Windows Vista and Windows 7 Help » Security

How to Measure the Performance of Personal Firewalls

Tony Northrup — Thu, 13 Jan 2011 22:02:28 +0000

A question from a reader:

Hello,

I am currently a student at Liverpool John Moores University in BEng Computer and Control engineering and I have got a project to do.

The title of the project is “Performance of firewalls”, the goal is to compare the performance of different personal firewalls. I have already done a theoretical study thanks to your web page on firewalls and others books.

Now I’m faced with several problems for the practical test, because I do not know really how I can test the performances of different personal firewalls, how I can launch threats against the firewall to see his reaction, I wanted to know if you are able to guide me for carrying on my project, or when you can point me to people that could help me.

And my response (after the jump):

To test how well firewalls work, I’d get a computer with lots of vulnerabilities (such as a fresh installation of Windows XP, with no updates) and put together a suite of attacks. Install the firewall software, start Performance Monitor recording key performance statistics, and then attempt lots of bad things against it.

First, start by doing normal tasks on the computer and see how much the firewall interferes. Visit regular, safe websites, and measure how annoying the firewall is and how much it slows down the computer.

Next, start testing for vulnerabilities. For attacks across the (local) network, Nessus is good–it will attempt hundreds of attacks. There are other software packages that do automated attacks against a computer, too. Here are some:

http://sectools.org/

I suspect any firewall will block all those vulnerabilities, however.

You’ll also need to include attacks initiated from the client side, like visiting websites that automatically attempt to install malware (such as those that exploit ActiveX vulnerabilities) or trick the user into installing something. I always have a hard time finding such websites, since google blocks them from search results, but there are literally thousands out there. You might have luck by misspelling common urls (such as goolge.com).

Good luck, and let me know if there’s something else I can do to help.

Does EFS protect network shares? (70-642 certification question)

Tony Northrup — Tue, 01 Jun 2010 21:56:09 +0000

A question from a reader:

Hi,

first of all thanks a lot for your help and sorry for my english.

I bought your book in order to get the 70-642 certification, I have just finished it and may be next week I will take the exam.

There is a thing I can´t understand about EFS, so let me explain it to you.

In Chapter 11, Lesson 1, page 517 you said :

“How to share files Portected with EFS

If you need to share EFS-protected files with other users on your local computer, you need to add their encryption certificates to the file. You do not need to follow these steps to share files across a network; EFS only affects files that are accessed on the local computer because Windows automatically decrypts files before sharing them”

From your words I understand that EFS don´t affect trough shared folders and any user who has NTFS permissions to read the file will be able to read it instead it is encrypted with EFSif this user access the file trough a network share, not in local.

Later, in the Q&A section, page 524, Question number 2. The answer is D and the answer, page 618 says

“EFS affects only user who access files locally. Therefore, because the user is connecting across the network, you don not need to make any changes.”

I still understand the same, trough network connection there is no EFS protection.

But latter, I began the Practice Test included in the CD and there is a question which answer tells exactly the opposite. I make a capture of the question.

“EFS does protect files that are accessed across the network, providing an additional layer of protection to NTFS permissions.”

Maybe I´m making a mistake but I prefered to try to ask you where is the mistake, because I always thinked that EFS does protect from users without the right certificate to read the files.

Thanks a lot for your help and for all the content of the book wich has helped me to study for this exam.

Best regards.

And my response:

Sorry for the mistake. C is the only correct answer. The explanation is wrong–as the book says, EFS does nothing to protect files from network access.

I’ll send a note to the editors to add this to the errata! Thanks for letting me know.

Creating a Custom DVD or CD for Troubleshooting and Eliminating Viruses

Kurt Dillard — Fri, 12 Feb 2010 04:33:28 +0000

Ever have a friend ask you to help them repair their computer only to find that its so bloated with malware that you think they should just nuke the site from orbit? Some recent malware can be quite difficult to remove. In these sorts of situations you might try an alternative approach: boot from a CD-ROM or DVD and run the repair tools while the virus-laden operating system (OS) is offline. There are other recovery tasks most easily performed while the OS is offline, but I spend more time helping people with malware than doing anything else for them.

