Windows 7 RTM Review: Improvements But Security Issues Remain

The RTM version of Windows 7 has plenty of improvements, according to our long review. But Andrew Garcia has concerns over its security implementation

As with Vista, Windows 7 Enterprise and Ultimate come with BitLocker full-disk encryption. BitLocker is a little easier to use on Windows 7, however.

Specifically, Vista required planning for BitLocker right at the time of OS installation because a separate boot partition was needed. Windows 7 builds the boot partition automatically and slims it down (to 100MB in Windows 7 from 1.5GB in Vista). This allows users or administrators to add full-disk encryption well after initial installation without complications.

By default, BitLocker requires that the computer have an onboard TPM (Trusted Platform Module) chip in which to store the encryption keys. Users without a TPM chip can opt to use a USB stick instead, but that will necessitate some changes in Group Policy.

I tested BitLocker on the Lenovo T60p using the laptop’s TPM chip, as well as on the Dell XPS M1330 using a USB stick for the key. Depending on the size of the hard drive and the amount of data that needs to be protected, encryption can take several hours.

It took just under an hour to protect my relatively data-free test machine and more than three hours to encrypt a half full 80GB disk. Thankfully, the encryption process can be paused midstream to accommodate a system reboot and will resume after the next boot.

Enterprise administrators will find solid controls over both BitLocker and BitLocker To Go in Group Policy that can be distributed throughout the domain.

Administrators can control cipher strength, enforce authentication types and strength, and store recovery keys within Active Directory.

Bitlocker trouble in virtual machines

In one detail of note, I found that users running Windows 7 in a virtual machine will have trouble enabling BitLocker disk encryption. (I tried this out in VMWare Workstation 6.5, in my case.)

Specifically, the hypervisor would not virtualize the TPM chip, and the OS could not recognize a USB stick early enough in the boot process to work for BitLocker. Those who want to protect data within a VM running on Windows 7 should probably look into file or folder encryption instead of full-disk protection.

With Windows 7, no longer will administrators need boot media to attempt to recover a distressed or broken Windows instance, as the new OS features a Recovery Console that is accessible simply by pressing F8 upon boot.

During tests, I found that the recovery options differed significantly for administrators and limited rights users.

As a limited rights user, I was able to kick off a diagnostic scan called StartUp Repair that automatically looks at the validity of the file system, the hard disk and the registry, then, as a last resort, offers to let the user recover to the last System Restore checkpoint.