1. WINDOWS 7 PRO VS WINDOWS 7 ENT
A presentation on the key differences between the two operating systems
2. Extra Features in Win 7 Ent
• BitLocker
• BitLocker To Go
• AppLocker
• Boot from VHD
• BranchCache
• DirectAccess
3. BitLocker
Available on Win 7 Enterprise and Ultimate. It is used to encrypt the HDD with 128-bit AES encryption. It is faster than other AES encryption and has low RAM requirements, since CBC mode with a 128-bit key is used for encryption.
Authentication Mechanisms
• Transparent mode: Uses the TPM chip for key storage. Releases the key to the OS loader only if the early boot files appear to be unmodified. Vulnerable to a 'cold boot' attack.
• User Authentication mode: Uses the boot loader. Requires authentication to the pre-boot environment in the form of a PIN. Vulnerable to the 'bootkit' attack but not to the 'cold boot' attack.
• USB Key mode: Uses a USB dongle containing the startup key. The BIOS must support portable USB devices at the pre-boot stage. This mode is immune to the 'cold boot' attack.
4. BitLocker Recovery Modes
• Recovery Password: A numerical key protector for recovery purposes.
• Recovery Key: An external key for recovery purposes.
• Certificate: Adds a certificate-based public key protector for recovery.
The following combinations of authentication modes are possible, and all can be recovered using the 'Recovery Key' method.
• TPM
• TPM + PIN
• TPM + PIN + USB key
• TPM + USB key
• USB key
Requirements
1. Two NTFS-formatted volumes (one for the OS and a 100 MB minimum volume from which the OS boots). This can be achieved using the DISKPART utility or the BitLocker Drive Preparation Tool.
2. An optional key can be stored in AD for recovery purposes and used for recovery with the 'BitLocker Recovery Password Viewer' for AD users. For server versions before 2008 the schema must be updated.
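The TPM + PIN combination with a numerical recovery password escrowed to AD, as an added example that is not part of the deck. It uses the built-in manage-bde tool from an elevated PowerShell prompt; the drive letter, the PIN prompt and the regex over manage-bde's output are assumptions, and it presumes the 100 MB system partition already exists and Group Policy permits the TPM + PIN protector and AD backup.

```powershell
# Added example (not from the slide deck): configure BitLocker on the OS volume in
# TPM+PIN mode (the deck's "User Authentication mode"), add a numerical recovery
# password, escrow it to AD DS, then start encryption. Run elevated on Win 7 Ent/Ult.
# Assumptions: OS volume is C:, the 100 MB boot volume exists (DISKPART or the
# BitLocker Drive Preparation Tool), and GP allows TPM+PIN and AD DS backup
# (schema extended on pre-2008 domains, as the deck notes).
$osVolume = 'C:'

# 1. TPM+PIN key protector. manage-bde prompts for the PIN interactively, so no
#    secret lands in the script or in the PowerShell history.
manage-bde -protectors -add $osVolume -TPMAndPIN
if ($LASTEXITCODE -ne 0) { throw 'Adding the TPM+PIN protector failed (is the TPM initialised and TPM+PIN allowed by GP?)' }

# 2. 48-digit numerical recovery password as the recovery protector
manage-bde -protectors -add $osVolume -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw 'Adding the recovery password protector failed' }

# 3. Find the ID of the numerical password protector. manage-bde prints a
#    "Numerical Password:" heading followed by an "ID: {GUID}" line (assumed format).
$protectors = (manage-bde -protectors -get $osVolume) -join "`n"
if ($protectors -notmatch 'Numerical Password:\s*\n\s*ID:\s*(\{[0-9A-Fa-f-]+\})') {
    throw 'Could not locate the numerical password protector ID in manage-bde output'
}
$recoveryId = $Matches[1]

# 4. Escrow that protector to Active Directory so helpdesk can recover the volume
#    with the BitLocker Recovery Password Viewer. Fails if GP/schema is not in place.
manage-bde -protectors -adbackup $osVolume -id $recoveryId
if ($LASTEXITCODE -ne 0) { throw "AD backup of protector $recoveryId failed; check the 'Store BitLocker recovery information in AD DS' policy" }

# 5. Start encrypting; a reboot and a hardware test follow before conversion runs.
manage-bde -on $osVolume

# 6. Verify: expect "Key Protectors: TPM And PIN, Numerical Password" and a
#    conversion status of Encryption in Progress / Fully Encrypted.
manage-bde -status $osVolume
```

If the AD backup step fails after the protector was added, the recovery password is still printed by `manage-bde -protectors -get C:` and should be stored out-of-band before rebooting, otherwise a failed hardware test can leave the machine unrecoverable.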
5. BitLocker Benefits to the Business
• Good degree of safety in case of laptop theft.
• Integrated with AD directly; no extra application or add-on required.
• It encrypts more than the OS partition, thus ensuring maximum security of data.
• Works in multi-boot environments.
• Flexible configuration, as GP can be used.
Limitations
• Cold boot attack while using it in TPM mode (transparent operation mode).
• Only supported on NTFS partitions and on NT-based OSes (but the BitLocker To Go Reader can run on NTFS, FAT32 or exFAT).
• Workaround possible without a TPM.
• BitLocker gives the end user local admin rights. This gives them the opportunity to turn off the encryption if desired.
6. AppLocker
This helps to prevent the use of unknown or unwanted applications within the network and helps to boost security and compliance for the organisation. It is a rule-based service with 3 main rule collections that can be configured (Executable rules, Windows Installer rules, Script rules).
AppLocker vs Other Solutions
Restriction policies can be applied with the following features:
• Specific user or group.
• Default rule action is Deny.
• Audit-only mode possible.
• Wizard to create multiple rules at once.
• Policy import or export.
• Rule collections available.
• PowerShell support.
• Custom error messages.
7. AppLocker Requirements
• Windows Server 2008 R2, Windows 7 Ult, Windows 7 Ent (Win 7 Pro can create rules but can't enforce them).
• For GP deployment, at least one computer with the Group Policy Management Console (GPMC) or the Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
• Computers to enforce the AppLocker rules created.
Rule Conditions
Rules are created either by PUBLISHER, by PATH or by FILE HASH.
Benefits
• Increased security.
• The cost of procuring third-party application lock-down apps is eliminated.
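The publisher/hash rule conditions, audit-only mode and PowerShell support from the last two slides, worked through as an added example that is not part of the deck. It uses the AppLocker module cmdlets shipped with Windows 7 Ent/Ult and Server 2008 R2; the scanned directory, the test user name and the output path are assumptions.

```powershell
# Added example (not from the slide deck): build an AppLocker policy from a reference
# machine using Publisher rules (Hash rules for unsigned files), set the Exe rule
# collection to AuditOnly, dry-run it against System32, then apply it locally.
# Assumptions: run elevated; the Application Identity service (AppIDSvc) is running,
# otherwise rules are neither enforced nor audited.
Import-Module AppLocker

# Collect publisher and hash information for the installed executables
$fileInfo = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

# Prefer Publisher rules (survive patching), fall back to Hash for unsigned binaries.
# -Optimize merges rules with the same publisher; -Xml returns the policy as text.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# Switch the Exe collection to AuditOnly: launches that would be blocked are logged as
# Event ID 8003 under Microsoft-Windows-AppLocker/EXE and DLL instead of being denied.
# Valid values are NotConfigured, AuditOnly and Enabled.
[xml]$policy = $policyXml
$exeCollection = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if (-not $exeCollection) { throw 'No Exe rule collection was generated; nothing to audit' }
$exeCollection.EnforcementMode = 'AuditOnly'
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
$policy.Save($policyPath)

# Dry run before deployment: list what a normal user could NOT run under this policy.
# Because the default rule action is Deny, OS binaries show up as DeniedByDefault until
# the default "allow %WINDIR%" rules are added; never switch to Enabled before that.
$denied = Get-ChildItem 'C:\Windows\System32\*.exe' |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User 'DOMAIN\testuser' |
    Where-Object { $_.PolicyDecision -ne 'Allowed' }
$denied | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local machine; use -Ldap to write into a GPO for domain-wide deployment
Set-AppLockerPolicy -XmlPolicy $policyPath
Write-Host "Policy applied in AuditOnly mode; $($denied.Count) System32 binaries would be denied"
```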
8. Booting from VHD
VHD (Virtual Hard Drive)
Benefits
• It can be used as a simplified backup mechanism which is also portable.
• Booting from VHD helps to test new configurations and applications before the final roll-out.
• Any malware infection only affects the virtual OS (VOS) and does not spread to the main OS.
• Native image deployment using Windows Deployment Services for workstation/server redeployment or recovery.
Limitations
• VHD size limited to 2 TB.
• EFS/NTFS compression not supported.
• Hibernation not supported.
• OS can't be upgraded.
• Cannot be nested.
• Can't be booted from a USB device.
9. BranchCache
Caches the contents of file and web servers locally at the branch office, increasing the network responsiveness of centralised applications when accessed remotely.
Modes of Operation
• Distributed Cache.
• Hosted Cache.
Benefits
• Reduced WAN link utilisation in branch offices (intranet-based HTTP and SMB traffic).
• Accelerates delivery of encrypted content (HTTPS and IPsec).
• Does not require additional equipment at the branch office and can be managed using GP.
• Caching is done by default when the round-trip latency exceeds 80 ms.
Limitations
• Depends on the caching mode: Distributed Cache requires more processing power from workstations, so performance may be affected; Hosted Cache avoids this but requires extra hardware investment.
10. DirectAccess
Enables secure connection to the office through the internet without the need for a VPN.
Advantages
• Working outside the office is easier, as there is no need for a traditional VPN.
• Remote management possible (update deployment and GP settings over the internet).
• Enhanced security and access control.
• Communicates using IPv6 over IPsec.