How to create a bootable disc? You could do it with Linux, but then you’d have to learn another OS, I prefer to stick with Windows. Besides, there are a lot of useful tools already available for Windows. You may have heard of the Windows Preinstallation Environment (Windows PE or simply PE) that has been available to computer vendors for years. Microsoft made it available to everyone a few years ago, and I’ve found it to be extremely useful. There are several ways to create a customized Windows PE disc, the simplest approach is to use the Microsoft Deployment Toolkit (MDT) that some colleagues of mine in the Solutions Accelerators Team (SAT) at Microsoft created. You’ll need several gigs of storage space to download and use everything described below, make sure you have enough room before you start!

Download and install MDT 2010, you can use the default values for the installation.
Download Windows Automated Installation Kit (AIK) for Windows 7 and burn the disc image to a DVD. Run StartCD.exe from the DVD to install the AIK on your computer. Once again, you can use the default values for the installation. This is a big file, if you have an MSDN subscription I suggest that you download it from there because the MSDN downloader can resume interrupted downloads from where they left off.
Download malware scanning tools and other utilities designed for offline use. There are a lot of free antimalware tools available, but for this troubleshooting disc you need those that will work in offline mode, I’ve been able to use Microsoft’s Malicious Software Removal Tool, Alwil Software’s avast! Virus Cleaner, and McAfee AVERT Stinger with ease.
To create a Deployment Share in MDT
1. Open Deployment Workbench from the Start Menu.
2. In the console tree expand Deployment Workbench and right-click Deployment Shares.
3. Select New Deployment Shares and specify a location for the deployment share such as C:\Deploymentshare.
4. Accept the default values for the rest of the options and complete the wizard.
You’re ready to create the troubleshooting disc, to do so
1. In the console tree expand Deployment Workbench and right-click Deployment Shares.
2. Right-click the deployment share you created in the details pane and select Properties.
3. Select the Windows PE x86 Settings tab and click Generate a Generic Windows PE WIM File.
4. Enter an Image Description such as Offline Troubleshooting.
5. Select Generate a generic bootable ISO image.
6. Enter an ISO file name such as Troubleshooting_Disc.iso.
7. Next to Extra Directory to Add enter the path to the folder where you saved the malware and troubleshooting tools in task 3.
8. Set the scratch space size to: 128.
9. Click on OK.
10. Right click on the Deployment Share and choose Update Deployment Share.
11. Click on Next two times, and then click Finish.
12. Burn the iso image file to a CD-ROM or DVD, it will be located in a directory called Boot folder in the deployment share folder, e.g. c:\Deploymentshare\Boot folder\Troubleshooting_Disc.iso.

Your troubleshooting disc is ready to go, when you boot the stricken system the system drive is X:, and you’ll find your troubleshooting tools in the root of that drive.

This brief article has only brushed the surface of what’s available in MDT, if you have to manage more than a few PCs or if you have to install Windows frequently then you should look at what else it has to offer. MDT greatly simplifies the tasks involved in creating and maintaining installation images and deploying those images to different computers.

Kurt Dillard

kurtdillard.com

Facebook LinkedIn

Reseting a Gateway Computer Password

Tony Northrup — Mon, 01 Feb 2010 19:28:39 +0000

I got this question in the comments today:

I have a gateway computer and i use apassword each and every time i turn it on so that nobody can get on it. But for some strange reason my password has either been changed or someone has been messing with my computer behind my back. It is a good computer and ive never had any trouble with it. Now the only thing that shows up on the screen is GATEWAY and ENTER PASSWORD no matter how many times i enter my password after ther 3rd time it say system disabled and i have to start all over again. What can i do? I miss my computer. That’s my pet.

Quick lecture about security–every security measure has some cost, though it might not be obvious. With passwords, or any type of authentication, part of the cost is that legitimate users will be deprived access.

First, let’s make sure you’re entering the password correctly. Make sure you’re typing the right password (I forgot my gym locker combination after more than 3 years the other day, so it does happen). Then, swap the keyboard out, or attach an external keyboard if it’s a laptop, and try again. If your keyboard isn’t working, it might prevent you from correctly entering the password.

