Indeed, Vista is chock-full of new security features—including a beefed-up firewall, integrated anti-spyware functionality, BitLocker drive encryption and UAC (User Account Control)—but these features will ultimately have greater benefits for consumers. For corporate customers demanding cross-platform functionality, centralized manageability and rock-solid reliability, these new features will likely be nothing more than window dressing.
eWEEK Labs has been most interested in BitLocker's potential for the enterprise, as it encrypts all the contents of the system drive—operating system and data files alike.
BitLocker tries to provide an experience that is seamless to the end user. Ideally, the decryption key is stored on a chip on the motherboard, which automatically decrypts the hard drive upon boot. Administrators can configure BitLocker to require a user-entered PIN code as well: an embedded key alone prevents a data thief from performing an offline attack from another boot drive, but it does not prevent an online brute-force attack once the drive has been automatically unlocked.
Corporations that plan to use BitLocker need to plan for it from the Vista get-go: System hard drives need to be partitioned in such a way that the boot manager and boot images are stored on a partition separate from the rest of the operating system, applications and data files. Although it is possible to repartition the drive on an existing installation, the process is not straightforward. Also, administrators need to ensure that a computer's BIOS is Vista-ready, and that it has either an on-board TPM (Trusted Platform Module) chip or supports access to a USB stick under preboot conditions.
However, at this early stage in Vista's development, the necessary level of support from hardware manufacturers is still to come. For example, although Vista comes with a generic TPM driver, we could not initially get the driver to install correctly on our Lenovo ThinkPad T60. We needed to update the BIOS to the most recent revision, and then manually locate and install the driver. According to Microsoft engineers, the T60's TPM chip did not report a device ID that Vista would recognize, so the driver would not install automatically.
With the TPM chip finally enabled, we could start the encryption process through the BitLocker configuration wizard, which asked us to archive the decryption key before initiating a system check to ensure that BitLocker would work. The wizard rebooted the machine, tested whether the key was detected and then began encrypting the entire drive.
We found the actual disk encryption process to be slow: It took more than an hour for a 30GB partition. In addition, since the encryption keys must be created on a machine-by-machine basis, it will take considerable time and administrative effort to enable a fleet of notebooks with BitLocker.
According to documentation, administrators will have to turn off BitLocker to decrypt the drive before initiating a BIOS upgrade. Simple BIOS changes can be done by temporarily disabling BitLocker, although we found that some changes—such as changing the drive boot order—did not require that step. We did note that when we booted our test machine with the Vista install CD still in the drive, we had to manually enter the recovery key to start the system, even though we chose not to actually boot from the media drive.
With a quick change to a Group Policy setting, we also could use BitLocker without a TPM chip—instead using a USB thumb drive inserted into the computer at boot time to provide the decryption key. The BIOS must be able to access the key during the boot process for this to work—something we couldn't achieve with our ThinkPad T60 but were able to do with a custom-built machine based on Advanced Micro Devices' Athlon 64 3500+ processor and an Abit motherboard.
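As an added example (not code from the article or from Microsoft), here is a PowerShell readiness check covering the prerequisites from the planning paragraph above and the no-TPM policy just described. It assumes an elevated session on a Windows host, the Win32_Tpm WMI class (present only once a TPM driver is loaded) and the EnableBDEWithNoTPM value under HKLM\SOFTWARE\Policies\Microsoft\FVE, which is where the "allow BitLocker without a compatible TPM" Group Policy setting lands.

```powershell
# Added example: audit a machine for the BitLocker prerequisites the review describes.
# Assumes an elevated PowerShell session; Win32_Tpm and the FVE policy key are real
# Windows names, the function and property names are this example's own.
function Get-BitLockerReadiness {
    $r = @{}

    # 1. TPM: Win32_Tpm only appears when the TPM driver is installed, which is
    #    exactly the hurdle the review hit on the ThinkPad T60.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    $r.TpmPresent = [bool]$tpm
    if ($tpm) {
        $r.TpmEnabled   = $tpm.IsEnabled().IsEnabled
        $r.TpmActivated = $tpm.IsActivated().IsActivated
        $r.TpmOwned     = $tpm.IsOwned().IsOwned
    }

    # 2. Policy that lets a USB thumb drive supply the startup key instead of a TPM.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                            -ErrorAction SilentlyContinue
    $r.UsbKeyWithoutTpmAllowed = [bool]($fve -and $fve.EnableBDEWithNoTPM -eq 1)

    # 3. Partition layout: the active (boot) partition holding the boot manager must
    #    not be the Windows partition, because the Windows partition is what gets encrypted.
    $systemDrive = (Get-WmiObject Win32_OperatingSystem).SystemDrive
    $bootParts   = @(Get-WmiObject Win32_DiskPartition | Where-Object { $_.BootPartition })
    $bootLetters = foreach ($p in $bootParts) {
        Get-WmiObject -Query ("ASSOCIATORS OF {Win32_DiskPartition.DeviceID='" + $p.DeviceID +
            "'} WHERE AssocClass=Win32_LogicalDiskToPartition") |
            ForEach-Object { $_.DeviceID }
    }
    # A boot partition with no letter is fine; a lettered one must differ from SystemDrive.
    $r.SeparateBootPartition = ($bootParts.Count -gt 0) -and ($bootLetters -notcontains $systemDrive)

    # 4. Bottom line: a usable TPM or the USB-key policy, plus the partition layout,
    #    before the BitLocker wizard's system check will pass.
    $r.Ready = $r.SeparateBootPartition -and
               (($r.TpmPresent -and $r.TpmEnabled -and $r.TpmActivated) -or $r.UsbKeyWithoutTpmAllowed)
    New-Object PSObject -Property $r
}

Get-BitLockerReadiness | Format-List
```

Run it on each notebook before scheduling the encryption job; a machine reporting TpmPresent as false but a BIOS update available is the T60 case the review describes.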