Take Windows 7 security technologies such as the bidirectional Windows Firewall, Windows Defender, and Windows Service Hardening; throw in good patch-management policies (that is, applying security patches as soon as they’re available); and add a dash of common sense. If you do so, your computer should never be compromised by malware while Windows 7 is running.
Windows Service Hardening is an under-the-hood Windows 7 security feature designed to limit the damage that a compromised service can wreak upon a system by implementing the following security techniques:
- All services run at a lower privilege level.
- All services have been stripped of permissions that they don’t require.
- All services are assigned a security identifier (SID) that uniquely identifies each service. This enables a system resource to create its own access control list (ACL) that specifies exactly which SIDs can access the resource. If a service that’s not on the ACL tries to access the resource, Windows 7 blocks the service.
- A system resource can restrict which services are allowed write permission to the resource.
- All services come with network restrictions that prevent services from accessing the network in ways not defined by the service’s normal operating parameters.
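The per-service SID described above is not stored anywhere; Windows derives it from the service name, which is why an ACL can name a service before it is ever installed. The following is an added example (not code from the page or from Microsoft) that reproduces that derivation and uses it the way a defender would, to map S-1-5-80 SIDs found in an ACL or event log back to service names. It assumes the documented derivation (SHA-1 over the upper-cased UTF-16LE name, five little-endian 32-bit sub-authorities); the service names MpsSvc (Windows Firewall), WinDefend (Windows Defender), wuauserv and TrustedInstaller are real Windows 7 services, while UnknownSvcXYZ is a constructed name.

```python
import hashlib
import struct

# Service SIDs live under the well-known prefix S-1-5-80 (NT SERVICE\*).
SERVICE_SID_PREFIX = "S-1-5-80"


def service_sid(service_name: str) -> str:
    """Derive the per-service SID Windows Service Hardening assigns to a service.

    Assumed derivation: upper-case the name, encode as UTF-16LE, SHA-1 it, and
    use the five little-endian 32-bit words of the digest as sub-authorities.
    Because the SID is a pure function of the name, an ACL can reference a
    service that has not been installed yet.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    sub_authorities = struct.unpack("<5I", digest)
    return "-".join([SERVICE_SID_PREFIX, *map(str, sub_authorities)])


def is_service_sid(sid: str) -> bool:
    """True if the SID is shaped like a service SID: S-1-5-80 plus 5 sub-authorities."""
    parts = sid.split("-")
    return (
        len(parts) == 9
        and "-".join(parts[:4]) == SERVICE_SID_PREFIX
        and all(p.isdigit() and int(p) < 2**32 for p in parts[4:])
    )


def resolve_service_sids(sids, candidate_services):
    """Map service SIDs seen in an ACL or event log back to service names.

    SHA-1 cannot be reversed, so the lookup hashes a candidate list (for
    example the service names from a reference build) and compares. SIDs
    that match no candidate resolve to None and deserve a closer look.
    """
    table = {service_sid(name): name for name in candidate_services}
    return {sid: table.get(sid) for sid in sids if is_service_sid(sid)}


if __name__ == "__main__":
    # Constructed sample: a short reference list, one SID from a name the
    # list lacks, and one non-service SID (BUILTIN\Administrators) to skip.
    reference = ["TrustedInstaller", "wuauserv", "WinDefend", "MpsSvc"]
    seen = [service_sid("MpsSvc"), service_sid("UnknownSvcXYZ"), "S-1-5-32-544"]
    for sid, name in resolve_service_sids(seen, reference).items():
        print(f"{sid} -> {name or 'UNRESOLVED'}")
```

On a Windows 7 machine the derived value for a given service can be compared with the output of `sc showsid <service name>`.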
However, what about when Windows 7 is not running? If your computer is stolen or if an attacker breaks into your home or office, your machine can be compromised in a couple of different ways:
Either exploit gives the attacker access to the contents of your computer. If you have sensitive data on your machine—financial data, company secrets, and so on—the results could be disastrous.
To help you prevent a malicious user from accessing your sensitive data, Windows 7 comes with a technology called BitLocker that encrypts an entire hard drive. That way, even if a malicious user gains physical access to your computer, he or she won’t be able to read the drive contents. BitLocker works by storing the keys that encrypt and decrypt the sectors on a system drive in a Trusted Platform Module (TPM) 1.2 chip, which is a hardware component available on many newer machines.
Note
To find out whether your computer has a TPM chip installed, restart the machine and then access the computer’s BIOS settings (usually by pressing Delete or some other key; watch for a startup message that tells you how to access the BIOS). In most cases, look for a Security section and see if it lists a TPM entry.
Enabling BitLocker on a System with a TPM
To enable BitLocker on a system that comes with a TPM, select Start, Control Panel, System and Security, BitLocker Drive Encryption. In the BitLocker Drive Encryption window, shown in Figure 1, click the Turn On BitLocker link associated with your hard drive.
Note
You can also use the Trusted Platform Module (TPM) Management snap-in to work with the TPM chip on your computer. Press Windows Logo+R, type tpm.msc, and click OK. This snap-in enables you to view the current status of the TPM chip, view information about the chip manufacturer, and perform chip-management functions.