Windows 7's BitLocker safeguards corporate data


The security of an operating system is generally divided into two aspects: the security of the operating system itself and the security of the data stored on it. In Windows 7, the UAC control mechanism and the system backup and restore measures have greatly improved the security and stability of the operating system itself. So one cannot help asking: does Windows 7 offer any new measures for protecting data security? The answer is exciting. Windows 7 provides a new data protection mechanism, BitLocker, a tool that can protect the security of corporate information files.

The figure above shows the interface for turning on BitLocker for a drive. By default, the Windows operating system does not enable BitLocker; if an enterprise has higher security requirements for its data files, the feature can be enabled as appropriate. So what are the characteristics of this feature, and what restrictions apply when using it? I will resolve these questions for everyone today.

First, the difference between BitLocker and the EFS encryption mechanism.

Anyone who has used the Windows operating system knows that, starting with Windows 2000, Microsoft implemented a file system called NTFS. This file system is safer and more stable than the earlier FAT32 file system, and Microsoft has also built many exciting features on top of this partition format. The EFS file encryption mechanism is one of them. So what is the connection between EFS file encryption and BitLocker, and what is the difference?

The first thing to be clear about is that both technologies are good file protection mechanisms and can, to a large extent, secure data files. However, there is one big difference between them: EFS encrypts specific files or folders, whereas BitLocker encrypts an entire drive. In other words, with EFS users can selectively encrypt some important files or folders; with BitLocker the user has no such choice: either all the folders on a drive are encrypted or none of them are. This is the main difference between the two file encryption mechanisms.

But they also have a lot in common. For example, both the EFS encryption system and the BitLocker protection mechanism are transparent to the end user. This is reflected in the following aspects. First, a legitimate user does not notice that such protection exists when accessing data: whether data is being encrypted or decrypted, it is done in the background without user intervention. If BitLocker is enabled on a drive, the operating system automatically encrypts a file when the user saves it to that drive and automatically decrypts it the next time it is accessed. Second, if an unauthorized user attempts to access the encrypted data, an "access denied" error is returned; both EFS and BitLocker protect against unauthorized access to a user's data. Third, their user authentication is completed when logging into the Windows operating system; in other words, their keys are tied directly to the operating system account. For this reason, if someone illegally copies the files to another host without the owner's authorization (certificate), they cannot open them even though they possess the files.

It is clear that EFS and the BitLocker protection mechanism have much in common. So why did Microsoft still go to the trouble of developing BitLocker? Mainly because this protection mechanism has its own characteristics, which to some extent make up for the shortcomings of the EFS file encryption system.

Second, BitLocker is more convenient for sharing.

If a file in a folder is encrypted with EFS, sharing that file over the network is cumbersome: a system administrator often has to import the user's certificate into another user's operating system, or use other similar means, to make the file shareable. With the BitLocker protection mechanism, however, sharing files is more convenient.

When a user saves a file to a drive protected by BitLocker, it is automatically encrypted. But what happens if the user copies this encrypted file to another drive that does not use BitLocker? The file is automatically decrypted, and from then on other users can read it as long as they have the relevant permissions. The premise, however, is that the user who copied the file has the right to decrypt it. Up to this point, EFS handles the file in a similar way. But when it comes to sharing, the two differ considerably. Suppose a user wants to share a file on a BitLocker-protected drive with other users over the network. What does the operating system do? First, as long as the shared file remains on the protected drive, it is still stored in encrypted form and the operating system does not decrypt it on disk. Second, as long as the user allows other users to access the shared file (implemented through authorization and authentication), those users can access it, without certificates having to be manually imported for them as with EFS. That is to say, under the BitLocker protection mechanism this authentication and authorization process is transparent to the user. This is one of the biggest improvements of BitLocker over the EFS file encryption system.

Third, special protection for the operating system partition.

The EFS encrypted file system treats system files the same as normal user files. The BitLocker protection mechanism, by contrast, takes special measures to protect system files to the greatest extent. Once the system administrator has encrypted the system partition with BitLocker, the system keeps monitoring the computer after the operating system starts, watching for disk errors, BIOS changes, changes to the startup configuration files, and so on, and can guard against the resulting security risks. If the operating system detects such errors, BitLocker automatically locks the disk drive, and the system administrator must then unlock it with a pre-set key. This measure prevents the operating system's files and configuration files from being modified without the system administrator's knowledge, which is useful for preventing Trojans, viruses, malicious programs and the like from damaging the operating system.

However, when using this protection mechanism for the operating system, you need to pay attention to two points. First, when you first enable the encryption protection mechanism on the system partition, you must create an unlock password. Otherwise, when the operating system is locked because of suspicious activity, the system administrator cannot unlock it and the files on that drive become inaccessible. So do not forget to set an unlock password for each drive when enabling BitLocker on it. Second, if a TPM chip is installed in the user's computer, the password can be stored on the chip; when the system partition is locked, BitLocker unlocks it using the password held on the chip. If Windows 7 is used as a server, fitting the server with a TPM chip and enabling BitLocker on the system partition can largely guarantee the security and stability of the server system. It can also be seen from this that Microsoft has been continuously improving the security and stability of the server.
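The two points above, carried out with the manage-bde.exe command-line tool that ships with Windows 7, as an added example that is not part of the original article: the recovery password is created first and copied off the machine, then the TPM protector is added and encryption started. It assumes an elevated PowerShell session, a TPM already enabled in firmware, and a placeholder backup path.

```powershell
# Added example (not from the original article): enable BitLocker on the
# Windows 7 system partition with a numerical recovery password plus a TPM
# protector, keep a copy of the recovery password off the machine, and verify.
# Assumptions: run as Administrator, manage-bde.exe is present, the TPM is
# enabled in firmware, and $BackupPath is a placeholder to be replaced.
$Volume     = 'C:'
$BackupPath = '\\fileserver\bitlocker-backup\recovery.txt'   # placeholder

function Get-BdeStatus([string]$Vol) {
    # manage-bde -status prints a per-volume report; return it as text.
    & manage-bde.exe -status $Vol 2>&1 | Out-String
}

function Enable-SystemDriveProtection([string]$Vol, [string]$Backup) {
    # Step 1 (the article's first caution): create the recovery password
    # before anything else, otherwise a locked drive cannot be opened.
    $out = & manage-bde.exe -protectors -add $Vol -RecoveryPassword 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "Adding recovery password failed:`n$out" }

    # Pull the 48-digit numerical password (eight groups of six digits) out
    # of the tool's output and store it away from the protected machine.
    $m = [regex]::Match($out, '(\d{6}-){7}\d{6}')
    if (-not $m.Success) { throw "No recovery password found in output:`n$out" }
    $record = "{0} {1} {2}" -f (Get-Date -Format s), $env:COMPUTERNAME, $m.Value
    Add-Content -Path $Backup -Value $record

    # Step 2 (the article's second point): bind the volume key to the TPM so
    # the drive opens normally when the boot environment is unchanged and
    # falls back to the recovery password when a change is detected.
    $out = & manage-bde.exe -protectors -add $Vol -TPM 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "Adding TPM protector failed:`n$out" }

    # Start encryption; it continues in the background across reboots.
    $out = & manage-bde.exe -on $Vol 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "Turning BitLocker on failed:`n$out" }
}

Enable-SystemDriveProtection $Volume $BackupPath
Get-BdeStatus $Volume
```

After a reboot, `manage-bde -protectors -get C:` should list both a TPM and a Numerical Password protector; if only one appears, the drive has no fallback and the first caution above applies.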

In addition, with the EFS encrypted file system, an attacker who knows an account and its password can log in to the operating system, at which point the protection provided by EFS is lost. BitLocker has improved in this regard as well. Even if an attacker knows the user's account and password, BitLocker can still take steps to protect the system files, i.e. it monitors changes to system files, and if it finds that a change poses a security risk to the operating system, it rejects the change. This is a feature that the EFS file encryption system cannot provide.

It is clear that the EFS encryption system and the BitLocker encryption mechanism differ considerably in their implementation details. BitLocker is uniquely strong at protecting system partitions, and it is more convenient for managing shared files.
