Note: The information in this post is based on the features of beta software and hence they may change before Windows Vista ships.
To make the most of Windows Vista’s advanced security features you need to ensure that new machines are TPM 1.2 compliant. TPM stands for Trusted Platform Module; details can be found on the Trusted Computing Group’s website.
Whilst many new laptops are shipping with TPM support, they are generally only v1.1 compliant, which does not make the most of all the new operating system features. Over the coming months we’re likely to see more TPM 1.2 systems on the market.
If you’ve already completed your hardware refresh or don’t have the budget to do so in the near future then you can still take advantage of Windows Vista’s improved security architecture.
Windows Vista includes the capability to encrypt the entire file system – this was originally termed “Secure Startup – Full Volume Encryption”. The feature has subsequently been renamed to “BitLocker”. TPM 1.2 capable hardware brings the added benefit of hardware-based encryption and additional system integrity protection prior to operating system boot.
These features aim to mitigate the threat of an attacker gaining access to the data on a stolen machine simply by removing the hard drive, or by booting into an alternative operating system instance to bypass the access control. The design allows a USB memory device to be used to store the startup key. User security awareness will be required to reduce the likelihood of the USB device being left in the laptop bag and hence defeating the security benefit it could have provided.
A technical white paper on the subject is available – it was written before the name changed to “BitLocker”. There’s another useful paper which has details of how the technology will work in different usage scenarios, including key recovery and operation on systems that are not TPM 1.2 compliant.
It’s worth considering that a purely software-oriented solution can’t protect you against a physical attack, hence combining TPM 1.2 support AND USB tokens is advised.
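As an added check (this script is not part of the original post), here is a PowerShell snippet that reports whether a machine matches the advice above: a TPM 1.2 (or newer) part present, BitLocker protection on, and a key protector that combines the TPM with a USB startup key. It assumes the Win32_Tpm WMI class, the Get-BitLockerVolume cmdlet from the BitLocker module (Windows 8 / Server 2012 and later, so not the Vista beta described here) and an elevated session.

```powershell
# Added example, not from the original post. Assumptions: Win32_Tpm exposes
# SpecVersion as a string such as "1.2, 2, 3"; Get-BitLockerVolume is available
# (Windows 8 / Server 2012 and later); the session is elevated.

$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    Write-Warning 'No TPM visible to Windows (absent, or disabled in firmware): no pre-boot integrity measurement.'
} else {
    # The first comma-separated field is the TCG spec version, e.g. "1.2" or "2.0".
    $spec = [version](($tpm.SpecVersion -split ',')[0].Trim())
    "TPM spec {0}: enabled={1} activated={2} owned={3}" -f $spec,
        $tpm.IsEnabled_InitialValue, $tpm.IsActivated_InitialValue, $tpm.IsOwned_InitialValue
    if ($spec -lt [version]'1.2') {
        Write-Warning 'TPM is older than 1.2: BitLocker cannot use it for boot integrity checks.'
    }
}

# Protector types that bind the volume key to the TPM *and* to a removable startup key.
$tpmPlusKey = 'TpmStartupKey', 'TpmPinStartupKey'

foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    "{0} status={1} protectors=[{2}]" -f $vol.MountPoint, $vol.ProtectionStatus, ($types -join ', ')

    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$($vol.MountPoint): BitLocker protection is not on; data is readable if the drive is removed."
    } elseif ($types | Where-Object { $tpmPlusKey -contains $_ }) {
        "$($vol.MountPoint): TPM + startup key protector present (matches the combined setup advised above)."
    } elseif ($types -contains 'ExternalKey') {
        Write-Warning "$($vol.MountPoint): startup key only, no TPM: no pre-boot integrity checks."
    } elseif ($types -contains 'Tpm') {
        Write-Warning "$($vol.MountPoint): TPM only: the advice above is to combine the TPM with a USB startup key."
    }
    if ($types -notcontains 'RecoveryPassword') {
        Write-Warning "$($vol.MountPoint): no recovery password protector; a lost USB key would mean lost data."
    }
}
```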