DriveLock and Windows 8




Why Windows 8 alone is not enough
CenterTools Software GmbH, 2013

Copyright
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. © 2013 CenterTools Software GmbH. All rights reserved. CenterTools, DriveLock and others are either registered trademarks or trademarks of CenterTools GmbH or its subsidiaries in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Introduction

Microsoft Windows 8 represents a big advance in the Windows family of operating systems. Many of the new features in Windows 8 will help organizations with the tasks of administering and securing their network environments. However, some of the new security features in Windows 8 only provide basic protection and are difficult to administer. When evaluating Windows 8, most organizations will find that Windows 8 alone does not provide the protection they need. For effective data encryption, device control and application control, organizations will still need to depend on third-party solutions, such as CenterTools DriveLock.

This whitepaper compares the limited protection that is included in Windows 8 with the comprehensive protection mechanisms of DriveLock. This includes the following functionality:

- Full Disk Encryption (BitLocker)
- Device control
- Removable media encryption (BitLocker To Go)
- Folder encryption (Encrypting File System, EFS)
- Application control (AppLocker)
- Antivirus / Antimalware
- Security Management

Full Disk Encryption

BitLocker is the Full Disk Encryption feature that has been included with certain editions of Windows since Windows Vista. When configured correctly, BitLocker provides strong and effective protection for confidential data on internal hard drives. However, deployment is only feasible if all computers meet certain system requirements. Out of the box, Windows provides no central monitoring capabilities for BitLocker, and the sharing of pre-boot credentials among all users of a protected computer can significantly lower the security of data on shared computers. The following table describes the most important differences between BitLocker and DriveLock Full Disk Encryption.

Hardware requirements
    Windows 8: For effective use of BitLocker the computer must contain a Trusted Platform Module (TPM) chip. While BitLocker can be used without a TPM chip, such configurations are not recommended by Microsoft, are difficult to use and are less secure.
    DriveLock: DriveLock requires no special hardware for Full Disk Encryption.

Supported client operating systems
    Windows 8: Only included with certain expensive editions of Windows.
    DriveLock: Supported on all editions of Windows XP, Windows Vista, Windows 7 and Windows 8.

Smart card and token support
    Windows 8: Smartcard and token authentication is not available during the pre-boot phase.
    DriveLock: DriveLock supports many types of smart cards and tokens for pre-boot authentication.

Hardware changes
    Windows 8: With BitLocker and a TPM chip, Windows 8 interrupts the boot process when certain hardware changes are detected. This may even include removing a laptop computer from a docking station. An administrator must manually reconfigure TPM settings to re-enable the normal boot process.
    DriveLock: DriveLock can alert users to certain hardware changes that may indicate compromised security. If the hardware change was legitimate, administrators can centrally disable these warnings and update the configuration to the current state of the hardware.

Pre-boot security
    Windows 8: The disk encryption key is stored on a TPM chip and protected using a PIN that is specific to the computer. A user must enter the PIN before the disk can be accessed. Users who use multiple BitLocker-protected computers must remember several PINs. Any person who knows the PIN, including former employees, can access the computer indefinitely.
    DriveLock: DriveLock supports up to 200 distinct users on each computer for pre-boot authentication. Users only need to remember their Windows credentials to authenticate. When employees leave the organization, pre-boot accounts can be removed to prevent further access to protected computers.

Single sign-on to Windows
    Windows 8: Windows 8 requires users to authenticate twice, first during the pre-boot phase and then again at the Windows logon prompt.
    DriveLock: DriveLock enables single sign-on. Users authenticate during the pre-boot phase using their Windows credentials and are then automatically logged on to Windows using the same credentials.

Emergency logon
    Windows 8: When a user has lost access to the computer, temporary access can be granted using a 40-character key until an administrator changes the PIN for the TPM. Any person who knows this key will be able to access the computer indefinitely.
    DriveLock: Using a challenge/response mechanism, an administrator can provide one-time logon credentials to a user who forgot a password. Once the user changes his or her password, regular logon procedures can be used again.

Dealing with corrupted disks
    Windows 8: Many types of disk corruption can result in data that is permanently inaccessible or that requires lengthy and difficult procedures to decrypt the disk and restore access. Recovery is not possible if certain elements of the disk structure can no longer be read.
    DriveLock: DriveLock lets administrators remove encryption even from badly damaged disks to allow access to any data that can still be read from the physical disk. DriveLock Fast Recovery lets administrators save important files from a damaged disk to removable media within minutes. The data can be copied to a different computer to allow users to continue their work quickly.

Central administration
    Windows 8: Administrators can centrally configure some basic BitLocker settings using Group Policy. Configuring exceptions for some computers can be very difficult. Even if BitLocker is centrally administered, a local administrator must still manually configure the TPM for each computer and initiate the disk encryption. Effective central administration requires additional licenses (Microsoft System Center).
    DriveLock: DriveLock settings can be easily configured centrally using Group Policy. At the same time, it is very easy to create exceptions for some computers. Disk encryption can be initiated from a central location without requiring local access to the computer. Central administration is part of DriveLock.

Central storage of recovery keys
    Windows 8: An upgrade of the Active Directory operational mode and schema extensions may be required to store recovery keys in Active Directory. Helpdesk personnel must use domain administration tools to retrieve these keys.
    DriveLock: Recovery keys can be stored in the DriveLock Enterprise Service and retrieved using intuitive helpdesk tools. No changes to Active Directory are required.

Monitoring
    Windows 8: Windows contains no tools for efficiently monitoring the status of encrypted drives across the network. Monitoring requires additional licenses (Microsoft System Center).
    DriveLock: The DriveLock Control Center provides visibility of the encryption status across the enterprise.

Remote Wipe
    Windows 8: Windows provides no mechanism for remotely wiping a computer.
    DriveLock: Administrators can mark a computer to be wiped. At the next connection of this computer to the DriveLock Enterprise Service, all user logon data is purged and the computer is shut down. A remote wipe prevents any use of the computer, even by individuals who know a valid user name and password; only administrators with access to a recovery certificate can still use the computer.

Full Disk Encryption Scenarios Not Supported By Windows 8

The following list contains just a few examples of common Full Disk Encryption requirements that DriveLock can easily enable, but that are impossible or impractical to configure with Windows 8:

- Single sign-on using Windows credentials.
- Sharing of computers with an encrypted hard disk by multiple users, while maintaining separate credentials for each user that can be revoked when a user leaves the organization.
- One-time passwords for emergency logon.
- Remote wiping of a computer.

Device Control

Windows 8 only provides rudimentary device control, which is difficult and tedious to administer. Rather than dynamically locking and unlocking devices for users based on a set of rules, Windows 8 restricts the installation of device drivers. This means that all required device drivers must be installed before device control is activated. Modifying rules at a later point is difficult or impossible. Also, granular rules are not available. Most rules apply broadly to certain device classes, and the whitelisting of specific devices requires tedious editing of registry and Group Policy settings. The following table compares Windows 8 device control to the more advanced device control capabilities of DriveLock.

Allow users to install only authorized devices
    Windows 8: Requires administrators to manually create a list of allowed devices by installing them on a computer, recording hardware settings for each device, and then copying these settings into a GPO. This is not practical in an environment where multiple computer configurations are in use. Devices can only be controlled by model, but not based on device type or a specific serial number.
    DriveLock: DriveLock can scan computers for installed devices and then allows administrators to use this data to create whitelist policies. Administrators normally don't have to track down hardware identifiers of each allowed device. More important, DriveLock can allow or deny access to entire device classes or allow access to a unique device based on its serial number.

Prevent installation of prohibited devices
    Windows 8: Windows 8 can accomplish this, but excluding specific devices from a network is not a common scenario and is not practical. Devices that have already been installed can't be controlled.
    DriveLock: As with rules that allow access, DriveLock can block access by device class, device serial number and user or group. Blocking takes effect even for devices that were installed before the policy is applied. Device information about prohibited drives can be collected from the Device Scanner database, so an administrator doesn't need to install the device on a computer and manually record the device information.

Control read and write permissions for removable media
    Windows 8: Only allows administrators to allow or deny all access to several types of removable devices.
    DriveLock: DriveLock recognizes more types of devices and provides more granular control. Read or write access can be controlled based on user, file type or even a specific device.

Auditing of device usage
    Windows 8: Windows 8 can't do this.
    DriveLock: DriveLock's Device Scanner, Control Center and file shadowing capabilities satisfy the needs of most organizations for auditing device usage and collecting forensic evidence.

Temporary unlocking of devices to enable exceptions
    Windows 8: Windows 8 can't do this.
    DriveLock: DriveLock enables online and offline unlocking of devices for a fixed period of time. This enables help desk personnel to respond in situations where legitimate access to removable devices is needed even if the currently active policy denies this access.

Device Control Scenarios Not Supported By Windows 8

The following list contains just a few examples of common device control requirements that DriveLock can easily enable, but that are impossible or impractical to configure with Windows 8:

- All users may use any USB-connected mouse or keyboard, but not removable storage devices.
- Only administrators and help desk personnel are allowed to use removable storage devices.
- No executable files may be copied from removable media to a corporate computer, except by administrators.
- All data copied to USB flash drives must be encrypted.
- Administrators need to be alerted when a user uses a removable device contrary to company policy.
- Help desk personnel must be able to let a remote user copy a file to a USB flash drive even when the current policy normally prevents this.
- Users should only be allowed to use company-issued USB flash drives.
- Users should be allowed to listen to music CDs, but they may not access CDs that contain data.

Removable Media Encryption

BitLocker To Go provides users with an easy method for encrypting all data on certain removable devices. However, other media, such as CDs and DVDs, cannot be encrypted, and access to data on encrypted drives is read-only on computers running earlier versions of Windows. Encryption can be centrally enforced using Group Policy. Administrators can configure encryption enforcement and central backup of recovery information for encrypted drives. When enforcing encryption settings, organizations have to use a one-size-fits-all approach because BitLocker does not allow exceptions to the policy settings. The recovery process for lost passwords by a recovery agent requires physical access to an encrypted device. For end-user recovery, the user needs a recovery key that can be used to access a device indefinitely, even after the user has left the company. Encrypted device use cannot be monitored for compliance purposes. The following table compares BitLocker To Go to the more advanced removable media encryption capabilities of DriveLock.

Encryption of mobile data
    Windows 8: BitLocker To Go can transparently encrypt data on USB flash drives.
    DriveLock: DriveLock can transparently encrypt all data copied to and from USB flash drives and other removable devices. DriveLock can also enforce that only encrypted devices can be used on a computer.

Universal access
    Windows 8: Only read access to encrypted devices is possible on a Windows XP or Vista client, and only if the file system on the USB flash drive is FAT. Non-Microsoft operating systems are not supported.
    DriveLock: DriveLock lets users create and access encrypted devices on computers running Windows XP or higher. With DriveLock Mobile it is also possible to use an encrypted USB drive outside of a DriveLock installation, e.g. at home. DriveLock Mobile also supports MacOS.

Device support
    Windows 8: Only USB media can be encrypted.
    DriveLock: DriveLock can encrypt any type of removable media and includes a wizard to burn encrypted CDs and DVDs. Encrypted containers can also be created on internal hard drives.

Password recovery
    Windows 8: When a user forgets the encryption password, a designated recovery agent can access the data. If recovery information was stored in Active Directory, a 40-character password recovery key can also be retrieved and provided to the user. Any person who knows this key will be able to access the device indefinitely.
    DriveLock: When a user forgets an encryption password, helpdesk personnel who have been provided with a recovery certificate can access the data. Using a challenge/response mechanism, an administrator can also provide a one-time code to allow a user to reset the password.

Monitoring
    Windows 8: Windows 8 has no meaningful method for monitoring the use of storage devices, whether they are encrypted, and what data is copied to these devices.
    DriveLock: DriveLock includes extensive monitoring of encryption status, device use and file operations using the DriveLock Control Center.

Removable Media Encryption Scenarios Not Supported By Windows 8

The following list contains just a few examples of common removable media encryption scenarios that DriveLock makes possible, but that are impossible or impractical to configure with Windows 8:

- Full read/write access to encrypted drives and media on computers running older versions of Windows
- Encryption of writable optical media, such as CD-R and DVD-R
- One-time codes for data recovery
- Central monitoring and reporting of removable media encryption
- Enforced encryption for certain drives while allowing other drives to remain unencrypted
- Enforced encryption for some users while allowing other users to access unencrypted media

File and Folder Encryption

Besides the encryption of containers (see Removable Media Encryption), the transparent encryption of folders is an important criterion for encryption products. Since Windows 2000 with NTFS, Microsoft has offered the Encrypting File System (EFS) to encrypt single files and folders. Because EFS is complicated to set up and to administer, in practice it has not had substantial success. Furthermore, EFS is not suitable for removable media, as encryption only works within the same domain (username / password are not sufficient). With DriveLock File Protection (DFP), CenterTools provides a universal solution to encrypt single folders or entire partitions on hard disks and removable media. Combinations of username / password, certificates or smartcards can be used for authentication. The following table compares EFS to the more advanced file and folder encryption capabilities of DriveLock.

Encryption of data
    Windows 8: EFS transparently encrypts data residing on NTFS partitions (locally and on the network).
    DriveLock: DFP transparently encrypts folders on any partition (locally, on removable media and on the network).

Cloud support
    Windows 8: Data stored in cloud services like Dropbox cannot be encrypted.
    DriveLock: DFP, out of the box, supports several cloud services to store encrypted files.

Supported platforms
    Windows 8: Windows
    DriveLock: Windows, MacOS, iOS

Password recovery
    Windows 8: If a user forgets his password, a designated recovery agent can gain access.
    DriveLock: Recovery certificates can be stored securely in the central administration database. Authorized helpdesk employees can either gain access using the recovery certificate or provide a one-time code to the user. With the one-time code, the user can create a new password.

File And Folder Encryption Scenarios Not Supported By Windows 8

The following list contains just a few examples of common file and folder encryption scenarios that DriveLock makes possible, but that are impossible or impractical to configure with Windows 8:

- Full read and write access to partitions and media in other domains and with non-Windows operating systems.
- Encryption of data in cloud services (Dropbox, Google Drive, SkyDrive).
- One-time codes for data recovery.
- Enforced encryption for selected drives, while other drives remain unencrypted.

Application Control

Application Control lets administrators control which applications users can start and prevents unauthorized applications from running on a computer. Windows 8 includes AppLocker, the much improved successor to the Software Restriction Policies that were available in earlier versions of Windows. When administrators define which applications are allowed to run on a computer, all other applications are automatically blocked. AppLocker can be effective for enforcing application use on highly standardized desktops that require only a few applications to run. However, it is not practical to manage this feature in the diverse computing environments that are typical of today's IT landscape. The following table compares AppLocker to the more advanced application control capabilities of DriveLock.

System Requirements
    Windows 8: Works only with Windows 7 or higher and requires at least one Domain Controller running Windows Server 2008 R2. An upgrade of the Active Directory operational mode and schema extensions may be required.
    DriveLock: Works on Windows XP, Windows Vista and Windows 8. There is no Active Directory or domain controller version requirement.

Defining which applications are allowed to run or prevented from running
    Windows 8: Administrators can specify applications based on a software publisher, the hash of a specific file or a file location. Publisher rules are very flexible and can be used to allow all signed programs, all programs from the same software publisher, multiple software versions or just one specific version of one application. Application files in the same folder can be added to a rule in a single step.
    DriveLock: DriveLock can use the same types of rules as Windows 8. In addition, built-in rules for common files, such as all Windows files, can be used to quickly create whitelist rules. File owner rules make it easy to allow users to run all applications that were installed by an administrator or installation account.

Rule creation
    Windows 8: All applications must be added manually to whitelists or blacklists. Even in a small network this can be a lengthy and tedious task.
    DriveLock: DriveLock can scan a reference computer for all applications that are currently installed and automatically create a whitelist template that allows all of these applications to run. Applications can also be added from an online database containing hashes for over a million applications.

Maintaining application rules
    Windows 8: Most new applications need to be manually added to the rules before users can run them. Software publisher rules can be configured so they don't need to be updated when a new version of the software is installed.
    DriveLock: DriveLock rules that are based on software publisher certificates can also be configured to automatically allow updated versions of a program. In addition, file owner rules automatically allow newer applications to run if they were installed by an administrator or other designated user.

Granularity
    Windows 8: Each set of AppLocker rules is enforced on all computers that a Group Policy Object applies to. The policy may contain separate permissions for different users and groups.
    DriveLock: In addition to specifying permissions for users and groups, DriveLock policies allow for much more granularity. For example, policies may apply only when a computer is connected to a certain network or during certain times of the day.

Auditing and Monitoring
    Windows 8: Successful and blocked attempts to start an application are recorded in the local Windows Event Log only.
    DriveLock: The DriveLock Control Center lets administrators centrally audit application use on all client computers and create detailed reports.
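The Auditing and Monitoring row notes that AppLocker writes allowed and blocked starts only to each computer's local event log. As an added example (not code from the whitepaper or from DriveLock), the following PowerShell collects those AppLocker events from a list of computers and summarizes them centrally; the computer names are placeholders, and it assumes administrator rights on each computer and that the Remote Event Log Management firewall rules allow the connection.

```powershell
# Added example (not from the whitepaper or from DriveLock): collect AppLocker
# EXE/DLL events from several computers and summarize them centrally.
# Assumes the caller is a local administrator on each computer and that the
# "Remote Event Log Management" firewall rules allow Get-WinEvent to connect.

$Computers = @('PLACEHOLDER-PC1', 'PLACEHOLDER-PC2')   # placeholder names
$Since     = (Get-Date).AddDays(-7)

function Get-AppLockerEvents {
    param(
        [string[]]$ComputerName,
        [datetime]$StartTime
    )
    # AppLocker event IDs in the "EXE and DLL" log:
    #   8002 = allowed, 8003 = audit-only (would have been blocked), 8004 = blocked
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8002, 8003, 8004
        StartTime = $StartTime
    }
    foreach ($c in $ComputerName) {
        try {
            # Get-WinEvent throws when the log is unreachable or has no matching events.
            $events = Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction Stop
        } catch {
            Write-Warning "${c}: $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # The details live in UserData/RuleAndFileData, so parse the event XML
            # instead of scraping the rendered message text.
            $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            $action = switch ($e.Id) {
                8002 { 'Allowed' }
                8003 { 'AuditOnly' }
                8004 { 'Blocked' }
            }
            [pscustomobject]@{
                Computer  = $c
                Time      = $e.TimeCreated
                Action    = $action
                User      = $d.TargetUser      # SID of the user who started the file
                FilePath  = $d.FilePath
                Publisher = $d.Fqbn            # fully qualified binary name, if signed
                Hash      = $d.FileHash
                Rule      = $d.RuleName
            }
        }
    }
}

$all = Get-AppLockerEvents -ComputerName $Computers -StartTime $Since

# The central view a single local event log cannot give you: who was stopped
# (or would have been stopped) from running what, across all collected computers.
$all | Where-Object Action -ne 'Allowed' |
    Group-Object Computer, User, FilePath |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Keep the raw records for reporting or for forwarding to a SIEM.
$all | Export-Csv -Path 'applocker-events.csv' -NoTypeInformation
```

Running AppLocker in audit-only mode first and reviewing the 8003 events this way shows which rules would break users before enforcement is switched on.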

Application Control Scenarios Not Supported By Windows 8

The following list contains just a few examples of common application control scenarios that DriveLock makes possible, but that are impossible or impractical to configure with Windows 8:

- Automatically whitelisting all applications that are installed using designated administrator or service accounts
- Blacklist or whitelist rules based on a company-wide database of applications
- Rules based on an online database of millions of applications
- Rules based on whitelist templates that include all executable files that are part of complex applications
- Rule enforcement based on network location (office, traveling, etc.)

Antivirus / Antimalware

Windows 8 has no built-in protection against viruses and many other types of malicious software. To be protected, organizations need to purchase, install and administer a separate product. DriveLock contains fully integrated protection against viruses and other malicious software. DriveLock Antivirus requires minimal computer resources and has industry-leading detection rates. Administration and monitoring are tightly integrated with DriveLock's other features.

Security Management

While each of the Windows 8 features described in this whitepaper can be centrally managed using Group Policy, administrators will have to become familiar with the intricacies of each component. Setting up the central storage of recovery keys is difficult and involves different steps for Full Disk Encryption and removable media encryption. Microsoft's tools for recovering these keys are unintuitive and limited. There is also no effective mechanism for central monitoring and reporting. DriveLock uses an integrated console for configuring all settings and key recovery. This management console is intuitive and has been designed to guide administrators through the most common tasks to prevent errors that could impact user productivity. The management console also contains powerful tools for troubleshooting policy enforcement. The DriveLock Control Center lets administrators create comprehensive reports on user activity and contains sophisticated drill-down functionality that enables forensic analysis.
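The Security Management section and the Full Disk Encryption table describe central recovery-key storage and encryption-status monitoring as the weak points of a plain Windows 8 BitLocker deployment. As an added example (not code from the whitepaper or from DriveLock), this PowerShell gathers TPM and BitLocker status from a list of computers and escrows each operating-system volume's recovery password to Active Directory with the built-in BitLocker cmdlets; the computer names are placeholders, and it assumes Windows 8 clients with PowerShell remoting, administrator rights, and that the Active Directory schema and BitLocker backup Group Policy prerequisites the whitepaper mentions are already in place.

```powershell
# Added example (not from the whitepaper or from DriveLock): report BitLocker/TPM
# status from several computers and make sure each protected OS volume has a
# recovery password that is backed up to Active Directory.
# Assumes the BitLocker and TrustedPlatformModule modules (Windows 8), PowerShell
# remoting, local admin rights, and that the AD schema extensions and the
# BitLocker recovery backup Group Policy are already configured.

$Computers = @('PLACEHOLDER-PC1', 'PLACEHOLDER-PC2')   # placeholder names

function Get-BitLockerInventory {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $tpm = Get-Tpm
        foreach ($v in Get-BitLockerVolume) {
            $types = $v.KeyProtector | ForEach-Object { $_.KeyProtectorType }
            [pscustomobject]@{
                Computer         = $env:COMPUTERNAME
                MountPoint       = $v.MountPoint
                VolumeType       = $v.VolumeType
                TpmPresent       = $tpm.TpmPresent
                TpmReady         = $tpm.TpmReady
                Protection       = $v.ProtectionStatus
                EncryptedPercent = $v.EncryptionPercentage
                Protectors       = ($types -join ',')
                HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
            }
        }
    } | Select-Object * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName
}

function Backup-RecoveryPasswordToAD {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
        if (-not $os -or $os.ProtectionStatus -ne 'On') { return }
        $rp = $os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            # Add a numerical recovery password if the volume has none yet.
            $null = Add-BitLockerKeyProtector -MountPoint $os.MountPoint -RecoveryPasswordProtector
            $os = Get-BitLockerVolume -MountPoint $os.MountPoint
            $rp = $os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        }
        foreach ($p in $rp) {
            # Writes the recovery password to the computer object in AD
            # (msFVE-RecoveryInformation); fails if the schema or GPO is missing.
            try {
                Backup-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $p.KeyProtectorId
                "$env:COMPUTERNAME $($os.MountPoint) $($p.KeyProtectorId): backed up to AD"
            } catch {
                "$env:COMPUTERNAME $($os.MountPoint): $($_.Exception.Message)"
            }
        }
    }
}

# Central report: which machines have a TPM, are encrypted, and carry a recovery password.
Get-BitLockerInventory -ComputerName $Computers | Format-Table -AutoSize

# Then escrow the recovery passwords for the operating-system volumes.
Backup-RecoveryPasswordToAD -ComputerName $Computers
```

Any row with Protection Off or HasRecoveryPwd False is a machine whose data is either unencrypted or unrecoverable through the helpdesk, which is the gap the whitepaper's Monitoring row points at.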

Conclusion

Organizations that are very small or have an extremely limited hardware base may find that Windows 8 is sufficient for controlling device usage. However, CenterTools believes that Windows 8 does not address the device control and security requirements of the vast majority of companies and organizations. Furthermore, when using the features built into Windows 8, granular device control requires an inordinate amount of administrative resources. Organizations that migrate to Windows 8 will find that additional software is required to provide effective and meaningful control of mobile devices. DriveLock provides granular and comprehensive device control. It is easy to implement, easy to administer and easy to use.