Disk Encryption. Aaron Howard IT Security Office

Transcription

1 Disk Encryption Aaron Howard IT Security Office

2 Types of Disk Encryption? Folder Encryption Volume or Full Disk Encryption OS / Boot Volume Data Volume Managed or Unmanaged Key Backup and Data Assurance

3 How Does Disk Encryption Help? Useful when Physical Security Fails Stolen Laptop Protects Data from Public Disclosure Not a replacement for permissions Does Encryption Protect from Malware?

4 Recomendation for Laptops Mobile Device Physical Security Secured when not in use Implement Screen Saver Passwords Mobile Devices should not contain Level 3 Highly Sensitive Data e.g. CC #s, SSNs, Medical Records Data Classification Guide

5 Level 3 Highly Sensitive Data Stored on Laptops Must be Encrypted

6 Encryption Challenges Business Continuity Encryption Key Management Passwords Backups & Restores Additional Complexity False sense of security

7 Strategy for Deployment Identify Sensitive Data Cornell Spider Is sensitive data required? Can data be moved to a server? Only encrypt when sensitive data is required

8 What s Being Done? Upgrading Existing AD Integrated PKI Offline Root CA Adding support for EFS Planning EFS Pilot Develop Support Documentation FDE Product Evaluation

9 Which Technology to Use? Migrate Laptops to Vista Use Bitlocker for long term solution When EFS Infrastructure is ready Enable EFS on Legacy hardware Use AD & PKI for Key Management PGP interim solution

10 Encrypting File System Included in Windows NTFS + Encryption Module Transparent Encryption Uses Public Keys - PKI Managed with AD & Group Policy

11 EFS Data Recovery Multiple ways to Recover Data Key Recovery Agents Key Backup / Escrow Data Recovery Agent Allowed to Decrypt Only

12 Key Recovery 2003 Enterprise CA Creates backup key automatically Key Recovery Separation of Duties CA Admin extracts encrypted key Key Recovery Agent(s) decrypts key Key Escrow

13 EFS Best Practices Use EFS with domain accounts Assign Data Recovery Agent Backup EFS Keys Encrypt folders instead of files Disable swap file and hibernation

14 EFS Warnings XP Local account password reset Causes loss of encryption keys Change password back Use Data Recovery Agent to recover XP does not have a Default DRA

15 EFS Vulnerabilities Windows 2000 Local Admin default DRA Local Admin can access EFS data Original Clear text files are not wiped Create files in encrypted folder Use secure erase or cipher to wipe Won t encrypt swap or hibernation file

16 What EFS Doesn t Do Doesn t encrypt across network FTP, CIFS, SMB ( Network Shares ) WEBDAV is encrypted EFS is enabled on specific folders Accidents happen Sensitive data could be made public

17 Manual Key Backup Backup keys before encrypting Certificate Manager MMC Right click key -- Export Cipher.exe Keep backup keys offline Store keys in secure location

18 EFS Setup Disable EFS when not in Use Curious users may enable EFS Data could be lost Configure EFS individually Configure Data Recovery Agent Backup encryption keys Encrypt data and temporary folders

19 Which Folders to Encrypt? My Documents and all subfolders All Folders with Sensitive Data Temporary folders Found in Environment Variables Use set command

20 EFS Data is Protected by a Password EFS is as weak as your password Use at least 15 character complex pw Require authentication after hibernation or screen saver Enable Syskey for Windows 2000 or when using local accounts

21 Encrypting for multiple Users XP & 2003 only EFS files can be shared Add additional users to specific files Managed via file properties Cumbersome to manage Can t add groups or share folders Try sharing encrypted ZIP files

22 FDE Full Disk Encryption

23 Full Disk Encryption All data is encrypted Including Swap & Hibernation files Better protection for stolen laptops Separate pre-boot authentication Disk unlocked at boot Still requires password after screensaver, sleep and hibernation

24 FDE Product Evaluation Ongoing PGP Enterprise Pointsec Winmagic SecureDoc Guardian Edge Compusec Bitlocker and others

25 OS Specific Encryption Most are windows only Bitlocker Vista Only Linux Open Source or Pointsec OS X FileVault or PGP Data Volumes or virtual disks

26 Hardware Disk Encryption Seagate and others have disks with encryption built-in Is it enterprise ready? Management tools are in development Can we make key backups? How will encryption keys be protected?

27 MS Bitlocker FDE Built into Vista Enterprise Managed via group policy Scriptable with WMI AD key backup Great pre-boot authentication Supported by MS

28 Bitlocker Pre-Boot Authentication Trusted Platform Module TPM Based Modes TPM only TPM + PIN TPM + USB Key USB Key Only Mode

29 USB Key Only

30 Bitlocker Disk Configuration Two NTFS drive partitions one for bitlocker one for the operating system volume Bitlocker partition must be at least 1.5 GB

31 Bitlocker Hardware Requirements TPM chip, version 1.2 Or USB key attached to user Trusted Computing Group (TCG) compliant BIOS Minimum requirements for Vista

32 How To Configure Bitlocker Bitlocker installation guide on Technet Partition drives before installing Vista Initialize TPM TPM MMC Enable Bitlocker Control Panel Create recovery password

33 Bitlocker AD Integration Backup recovery key in AD Disable encryption until key is stored Initialize TPM Backup TPM password or key in AD Select encryption strength AES bit keys

34

35 Recovery Password 48 digit random number Saved to USB Key Saved to Network File Share Sent to Printer

36 Disaster Recovery TPM is not required for recovery Encrypted disk can be recovered on alternate system Boot normally Type in recovery password What happens if the drive fails? What about corrupt sectors?

37 Bitlocker Security Is Bitlocker Secure? Not yet FIPS compliant Use BIOS password with TPM Does not support single sign-on TPM plus fingerprint reader

38 Performance FDE can slow disk usage 2x Most FDE is reasonable to use Copying large files will show latency Faster CPU will help

39 Vista Security Guide Best practices for implementing Bitlocker and EFS Great advice on preventing malware Templates and tools for Vista security dowsvista/security/guide.mspx