If that doesn’t work, based on your description, it sounds your BIOS password has become corrupted.

If it’s a laptop, try unplugging it, removing all the batteries, and holding down the power key for five minutes. If it’s a desktop, unplug it, open the case, and remove the watch battery from the motherboard. Let it sit overnight without power.

This might reset the password… but probably not.Nowadays, most computers store the BIOS password in solid state storage that doesn’t lose its data without power. It’s more secure, certainly, but this is the downside of security.

On the motherboard (you might try searching the Internet for a manual), look for a CMOS reset jumper. This depends entirely on the specific computer you have, so I can’t provide more explicit directions.

Next, try Gateway’s support. Get the serial number from the back, and enter it here. Try and find the default password. You might also be able to get it from the computer’s manual, if you have it around.

Still no luck? Try some typical default passwords: admin, administrator, owner, gateway, cmos, password, 1234, 1234567890.

Hope that helped!

Dual-boot Windows Vista and Windows 7 with BitLocker Enabled for Both

Tony Northrup — Fri, 22 Jan 2010 20:20:45 +0000

Tony, I’ve set my computer up to dual-boot between Windows Vista and Windows 7, and I’ve enabled BitLocker on the Windows Vista system volume. How can I enable BitLocker for the Windows 7 volume?

Here’s a Microsoft article on how to set up dual boot with BL on both:

http://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx#BKMK_dualbootW7Vista

OK, I haven’t tried this, but I think it’ll work. I’m partially copying the steps from that TechNet article to create these:

1. Backup your computer. Seriously, if things go wrong, it won’t start. Also, make sure you have the latest Windows Vista service pack installed.

2. Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.

3. For any data drives that you want to access in both Windows Vista and Windows 7, click Turn On BitLocker, and follow the BitLocker setup process.

4. After all of the drives you want to encrypt are fully encrypted, click Start, click Control Panel, click Security, click BitLocker Drive Encryption, and then click Turn Off BitLocker on the drive Windows Vista is installed on.

5. On the dialog box that appears, click Disable BitLocker.

6. Boot Windows 7. Then, click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

7. For the drive Windows 7 is installed on, click Turn On BitLocker, and follow the BitLocker setup process.

8. After encryption is complete, click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

9. Click Manage BitLocker for the drive Windows Vista is installed on, and then click Automatically unlock on this computer. Repeat this step for any additional data drives.

10. Boot Windows Vista. Click Start, click Control Panel, click Security, and click BitLocker Drive Encryption.

11. For the drive Windows Vista is installed on, click Turn On BitLocker.

Completing this procedure will permit access to BitLocker-protected drives as follows:

When running Windows 7, you will have access to any BitLocker-protected fixed data drives and the drive Windows Vista is installed on.
When running Windows Vista, you will have access to any BitLocker-protected fixed data drives but will not be able to access the drive Windows 7 is installed on.

Let me know how it goes!

Privacy Problem with Recently Changed Folder

Tony Northrup — Mon, 30 Jul 2007 01:17:57 +0000

Question:

In the Windows Explorer window there is a folder named Searches which contains a folder named Recently Changed. This folder shows every file that I have ever recently changed. These are not shortcuts so if I try to remove this evidence of my work by deleting a file in this folder the actual file is deleted from the folder it actually sits in. I need to be able to empty the contents of this Recently Changed folder (obviously without losing any files) and then disable it permanently. This is a terrible feature that denies the main user of a computer security and privacy.Â All other users have access to the Recently Changed folder.

Your help is greatly appreciated.

Les

Answer: Hey, Les. This is an easy one–just right-click the Recently Changed folder and then click Delete.

These are saved searches, and they’re kinda useful–basically they’re shortcuts to searches that you could do manually with a little more work. Windows Vista doesn’t stop you from deleting the default ones. To find them, open My Computer, expand your username, and then expand Searches.

Since you’re concerned about privacy, you really should just create separate user accounts for every person who might use your computer, password protect your user account, and have other users log on with their own accounts when they use the computer. Otherwise, they stillcan figure out what you’ve been working on.

BitLocker without TPM

Tony Northrup — Thu, 12 Apr 2007 16:26:50 +0000

Question:

So I want to use Bitlocker, don’t have a TPM and my bios doesn’t seem to ‘see’ the usb drives in time.

