S 2.442 Use of Windows Vista and Windows 7 on mobile systems
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: User
The use of a mobile computer entails the typical threats resulting from mobile use. When using Windows Vista and Windows 7 on laptops, as on all mobile computers, module M 3.3 Laptops must be taken into account. Windows Vista and Windows 7 provide their own mechanisms for data encryption, data backup, and locally installed firewalls. We make the following recommendations for these areas.
Data encryption
Mobile computers are often located in environments offering a significantly lower level of security than a protected office environment. For this reason, any data stored on the mobile computer requiring protection should be encrypted (see also S 4.29 Use of an encryption product for portable IT systems). In addition to a series of products offered by third-party manufacturers, the mechanisms integrated into Windows Vista and Windows 7 can also be used for encryption:
- BitLocker Drive Encryption can be used on the Enterprise and Ultimate editions of Windows Vista and Windows 7 to encrypt hard drive partitions (see S 4.337 Use of BitLocker drive encryption).
In Windows Vista without SP1, BitLocker only encrypts the boot partition. Additional partitions, such as a user's data partition, can only be encrypted in Windows Vista SP1 and Windows 7 and higher. The administrator can configure one of four procedures for authenticating the user to BitLocker while Windows Vista or Windows 7 is starting up: "No authentication", "PIN", "USB stick", and "PIN and USB stick" ("PIN and USB stick" is only available in Vista SP1 and Windows 7 or higher). The "No authentication", "PIN", and "PIN and USB stick" procedures assume that the mobile computer has a TPM (Trusted Platform Module) installed. When used together with a TPM, BitLocker can also ensure system integrity during the boot process.
- EFS (Encrypting File System) can be used to encrypt individual files and/or directories (see S 4.147 Secure use of EFS under Windows).
- Encryption of the offline files
Offline files are basically copies of documents found on a share in the network. They are stored in a database on the local computer so that the documents can still be accessed even when the share is not accessible over the network. The possibility of encrypting these offline files was introduced in Windows XP.
The entire storage area used for offline files, which contains files from every user, is encrypted using a computer-specific key. The encryption is transparent to the user and can only be enabled and disabled by an administrator.
In any case, it is recommended to use BitLocker. Using EFS in addition to BitLocker makes sense when BitLocker is used on a Windows Vista system without SP1, where only the boot partition can be encrypted. Using EFS in addition is also recommended when the data requiring protection on the mobile computer should remain encrypted while the mobile computer running Windows Vista or Windows 7 is turned on. BitLocker offers no protection once the computer has been turned on and booted. EFS, in contrast, keeps individual files and directories encrypted as long as they are not in use. While a user works on files or drives protected by EFS, however, the data is available in unencrypted form there as well.
When running Windows Vista without SP1, it is recommended to use the function for encrypting offline files in addition to BitLocker if the local folder for offline files has been moved from the boot partition to another partition on the mobile computer.
The strategy used to protect the data stored on a mobile computer (BitLocker, Windows Vista or Windows 7 EFS, offline file encryption, or encryption using a third-party product) must be specified based on the specific circumstances and on a case-by-case basis, if necessary.
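The following PowerShell script is an added example and is not part of S 2.442 or of any Microsoft tool. It audits the encryption state described above on a single mobile computer: for every volume it reads the BitLocker protection status and the configured key protectors through the Win32_EncryptableVolume WMI class that ships with BitLocker on Windows Vista and Windows 7, warns about volumes that are unprotected or protected by the TPM alone (the "No authentication" procedure), and then checks whether the files in a data folder carry the EFS Encrypted attribute. The path in $DataFolder is an assumed example value; the script must run in an elevated PowerShell session (PowerShell 2.0 is sufficient).

```powershell
# Added example (not from S 2.442): audit BitLocker and EFS on a Windows Vista/7 laptop.
# Requires an elevated session; Win32_EncryptableVolume is only present where BitLocker exists.

$DataFolder = 'D:\Data'   # assumed: folder holding the data that requires protection

# Key protector types as returned by Win32_EncryptableVolume.GetKeyProtectorType
$ProtectorNames = @{
    0 = 'Unknown'; 1 = 'TPM only (no pre-boot authentication)';
    2 = 'External key (USB startup key)'; 3 = 'Numerical password (recovery)';
    4 = 'TPM and PIN'; 5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key';
    7 = 'Public key'; 8 = 'Passphrase'
}
$PreBootAuth = 2, 4, 5, 6   # protector types that demand a PIN and/or USB stick at boot

$volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class 'Win32_EncryptableVolume'
if (-not $volumes) {
    Write-Warning 'BitLocker is not available on this system (edition or feature missing).'
}

foreach ($vol in $volumes) {
    # ProtectionStatus: 0 = protection off, 1 = protection on, 2 = unknown
    $status = $vol.GetProtectionStatus().ProtectionStatus
    $types  = @()
    $ids    = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
    foreach ($id in @($ids | Where-Object { $_ })) {
        $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
    }
    $names = ($types | ForEach-Object { $ProtectorNames[$_] }) -join ', '
    if (-not $names) { $names = 'none' }
    $drive = $vol.DriveLetter

    if ($status -ne 1) {
        Write-Warning "$drive is NOT protected by BitLocker (protectors: $names)"
        if ($drive -ne $env:SystemDrive) {
            Write-Output "  Note: data partitions need Vista SP1 or Windows 7 for BitLocker; use EFS otherwise."
        }
    } elseif (-not ($types | Where-Object { $PreBootAuth -contains $_ })) {
        # "No authentication": the TPM releases the key without a PIN or USB stick
        Write-Warning "$drive is protected with TPM only; no PIN or USB startup key is required at boot."
    } else {
        Write-Output "$drive is protected by BitLocker ($names)"
    }
}

# EFS: list files under $DataFolder that lack the Encrypted attribute
if (Test-Path $DataFolder) {
    $encryptedFlag = [int][IO.FileAttributes]::Encrypted
    $plain = Get-ChildItem -Path $DataFolder -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and
                       (([int]$_.Attributes -band $encryptedFlag) -eq 0) }
    if ($plain) {
        Write-Warning ("{0} file(s) under {1} are not EFS-encrypted" -f @($plain).Count, $DataFolder)
        $plain | Select-Object -First 10 | ForEach-Object { Write-Output "  $($_.FullName)" }
    } else {
        Write-Output "All files under $DataFolder are EFS-encrypted."
    }
} else {
    Write-Output "Data folder $DataFolder not found; EFS check skipped."
}
```

The protector check matches the page's authentication procedures: a volume whose only non-recovery protector is of type 1 corresponds to "No authentication", types 4, 5 and 6 to "PIN", "USB stick" and "PIN and USB stick" with a TPM, and type 2 to a USB startup key without a TPM. The EFS check is a simple attribute scan; it tells you which files are still plaintext, not whether the right user certificate was used.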
Data backups
To avoid irretrievable losses of data, regular backups of the data must be made. More detailed information on data backups can be found in S 6.32 Regular data backup.
In Windows Vista or Windows 7, it is possible to back up individual files and to create complete images of partitions (see S 6.78 Data backup under Windows clients).
If the data backup is configured to store the backups on network drives, then backups can only be made when the mobile computer is connected over a network to the backup server. For this reason, it is necessary to schedule the data backups accordingly.
Removable media can be used for data backups. If the use of removable media is planned, it must be possible to access the removable media both to back up the data and to restore it. This must be taken into account when technically implementing access restrictions for removable media (see S 4.339 Prevention of unauthorised use of removable media under Windows Vista and Windows 7).
The data backup strategy for a mobile computer (backup of individual files, Windows Complete PC Backup image, or the use of a third-party product as well as the backup times and storage locations) must be specified based on the specific circumstances and on a case-by-case basis, if necessary.
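The following script is an added example and is not part of S 2.442. It shows one way to implement the scheduling point made above: a scheduled task runs it at fixed times, and the script backs up the data partition with wbadmin (the command-line interface to Windows Backup on Vista and Windows 7) only when the backup server is actually reachable; otherwise it falls back to an approved removable drive if one is attached, and if neither is available it logs the fact and exits so that the next scheduled run retries. The server name, share, data drive letter, marker file name and log path are assumed example values, and the removable drive must remain accessible to the backup task under the access restrictions of S 4.339.

```powershell
# Added example (not from S 2.442): scheduled backup of a laptop's data partition.
# Run as a scheduled task with sufficient rights; all names below are assumed values.

$BackupServer  = 'backup01.example.internal'                    # assumed backup server
$NetworkTarget = "\\$BackupServer\backups\$env:COMPUTERNAME"     # assumed share layout
$DataVolume    = 'D:'                                           # assumed data partition
$MarkerFile    = 'BACKUP_TARGET.txt'      # assumed: marks the removable drive approved for backups
$LogFile       = "$env:ProgramData\MobileBackup.log"

function Write-Log([string]$Message) {
    "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message |
        Out-File -FilePath $LogFile -Append
}

function Find-RemovableTarget {
    # Win32_LogicalDisk DriveType 2 = removable disk; only a drive carrying the marker file counts
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { $_.DeviceID } |
        Where-Object { Test-Path "$_\$MarkerFile" } |
        Select-Object -First 1
}

$target = $null
if (Test-Connection -ComputerName $BackupServer -Count 1 -Quiet) {
    $target = $NetworkTarget
    Write-Log "Backup server reachable; using network target $target"
} else {
    $removable = Find-RemovableTarget
    if ($removable) {
        $target = $removable
        Write-Log "Backup server not reachable; using approved removable drive $removable"
    }
}

if (-not $target) {
    Write-Log 'No backup target available (offline and no approved removable drive); retry at next run.'
    exit 1
}

# wbadmin backs up the whole data volume; -quiet suppresses the interactive confirmation
$cmd = "wbadmin start backup -backupTarget:$target -include:$DataVolume -quiet"
Write-Log "Running: $cmd"
cmd.exe /c $cmd
Write-Log "wbadmin finished with exit code $LASTEXITCODE"
exit $LASTEXITCODE

# Registering the task (one line, run once as administrator; path is an assumed value):
#   schtasks /Create /TN "MobileBackup" /SC DAILY /ST 12:00 /RU SYSTEM
#     /TR "powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\MobileBackup.ps1"
```

Because the task fires at fixed times regardless of where the laptop is, the reachability check is what turns the schedule into "back up whenever the computer happens to be on the institution's network"; the log file makes it visible when a laptop has gone for days without a successful run.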
Locally installed firewall
In contrast to stationary desktop computers installed in the institution, it is possible with mobile computers to connect directly to the Internet. It is essential in this case to protect the mobile computers using locally installed firewalls.
The Windows firewall in Windows Vista and Windows 7 offers a combination of a "personal firewall" and an IPSec gateway. The firewall can be configured using the Windows Security Center. In Windows 7 and higher, the firewall can also be configured in the Action Center under Security. For Windows Vista and Windows 7, there is a snap-in available for the MMC management console (mmc.exe) that offers significantly more detailed configuration options for the Windows firewall. A snap-in is a component that extends the functionality of a console for certain administrative tasks.
The Windows firewall can check outgoing as well as incoming data traffic. By default it blocks all incoming data traffic except for the configured exceptions (whitelist approach) and allows all outgoing data traffic except for the traffic configured as an exception (blacklist approach).
The default settings of the Windows firewall depend on the edition of Windows Vista or Windows 7. In Windows Vista and Windows 7 Enterprise and in Windows Vista Business and Windows 7 Professional, only a few ports are open in the Windows firewall. In Windows Vista Ultimate and Windows 7 Ultimate, in contrast, numerous local Windows services can be accessed from outside.
The Windows Firewall uses the Network Location Awareness (NLA) service available in Windows. The administrator can configure his own policies for the Windows Vista or Windows 7 firewall for every network environment (also referred to as network location types). Windows Vista and Windows 7 can detect three network environments: Domain (in Windows 7 and higher, Domain Network), Public and Private. If a Windows Vista or Windows 7 client connects to a network for the first time, then Windows Vista or Windows 7 asks the user what type of network environment is present. However, the user must have administrative privileges in this case. If the user does not have administrative privileges, then Windows Vista and Windows 7 select Public as the network environment. If the network is a domain with the Windows Vista or Windows 7 client as a member, then Windows Vista and Windows 7 automatically select the Domain/Domain Network network environment.
Once a network has been classified, it is recognised automatically by the NLA service based on various criteria such as the MAC address of the default gateway. Only users with administrative authorisations are able to change the classification or modify the response of the Windows firewall to a certain network classification.
The following default settings determine the default response of the Windows firewall for the Domain, Public, and Private network environments.
The following applies for a Domain network environment:
- The Windows firewall is enabled.
- The Windows firewall obtains the policy settings from the Active Directory domain.
- The configuration of the network detection function and the file and printer sharing settings are based on the group policies downloaded from the Active Directory domain.
The following applies for a Public network environment:
- The Windows firewall is enabled.
- Network detection (NLA) is disabled.
- Every file and printer share is disabled, including shared removable media.
The following applies for a Private network environment:
- The Windows firewall is enabled.
- Network detection (NLA) is enabled.
- Every file and printer share is disabled, including shared media.
In all probability, mobile computers will be able to access networks in different environments. Typical network environments include the institution's own LAN, a LAN at a home workplace, or the Internet access available over a public wireless LAN hotspot. Windows Vista and Windows 7 support the automatic detection of a network environment and use different sets of firewall rules depending on the current network environment. If the users will be allowed to use this feature, then they must have administrative rights to access a network for the first time. In this case, the user must also have received proper training on how to assign the right network environment and, if necessary, on how to change the sets of firewall rules.
The strategy for the use of the local firewall on a mobile computer (network environment-dependent rule sets, ability of the users to specify the network environment) must be specified based on the specific circumstances and on a case-by-case basis, if necessary. In this context, it should be checked whether the Windows firewall provides the required protection even in more complex scenarios such as in connection with a Virtual Private Network (VPN), or if a product by a third-party manufacturer has to be used.
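The following script is an added example and is not part of S 2.442. It illustrates the network-environment handling and the firewall defaults described above: through the HNetCfg.FwPolicy2 COM interface of the Windows firewall (available on Windows Vista and Windows 7) it reports which network location types (Domain, Private, Public) are currently active, whether the firewall is enabled in each of the three profiles, and what the default inbound and outbound actions are; deviations from the expected baseline (firewall on, inbound blocked by default) are listed. With -Enforce it restores that baseline for all profiles using netsh advfirewall. The script has to run in an elevated session; the -Enforce switch and the findings format are assumptions of this example.

```powershell
# Added example (not from S 2.442): per-profile Windows firewall check for Vista/7.
# Run elevated. Without -Enforce the script only reports.
param([switch]$Enforce)

# NET_FW_PROFILE_TYPE2 and NET_FW_ACTION values from the Windows Firewall with Advanced Security API
$Profiles = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
$Actions  = @{ 0 = 'Block'; 1 = 'Allow' }

$fw = New-Object -ComObject HNetCfg.FwPolicy2

# CurrentProfileTypes is a bitmask: a laptop with several adapters can be on several networks at once
$current = $fw.CurrentProfileTypes
$active  = 1, 2, 4 | Where-Object { $current -band $_ } | ForEach-Object { $Profiles[$_] }
Write-Output ('Active network location(s): ' + ($active -join ', '))

$findings = @()
foreach ($p in 1, 2, 4) {
    $enabled  = $fw.FirewallEnabled($p)
    $inbound  = $Actions[[int]$fw.DefaultInboundAction($p)]
    $outbound = $Actions[[int]$fw.DefaultOutboundAction($p)]
    Write-Output ('{0,-8} enabled={1,-5} default inbound={2,-5} default outbound={3}' -f `
                  $Profiles[$p], $enabled, $inbound, $outbound)
    if (-not $enabled)        { $findings += "$($Profiles[$p]): firewall disabled" }
    if ($inbound -ne 'Block') { $findings += "$($Profiles[$p]): default inbound action is not Block" }
}

if ($findings) {
    Write-Warning ("Deviations from the expected baseline:`n  " + ($findings -join "`n  "))
} else {
    Write-Output 'All three profiles match the baseline (enabled, inbound blocked by default).'
}

if ($Enforce -and $findings) {
    # Enable the firewall in Domain, Private and Public and restore block-inbound/allow-outbound
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
    Write-Output 'Baseline applied to the Domain, Private and Public profiles.'
}
```

For a quick look without the script, `netsh advfirewall show currentprofile` prints the settings of the profile that NLA has selected for the current network. Note that the check only covers the firewall's own defaults; exceptions (rules) still have to be reviewed per profile, and as the text states, a VPN scenario may need rules beyond what the three built-in locations provide.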
Review questions:
- Is the data on a mobile Windows Vista or Windows 7 computer protected using encryption and data backup?
- Is the strategy for the use of the local firewall on a mobile computer specified based on the specific circumstances and on a case-by-case basis, if necessary?