
WINDOWS 7 PRO VS WINDOWS 7 ENT

A Presentation on the exceptional differences between the two Operating Systems

Extra Features In WIN 7 Ent


- BitLocker
- BitLocker To Go
- AppLocker
- Boot from VHD
- BranchCache
- DirectAccess

BitLocker
Available on Win 7 Enterprise and Ultimate. It encrypts the HDD with 128-bit AES encryption. It is faster than other AES encryption and has low RAM requirements, since CBC mode with a 128-bit key is used for encryption.
Authentication Mechanism

- Transparent mode: Uses the TPM chip for key storage. Releases the key to the OS loader only if the early boot files appear to be unmodified. Vulnerable to a cold boot attack.
- User Authentication mode: Uses the bootloader. Requires authentication to the pre-boot environment in the form of a PIN. Vulnerable to the bootkit attack but not to the cold boot attack.
- USB Key mode: Uses a USB dongle containing the startup key. The BIOS must support portable USB devices at the pre-boot OS stage. This mode is immune to the cold boot attack.

BitLocker
Recovery Modes
- Recovery Password: A numerical key protector for recovery purposes.
- Recovery Key: An external key for recovery purposes.
- Certificate: Adds a certificate-based public key protector for recovery.

The following combinations of authentication modes are possible, and all can be recovered using the Recovery Key method:

- TPM
- TPM+PIN
- TPM+PIN+USB key
- TPM+USB key
- USB Key

Requirements

1. Two NTFS-formatted volumes (one for the OS and one of at least 100MB from which the OS boots). This can be achieved using the DISKPART utility or the BitLocker Drive Preparation Tool.
2. An optional key can be stored in AD for recovery purposes and retrieved using the BitLocker Recovery Password Viewer for AD users. For server versions before 2008 the schema must be updated.

BitLocker
Benefits to the Business

- Good degree of safety in case of laptop theft.
- Integrated with AD directly; no extra application or add-on required.
- It encrypts more than the OS partition, thus ensuring maximum security of data.
- Works in multiboot environments.
- Flexible configuration, as GP can be used.

Limitations
- Cold boot attack when used in TPM mode (transparent operation mode).
- Only supported on NTFS partitions and on NT-based OSes (but the BitLocker To Go Reader can run on NTFS, FAT32 or exFAT).
- Workaround possible without TPM.
- BitLocker gives the end user local admin rights. This gives them the opportunity to turn off the encryption if desired.
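
Added example (not part of the original slides): a PowerShell 2.0 audit of the authentication and recovery protectors listed above, flagging volumes that rely on TPM-only transparent mode or have no recovery protector. It assumes an elevated prompt and uses the Win32_EncryptableVolume WMI class; the function name and finding texts are illustrative.

```powershell
# Added example: report BitLocker key protectors per volume (run elevated).
# KeyProtectorType values returned by Win32_EncryptableVolume.
$typeNames = @{
    1 = 'TPM';     2 = 'External key (USB / recovery key)'
    3 = 'Numerical recovery password'
    4 = 'TPM+PIN'; 5 = 'TPM+USB key'; 6 = 'TPM+PIN+USB key'
    7 = 'Certificate (public key)'
}

function Get-BitLockerProtectorAudit {   # hypothetical helper name
    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume | ForEach-Object {
        $vol = $_
        # 0 = return protector IDs of every type
        $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
        $types = @($ids | ForEach-Object {
            [int]$vol.GetKeyProtectorType($_).KeyProtectorType
        })

        $findings = @()
        if ($vol.ProtectionStatus -ne 1) {
            $findings += 'Protection is off or suspended'
        }
        # Transparent mode: TPM protector with no PIN or USB startup key.
        if (($types -contains 1) -and -not ($types | Where-Object { 4, 5, 6 -contains $_ })) {
            $findings += 'TPM-only (transparent mode): no pre-boot authentication'
        }
        # Recovery password, recovery key or certificate should exist.
        if (-not ($types | Where-Object { 2, 3, 7 -contains $_ })) {
            $findings += 'No recovery protector configured'
        }

        New-Object PSObject -Property @{
            Drive      = $vol.DriveLetter
            Protectors = ($types | ForEach-Object { $typeNames[$_] }) -join ', '
            Findings   = $findings -join '; '
        }
    }
}

Get-BitLockerProtectorAudit | Format-List Drive, Protectors, Findings
```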

AppLocker
This helps to prevent the use of unknown or unwanted applications within the network. It helps to boost security and compliance for the organisation. It is a rule-based service, with 3 main configurable rule types (Exec rule, Windows Installer rule, Script rule).

Applocker Vs Other Solutions


Restriction policies can be applied to the following.

- Specific User or Group.
- Default Rule Action is Deny.
- Audit-only mode possible.
- Wizard to create multiple rules at once.
- Policy import or export.
- Rule Collection available.
- PowerShell Support.
- Custom Error Messages.

AppLocker
Requirement

- Windows Server 2008 R2.
- Windows 7 Ult, Windows 7 Ent (Win 7 Pro can create rules but cannot enforce them).
- For GP deployment, at least one computer with the Group Policy Management Console (GPMC) or the Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
- Computers to enforce the AppLocker rules created.

Rule Conditions
Rules are created either by PUBLISHER, PATH or by FILE HASH.

Benefits
- Increased security.
- The cost of procuring third-party application lock-down software is eliminated.
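
Added example (not part of the original slides): building publisher and file-hash rules with the AppLocker PowerShell cmdlets, exporting them in audit-only mode, and dry-running the policy before any enforcement. The folder and file paths are placeholders chosen for illustration.

```powershell
# Added example; run elevated on Windows 7 Enterprise/Ultimate or Server 2008 R2.
Import-Module AppLocker

# Assumed locations (placeholders, not from the slides).
$ReferenceDir = 'C:\Program Files\ApprovedApp'
$PolicyFile   = 'C:\Temp\applocker-audit.xml'

# 1. Collect publisher, path and hash data for every executable in the folder.
$files = Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse -FileType Exe

# 2. Publisher rules for signed files, file-hash rules as fallback for unsigned ones.
[xml]$policy = $files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Approved' -Optimize -Xml

# 3. Audit-only mode: log what would be denied without blocking anything.
foreach ($collection in $policy.SelectNodes('//RuleCollection')) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($PolicyFile)   # exported policy; can be imported into a GPO later

# 4. Dry run: approved files should be Allowed; a file no rule covers falls
#    through to the default action and is reported as DeniedByDefault.
$known   = Get-ChildItem $ReferenceDir -Recurse -Filter *.exe |
               ForEach-Object { $_.FullName }
$outside = "$env:windir\System32\notepad.exe"   # outside the approved folder
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path (@($known) + $outside) -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Merge into the local policy. The Application Identity service (AppIDSvc)
#    must be running for rules to be evaluated.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge

# 6. Review audit results: event 8003 = "would have been blocked".
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```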

Booting from VHD


VHD (Virtual Hard Drive)

Benefits
- It can be used as a simplified backup mechanism which is also portable.
- Booting from VHD helps to test new configurations and applications before final rollout.
- Any malware infection only affects the VOS and does not spread to the main OS.
- Native image deployment using Windows Deployment Service for workstation/server redeployment or recovery.

Limitations
- VHD size limited to 2TB.
- EFS/NTFS compression not supported.
- Hibernating not supported.
- OS can't be upgraded.
- Cannot be nested.
- Can't be booted from a USB.

BranchCache
Caches content from file and web servers locally at the branch office, increasing the network responsiveness of centralized applications when accessed remotely.

Modes of Operation
- Distributed Cache.
- Hosted Cache.

Benefits
- Reduced WAN link utilisation in branch offices (intranet-based HTTP and SMB traffic).
- Accelerates delivery of encrypted content (HTTPS and IPsec).
- Does not require additional equipment at the branch office and can be managed using GP.
- Caching is done by default when round-trip latency exceeds 80ms.

Limitations
Depends on the caching mode: Distributed Cache requires more processing power from workstations, so performance may be affected. Hosted Cache, however, combats this but requires extra hardware investment.

DirectAccess
Enables connection to the office securely through the internet without the need for a VPN.

Advantages
- Working outside the office is easier as there is no need for a traditional VPN.
- Remote management possible (update deployment and GP settings over the internet).
- Enhanced security and access control.
- Communicates using IPv6 over IPsec.