Now I know I can still use bitlocker… by entering a 48 or so pin key but that’s a bit too long.
I could update my Bios but I have the latest version and when I rang Dell they didn’t think it would be updated.

There must be another answer, there are other programs out there but I have Vista, any idea for a work around?

Generic firmware for the Bios? Key stored on a CD?

It seems the USB requirement is pointless and restricting, after all the best key or password is one only in my head not on a USB drive.

Answer:

Hi, John. I’ve wondered the same thing.

First, this statement doesn’t make sense to me:

…my BIOS doesn’t seem to to ‘see’ the usb drives in time.

BitLocker isn’t built into the BIOS, it’s part of the Windows Boot Manager. The Windows Boot Manager has the ability to read file systems, including your hard disks and USB flash drives. So, if your computer supports a USB drive while Windows is loaded, it should support it for startup with BitLocker. BTW, I’ll throw in a shameless plug for Chapter 30 of the Windows Vista Resource Kit, which covers the startup process, and Chapter 15, which covers BitLocker in detail.

As you’ve figured out, if your computer doesn’t have a TPM, you have two options for starting up with BitLocker:

Inserting a USB key
Entering a 48-character recovery key

If your computer does have a TPM, you have two additional options:

Automatic startup with no user-supplied password
Entering a PIN

If your computer doesn’t have a TPM, you can’t use a PIN to startup. Technically, BitLocker could support this–after all, it supports the 48-character recovery key. But it doesn’t, and if you want it to, you’re going to have to write your own boot manager. I wish it did support it, but I can only guess that the BitLocker team felt a PIN alone wouldn’t be sufficient security. I wish they had left that decision to the users, especially considering many people simply won’t use BitLocker without that option available.

John brings up a good point in his response:

Thanks for your excellent and speedy reply, I really appreciate it.

Anyway IIRC Vista actually came up with an error that mentioned a bios upgrade (after the ubs test had failed).

I have seen something very much like the following sentence in many places:
‘The system BIOS supports both reading and writing small files on a USB flash drive in the pre-operating system environment’

with the suggestion of contacting the manufacturer.

quote from:
http://www.windowsecurity.com/articles/Best-practice-guide-how-configure-BitLocker-Part1.html

Anyway you’ve given me encouragement to try it again, got an idea…

Damn, you’re right about the firmware requirement. I wrongly assumed that Windows Boot Loader interacted with the flash drive in the same way as the OS. However, according to the official requirements:

5. BitLocker Requirements for System Firmware Support of USB Flash Drive

This section lists the BitLocker requirements for system firmware support for reading and writing files from a USB mass storage class device.

BIOS 1j

The BIOS must successfully perform a read operation on a reference USB mass storage class device.

So you’re right, the BIOS has to support a specific operation that apparently isn’t completely common. I will say that my Dell D600, which I bought in 2003 I think, supports BitLocker.

Please do let me know if you get it figured out or come up with anything else. Good luck.

Antivirus software

Tony Northrup — Thu, 25 Jan 2007 04:17:53 +0000

I hate antivirus software. It costs money, slows everything down, and prompts you with 1,000 false alarms for every real alarm.

Still, you probably need it. Information Week points us to several vendors who are offering free trials of antivirus software:

PC-cillin from Trend Micro. A beta version of PC-cillin 15.3 can be downloaded for free.

Windows Live OneCare. Free 90-day trial here.

CA, the former Computer Associates. Free CA Anti-Virus Beta For Vista here.

McAfee Total Protection For Small Business. Free beta of what’s billed as an “integrated security software as a service — providing virus, spyware, firewall, and now browser protection, as well as centralized management.”

F-Secure Anti-Virus Beta For Vista. They call their free download the “7.0 Beta”.

So, give them a shot, if you want. I think I’ll pass for now. Antivirus software is only one way to manage the risk of malware. For me, I think the built-in features like UAC and Internet Explorer Protected Mode will do enough. Also, I test any questionable software in virtual machines. If I do get bitten by malware, I’ve got nightly backups, and restores are easy to do in Vista. Basically, I’m betting that running antivirus software would waste more of my time than it would save.

