By Rick Cook - Oct 27, 2009

In earlier Windows versions, USB ports were a significant security vulnerability for enterprise computing. Windows 7 has several USB enhancements and has made flash drives fully manageable. Here’s what you need to know.

Windows 7 is more USB-aware than previous versions of Windows. The new operating system also adds several new features to make USB “flash” drives both more secure and more useful for administrators and technical support staff.

This goes beyond carrying applications and diagnostics on a USB flash drive. Now, you can boot from a USB drive in Windows 7. You can use a USB flash drive to install Windows 7. You can encrypt the entire contents of a flash drive. And you can use up to eight drives as an additional disk cache to speed up a system’s performance.

Not all of these features are new in Windows 7; Microsoft introduced some of them in Vista. But the versions in Microsoft’s latest operating system are more powerful, more polished, and have more features than their Vista ancestors.

In Windows Vista, you had a limited range of choices for a system’s USB port. For example, you could turn the port off entirely or disable read or write either for specific users or for the system as a whole. Now, with BitLocker To Go, you can enable the port for specific kinds of devices, or even specific devices, as well as setting general read and write permissions.

ReadyBoost

ReadyBoost was introduced in Vista but it is extended – and a lot more useful – in Windows 7. ReadyBoost uses flash memory as a drive for disk cache. Because flash is considerably faster than disk, the result is improved performance.

Because ReadyBoost was redesigned for Windows 7, the performance improvement is considerably greater than it was with Windows Vista. This applies to shut down as well as to application performance. Users are reporting speed boosts of 20 percent or more on large files. Generally, how much improvement you’ll get depends on the amount of memory in the system. The speedup is particularly noticeable on Windows 7 systems with a minimal amount of memory.

The original ReadyBoost version was limited to a single flash device with 4 GB of memory. In Windows 7, ReadyBoost supports up to eight devices for a maximum of 256 GB of additional memory. (Microsoft recommends one to three times the amount of RAM as the maximum amount of ReadyBoost memory.)

For administrators and technical support people, ReadyBoost provides a rough-and-ready diagnostic tool for underperforming computers. The most common cause of poor performance is not enough RAM, as most technical staff know – but that’s not the only cause. The question is: Is it worth adding RAM to this particular snail in an effort to speed up a system?

ReadyBoost provides a quick way to find the answer by using a flash drive as additional memory. Although performance isn’t equivalent to actually installing more RAM because of the differences in flash and RAM, plugging in a memory stick and using it as additional disk cache can give you an idea of the kind of improvement you can expect by adding more memory to the system.

BitLocker To Go

Flash drives are convenient, capacious, and highly portable. Of course, these same characteristics mean that USB flash drives are potential security risks. The drives are easy to lose and can carry large quantities of information off premises in a pocket or purse. Some organizations have seen them as such significant risks that they have physically disabled USB ports on their computers by gluing them shut.

With Windows Vista, and even more with Windows 7, such extreme measures aren’t needed. Windows 7 in particular includes a raft of policy-based controls for handling USB ports and the attached devices.

In Windows 7 Enterprise and Ultimate editions, Microsoft extended BitLocker to cover USB drives. BitLocker, introduced with Windows Vista, allows encrypting an entire drive rather than just files and folders on the drive; that is inherently more secure.

In addition to extending BitLocker with BitLocker To Go, Microsoft made BitLocker easier to use in general. For one thing, you no longer have to manually make a separate partition for the bootup files that won’t run encrypted. Also, unlike most third-party drive encryption programs, BitLocker can be controlled by setting group or individual policies. For example, you can set group policies so flash drives can only download information from systems which have BitLocker installed. This makes it harder for users to forget to encrypt flash drives when they download information.

Although you can only encrypt a flash drive in Windows 7, you can read the drive on Windows Vista systems as well. This means that even notebooks which are still running Vista can have the benefit of full-disk encryption on USB flash drives.

Encrypting a USB drive is just as easy as encrypting any other kind of drive in Windows 7. Connect the USB drive, go to “Computer,” right-click the device, and turn on BitLocker.

Make sure you have an appropriate password control policy in place before using BitLocker or any other form of drive encryption. You should also enable the recovery key option so you have a way of accessing the drive’s contents if the password is lost. (See Microsoft’s walkthrough of BitLocker.)
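To check that the controls described in this section are actually in effect on a machine, the following added example (not part of the original article and not Microsoft's code) reports, for each attached removable drive, whether it is encrypted and whether it carries a recovery password protector. It assumes the group policy the article refers to is "Deny write access to removable drives not protected by BitLocker", read here from its registry value RDVDenyWriteAccess.

```powershell
# Added example, not from the article. Run from an elevated prompt.
# Uses WMI only, so it works with the PowerShell 2.0 shipped in Windows 7.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Assumed policy: "Deny write access to removable drives not protected by
# BitLocker" (value RDVDenyWriteAccess, 1 = enforced).
$fve = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
$pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$denyWrite = ($pol -and $pol.RDVDenyWriteAccess -eq 1)
Write-Output "Deny write to unprotected removable drives: $denyWrite"

$convText = @{ 0 = 'Decrypted'; 1 = 'Encrypted'; 2 = 'Encrypting';
               3 = 'Decrypting'; 4 = 'Encryption paused'; 5 = 'Decryption paused' }
$protText = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown (locked)' }

# DriveType 2 = removable disk, which is how USB flash drives are reported.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $letter = $_.DeviceID    # e.g. "E:"
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                         -Filter "DriveLetter = '$letter'"
    if (-not $vol) {
        # No media inserted, or a volume BitLocker cannot manage.
        New-Object PSObject -Property @{
            Drive = $letter; Conversion = 'Not encryptable'; Protection = 'n/a'
            Password = $false; RecoveryPassword = $false }
        return   # inside ForEach-Object this moves on to the next drive
    }
    $conv = $vol.GetConversionStatus().ConversionStatus
    $prot = $vol.GetProtectionStatus().ProtectionStatus
    # Key protector types: 3 = numerical (recovery) password, 8 = passphrase.
    $hasRecovery = [bool]$vol.GetKeyProtectors(3).VolumeKeyProtectorID
    $hasPassword = [bool]$vol.GetKeyProtectors(8).VolumeKeyProtectorID
    New-Object PSObject -Property @{
        Drive            = $letter
        Conversion       = $convText[[int]$conv]
        Protection       = $protText[[int]$prot]
        Password         = $hasPassword
        RecoveryPassword = $hasRecovery
    }
} | Format-Table Drive, Conversion, Protection, Password, RecoveryPassword -AutoSize
```

A drive that shows Conversion "Encrypted" but RecoveryPassword "False" has no fallback if its password is lost, which is the situation the recovery key advice above is meant to prevent.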

Booting From A Flash Drive

A bootable flash drive is handy for installing or running Windows 7 on a system which is not connected to a network. Again, Windows 7 makes it easy to create a bootable flash drive.

For netbooks and other systems without DVD drives, a bootable image on a flash drive provides an alternative method for installing Windows 7. Microsoft offers a bootable Windows 7 image as a download from its online store as well as a utility called Windows 7 USB/DVD Download Tool (WUDT) to manage the process. You can also create a bootable image from an installation DVD.

It is much faster to install Windows 7 from a flash drive because flash drives have higher transfer speeds than DVDs.

Because Windows 7 takes up about 2.5 GB of disk space, you need at least a 4 GB flash drive to create your image. You also need to set the target system’s BIOS to boot first from the flash drive.

USB flash drives are rapidly replacing floppy disks for administrative tasks. They are smaller, more rugged, and they hold more data. In fact, for a lot of jobs, flash drives are replacing CDs or DVDs. The flash drive support in Windows 7 will accelerate that trend by making flash drives more flexible and useful for administrators and other Windows 7 users.

IT Expert Voice is a partnership between Dell and Federated Media.