Many of the security features in Microsoft Windows Vista are designed to protect your computer from attack by individuals accessing the computer over the network or from the Internet. When the attacker is in your home or office, however, most of these remote access security features fall short in protecting your data. If someone can boot your computer to another operating system, that person could change your computer’s configuration or make other unapproved modifications. He or she could also gain access to your most sensitive data. To protect your data from individuals who have direct access to your computer, Windows Vista includes Trusted Platform Module Services architecture and BitLocker Drive Encryption. Together these features ensure that your computer is protected from many types of attacks by individuals who have direct access to your computer.
This book was written using the Windows Vista Beta to provide an early introduction to the operating system. More so than any other area of Windows Vista, the security features discussed in this book are subject to change. Some of these features might not be included in the final product, and some of the features might be changed substantially.
Both Microsoft Windows XP and Windows Vista include the Encrypting File System (EFS) for encrypting files and folders. Using EFS, you can protect your sensitive data so that it can be accessed only by using your public key infrastructure (PKI) certificate. Encryption certificates are stored as part of the data in your user profile. As long as you have access to your profile and the encryption key it contains, you can access your files.
While EFS offers excellent protection for your data, it doesn’t safeguard the computer from attack by someone who has access to the console. In a situation where you’ve lost your computer, your computer has been stolen, or an attacker is logging on to your computer, EFS might not protect you, because the unauthorized user might be able to gain access to the computer before it starts up. He could then access the computer from another operating system and change your computer’s configuration. He might then be able to hack into your account so that he can log on as you or configure the computer so that he can log on as a local administrator. Either way, the unauthorized user could eventually gain full access to your computer and your data.
To seal a computer from physical attack and wrap it in an additional layer of protection, Windows Vista includes the Trusted Platform Module Services architecture. Using Trusted Platform Module Services architecture, you can create a trusted platform that has enhanced security and within which your computer’s data is protected even when the operating system is offline. This section explains how the Trusted Platform Module Services architecture does this and how you can use it.
In Windows Vista, Trusted Platform Module Services provide the infrastructure necessary to take advantage of Trusted Platform Module (TPM) Security Hardware. Trusted Platform Module Services protect a computer by using a dedicated hardware component called a TPM. A TPM is a microchip that is usually installed on the motherboard of a computer, where it communicates with the rest of the system by using a hardware bus. Computers running Windows Vista can use a TPM to provide enhanced protection for data, to ensure early validation of the boot file’s integrity, and to guarantee that a disk has not been tampered with while the operating system was offline.
A TPM has the ability to create cryptographic keys and encrypt them so that they can be decrypted only by the TPM. This process, which is referred to as wrapping or binding, protects the key from disclosure. A TPM has a master wrapping key called the Storage Root Key (SRK), which is stored within the TPM itself to ensure that the private portion of the key is secure.
Increasingly, new business computers have TPMs installed. Computers that have a TPM can create a key that has not only been wrapped but also sealed. The process of sealing the key ensures that the key is tied to specific platform measurements and can be unwrapped only when those platform measurements have the same values that they had when the key was created, and this is what gives TPM-equipped computers increased resistance to attack.
Because a TPM stores private portions of key pairs separately from memory controlled by the operating system, keys can be sealed to the TPM to provide absolute assurances about the state of a system and its trustworthiness. TPM keys are unsealed (or decrypted) only when the integrity of the system is intact. Further, because the TPM uses its own internal firmware and logical circuits for processing instructions, it does not rely on the operating system and is not subject to external software vulnerabilities.
The TPM can also be used to seal and unseal data that is generated outside of the TPM, and this is where the true power of the TPM lies. In Windows Vista, the feature that accesses the TPM and uses it to seal your computer is called BitLocker Drive Encryption.
When you use BitLocker Drive Encryption and a TPM to seal the boot manager and boot files of a computer, the boot manager and boot files can be unsealed only if they are unchanged since they were last sealed. This means that you can use the TPM to validate a computer’s boot files in the pre-operating system environment. When you seal a hard disk by using the TPM, the hard disk can be unsealed only if the data on the disk is unchanged since it was last sealed. This guarantees that a disk has not been tampered with while the operating system was offline.
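The sealing behavior described above can be modeled in a few lines. This is an added example, not code from the book or from Windows: `SimulatedTPM`, `boot`, and `demo` are hypothetical names, the boot files and key are constructed sample values, and the XOR keystream and HMAC check are simplified stand-ins for a real TPM's internal cryptography.

```python
import hashlib, hmac, os

class SimulatedTPM:
    """Toy model of sealing; not a real TPM interface or real TPM cryptography."""
    def __init__(self):
        self._srk = os.urandom(32)   # stand-in for the Storage Root Key; never exported
        self.pcr = bytes(20)         # one platform-measurement register, zero at power-on

    def reset(self):
        self.pcr = bytes(20)         # a reboot restarts measurements; the SRK persists

    def extend(self, component: bytes):
        """Fold a boot component into the register: new = H(old || H(component))."""
        self.pcr = hashlib.sha1(self.pcr + hashlib.sha1(component).digest()).digest()

    def _stream(self, nonce: bytes, n: int) -> bytes:
        # Keystream depends on the SRK and on the current measurement value.
        return hashlib.shake_256(self._srk + nonce + self.pcr).digest(n)

    def seal(self, secret: bytes) -> dict:
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(secret, self._stream(nonce, len(secret))))
        tag = hmac.new(self._srk, nonce + self.pcr + ct, hashlib.sha256).digest()
        return {"nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob: dict) -> bytes:
        want = hmac.new(self._srk, blob["nonce"] + self.pcr + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(want, blob["tag"]):
            raise PermissionError("platform measurements differ from those at seal time")
        ks = self._stream(blob["nonce"], len(blob["ct"]))
        return bytes(a ^ b for a, b in zip(blob["ct"], ks))

def boot(tpm: SimulatedTPM, components: list) -> None:
    tpm.reset()
    for c in components:
        tpm.extend(c)

def demo():
    tpm = SimulatedTPM()
    good = [b"boot manager v1", b"boot loader v1"]   # constructed sample boot files
    boot(tpm, good)
    blob = tpm.seal(b"0123456789abcdef")             # constructed sample volume key
    boot(tpm, good)                                  # unchanged boot files: unseal works
    same = tpm.unseal(blob) == b"0123456789abcdef"
    boot(tpm, [b"boot manager v1 (modified)", b"boot loader v1"])
    try:
        tpm.unseal(blob)
        tampered_ok = True
    except PermissionError:                          # changed boot file: key stays sealed
        tampered_ok = False
    return same, tampered_ok
```

Calling `demo()` returns `(True, False)`: the key is released after an unmodified boot and withheld once any measured boot file differs.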