Vista Visits Goggle.com

Tony Northrup — Mon, 22 Jan 2007 13:56:21 +0000

Here’s a fun video showing what can happen to an unprotected computer by visiting a malicious website:

[youtube=http://www.youtube.com/watch?v=eFdm4PxRWd4]

Nasty, right? The user isn’t guilty of anything worse than a typo. What happens if you visit the same page with Windows Vista in a completely default, unpatched state? I recorded this:

[youtube=http://www.youtube.com/watch?v=4ImuYjvNGPA]

Yep, nothing bad happens.

Window Service Hardening

Tony Northrup — Wed, 10 Jan 2007 22:06:20 +0000

Wole Moses has a great overview of Windows Service Hardening (WSH). I’ve written about this a couple of times–basically, it’s a defense-in-depth (think belt-and-suspenders; a second layer of security) that keeps services from doing something really bad even if they get compromised. So, if the Server service doesn’t normally add startup programs, WSH will block it if it ever tries to, because clearly it must be under the influence of an attacker. So, WSH doesn’t prevent a compromise, but it helps reduce the damage done after a compromise.

It might be a good reason to upgrade to Vista, but you don’t really need to know about it. You can’t configure it; it’s already setup for standard Windows services. If you’re a developer, you can use the SC.exe tool to configure WSH, but you’ll probably choose to configure it programmatically as part of service installer.

Windows Vista Security Templates

Tony Northrup — Wed, 10 Jan 2007 21:45:24 +0000

Windows XP included several security templates (.inf files that represent a computer’s security configuration), but Windows Vista includes none. Want some? Download and install the Windows Vista Security Guide.

The Windows Vista Security Guide includes several templates:

Vista Default Security. A security template that you can use to restore default security settings or compare your current settings to the default.

VSG EC Desktop, VSG EC Laptop, and VSG EC Domain. Templates that the Windows Vista Security Guide team recommends for use in enterprise environments. EC stands for Enterprise Configuration. Use this if you have a domain.

VSG SSLF Desktop, VSG SSLF Laptop, and VSG SSLF Domain. Templates that the Windows Vista Security Guide team recommends for organizations that are willing to sacrifice some functionality for improved security. SSLF stands for Specialized Security Limited Functionality. Don’t use these unless your 200 feet underground in some concrete bunker. They break stuff (like application compatibility) and you’ll spend weeks tweaking the configuration to get things to work again.

After installation, you can examine these security templates by using the Security Templates snap-in.

Follow these steps to open the security templates in the Security Templates snap-in:

Click Start and type mmc.

A blank MMC console appears. Click the File menu, and then click Add/Remote Snap-In.

From the Add Or Remove Snap-Ins dialog, double-click Security Templates. Click OK.

Right-click Security Templates and then click New Template Search Path.

In the Browse For Folder dialog, expand your user folder, Documents, Windows Vista Security Guide, GPOAccelerator Tool, and then select Security Templates (the Windows Vista Security Guide installs the templates to “C:UsersDocumentsWindows Vista Security GuideGPOAccelerator ToolSecurity Templates”). Click OK.

Click the new folder in the Security Templates snap-in, and browse through the templates.

Want to see what the Windows Vista Security Guide team recommends that’s different from your current configuration? Use the Security Configuration And Analysis Snap-in:

Create a new Microsoft Management Console (MMC) console, and add the Security Configuration And Analysis snap-in.

Right-click Security Configuration And Analysis, and then click Open Database.

In the Open Database dialog box, type a name for the new database, and then click Open.

In the Import Template dialog box, select a security template to import. Click Open.

Right-click Security Configuration And Analysis, and then click Analyze Computer Now.

In the Perform Analysis dialog box, click OK.

After the analysis is complete, examine the results by expanding the nodes contained within the Security Configuration And Analysis node. The Database Setting column shows what’s recommended in the template. The Computer Setting column shows your setting.

Copy as Path

Tony Northrup — Thu, 04 Jan 2007 05:22:08 +0000

To quickly copy the full path of a file to your clipboard, hold down the Shift key, right click a file, and then click Copy as Path. The full path to the file is placed on your clipboard.

