If you’re planning to buy new laptops and want to make the most of the security features of Windows Vista

Note: The information in this post is based on the features of beta software, and so it may change before Windows Vista ships.

To make the most of Windows Vista’s advanced security features you need to ensure that new machines are TPM 1.2 compliant. TPM stands for Trusted Platform Module – details of which can be found at the TrustedComputingGroup’s website.

Whilst many new laptops are shipping with TPM support, they are generally only v1.1 compliant, and that is not enough to make the most of all the new operating system features. Over the coming months we’re likely to see more TPM 1.2 systems on the market.

If you’ve already completed your hardware refresh or don’t have the budget to do so in the near future then you can still take advantage of Windows Vista’s improved security architecture.

Windows Vista includes the capability to encrypt the entire operating system volume – this was originally termed “Secure Startup – Full Volume Encryption”. The feature has subsequently been renamed to “BitLocker”. The bulk encryption of the volume is done by the operating system; what TPM 1.2 capable hardware adds is hardware-protected storage of the volume key (the key is sealed to the TPM and only released to the boot chain it was sealed against) and hence integrity protection of the boot components before the operating system starts.

These features aim to mitigate the threat of an attacker gaining access to the data on a stolen machine simply by removing the hard drive or booting an alternative operating system instance to bypass the operating system’s access controls. The design also allows a USB memory device to be used to store the startup key. User security awareness will be required to reduce the likelihood of the USB device being left in the laptop bag, which would defeat the security benefit it could have provided.

A technical white paper on the subject is available – it was written before the name changed to “BitLocker”. There’s another useful paper which has details of how the technology will work in different usage scenarios, including key recovery and operation on systems that are not TPM 1.2 compliant.

It’s worth considering that a purely software-oriented solution can’t protect you against a physical attack (an attacker who has the machine can boot whatever they like), hence combining TPM 1.2 support AND a USB startup key is advised: the TPM ties the key to the genuine boot chain, and the USB key means the TPM on its own is not enough.
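The following is an added example (it is not Microsoft’s code and does not describe BitLocker’s actual on-disk format or key derivation) that models the threat scenarios from the two paragraphs above: a simulated TPM that extends a PCR with each measured boot component and seals a secret to that PCR value, plus three hypothetical key protectors, “tpm”, “tpm+usb” and “usb” (the non-TPM case). The boot-chain measurements, the HMAC-SHA256 keystream standing in for AES, and the protector layouts are all constructed for illustration. It shows why booting an alternative OS or moving the drive fails to release the key when a TPM is involved, and why a USB-only protector is only as safe as the USB stick left in the bag.

```python
"""Toy model of sealed-key recovery for full volume encryption (added example, not BitLocker's code)."""
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream. Toy stand-in for AES; one-time use only."""
    out = b""
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class ToyTPM:
    """Simulated TPM: a per-chip storage root key, one PCR, and seal/unseal bound to that PCR."""

    def __init__(self) -> None:
        self.srk = os.urandom(32)   # never leaves the chip; differs per machine
        self.pcr = bytes(32)        # reset to zero on power-on

    def reset(self) -> None:
        self.pcr = bytes(32)

    def extend(self, measurement: bytes) -> None:
        self.pcr = hashlib.sha256(self.pcr + measurement).digest()

    def seal(self, secret: bytes) -> dict:
        """Bind secret to the current PCR value; only the same boot chain on this chip can unseal."""
        ct = _keystream_xor(self.srk, b"seal" + self.pcr, secret)
        tag = hmac.new(self.srk, self.pcr + ct, hashlib.sha256).digest()
        return {"pcr": self.pcr, "ct": ct, "tag": tag}

    def unseal(self, blob: dict) -> bytes:
        if blob["pcr"] != self.pcr:
            raise PermissionError("PCR mismatch: boot chain differs from the one sealed against")
        expected = hmac.new(self.srk, self.pcr + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(blob["tag"], expected):
            raise PermissionError("blob was sealed by a different TPM")
        return _keystream_xor(self.srk, b"seal" + self.pcr, blob["ct"])


# Constructed measurements: what the firmware would record for a genuine and a rogue boot.
TRUSTED_BOOT_CHAIN = [b"firmware-v1", b"mbr", b"bootmgr", b"winload"]
ROGUE_BOOT_CHAIN = [b"firmware-v1", b"mbr", b"live-cd-bootloader"]


def measured_boot(tpm: ToyTPM, chain: list) -> None:
    tpm.reset()
    for component in chain:
        tpm.extend(component)


def protect_volume(tpm: ToyTPM, vmk: bytes, protector: str, startup_key: bytes = None) -> dict:
    """Produce the hypothetical protector blob stored alongside the encrypted volume."""
    blob = {"type": protector, "check": hashlib.sha256(vmk).digest()}
    if protector == "tpm":
        blob["sealed"] = tpm.seal(vmk)
    elif protector == "tpm+usb":
        inter = os.urandom(32)                      # TPM releases this only to the genuine boot chain
        kek = hashlib.sha256(inter + startup_key).digest()
        blob["sealed"] = tpm.seal(inter)
        blob["wrapped_vmk"] = _keystream_xor(kek, b"vmk", vmk)
    elif protector == "usb":
        blob["wrapped_vmk"] = _keystream_xor(startup_key, b"vmk", vmk)   # no TPM: USB key alone suffices
    else:
        raise ValueError(protector)
    return blob


def recover_vmk(tpm: ToyTPM, blob: dict, startup_key: bytes = None) -> bytes:
    """Attempt to recover the volume master key; raises PermissionError on any failure."""
    if blob["type"] == "tpm":
        vmk = tpm.unseal(blob["sealed"])
    else:
        if startup_key is None:
            raise PermissionError("USB startup key not present")
        if blob["type"] == "tpm+usb":
            kek = hashlib.sha256(tpm.unseal(blob["sealed"]) + startup_key).digest()
        else:
            kek = startup_key
        vmk = _keystream_xor(kek, b"vmk", blob["wrapped_vmk"])
    if not hmac.compare_digest(hashlib.sha256(vmk).digest(), blob["check"]):
        raise PermissionError("wrong key material")
    return vmk


def attack_outcomes() -> dict:
    """Run the post's scenarios; True means the key was recovered in that scenario."""
    owner_tpm, thief_tpm = ToyTPM(), ToyTPM()       # thief's PC has its own TPM
    measured_boot(owner_tpm, TRUSTED_BOOT_CHAIN)
    vmk, usb_key = os.urandom(32), os.urandom(32)
    blobs = {p: protect_volume(owner_tpm, vmk, p, usb_key) for p in ("tpm", "tpm+usb", "usb")}

    def attempt(tpm, blob, key):
        try:
            return recover_vmk(tpm, blob, key) == vmk
        except PermissionError:
            return False

    results = {}
    for p, blob in blobs.items():
        measured_boot(owner_tpm, TRUSTED_BOOT_CHAIN)
        results[(p, "genuine boot, usb present")] = attempt(owner_tpm, blob, usb_key)
        results[(p, "genuine boot, usb lost")] = attempt(owner_tpm, blob, None)
        measured_boot(owner_tpm, ROGUE_BOOT_CHAIN)
        results[(p, "alternative os, usb in bag")] = attempt(owner_tpm, blob, usb_key)
        measured_boot(thief_tpm, TRUSTED_BOOT_CHAIN)
        results[(p, "drive in other pc, usb in bag")] = attempt(thief_tpm, blob, usb_key)
    return results


if __name__ == "__main__":
    for (protector, scenario), got_key in sorted(attack_outcomes().items()):
        print(f"{protector:8s} {scenario:32s} key recovered: {got_key}")
```

In the model only the “usb” protector hands the key to an attacker who boots another OS or moves the drive with the stick in the bag, while “tpm” alone is defeated by nothing here except the fact that it needs no second factor at all; “tpm+usb” fails every attack and also refuses to boot without the stick, which is the usability cost the comments below discuss.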

Comments (3)

  1. Matt Dickins says:

    Excellent article, thanks very much 🙂

    Just wondering, to what extent is this just applicable to notebooks (I didn’t read it in depth – doing two things atm – so sorry if mentioned). Just am thinking towards building a desktop system geared specifically towards Vista (including an HDCP compliant monitor). Is there anything desktop wise particularly relevant to this?


  2. wigunara says:

    My guess is, using a USB key may become a security policy of the MOD or DOD, but I doubt that many other organisations will use that method and even if they do, I doubt the end-users will keep the USB key separately from the laptop.

    The secure way must also be the easy way.

  3. Steve Lamb says:

    wigunara (Will?)> Indeed the secure way must be the easy way (to quote one of the Immutable Laws of Security).

    Security is about reaching the appropriate compromise between mitigating risk AND ease of use. The best way to deal with the threat of the data falling into the wrong hands is to keep physical control over the machine – i.e. lock it up somewhere safe.