Hands-on: Windows Longhorn Server Beta 2

28.06.2006

BitLocker

The need for drive encryption has been a popular topic in a lot of security channels lately. In both Windows Vista and Longhorn Server, Microsoft has answered the call with a feature called BitLocker. BitLocker is designed especially for scenarios where a thief gains physical access to a hard drive. Without encryption, an attacker could simply boot another operating system or run a hacking tool and read the files, completely bypassing NTFS file-system permissions.

The Encrypting File System (EFS) in Windows 2000 Server and Windows Server 2003 went a step further, actually scrambling the bits on the drive, but the keys needed to decrypt the files weren't as well protected as they should have been. With BitLocker, the keys are stored either in a Trusted Platform Module (TPM) chip on the system or on a USB flash drive that you insert at boot-up.

BitLocker's coverage is certainly complete: when enabled, the feature encrypts the entire Windows volume, including user data and system files, the hibernation file, the page file and temporary files. The boot process itself is also protected by BitLocker: it creates a hash based on the properties of the individual boot files, so if one is modified or replaced by, for example, a Trojan horse file, BitLocker will catch the problem and prevent the boot. It's definitely a step up from the limitations of EFS and a significant improvement in system security over unencrypted drives.
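As an added example (not part of the original article, and not something that exists in the Longhorn Beta 2 build under review), the following PowerShell audit checks the properties the article describes on a modern Windows build: that the OS volume is fully encrypted, that protection is switched on, and that the key is bound to a TPM or an external (USB) startup key. It assumes the BitLocker and TrustedPlatformModule PowerShell modules (Get-BitLockerVolume, Get-Tpm) and an elevated prompt.

```powershell
# Added audit script, not from the original article. Assumes a modern Windows
# build with the BitLocker and TrustedPlatformModule modules; run elevated.
function Test-BitLockerOsVolume {
    [CmdletBinding()]
    param(
        # Defaults to the volume Windows booted from (e.g. "C:").
        [string]$MountPoint = $env:SystemDrive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # Normalise protector types to strings so enum/string comparisons are safe.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # The article describes two key locations: a TPM (Tpm, TpmPin, TpmStartupKey,
    # TpmPinStartupKey) or a USB startup key (ExternalKey).
    $tpmBound      = @($types -match '^Tpm').Count -gt 0
    $usbBound      = $types -contains 'ExternalKey'
    $hasRecovery   = $types -contains 'RecoveryPassword'

    $findings = @()
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume status is $($vol.VolumeStatus), not FullyEncrypted"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "Protection is $($vol.ProtectionStatus); the volume key is exposed until it is On"
    }
    if (-not ($tpmBound -or $usbBound)) {
        $findings += "No TPM or external-key protector; the key is not hardware- or token-bound"
    }
    if (-not $hasRecovery) {
        $findings += "No recovery password escrowed; a legitimate boot-file change would lock the system out"
    }
    if ($tpmBound -and $tpm -and -not $tpm.TpmReady) {
        $findings += "TPM protector configured but the TPM is not ready; boot measurements cannot seal the key"
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = ($types -join ',')
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

Test-BitLockerOsVolume | Format-List
```

A non-compliant result lists each gap separately, so it can be fed straight into a configuration baseline report.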

Device installation control