This is particularly useful if you need to open a file that requires administrative privileges, for example a log file in the system directory. If you were to double-click the file to open it in Notepad, Notepad would give you a file not found error–because Notepad is running as a standard user (thanks to UAC) and it needs admin privileges to open the file. So, if you wanted to quickly open that protected file in Notepad, click Start, type Notepad Ctrl+V, and then press Ctrl+Shift+Enter. Then, press Alt+C to approve the UAC prompt. Ctrl+Shift+Enter runs the program from the Start menu using admin privileges.

Updating an Application to Run as an Administrator

Tony Northrup — Thu, 04 Jan 2007 03:14:47 +0000

Question:

Hi Tony,

I have been reading you vista clues and I appreciate the help.

Is there a way to run a batch file on vista to set the â€œRun as administratorâ€ on an exe.

We have a exe that is delivered to our customers monthly. The exe writes files and expects them to be were we installed the product. Of course, with vista this is not true. I can fix this problem but setting the Run as administrator.

The applications are built under XP so I can not set this property before I packages, so what I was thinking was as part of my install/update

Install the exe on vista and then run a batch program to set it as run as administrator. I can not have the customer do this manually.

Do you think this will work? Do you know how to do this?

Any help would be appreciated.

Thank you

Answer:

Your best bet is probably to add a manifest to your application, and release it as an update (a batch file could just replace the .exe, if you’re determined to go that route). To add a manifest to existing applications, use the Application Compatibility Toolkit (ACT). You might be able to figure out a way to script the ACT, but then again, it might not be worth the effort.

That’s still not a great answer, because it requires your users to have administrative credentials (which they won’t in many organizations). For the best answer, use the Standard User Analyzer tool, to diagnose issues that would prevent a program from running properly as a standard user. Then, fix your app to work as a standard user. Your customers will appreciate it.

Good luck.

Tony

Always Run a Batch File as an Administrator

Tony Northrup — Sun, 17 Dec 2006 19:22:28 +0000

You can run a command prompt or any application as an administrator by right-clicking it and then clicking Run As Administrator. If you have a batch file that you need to always run as an administrator, follow these steps so it runs with the proper privileges every time:

1. In Explorer, right-click the batch file and then click Create Shortcut.

2. Rename the new shortcut to something useful, such as “filename-admin rights.bat”.

3. Right-click the new shortcut, and then click Properties.
2. On the Shortcut tab, click the Advanced button.

3. Select the Run as administrator checkbox.

4. Click OK twice.

Now, when you double-click the batch file, UAC will prompt you for administrative privileges. You can use a similar technique to always run the command prompt as administrator, or to always run an application as administrator.

Always run a command prompt as Administrator

Tony Northrup — Sat, 16 Dec 2006 01:30:37 +0000

You can run a command prompt or any application as an administrator by right-clicking it and then clicking Run As Administrator. If you always run an app as an administrator, you can usually change a setting to automatically elevate privileges.

You have to follow different steps to always run the command prompt as an administrator:

1. Click Start. Type Command. Right-click Command Prompt, and then click Properties.

2. On the Shortcut tab, click Advanced.

3. Select the Run as administrator checkbox.

4. Click OK twice.

Now, when you launch a command prompt from the Start menu, UAC will prompt you for administrative privileges.

Enable BitLocker without a TPM

Tony Northrup — Wed, 13 Dec 2006 18:23:18 +0000

Vista tells you it needs a TPM for BitLocker, but it lies. Follow these steps to enable BitLocker without a TPM:

1. Open the group policy editor by clicking Start, typing gpedit.msc, and then pressing Enter.

2. Navigate to Computer ConfigurationAdministrative TemplatesWindows ComponentsBitLocker Drive Encryption.

3. Double-click Control Panel Setup: Enable Advanced Startup Options.

4. Click Enable. Then, select the Allow BitLocker Without A Compatible TPM checkbox.

5. Click OK.

Now, you can enable BitLocker without a TPM.

