BitLocker Drive Encryption: Hardware Enhanced Data Protection


Shon Eizenhoefer, Program Manager, Microsoft Corporation

Agenda
- Security Background
- BitLocker Drive Encryption
- TPM Overview
- Building a BitLocker Capable System
- Additional Resources

BitLocker Drive Encryption
BitLocker Drive Encryption gives you improved data protection on your Windows Vista and Windows Server (codenamed "Longhorn") systems.
- Notebooks: often stolen, easily lost in transit
- Desktops: often stolen, difficult to safely decommission
- Servers: high value targets, often kept in insecure locations
All three can contain very sensitive IP and customer data.

Designed to provide a transparent user experience that requires little to no interaction on a protected system.
- Prevents thieves from using another OS or software hacking tool to break OS file and system protections
- Prevents offline viewing of user data and OS files
- Provides enhanced data protection and boot validation through use of a Trusted Platform Module (TPM) v1.2

BitLocker And TPM Features
BitLocker Drive Encryption
- Encrypts the entire volume
- Uses Trusted Platform Module (TPM) v1.2 to validate pre-OS components
- Customizable protection and authentication methods
Pre-OS Protection
- USB startup key, PIN, and TPM-backed authentication
Single Microsoft TPM Driver
- Improved stability and security
TPM Base Services (TBS)
- Enables third party applications
Active Directory Backup
- Automated key backup to AD server
- Group Policy support
Scriptable Interfaces
- TPM management
- BitLocker management
- Command-line tool

TPM Services Architecture (Simplified)
Feature map: BitLocker ships in Windows Vista Enterprise and Ultimate; the TPM Admin Tools, TPM WMI Provider, TPM Base Services and TPM Driver ship in all Windows Vista SKUs. Third party applications reach the TPM through the TPM Base Services, directly or via a TCG Software Stack (TSS).
Stack, top to bottom: BitLocker, TPM Admin Tools, TPM WMI Provider, Third Party Applications and TSS* -> TPM Base Services -> TPM Driver -> Trusted Platform Module (TPM). (*TSS: TCG Software Stack.)

What Is A Trusted Platform Module (TPM)?
- Smartcard-like module on the motherboard
- Protects secrets
- Performs cryptographic functions: RSA, SHA-1, RNG
- Meets encryption export requirements
- Can create, store and manage keys
- Provides a unique Endorsement Key (EK)
- Provides a unique Storage Root Key (SRK)
- Performs digital signature operations
- Holds platform measurements (hashes)
- Anchors the chain of trust for keys and credentials
- Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org

Why Use A TPM?
- Trusted platforms use Roots-of-Trust; a TPM is an implementation of a Root-of-Trust
- A hardware Root-of-Trust has distinct advantages: software can be hacked by software, and it is difficult to root trust in software that has to validate itself; hardware can be made robust against attacks and certified to be tamper resistant
- Hardware and software combined can protect root secrets better than software alone
- A TPM can ensure that keys and secrets are only available for use when the environment is appropriate

BitLocker Drive Encryption Architecture
Static Root of Trust: measurement of boot components, across many specific hardware and software configurations.
TPM Init -> Pre-OS: BIOS -> MBR -> Static OS: Boot Sector -> Boot Block -> Boot Manager -> all boot blobs unlocked -> volume blob of target OS unlocked -> OS Loader -> Start OS

Disk Layout And Key Storage
OS Volume contains: encrypted OS, encrypted page file, encrypted temp files, encrypted data, encrypted hibernation file.
System Volume contains: MBR, boot manager, boot utilities (unencrypted, small).
Where's the encryption key?
1. SRK (Storage Root Key) contained in the TPM
2. SRK encrypts the FVEK (Full Volume Encryption Key); protected by TPM/PIN/USB storage device
3. FVEK stored (encrypted by the SRK) on the hard drive in the OS Volume

Information Protection Threats
Internal threats are just as prevalent as external threats.
Accidental
- Loss due to carelessness
- System disposal or repurposing without data wipe
- System physically lost in transit
Intentional
- Data intentionally compromised
- Insider access to unauthorized data
- Offline attack on lost/stolen laptop
Targeted
- Thief steals asset based on value of data
- Theft of branch office server (high value and volume of data)
- Theft of executive or government laptop
- Direct attacks with specialized hardware

Spectrum of Protection
BitLocker offers a spectrum of protection, allowing an organization to customize according to its own needs.
- TPM Only (what it is): protects against most software attacks; vulnerable to hardware attacks; no user impact
- TPM + PIN (what it is + what you know): protects against many hardware attacks; vulnerable to hardware attacks; user must enter a PIN to boot
- TPM + USB (what it is + what you have): protects against hardware attacks; vulnerable to a stolen USB key; user must protect the USB key
- USB Only (what you have): protects against hardware attacks; vulnerable to a stolen USB key, and gives no boot validation; user must protect the USB key

BitLocker Recovery Scenarios
- Lost/forgotten authentication methods: lost USB key, user forgets PIN
- Upgrade to core files: unanticipated change to pre-OS files (BIOS upgrade, etc.)
- Broken hardware: hard drive moved to a new system
- Deliberate attack: modified or missing pre-OS files (hacked BIOS, MBR, etc.)
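The static root of trust (BIOS, MBR, boot sector, boot block, boot manager measured into the TPM) and the SRK -> FVEK key chain from the slides above, as an added illustration written for this page; it is not Microsoft's, BitLocker's or any TPM's code. The model keeps 24 PCRs, implements the extend operation with SHA-1 (the hash the slide lists), and seals a volume key to the PCR contents so that it is released only when the same components boot in the same order. The component-N-to-PCR-N mapping, the HMAC-keystream wrapping, and the sample boot component bytes are assumptions made for the simulation.

```python
import hashlib
import hmac
import secrets

# Simulation written for this page of the chain described on the slides:
# the SRK stays inside the TPM, wraps (seals) the FVEK, and the wrapped
# FVEK is stored on the OS volume. The wrap is bound to the PCR values
# recorded while the pre-OS components were measured, so a changed BIOS or
# MBR yields different PCRs and the FVEK is not released (BitLocker would
# then fall back to a recovery key). Not TPM or BitLocker code.

PCR_COUNT = 24          # TPM 1.2 exposes 24 PCRs
PCR_SIZE = 20           # SHA-1 digest length, the hash listed on the slide


class SimulatedTPM:
    def __init__(self):
        self.srk = secrets.token_bytes(32)   # never leaves the "chip"
        self.reset()

    def reset(self):
        """Platform reset: every PCR starts out as all-zero bytes."""
        self.pcrs = [bytes(PCR_SIZE) for _ in range(PCR_COUNT)]

    def extend(self, index, measurement):
        """PCR[i] = SHA1(PCR[i] || SHA1(measurement)). One-way and order
        dependent: a component cannot be 'un-measured' or swapped later."""
        digest = hashlib.sha1(measurement).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()

    def _policy(self, indices):
        """Digest over the selected PCRs, i.e. the 'expected environment'."""
        return hashlib.sha1(b"".join(self.pcrs[i] for i in indices)).digest()

    @staticmethod
    def _keystream(key, length):
        """HMAC-SHA256 counter keystream: a toy stand-in for the real wrap."""
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
            counter += 1
        return out[:length]

    def seal(self, secret, indices):
        """Wrap `secret` under a key derived from the SRK and current PCRs."""
        indices = list(indices)
        key = hmac.new(self.srk, b"seal" + self._policy(indices), "sha256").digest()
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(key, len(secret))))
        tag = hmac.new(key, ct, "sha256").digest()
        return {"indices": indices, "ct": ct, "tag": tag}   # this blob goes to disk

    def unseal(self, blob):
        """Return the secret only if the PCRs equal those at seal time."""
        key = hmac.new(self.srk, b"seal" + self._policy(blob["indices"]), "sha256").digest()
        expected = hmac.new(key, blob["ct"], "sha256").digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            return None          # environment differs: no key, recovery path
        return bytes(a ^ b for a, b in zip(blob["ct"], self._keystream(key, len(blob["ct"]))))


# Constructed stand-ins for the pre-OS components the slide lists, in boot
# order. Mapping component N to PCR N is an assumption of this model.
GOOD_COMPONENTS = [b"BIOS image v1.0", b"MBR", b"boot sector", b"boot block", b"boot manager"]


def measured_boot(tpm, components):
    """Static root of trust: each stage is measured before it runs."""
    tpm.reset()
    for index, code in enumerate(components):
        tpm.extend(index, code)


def provision(tpm):
    """Enable 'BitLocker': create an FVEK and seal it to the known-good boot."""
    measured_boot(tpm, GOOD_COMPONENTS)
    fvek = secrets.token_bytes(32)
    blob = tpm.seal(fvek, range(len(GOOD_COMPONENTS)))   # stored on the OS volume
    return fvek, blob


def try_boot(tpm, components, blob):
    """Boot with the given components and ask the TPM for the FVEK."""
    measured_boot(tpm, components)
    return tpm.unseal(blob)


if __name__ == "__main__":
    tpm = SimulatedTPM()
    fvek, blob = provision(tpm)
    print("unmodified boot releases FVEK:", try_boot(tpm, GOOD_COMPONENTS, blob) == fvek)
    tampered = list(GOOD_COMPONENTS)
    tampered[1] = b"MBR with extra code"
    print("modified MBR releases FVEK:", try_boot(tpm, tampered, blob) is not None)
```

The two failure cases the model exhibits are exactly the recovery scenarios the slide lists: a changed pre-OS file (here the MBR) and a missing component both alter the PCR set, so the SRK-derived wrapping key no longer matches and the FVEK stays sealed. The same mechanism is why a BIOS upgrade or a drive moved to another machine (a different SRK) sends a real system into recovery.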

BitLocker Recovery Methods
Recommended method for domain-joined machines:
- Automate key backups through BitLocker Setup
- Configure group policy to store keys in Active Directory
- Provides centralized storage and management of keys
Recommended methods for non-domain-joined machines:
- Back up to a USB flash device
- Back up to a web-based key storage service: Windows Ultimate Extras provides a free key storage service for home users or unmanaged environments; a potential OEM or 3rd-party service for key storage
- Back up to a file
- Print or record to physical media

Building BitLocker Systems
Windows Vista Logo Program: performance, quality, and feature metrics that help consumers understand and seek out the best computing experience that Windows Vista has to offer. http://www.microsoft.com/whdc/winlogo/hwrequirements.mspx
Trusted Platform Module (SYSFUND-0030)
- TPM Main Specification, Version 1.2 (or later): https://www.trustedcomputinggroup.org/specs/tpm
- Memory Mapped I/O, Locality 0
- TPM PC Client Interface Specification, Version 1.2 (or later): https://www.trustedcomputinggroup.org/specs/pcclient
BIOS (SYSFUND-0031)
- TCG BIOS Specification
- Physical Presence Interface Specification
- Memory Overwrite on Reset Specification
- Immutable CRTM or Secure Update
https://www.trustedcomputinggroup.org/specs/pcclient

Platform Threats And Mitigations
- BIOS modification. Threat: lost Core Root of Trust for Measurement. Mitigations: secure CRTM update; provide extra protection with PIN or USB.
- Physical memory. Threat: key exposure in physical memory. Mitigations: Memory Overwrite on Reset; provide extra protection with PIN or USB.
- Dictionary attack against PIN. Threat: key exposure. Mitigation: anti-hammering countermeasures.
- End users. Threat: unsafe practices (PIN kept nearby, USB key left in the laptop case). Mitigation: user education, corporate security policy.

Building BitLocker Systems: Hard Disk, USB, BIOS and Platform Requirements
Hard Disk (SYSFUND-0032)
- BitLocker requires at least two partitions
- System partition (active, NTFS, minimum 1.5 GB)
- OS must be installed on a separate partition
- OS and other partition(s) can be of any size
USB (SYSFUND-0069-0070)
- System boot from USB 1.x and 2.x
- USB read/write in the pre-OS environment
- FAT16, FAT32, or NTFS file system for BitLocker and TPM Admin
See also: BIOS and Platform Requirements.
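The "anti-hammering countermeasures" listed above as the mitigation for a dictionary attack against the PIN, as an added illustration written for this page rather than anything shipped by Microsoft or a TPM vendor. It models a PIN protector that allows a few free misses, then doubles the lockout after every further failure up to a cap, and includes a sizing function that tells a defender how many wrong guesses such a policy lets through in a given window. The three free attempts, the 2 s base delay, the one hour cap, the PBKDF2 hashing and the sample PINs are all choices made here.

```python
import hashlib
import hmac
import secrets

# Illustration written for this page of the "anti-hammering" mitigation the
# slide names against dictionary attacks on the PIN: a protector that allows a
# few free misses and then doubles the wait after every further failure, up to
# a cap. The parameters and the PBKDF2 hashing are choices made here; the
# TPM's own lockout logic is not shown on the page and is not reproduced.

PBKDF2_ROUNDS = 10_000   # kept small so the demo runs quickly


class PinProtector:
    def __init__(self, pin, free_attempts=3, base_delay=2.0, max_delay=3600.0):
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(pin)          # the PIN itself is not kept
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = 0
        self.locked_until = 0.0

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS)

    def penalty(self):
        """Seconds to lock after the current failure count: 0 while within the
        free attempts, then base_delay doubling per extra failure, capped."""
        excess = self.failures - self.free_attempts
        if excess <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (excess - 1), self.max_delay)

    def attempt(self, pin, now):
        """Returns 'locked', 'ok' or 'wrong'. The clock `now` is injected so
        the behaviour can be exercised without waiting."""
        if now < self.locked_until:
            return "locked"                    # not even checked while locked
        if hmac.compare_digest(self._hash(pin), self.digest):
            self.failures = 0
            self.locked_until = 0.0
            return "ok"
        self.failures += 1
        self.locked_until = now + self.penalty()
        return "wrong"


def wrong_guesses_allowed(window_seconds, **policy):
    """Upper bound on wrong PINs the policy lets through during
    `window_seconds` of continuous hammering: a sizing metric for the
    defender choosing free_attempts, base_delay and max_delay."""
    protector = PinProtector("1234", **policy)     # constructed PIN
    now, count = 0.0, 0
    while now < window_seconds:
        protector.attempt("0000", now)             # always wrong
        count += 1
        now = protector.locked_until
    return count


if __name__ == "__main__":
    p = PinProtector("2468")                       # constructed PIN
    print([p.attempt("0000", 0.0) for _ in range(4)])   # four misses at t=0
    print(p.attempt("2468", 1.0))                  # correct, but still locked
    print(p.attempt("2468", 2.0))                  # lock expired: ok
    print("wrong guesses per day:", wrong_guesses_allowed(86400))
```

With the default policy the protector admits 37 wrong guesses in a 24-hour window, so a 10,000-value four-digit PIN space cannot be searched in any realistic time, which is the point of pairing a short PIN with a hardware-enforced counter. Note that the correct PIN entered during a lockout is rejected without being checked, so the lockout itself leaks nothing about the PIN.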

Enterprise Customer Needs
Remote Deployment Considerations
- Think through large-scale deployment of BitLocker
- Provide solutions for remote initialization of TPMs
- Provide a secure BIOS update mechanism
- Support encrypted volumes in the Recovery Environment: include WinRE scripting components
Ship Systems with an Endorsement Key (EK)
- EK generation in the field is time consuming
- Industry security best practice (TCG Guidelines)

Call To Action
Build BitLocker-ready systems:
- TPM v1.2: consider the deployment experience, make it easy
- BIOS: don't ship systems without secure CRTM/BIOS update!
- Hard Disk: ship your platforms with two or more partitions
- USB: verify read/write/boot from USB in the pre-OS environment
Consider enterprise customer needs:
- Provide the ability to initialize the TPM remotely
- Ship with an Endorsement Key (EK)
Test your platforms!
- Test with the latest Windows Vista releases
- WDK test suite: http://www.microsoft.com/whdc/driver/wdk/aboutwdk.mspx
- Work with us to get your reference platforms tested!

Additional Resources
Web Resources
- Specs and Whitepapers: http://www.microsoft.com/whdc/system/platform/hwsecurity/default.mspx
- Windows Logo Program Testing: http://www.microsoft.com/whdc/getstart/testing.mspx
- TCG: http://www.trustedcomputinggroup.org
Related Sessions
- Enterprise and Server Use of Microsoft BitLocker Drive Encryption (CPA027)
- Windows Vista and Windows Server Longhorn Security Platform Enhancements (CPA127)
BitLocker questions or ideas: Bdeinfo@microsoft.com
BitLocker Blog: http://blogs.msdn.com/si_team/default.aspx