Using BitLocker As Part Of A Customer Data Protection Program: Part 1



Tech Tip by Philip Cox. Source: searchsecuritychannel.com

As an information security consultant, one of my jobs is to help my clients protect their data, which often involves using BitLocker, the Encrypting File System (EFS) and NTFS file system permissions to protect data at rest. This tip provides an overall understanding of the three Windows technologies and how they complement each other to protect data at rest, along with some details about BitLocker's particular functions. The goal is to establish a foundation that enables you, the security consultant, to use these technologies as part of your customer data protection services portfolio, whether in architecture designs or in implementations. They let you enhance your offerings by leveraging functionality you do not have to develop yourself.

Underlying concepts

The terms off-line and run-time are two critical concepts that will be used heavily throughout the rest of this tip. For our purposes, off-line means not being actively used by the operating system for which the disk was intended. Think of an attacker pulling a disk out of a system, placing it into another system and attacking it there: that disk is off-line. Run-time means being used by the operating system it was originally meant for: the system is booted and the disk is mounted, accessible and operating normally. The distinction matters because each of the technologies discussed here provides protection in a different one of these modes.

The pieces

The following is a short introduction to each technology and its primary role in protecting data at rest.

BitLocker: Provides full-disk encryption. It is an integrated Windows feature (part of the Enterprise and Ultimate editions of Windows Vista and Windows 7, as well as Windows Server 2008) that encrypts at the volume level; a volume can span part of a disk, an entire disk or multiple disks.
BitLocker protection happens at a low level in the operating system, below the file system, and is effectively transparent to the user and to any programs running on the system. To use BitLocker you just enable it on a volume. From a practical standpoint, BitLocker protects off-line data, not run-time data: once the system is booted and running, BitLocker already holds the keys it needs to encrypt and decrypt the drive, so any user or process that the operating system allows to read a file gets plaintext.

A quick note on BitLocker To Go (BTG). BTG takes the functionality of BitLocker and applies it to removable storage. In particular, BTG can and should be used to protect data stored on external USB drives, most notably USB thumb drives.

Encrypting File System (EFS): Provides file- and folder-level encryption in Windows. Protection is enforced by the EFS driver in the Windows operating system; any user or program that wants to access the file or folder must have the appropriate key. EFS uses a combination of public key and symmetric key cryptography: each file is encrypted with its own symmetric file encryption key, and that key is in turn encrypted with the public key from the user's EFS certificate, so decrypting the files is very difficult without the correct private key. EFS protects in both off-line and run-time modes. In off-line mode the files and folders are encrypted as they sit on the disk. In run-time mode the operating system itself does not hold the keys needed to decrypt the data; the user's private key lives in the user's profile, and only that user (or a designated recovery agent) can decrypt the files.

NTFS (New Technology File System): Provides access control (i.e., permissions) for data at rest. NTFS is the file system first introduced in Windows NT and still used on later versions of Windows. It lets you protect data by granting rights on specific files and folders to individual users or groups. NTFS permissions provide run-time protection in the form of access control on files and folders. NTFS provides no off-line protection: an attacker who mounts the disk in another system simply ignores or rewrites the permissions.
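As an added example (mine, not from the original tip), the PowerShell below layers the three protections on one folder and then reports what each layer currently does: icacls.exe for NTFS permissions, cipher.exe for EFS, and manage-bde.exe -status for the BitLocker state of the hosting volume. The folder path and group name are placeholders; all three tools ship with Windows Vista SP1, Windows 7 and Server 2008.

```powershell
# Added example (not from the original article). Layers NTFS permissions (run-time), EFS
# (run-time and off-line, per user) and BitLocker (off-line, per volume) on one folder and
# reports the state of each layer. Placeholders: the folder path and the group name.
# Run from an elevated prompt.

$Folder = 'C:\ClientData\Configs'      # assumed path
$Group  = 'CONTOSO\ConfigAdmins'       # assumed group; replace with the client's real group

function Get-VolumeProtectionState {
    param([string]$DriveLetter)        # e.g. 'C:'
    # manage-bde -status prints one "Protection Status:" line per volume.
    $out = & manage-bde.exe -status $DriveLetter 2>&1 | Out-String
    if ($out -match 'Protection Status:\s+Protection (On|Off)') { return "Protection $($Matches[1])" }
    return 'Unknown (not a BitLocker-capable volume or manage-bde unavailable)'
}

function Protect-SensitiveFolder {
    param([string]$Path, [string]$Group)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # 1. NTFS: run-time access control. Drop inherited ACEs, then grant only the data owners,
    #    SYSTEM and local Administrators (keep the last one or admins lock themselves out).
    & icacls.exe $Path /inheritance:r | Out-Null
    & icacls.exe $Path /grant:r "${Group}:(OI)(CI)M" 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

    # 2. EFS: mark the folder so new files are encrypted, and encrypt existing files (/a)
    #    in the folder and its subfolders (/s). The first use by this account generates its
    #    EFS certificate; the private key is stored in the user's profile.
    & cipher.exe /e /a "/s:$Path" | Out-Null

    # 3. BitLocker: the off-line layer. It is a property of the volume, so only report it here.
    $drive     = Split-Path -Path $Path -Qualifier
    $encrypted = ((Get-Item -LiteralPath $Path).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0

    New-Object PSObject -Property @{
        Path       = $Path
        NtfsAcl    = ((& icacls.exe $Path) | Where-Object { $_ -match '\(' }) -join '; '
        EfsApplied = $encrypted
        BitLocker  = Get-VolumeProtectionState -DriveLetter $drive
    }
}

Protect-SensitiveFolder -Path $Folder -Group $Group | Format-List
```

The report line for BitLocker is the one to watch: if it reads "Protection Off", the NTFS ACL and the EFS attribute still hold at run-time, but an attacker who pulls the disk gets every file that is not EFS-encrypted, and EFS only helps if the user's profile (and with it the private key) is not on the same unencrypted disk.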

There are a couple of other points that are important to understand:

BitLocker: As long as the data stays on the disk, wherever that disk goes the data is protected. Encryption goes with the disk.

EFS: Encryption of the file or folder exists only on the system EFS was applied on. If you move or copy the file to another system (say a remote file share) or to a non-NTFS volume, it is written in the clear. Protection is specific to the system.

NTFS permissions: When copying or moving a file or folder, the permissions may change depending on where you move it (a copy inherits the permissions of its destination folder). For all intents and purposes protection is specific to the system.

If used correctly, the combination of NTFS, EFS and BitLocker can provide comprehensive off-line and run-time protection for data at rest.

BitLocker details

BitLocker sees volumes in two flavors: operating system volumes and data volumes. An operating system volume can be secured using one or more of the following modes:

Transparent: Uses a Trusted Platform Module (TPM) version 1.2 or higher to protect the encryption keys, so that the system boots normally with no user interaction. The TPM does not simply store the key; BitLocker seals the key to measurements of the boot components (see TPM validation below) and the TPM releases it only if those measurements are unchanged. A TPM is a hardware component that securely generates and stores cryptographic keys, generates random numbers, and provides remote attestation (a signed cryptographic summary of the hardware, firmware and software configuration) and sealed storage (encrypting data together with the platform state the TPM must be in before it will decrypt it). Use this mode when you want minimal user interaction and you trust the physical security of the hardware the disk sits in. The primary protection this mode provides is against someone removing the disk and attacking it off-line (plugging it into another system and attempting to read the data); it does not stop an attacker who can boot the original machine and attack the running operating system at the logon screen.

User authentication (PIN): Requires the user to enter a PIN during pre-boot; the PIN is combined with the TPM to release the keys needed to access the data, so this mode is always used in conjunction with a TPM. Use this mode when you don't trust the physical protection of the hardware (i.e., a laptop that can be stolen versus a system in a locked office), want to require some user interaction for the additional protection it provides, and are satisfied with knowledge of the PIN entered at boot time as the additional factor. This enhances transparent mode by adding a layer of security that requires the user's presence.

USB key: Requires the user to insert a USB device containing a startup key during pre-boot. The startup key is then used to release the keys needed to access the data. This can be used standalone (on hardware without a TPM) or in conjunction with a PIN and/or the TPM. Use this mode when you don't trust the physical protection of the hardware, want to require user interaction, and want possession of a physical token, rather than (or in addition to) knowledge of a PIN, to be the additional factor. Keep in mind that a startup key left in the laptop bag travels with the stolen laptop.

You can use the following combinations of the above authentication mechanisms when enabling BitLocker for the volume that contains the running operating system:

USB key only
TPM only
TPM + PIN
TPM + USB key
TPM + PIN + USB key
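As an added example (mine, not the article's), the PowerShell below maps each of these combinations onto manage-bde.exe, the command-line tool shipped with Windows Vista SP1, Windows 7 and Server 2008 (the Enable-BitLocker cmdlets only arrived with Windows 8). It adds a numerical recovery password before the chosen pre-boot protector, escrows that password in Active Directory and starts encryption. The drive letters and the Get-BitLockerSummary helper are this example's assumptions; the manage-bde switches are the tool's own.

```powershell
# Added example (not the article's own code): enable BitLocker on the OS volume with one of the
# pre-boot protector combinations the tip lists, using manage-bde.exe. Assumed placeholders:
# the OS drive letter and the removable drive that receives a .BEK startup key.
# Run elevated. 'StartupKey' (USB only) needs the Group Policy setting that allows BitLocker
# without a compatible TPM.

function Get-StatusField {
    param([string]$Text, [string]$Label)
    # manage-bde -status prints "<Label>:    <value>" lines; pull one value by label.
    if ($Text -match "$Label\s*:\s+(.+)") { return $Matches[1].Trim() }
    return 'Unknown'
}

function Get-BitLockerSummary {
    param([string]$Drive)
    $status = & manage-bde.exe -status $Drive | Out-String
    New-Object PSObject -Property @{
        Drive      = $Drive
        Method     = Get-StatusField $status 'Encryption Method'
        Conversion = Get-StatusField $status 'Conversion Status'
        Protection = Get-StatusField $status 'Protection Status'
    }
}

function Enable-OsVolumeBitLocker {
    param(
        [ValidateSet('TPM', 'TPMAndPIN', 'TPMAndStartupKey', 'TPMAndPINAndStartupKey', 'StartupKey')]
        [string]$Mode,
        [string]$OsDrive = 'C:',          # assumed
        [string]$StartupKeyDrive = 'E:'   # assumed: removable drive for the .BEK file
    )

    # 1. Recovery password first: without it a failed TPM validation locks you out for good.
    & manage-bde.exe -protectors -add $OsDrive -RecoveryPassword | Out-Null

    # 2. The pre-boot protector. manage-bde prompts interactively for a PIN when the mode needs
    #    one, and writes the startup key to the removable drive when the mode needs one.
    $bdeArgs = @('-protectors', '-add', $OsDrive, "-$Mode")
    if ($Mode -like '*StartupKey*') { $bdeArgs += $StartupKeyDrive }
    & manage-bde.exe @bdeArgs | Out-Null

    # 3. Escrow the recovery password in AD DS (domain-joined machine, BitLocker schema and the
    #    AD backup policy in place). -adbackup needs the protector ID, read from the -get listing.
    $listing = & manage-bde.exe -protectors -get $OsDrive | Out-String
    if ($listing -match 'Numerical Password:\s+ID:\s+(\{[0-9A-Fa-f-]+\})') {
        & manage-bde.exe -protectors -adbackup $OsDrive -id $Matches[1] | Out-Null
    } else {
        Write-Warning "No numerical password protector found on $OsDrive; nothing escrowed."
    }

    # 4. Start encryption. With any TPM mode BitLocker first runs a hardware test on the next
    #    reboot and only then encrypts, in the background, while the system is in use.
    & manage-bde.exe -on $OsDrive | Out-Null

    Get-BitLockerSummary -Drive $OsDrive
}

# Laptop per the tip's recommendation: TPM + PIN.
Enable-OsVolumeBitLocker -Mode TPMAndPIN | Format-List
```

Run it on a machine whose TPM has already been initialized (tpm.msc or manage-bde -tpm) and whose disk has the separate system partition BitLocker requires. Conversion Status will read "Encryption in Progress" until the background pass finishes; Protection Status only turns "On" once encryption is complete and the protectors are in force, and that is the value to check before handing the machine to a client.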

For data volumes, you have three options:

Automatic: The volume's encryption key is protected by a key stored on the Windows (operating system) volume, which is itself protected by BitLocker (effectively by the TPM or USB key). To automatically unlock fixed data drives, the drive Windows is installed on must therefore also be encrypted by BitLocker.

Smart card: A BitLocker certificate on the smart card protects the volume's encryption key. To unlock the drive, you insert the smart card and enter its PIN.

Password: The user's password secures the volume's encryption key. To unlock the drive, you enter the password.

TPM validation

By default, when the system starts, the TPM's measurements of the boot components are compared with the values the key was sealed to. A number of items are covered, but the ones I care about most are:

BIOS
Master Boot Record code and partition table
NTFS boot sector and boot block
Boot Manager
BitLocker access control

If any of these has changed since BitLocker protection was enabled, the TPM will not release the volume's encryption key and the system enters BitLocker recovery mode. From there you will need one of the following:

Enter the 48-digit numerical recovery password (not available in FIPS-compliance mode on Windows Vista and Windows 7)
Insert a USB flash drive containing the 256-bit recovery key
Retrieve the recovery password from its backup in Active Directory Domain Services (if AD backup was configured before the change)

Using BitLocker for customer data protection

Getting back to our vantage point, here are my recommendations for using BitLocker as part of a resale offering or in a generic architecture for your client. Use a newer system with a compatible TPM chip, and use the following authentication modes:

Laptop: TPM + PIN. I don't want a stolen laptop to rely only on the TPM for protection.

General desktop or server in a datacenter: Transparent. The protection level is commensurate with the risk, and I want systems to be able to reboot automatically after maintenance.

Secure desktop, or server not in a datacenter: TPM + USB or TPM + PIN. These are important systems deserving special consideration due to the lack of more stringent physical controls.

Print the recovery key and provide it with the physical machine if applicable. The printed copy must not stay with the machine once it is in service: a recovery password kept with the hardware hands the data to whoever takes the hardware, so hand it over separately and have the client file it in a safe or rely on the Active Directory backup.

Require a minimum 8-digit PIN.

Allow the use of passwords on removable drives (passwords cannot be used if FIPS compliance is enabled).

Using BitLocker and these recommendations gives you the ability to provide your clients added security for their data without significant heartache. For example, if I were deploying a software package that needed secure storage of configuration files that may contain sensitive information or keys, I would configure the system to use BitLocker for off-line protection. Another example would be to ensure that any removable USB drive is encrypted before any sensitive data is stored on it.
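To check a machine against these recommendations, here is an added audit script (mine, not the article's) that reads protector types from the Win32_EncryptableVolume WMI class, the TPM state from Win32_Tpm, and the registry values written by the BitLocker Group Policy settings for minimum PIN length, removable-drive passwords and FIPS mode. The laptop-versus-desktop decision from the SMBIOS chassis type and the wording of the findings are this example's assumptions.

```powershell
# Added example (not from the original article): audit a Windows host against the tip's
# BitLocker recommendations. Uses the BitLocker and TPM WMI providers plus the registry
# values the BitLocker Group Policy settings write. Assumptions: SMBIOS chassis type decides
# "laptop", and the finding texts are this example's own. Run elevated; PowerShell 2.0 syntax.

$FveNs     = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$TpmNs     = 'root\cimv2\Security\MicrosoftTpm'
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$FipsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

# Win32_EncryptableVolume.GetKeyProtectorType codes
$ProtectorName = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword';
                    4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey';
                    7 = 'PublicKey'; 8 = 'Passphrase' }

function Get-RegistryValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null } else { return $item.$Name }
}

function Test-IsLaptop {
    # SMBIOS chassis types 8 Portable, 9 Laptop, 10 Notebook, 14 Sub Notebook
    $types = @((Get-WmiObject -Class Win32_SystemEnclosure).ChassisTypes)
    foreach ($t in $types) { if (@(8, 9, 10, 14) -contains $t) { return $true } }
    return $false
}

function Get-ProtectorNames($Volume) {
    $ids = @($Volume.GetKeyProtectors(0).VolumeKeyProtectorID)   # 0 = all protector types
    foreach ($id in $ids) {
        $code = [int]$Volume.GetKeyProtectorType($id).KeyProtectorType
        if ($ProtectorName.ContainsKey($code)) { $ProtectorName[$code] } else { "Type$code" }
    }
}

function Invoke-BitLockerAudit {
    $findings = @()
    $osDrive  = $env:SystemDrive          # e.g. 'C:'
    $laptop   = Test-IsLaptop

    $tpm = Get-WmiObject -Namespace $TpmNs -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        $findings += 'No TPM: only USB startup key mode is available for the OS volume.'
    } elseif (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
        $findings += 'TPM present but not enabled and activated in firmware.'
    }

    $minPin = Get-RegistryValue $FvePolicy 'MinimumPIN'
    if ($null -eq $minPin -or [int]$minPin -lt 8) {
        $findings += "Minimum startup PIN policy is not set to 8 or more (value: '$minPin')."
    }
    if ((Get-RegistryValue $FipsKey 'Enabled') -eq 1) {
        $findings += 'FIPS mode is on: no numerical recovery password and no passwords on removable drives.'
    } elseif ((Get-RegistryValue $FvePolicy 'RDVPassphrase') -eq 0) {
        $findings += 'Passwords on removable drives are disabled by policy.'
    }

    foreach ($vol in @(Get-WmiObject -Namespace $FveNs -Class Win32_EncryptableVolume)) {
        $letter = $vol.DriveLetter
        if (-not $letter) { continue }
        if ($vol.ProtectionStatus -ne 1) { $findings += "$letter is not protected by BitLocker."; continue }
        $protectors = @(Get-ProtectorNames $vol)
        Write-Host ("{0} protectors: {1}" -f $letter, ($protectors -join ', '))
        if ($letter -ne $osDrive) { continue }
        # ExternalKey covers both a startup key and a recovery key .BEK; WMI cannot tell them apart.
        if ($protectors -notcontains 'NumericalPassword' -and $protectors -notcontains 'ExternalKey') {
            $findings += "$letter has no recovery password or recovery key; a failed TPM validation cannot be recovered."
        }
        if ($laptop -and $protectors -notcontains 'TPMAndPIN' -and $protectors -notcontains 'TPMAndPINAndStartupKey') {
            $findings += "$letter on a laptop does not require a PIN at boot; the tip recommends TPM + PIN."
        }
    }
    return $findings
}

Invoke-BitLockerAudit | ForEach-Object { Write-Output "FINDING: $_" }
```

An empty finding list means the host matches the recommendations above; the protector lines printed per volume show which of the combinations is actually in force, which is worth keeping in the hand-over record alongside the escrowed recovery password.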

About the Author

Philip Cox is Director, Security and Compliance at SystemExperts Corporation, a consulting firm that specializes in system security and management. He is a well-known authority in the areas of system integration and security. His experience includes Windows, UNIX and IP-based network integration, firewall design and implementation, and ISO 17799 and PCI compliance. Phil frequently writes and lectures on issues dealing with heterogeneous system integration and compliance with PCI DSS. He is the lead author of Windows 2000 Security Handbook, Second Edition (Osborne McGraw-Hill) and a contributing author of Windows NT/2000 Network Security (Macmillan Technical Publishing).