Setup BitLocker after Installing Windows

Tony Northrup — Wed, 13 Dec 2006 18:16:24 +0000

BitLocker is a Windows Vista security feature that encrypts an entire hard disk (technically, a volume) to protect your data if someone steals your entire computer. If you see, â€œThe drive configuration is unsuitable for BitLocker Drive Encryption. To use BitLocker, please re-partition your hard drive according to the BitLocker requirements.â€, it means you need two partitions (a partition is a smaller section of your hard disk). As shown in the figure above, BitLocker needs a small, 1.5GB â€œactiveâ€ partition to store the Windows Boot Manager, which basically decrypts your BitLocker-protected partition so Windows can start. The main partition, your C: drive, is the BitLocker encrypted one with your personal files, the paging file, and everything that needs to be encrypted.

Instructions after the jump.

Microsoft promises to release a tool to repartition your hard disk for BitLocker. In the meantime, follow these high-level steps to repartition your disk:

1. BACKUP YOUR COMPUTER. Your messing with your disk here, and if things go wrong, it won’t start. Don’t take chances. After the backup, ensure that your C: drive has at least 1.5 GB free space. If necessary, use the Disk Cleanup Wizard to free space.
2. Open the Computer Management console by clicking Start, right-clicking Computer, and then clicking Manage.
3. Right-click the C: drive and then click Shrink Volume. Configure the Shrink dialog to reduce the size of the C: drive by at least 1.5 GB. Then, click Shrink.
4. After shrinking the C: drive, right-click the new, empty volume in the Disk Management snap-in, and then click New simple volume.
5. Use the New Simple Volume wizard to format the volume with NTFS.
6. The formatting might take several minutes. Afterwards, you will have the two partitions necessary to use BitLocker. However, the smaller partition must be marked as active. Right-click it, and then click Mark partition as active.
7. After changing the active partition, Windows will no longer start. Restart the computer from the Windows Vista DVD (the computer must be configured to start from CD/DVD), and start setup. When prompted, click Repair your computer.

8. Startup Repair will automatically detect a problem. When prompted, click Repair and restart, and then restart your computer from the Windows Vista DVD. If Startup Repair does not automatically detect a problem, continue to the next step.
9. When prompted, click Repair Your Computer. This time, manually launch Startup Repair from the System Recovery Options. Startup Repair will detect that the Active Partition does not have the boot manager installed, and copy the required files to the active partition. Remove the Windows Vista DVD and restart your computer normally.

Now, the computer has a small boot partition separate from the system partition, which meets the disk partitioning requirements for BitLocker.

BitLocker Overview

Tony Northrup — Wed, 13 Dec 2006 18:00:52 +0000

BitLocker is a Windows Vista security feature that encrypts an entire hard disk (technically, a volume) to protect your data if someone steals your entire computer. Unfortunately, in the event of disk corruption, it can make your computer more difficult to fix and might prevent you from recovering your data–so it’s really important to do nightly backups if you enable BitLocker. Because of this, it’s not right for most people; you only need it if the privacy of your data is really important.

More after the jump

Only the following editions of Windows Vista support BitLocker:

Enterprise Edition

Ultimate Edition

If you have a Home or Starter edition, you can’t use it (but you probably don’t want it).

When you start your computer, BitLocker need to verify your computer’s integrity (to make sure the hard disk hasn’t been removed and put into a different computer) and, optionally, your identity (to make sure someone hasn’t stolen your computer). You have the following startup security options:

TPM Only. Verifies that the hard disk is in your computer and that your system files are intact. This requires that your computer has a TPM chip, which is primarily offered on newer computers.

PIN. At startup, BitLocker prompts you to enter a PIN to identify yourself before Windows starts. This also requires that your computer has a TPM chip.

USB key. At startup, BitLocker prompts you to insert a USB flash drive that you have stored a secret key on. Windows won’t start unless you insert the USB key, so if someone steals your computer but not your USB key, they can’t get to your files. Of course, if you lose your USB key, you’re out of luck, too, so you’d better keep a backup. Try keeping the USB key on your keychain so you won’t lose it and a thief isn’t likely to steal both your computer and the USB key. This is the only option available if your computer doesn’t have a TPM.

