform computer (TPM) (a computer with a special microchip that supports advanced security features); a removable hard drive or USB flash drive.
In the partition where the operating system that starts the BitLocker function is located, this function can monitor a series of disk errors, BIOS changes, startup configuration file changes, etc. If these functions are abnormally changed, BitLocker will automatically lock the disk. live. The system administrator can then unlock the drive with a pre-set key. This can be helpful in preventing data loss, preventing theft or preventing hacking. And, BitLocker can lock portable storage devices that are easily seen by others, such as USB drives or removable hard drives.
Enterprise Application Butler: AppLocker
AppLocker (Application Control Policy) is a new security feature added to Windows 7, which can be easily configured using AppLocker administrators. For example, the QQ.exe executable can be used by all users before the AppLocker management is performed, and the restricted user cannot use the program after setting the relevant application control policy.
The specific method is to open “ start → run & rdquo;, enter gpedit.msc to open the group policy editor. In the left pane, open “Computer Configuration →Windows Settings →Security Settings →Application Control”, you can see AppLocker Group Policy Configuration Item ——“Executable Rules”,&ldquo ; Windows Installer Rules & rdquo; and & ldquo; script rules & rdquo; three types, right-click on each rule can create a new rule, users can create corresponding action rules according to their own needs. Right-click "Executable Rules & Rarr; Create New Rule", click "Next", click the "Select" button, in the pop-up dialog box, click "Advanced", click "ld" Find ”, find the user you want to disable, and then you can add qualified users to the rule. Then you can point the disabled object to QQ.exe, and finally click “Create”
To prevent the spread of flash viruses, leave the AutoRun.inf file out of operation. In this case, you can select "script rules"→“create new rules", select “permissions"→“reject" in the pop-up window, select “ in "users or groups" ;Everyone”,“Next”Select “path" in the creation condition, enter “?:\\AutoRun.inf” in the "path" box, continue to <;Next”, and finally Click “Create”
This kind of user can set the default rules of Applocker according to their actual situation, which can prevent normal system programs from being used by viruses and Trojans, and can prevent malicious programs from entering the computer through abnormal channels.
After a period of hot sales, Windows 7 and Windows Server 2008 R2 are fully integrated into corporate computers. In order to better meet the needs of enterprise users, Microsoft has introduced a large number of storage, network access, security and other functions in Windows 7 Enterprise /Ultimate and Windows Server 2008 R2, becoming a new tool for enterprise applications. And what are the typical functions of this kind? How to use it? What impact will it have on enterprise applications?
Enterprise efficiency multiplier: Branch cache
According to Microsoft, Branch Cache (branch cache) ) is an enterprise-class new feature provided in Windows 7 and Windows Server 2008 R2. When this function is enabled for the first time in WAN (Wide Area Network), it can access data according to authorization as usual, and when it needs to be accessed again, it can be in the nearest department. Another client accesses the same content based on the authentication status. Through this nearby access, the bandwidth utilization of the network can be improved, and the performance of the remote office network application can be improved, and the occupation of the network bandwidth of the enterprise can be reduced.
Branch Cache has two working modes: one is Distributed Cache and the other is Hosted Cache. Distributed caching uses a peer-to-peer model, similar to the Ad-hoc network, which enables faster access in smaller applications. The hosted cache uses a server/client architecture, similar to the AP central mode, which allows Windows 7 clients to copy content to a local computer running Windows Server 2008 R2 so that other clients that need access to the same content can be directly on the local server. Access this data and no longer depend on the original server. To use Branch Cache, all server systems must be Windows Server 2008 R2, and all clients must use Windows 7.
Users can manage the Branch Cache client using Group Policy settings or the Netsh command line script utility. You can use either of these tools to perform the following configuration tasks on the Branch Cache client: enable Branch Cache (it is disabled by default); select distributed cache mode or hosted cache mode; specify the size of the client computer's cache ( Use distributed cache mode) By default, Branch Cache uses up to 5% of the hard drive for the cache; specifies the location of the hosted cache (using hosted cache mode). In this regard, when using this setting, the Windows system gives detailed and intuitive setup instructions, and you can complete the setup according to the instructions.
According to Microsoft's test, downloading a 3MB file from an enterprise remote server took 47 seconds for the first time, and only 2 seconds for the second time. From this, the efficiency of the Branch Cache function is visible. It is useful for large and medium-sized enterprise architecture branch offices. A joint acceleration application that compresses, eliminates redundancy, transport optimization, caching, and content distribution provides organizations with an easy way to consolidate branch servers, consolidate storage and backup infrastructure while ensuring end-user high-performance applications.
Enterprise Access New Security: DirectAccess
DirectAccess is also a new enterprise application feature available in Windows 7 and Windows Server 2008 R2. With this function, users on the external network can directly access the resources behind the corporate firewall from the Internet at high speed and securely without connecting to a VPN (virtual private network, the core of the VPN is to use the public network to establish a virtual private network).
How is the DirectAccess function implemented? To achieve this, DirectAccess takes advantage of some of the features of IPv6 technology. As we all know, in the early stage of IPv6 development, how to make a large number of local pure IPv6 networks “traversing” the traditional IPv4 backbone network to achieve interoperability? For this reason, IPv6 “tunnel” technology emerged between IPv6 networks and IPv4 networks. At the entrance of the tunnel, the router encapsulates the IPv6 data packet into IPv4, and then forwards and forwards the IPv6 packet to the destination node at the exit of the tunnel, so that an IPv6 network similar to an island can be connected.
DirectAccess takes advantage of this technology. When it is turned on, it can establish an IPv6 tunnel connection to the DirectAccess server and work on a normal IPv4 network on the client, so that the administrator can log in at the user. Before the related computers were managed, the DirectAccess server mainly played the role of internal and external network information transmission (ie, gateway) in this process. In order to obtain good encryption and authentication, DirectAccess also utilizes the optional IPsec (Internet Protocol Security) protocol family in IPv4, and encrypts the information in units of IP packets. Encrypt packets in transit or prevent tampering to ensure secure communication.
According to Microsoft, using DirectAccess, enterprise users can manage computers through the Internet without remote login, and have strong security. This feature provides an efficient working environment for mobile workers. For example, if a company employee is doing customer service outside, or if you want to find relevant internal information in an external meeting, you can use a laptop with Internet access without setting up a VPN connection. In the case of high-speed, secure direct access to resources behind the corporate firewall.