Follow these steps to get start with BitLocker:

1. Click Start, and then click Control Panel.

2. Click Security.

3. Then, under BitLocker Drive Encryption, click Protect your computer by encrypting data on your disk.

This opens the BitLocker Drive Encryption window. Odds are, you’ll see a couple of different warnings saying you’re not ready to use BitLocker. Don’t freak, we can work around these.

If you see, “The drive configuration is unsuitable for BitLocker Drive Encryption. To use BitLocker, please re-partition your hard drive according to the BitLocker requirements.”, it means you need two partitions (a partition is a smaller section of your hard disk). BitLocker needs a small, 1.5GB “active” partition to store the Windows Boot Manager, which basically decrypts your BitLocker-protected partition so Windows can start. If this isn’t making sense, don’t sweat it–it’s not too late to configure your disk partitions for BitLocker.

If you see, “A TPM was not found. A TPM is required to turn on BitLocker. If your computer has a TPM, then contact the computer manufacturer for BitLocker-compatible BIOS”, it means that either your computer doesn’t have a TPM or it’s not setup. First, check your computer manufacturer’s website for a BIOS update (that’s a good thing anyway). Then, restart your computer and enter the BIOS setup–TPMs are often disabled by default, and you might need to turn it on (I did for my Dell D820). If you don’t see anything about a TPM in your BIOS, you probably don’t have one. Good news: the message lies–a TPM is not required to turn on BitLocker. Read these instructions to enable BitLocker without a TPM.

If you see, “Turn on BitLocker”, your computer is setup properly. Click that to get started, and initialize your TPM if needed. Then, follow these steps:

1. On the Set BitLocker Startup Preferences dialog, select your authentication choice.

2. If you chose to use a USB key, the Save Your Startup Key dialog appears. Select the startup key and then click Save.

3. On the Save The Recovery Password page, choose the destination to save your recovery password. The recovery password is a small text file containing brief instructions, a drive label and password ID, and the 48-digit recovery password. The choices are a USB drive, a local or remote folder, or to print the password. You can repeat this step to save to multiple locations. Keep the recovery passwords safeâ€”anyone with access to the recovery password can bypass BitLocker security. Click Next.

4. On the Encrypt The Volume page, select the Run BitLocker System Check checkbox, and then click Continue. Click Restart Now and after restarting BitLocker will ensure that the computer is fully compatible and ready to be encrypted.

5. BitLocker displays a special screen confirming that the key material was loaded. Now that this has been confirmed, BitLocker will begin encrypting the C: drive after Windows Vista starts and BitLocker will be enabled. You can use your computer while BitLocker encrypts your drive.

Make User Account Control (UAC) Less Annoying

Tony Northrup — Tue, 12 Dec 2006 18:48:13 +0000

User Account Control (UAC) prompts you before an application makes an important change to your computer that requires administrative privileges. By default, the UAC prompt appears on the “secure desktop”, which freezes and darkens your screen. By freezing your screen, secure desktop makes it more difficult for another application to impersonate Windows and trick you into typing your administrator password into a fake UAC prompt.

The flashing screen is distracting, and slows things down a bit. To turn off the flashing without completely disabling UAC, follow these steps (after the jump):

1. Click Start, type Secpol.msc, and then press Enter. The secure desktop appears (for the last time!). Then, the Local Security Policy console appears.

2. Expand Local Policies and then click Security Options.

3. In the right pane, scroll to the bottom. Then, double-click User Account Control: Switch To The Secure Desktop When Prompting For Elevation.

4. Click Disabled, and then click OK.

The change takes effect immediately. There is no need to restart. Now, the UAC prompt appears like any other window. This slightly reduces the security of your computer, but it might be worth it to make UAC more convenient.

Antivirus software for Windows Vista

Tony Northrup — Fri, 08 Dec 2006 05:17:26 +0000

Vista includes Windows Defender, which is antispyware software. Unfortunately, Windows Defender doesn’t protect you from viruses, worms, and Trojan horses, which are the nastiest types of malicious software. They’re the ones that cause all the damage and can really make your computer unusable.

Antivirus software designed for Windows XP won’t work on Windows Vista. Currently, all the antivirus companies (including Microsoft OneCare) are updating their software to run on Vista, and most of them have beta versions available. For more information about antivirus software, check CNet.