DriveLock and Windows 7



Why Windows 7 alone is not enough

CenterTools Software GmbH, 2011

Copyright. Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. 2011 CenterTools Software GmbH. All rights reserved. CenterTools and DriveLock and others are either registered trademarks or trademarks of CenterTools GmbH or its subsidiaries in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Introduction

Microsoft Windows 7 represents a big advance in the Windows family of operating systems. Many of the new features in Windows 7 will help organizations with the tasks of administering and securing their network environments. However, some of the new security features in Windows 7 only provide basic protection and are difficult to administer. When evaluating Windows 7, most organizations will find that Windows 7 alone does not provide the protection they need. For effective data encryption, device control and application control, organizations will still need to depend on third-party solutions such as CenterTools DriveLock.

This whitepaper compares the limited protection that is included in Windows 7 with the comprehensive protection mechanisms of DriveLock. This includes the following functionality:

- Full Disk Encryption (BitLocker)
- Device control
- Removable media encryption (BitLocker To Go)
- Application control (AppLocker)
- Antivirus / Antimalware
- Security Management

Full Disk Encryption

BitLocker is the Full Disk Encryption feature that is included with certain versions of Windows Vista and Windows 7. When configured correctly, BitLocker provides strong and effective protection for confidential data on internal hard drives. However, deployment is only feasible if all computers meet certain system requirements. Windows provides no central monitoring capabilities for BitLocker, and the sharing of pre-boot credentials among all users of a protected computer can significantly lower the security of data on shared computers. The following table describes the most important differences between BitLocker and DriveLock Full Disk Encryption.

Hardware requirements
  BitLocker: For effective use of BitLocker the computer must contain a Trusted Platform Module (TPM) chip. While BitLocker can be used without a TPM chip, such configurations are not recommended by Microsoft, are difficult to use and are less secure.
  DriveLock: DriveLock requires no special hardware for Full Disk Encryption.

Supported client operating systems
  BitLocker: Only included with certain expensive editions of Windows Vista and Windows 7.
  DriveLock: Supported on all editions of Windows XP, Windows Vista and Windows 7.

Smart card and token support
  BitLocker: Smart card and token authentication is not available during the pre-boot phase.
  DriveLock: DriveLock supports many types of smart cards and tokens for pre-boot authentication.

Hardware changes
  BitLocker: With BitLocker and a TPM chip, Windows 7 interrupts the boot process when certain hardware changes are detected. This may even include removing a laptop computer from a docking station. An administrator must manually reconfigure TPM settings to re-enable the normal boot process.
  DriveLock: DriveLock can alert users to certain hardware changes that may indicate compromised security. If the hardware change was legitimate, administrators can centrally disable these warnings and update the configuration to the current state of the hardware.

Pre-boot security
  BitLocker: The disk encryption key is stored on a TPM chip and protected using a PIN that is specific to the computer. A user must enter the PIN before the disk can be accessed. Users who use multiple BitLocker-protected computers must remember several PINs. Any person who knows the PIN, including former employees, can access the computer indefinitely.
  DriveLock: DriveLock supports up to 200 distinct users on each computer for pre-boot authentication. Users only need to remember their Windows credentials to authenticate. When employees leave the organization, pre-boot accounts can be removed to prevent further access to protected computers.

Single sign-on to Windows
  BitLocker: Windows 7 requires users to authenticate twice, first during the pre-boot phase and then again at the Windows logon prompt.
  DriveLock: DriveLock enables single sign-on. Users authenticate during the pre-boot phase using their Windows credentials and are then automatically logged on to Windows using the same credentials.

Emergency logon
  BitLocker: When a user has lost access to the computer, temporary access can be granted using a 40-character key until an administrator changes the PIN for the TPM. Any person who knows this key will be able to access the computer indefinitely.
  DriveLock: Using a challenge/response mechanism, an administrator can provide one-time logon credentials to a user who forgot a password. Once the user changes his or her password, regular logon procedures can be used again.

Dealing with corrupted disks
  BitLocker: Many types of disk corruption can result in data that is permanently inaccessible or that requires lengthy and difficult procedures to decrypt the disk and restore access. Recovery is not possible if certain elements of the disk structure can no longer be read.
  DriveLock: DriveLock lets administrators remove encryption even from badly damaged disks to allow access to any data that can still be read from the physical disk. DriveLock Fast Recovery lets administrators save important files from a damaged disk to removable media within minutes. The data can be copied to a different computer to allow users to continue their work quickly.

Central administration
  BitLocker: Administrators can centrally configure some basic BitLocker settings using Group Policy. Configuring exceptions for some computers can be very difficult. Even if BitLocker is centrally administered, a local administrator must still manually configure the TPM for each computer and initiate the disk encryption.
  DriveLock: DriveLock settings can be easily configured centrally using Group Policy. At the same time, it is very easy to create exceptions for some computers. Disk encryption can be initiated from a central location without requiring local access to the computer.

Central storage of recovery keys
  BitLocker: An upgrade of the Active Directory operational mode and schema extensions may be required to store recovery keys in Active Directory. Helpdesk personnel must use domain administration tools to retrieve these keys.
  DriveLock: Recovery keys can be stored in the DriveLock Enterprise Service and retrieved using intuitive helpdesk tools. No changes to Active Directory are required.

Monitoring
  BitLocker: Windows contains no tools for efficiently monitoring the status of encrypted drives across the network.
  DriveLock: The DriveLock Control Center provides visibility of the encryption status across the enterprise.

Remote Wipe
  BitLocker: Windows provides no mechanism for remotely wiping a computer.
  DriveLock: Administrators can mark a computer to be wiped. At the next connection of this computer to the DriveLock Enterprise Service, all user logon data is purged and the computer is shut down. A remote wipe prevents any use of the computer, even by individuals who know a valid user name and password; only administrators with access to a recovery certificate can still use the computer.

Full Disk Encryption Scenarios Not Supported By Windows 7

The following list contains just a few examples of common Full Disk Encryption requirements that DriveLock can easily enable, but that are impossible or impractical to configure with Windows 7:

- Single sign-on using Windows credentials.
- Sharing of computers with an encrypted hard disk by multiple users, while maintaining separate credentials for each user that can be revoked when a user leaves the organization.
- One-time passwords for emergency logon.
- Remote wiping of a computer.
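The Monitoring row above states that Windows ships no tool for checking encryption status across the network. What Windows 7 does expose is a per-computer WMI class, Win32_EncryptableVolume, which BitLocker's own tools query locally. The following PowerShell script is an added example, not code from the whitepaper or from CenterTools or Microsoft: it queries that class on a list of computers and flags any volume that is not both protected and fully encrypted. The computer names are constructed placeholders; the script assumes the account running it is a local administrator on the targets and that remote WMI (DCOM) is reachable.

```powershell
# Added example (not from the CenterTools whitepaper): collect BitLocker status
# from a list of Windows 7 computers over WMI, using the Win32_EncryptableVolume
# class that BitLocker exposes. Computer names below are constructed placeholders.
# Requires local administrator rights on each target and reachable remote WMI.

$computers = @('WS-FINANCE-01', 'WS-SALES-07', 'LAPTOP-HR-03')   # constructed sample names

$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# ProtectionStatus property values documented for Win32_EncryptableVolume
$protection = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
# ConversionStatus values returned by the GetConversionStatus() method
$conversion = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress';
                 3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }

$report = foreach ($c in $computers) {
    try {
        $volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                                 -ComputerName $c -ErrorAction Stop
    } catch {
        # Unreachable host, or an edition of Windows without the BitLocker WMI provider
        New-Object PSObject -Property @{
            Computer = $c; Drive = '-'; Protection = 'QueryFailed'
            Conversion = $_.Exception.Message; Percent = $null
        }
        continue
    }
    foreach ($v in $volumes) {
        # GetConversionStatus returns its out-parameters as properties of the result
        $conv = $v.GetConversionStatus()
        New-Object PSObject -Property @{
            Computer   = $c
            Drive      = $v.DriveLetter
            Protection = $protection[[int]$v.ProtectionStatus]
            Conversion = $conversion[[int]$conv.ConversionStatus]
            Percent    = $conv.EncryptionPercentage
        }
    }
}

# Full inventory, then a CSV of everything that needs follow-up
$report | Sort-Object Computer, Drive |
    Format-Table Computer, Drive, Protection, Conversion, Percent -AutoSize
$report | Where-Object { $_.Protection -ne 'Protected' -or $_.Conversion -ne 'FullyEncrypted' } |
    Export-Csv -Path .\bitlocker-exceptions.csv -NoTypeInformation
```

A volume can report Protected while still encrypting, and FullyEncrypted while its protectors are suspended (for example after a BIOS update), which is why the exception filter checks both columns rather than either one alone. Querying each workstation individually is exactly the kind of scripting the whitepaper's comparison implies an organization must build and maintain itself when relying on Windows 7 alone.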

Device Control

Windows 7 only provides rudimentary device control, which is difficult and tedious to administer. Rather than dynamically locking and unlocking devices for users based on a set of rules, Windows 7 restricts the installation of device drivers. This means that all required device drivers must be installed before device control is activated. Modifying rules at a later point is difficult or impossible. Also, granular rules are not available. Most rules apply broadly to certain device classes, and the whitelisting of specific devices requires tedious editing of registry and Group Policy settings. The following table compares Windows 7 device control to the more advanced device control capabilities of DriveLock.

Allow users to install only authorized devices
  Windows 7: Requires administrators to manually create a list of allowed devices by installing them on a computer, recording hardware settings for each device, and then copying these settings into a GPO. This is not practical in an environment where multiple computer configurations are in use. Devices can only be controlled by model, but not based on device type or a specific serial number.
  DriveLock: DriveLock can scan computers for installed devices and then allows administrators to use this data to create whitelist policies. Administrators normally don't have to track down hardware identifiers of each allowed device. More important, DriveLock can allow or deny access to entire device classes or allow access to a unique device based on its serial number.

Prevent installation of prohibited devices
  Windows 7: Windows 7 can accomplish this, but excluding specific devices from a network is not a common scenario and is not practical. Devices that have already been installed can't be controlled.
  DriveLock: As with rules that allow access, DriveLock can block access by device class, device serial number and user or group. Blocking takes effect even for devices that were installed before the policy is applied. Device information about prohibited drives can be collected from the Device Scanner database, so an administrator doesn't need to install the device on a computer and manually record the device information.

Control read and write permissions for removable media
  Windows 7: Windows 7 only allows administrators to allow or deny all access to several types of removable devices.
  DriveLock: DriveLock recognizes more types of devices and provides more granular control. Read or write access can be controlled based on user, file type or even a specific device.
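The "Allow users to install only authorized devices" row describes the manual Windows 7 procedure: install the device, record its hardware IDs, paste them into the Device Installation Restrictions GPO. The script below is an added example, not code from the whitepaper or from Microsoft, that automates the "record" step for USB storage: it reads the hardware IDs Windows has already stored under the USBSTOR enumerator key of the local computer and prints them in the form the policy setting "Allow installation of devices that match any of these device IDs" expects. The registry layout and the serial-number heuristic are standard Windows behaviour; treat the output as an inventory of what has been plugged in, not as a list of what is authorized.

```powershell
# Added example (not from the CenterTools whitepaper): list the hardware IDs of
# USB storage devices previously connected to this Windows 7 computer, in the
# form used by the Group Policy setting "Allow installation of devices that match
# any of these device IDs" (Computer Configuration > Administrative Templates >
# System > Device Installation > Device Installation Restrictions).

$enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

$devices = foreach ($model in Get-ChildItem -Path $enumKey) {
    # One subkey per model (Disk&Ven_...&Prod_...&Rev_...), one subkey below that
    # per device instance. For USB mass storage the instance name is the serial
    # number the device reported plus a "&<LUN>" suffix; devices that report no
    # serial get a Windows-generated name that contains further '&' characters.
    foreach ($instance in Get-ChildItem -Path $model.PSPath) {
        $props    = Get-ItemProperty -Path $instance.PSPath
        $instName = $instance.PSChildName
        $serial   = $instName -replace '&\d+$', ''          # drop the LUN suffix
        if ($serial -match '&') { $serial = "(none reported; generated ID $instName)" }

        New-Object PSObject -Property @{
            Model        = $model.PSChildName
            FriendlyName = $props.FriendlyName
            Serial       = $serial
            # HardwareID is REG_MULTI_SZ: the most specific ID comes first,
            # more generic compatible IDs follow.
            HardwareIDs  = @($props.HardwareID)
        }
    }
}

$devices | Format-Table FriendlyName, Model, Serial -AutoSize

# The policy matches on hardware or compatible IDs. Even the most specific
# hardware ID names vendor, product and revision, never the individual unit:
# this is the "by model, not by serial number" limitation the whitepaper describes.
Write-Host "`nHardware IDs for the allow list (one per line):"
$devices | ForEach-Object { $_.HardwareIDs[0] } | Sort-Object -Unique
```

The serial column is informational only: Device Installation Restrictions cannot consume it, which is why two units of the same model cannot be told apart by the built-in policy. Run the script on each representative hardware configuration, merge the outputs, and review the list before it becomes policy.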

Auditing of device usage
  Windows 7: Windows 7 can't do this.
  DriveLock: DriveLock's Device Scanner, Control Center and file shadowing capabilities satisfy the needs of most organizations for auditing device usage and collecting forensic evidence.

Temporary unlocking of devices to enable exceptions
  Windows 7: Windows 7 can't do this.
  DriveLock: DriveLock enables online and offline unlocking of devices for a fixed period of time. This enables help desk personnel to respond in situations where legitimate access to removable devices is needed even if the currently active policy denies this access.

Device Control Scenarios Not Supported By Windows 7

The following list contains just a few examples of common device control requirements that DriveLock can easily enable, but that are impossible or impractical to configure with Windows 7:

- All users may use any USB-connected mouse or keyboard, but not removable storage devices.
- Only administrators and help desk personnel are allowed to use removable storage devices.
- No executable files may be copied from removable media to a corporate computer, except by administrators.
- All data copied to USB flash drives must be encrypted.
- Administrators need to be alerted when a user uses a removable device contrary to company policy.
- Help desk personnel must be able to let a remote user copy a file to a USB flash drive even when the current policy normally prevents this.
- Users should only be allowed to use company-issued USB flash drives.
- Users should be allowed to listen to music CDs, but they may not access CDs that contain data.

Removable Media Encryption

BitLocker To Go provides users with an easy method for encrypting all data on certain removable devices. However, other media, such as CDs and DVDs, cannot be encrypted, and access to data on encrypted drives is read-only on computers running earlier versions of Windows. Encryption can be centrally enforced using Group Policy. Administrators can configure encryption enforcement and central backup of recovery information for encrypted drives. When enforcing encryption settings, organizations have to use a one-size-fits-all approach because BitLocker does not allow exceptions to the policy settings. The recovery process for lost passwords by a recovery agent requires physical access to an encrypted device. For end-user recovery, the user needs a recovery key that can be used to access a device indefinitely, even after the user has left the company. Encrypted device use cannot be monitored for compliance purposes. The following table compares BitLocker To Go to the more advanced removable media encryption capabilities of DriveLock.

Encryption of mobile data
  BitLocker To Go: BitLocker To Go can transparently encrypt data on USB flash drives. But there are some limitations, such as that the only supported file system on the USB flash drive is FAT.
  DriveLock: DriveLock can transparently encrypt all data copied to and from USB flash drives and other removable devices. DriveLock can also enforce that only encrypted devices can be used on a computer.

Universal access
  BitLocker To Go: Only read access to encrypted devices is possible on a Windows XP or Vista client.
  DriveLock: DriveLock lets users create and access encrypted devices on computers running Windows XP or higher. With DriveLock Mobile it is possible to use an encrypted USB drive also outside of a DriveLock installation, e.g. at home.

Device support
  BitLocker To Go: Only USB media can be encrypted.
  DriveLock: DriveLock can encrypt any type of removable media and includes a wizard to burn encrypted CDs and DVDs. Encrypted containers can also be created on internal hard drives.

Password recovery
  BitLocker To Go: When a user forgets the encryption password, a designated recovery agent can access the data. If recovery information was stored in Active Directory, a 40-character password recovery key can also be retrieved and provided to the user. Any person who knows this key will be able to access the device indefinitely.
  DriveLock: When a user forgets an encryption password, helpdesk personnel who have been provided with a recovery certificate can access the data. Using a challenge/response mechanism, an administrator can also provide a one-time code to allow a user to reset the password.

Monitoring
  BitLocker To Go: Windows 7 has no meaningful method for monitoring the use of storage devices, whether they are encrypted and what data is copied to these devices.
  DriveLock: DriveLock includes extensive monitoring of encryption status, device use and file operations using the DriveLock Control Center.

Removable Media Encryption Scenarios Not Supported By Windows 7

The following list contains just a few examples of common removable media encryption scenarios that DriveLock makes possible, but that are impossible or impractical to configure with Windows 7:

- Full read/write access to encrypted drives and media on computers running older versions of Windows
- Encryption of writable optical media, such as CD-R and DVD-R
- One-time codes for data recovery
- Central monitoring and reporting of removable media encryption
- Enforced encryption for certain drives while allowing other drives to remain unencrypted
- Enforcing encryption for some users while allowing other users to access unencrypted media

Application Control

Application Control lets administrators control which applications users can start and prevents unauthorized applications from running on a computer. Windows 7 includes AppLocker, the much improved successor to the Software Restriction Policies that were available in earlier versions of Windows. When administrators define which applications are allowed to run on a computer, all other applications are automatically blocked. AppLocker can be effective for enforcing application use on highly standardized desktops that require only a few applications to run. However, it is not practical to manage this feature in the diverse computing environments that are typical of today's IT landscape. The following table compares AppLocker to the more advanced application control capabilities of DriveLock.

System Requirements
  AppLocker: Works only with Windows 7 and requires at least one Domain Controller running Windows Server 2008 R2. An upgrade of the Active Directory operational mode and schema extensions may be required.
  DriveLock: Works on Windows XP, Windows Vista and Windows 7. There is no Active Directory or domain controller version requirement.

Defining which applications are allowed to run or prevented from running
  AppLocker: Administrators can specify applications based on a software publisher, the hash of a specific file or a file location. Publisher rules are very flexible and can be used to allow all signed programs, all programs from the same software publisher, multiple software versions or just one specific version of one application. Application files in the same folder can be added to a rule in a single step.
  DriveLock: DriveLock can use the same types of rules as AppLocker. In addition, built-in rules for common files, such as all Windows files, can be used to quickly create whitelist rules. File owner rules make it easy to allow users to run all applications that were installed by an administrator or installation account.

Rule creation
  AppLocker: All applications must be added manually to whitelists or blacklists. Even in a small network this can be a lengthy and tedious task.
  DriveLock: DriveLock can scan a reference computer for all applications that are currently installed and automatically create a whitelist template that allows all of these applications to run. Applications can also be added from an online database containing hashes for over a million applications.

Maintaining application rules
  AppLocker: Most new applications need to be manually added to the rules before users can run them. Software publisher rules can be configured so they don't need to be updated when a new version of the software is installed.
  DriveLock: DriveLock rules that are based on software publisher certificates can also be configured to automatically allow updated versions of a program. In addition, file owner rules automatically allow newer applications to run if they were installed by an administrator or other designated user.

Granularity
  AppLocker: Each set of AppLocker rules is enforced on all computers that a Group Policy Object applies to. The policy may contain separate permissions for different users and groups.
  DriveLock: In addition to specifying permissions for users and groups, DriveLock policies allow for much more granularity. For example, policies may apply only when a computer is connected to a certain network or during certain times of the day.

Auditing and Monitoring
  AppLocker: Successful and blocked attempts to start an application are recorded in the local Windows Event Log only.
  DriveLock: The DriveLock Control Center lets administrators centrally audit application use on all client computers and create detailed reports.

Application Control Scenarios Not Supported By Windows 7

The following list contains just a few examples of common application control scenarios that DriveLock makes possible, but that are impossible or impractical to configure with Windows 7:

- Automatically whitelisting all applications that are installed using designated administrator or service accounts
- Blacklist or whitelist rules based on a company-wide database of applications
- Rules based on an online database of millions of applications
- Rules based on whitelist templates that include all executable files that are part of complex applications
- Rule enforcement based on network location (office, traveling, etc.)
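The "Auditing and Monitoring" row notes that AppLocker writes its decisions only to each computer's local event log. An administrator who wants a network-wide view with Windows 7 alone has to collect those logs. The script below is an added example, not code from the whitepaper or from Microsoft: it reads the AppLocker "EXE and DLL" log from several computers and lists every blocked (event ID 8004) or audit-only-would-block (event ID 8003) start attempt from the last seven days. The computer names are constructed placeholders; the script assumes the Remote Event Log Management firewall exception is open on the targets and the caller may read their event logs.

```powershell
# Added example (not from the CenterTools whitepaper): gather AppLocker EXE/DLL
# decisions from several Windows 7 computers into one list. Event IDs in the
# "Microsoft-Windows-AppLocker/EXE and DLL" log: 8002 = allowed,
# 8003 = would have been blocked (audit-only mode), 8004 = blocked (enforced).
# Computer names below are constructed placeholders.

$computers = @('WS-FINANCE-01', 'WS-SALES-07', 'LAPTOP-HR-03')   # constructed sample names
$since = (Get-Date).AddDays(-7)
$log   = 'Microsoft-Windows-AppLocker/EXE and DLL'

$events = foreach ($c in $computers) {
    try {
        $raw = Get-WinEvent -ComputerName $c -ErrorAction Stop -FilterHashtable @{
            LogName = $log; Id = 8003, 8004; StartTime = $since
        }
    } catch {
        # Get-WinEvent throws when the host is unreachable, when the log does not
        # exist (AppLocker never applied there) or when no event matches the filter.
        Write-Warning ("{0}: {1}" -f $c, $_.Exception.Message)
        continue
    }
    foreach ($e in $raw) {
        if ($e.Id -eq 8004) { $outcome = 'Blocked' } else { $outcome = 'AuditOnly' }
        New-Object PSObject -Property @{
            Computer = $c
            Time     = $e.TimeCreated
            Outcome  = $outcome
            User     = $e.UserId      # SID of the account that tried to start the program
            Message  = $e.Message     # contains the path of the file and the rule outcome
        }
    }
}

# Per-computer counts first, then the detail sorted newest-first
$events | Group-Object Computer | Select-Object Name, Count | Format-Table -AutoSize
$events | Sort-Object Time -Descending |
    Format-Table Computer, Time, Outcome, User, Message -AutoSize -Wrap
```

Running AppLocker in audit-only mode first and reviewing the 8003 events this way is the usual method for finding applications that a whitelist would break before switching to enforcement. The script is also a reasonable seed for a scheduled collection job; without one, the events age out of each local log and the history is lost.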

Antivirus / Antimalware

Windows 7: Windows 7 has no built-in protection against viruses and many other types of malicious software. To be protected, organizations need to purchase, install and administer a separate product.

DriveLock: DriveLock contains fully integrated protection against viruses and other malicious software. DriveLock Antivirus requires minimal computer resources and has industry-leading detection rates. Administration and monitoring are tightly integrated with DriveLock's other features.

Security Management

Windows 7: While each of the Windows 7 features described in this whitepaper can be centrally managed using Group Policy, administrators will have to become familiar with the intricacies of each component. Setting up the central storage of recovery keys is difficult and involves different steps for Full Disk Encryption and removable media encryption. Microsoft's tools for recovering these keys are unintuitive and limited. There is also no effective mechanism for central monitoring and reporting.

DriveLock: DriveLock uses an integrated console for configuring all settings and key recovery. This management console is intuitive and has been designed to guide administrators through the most common tasks to prevent errors that could impact user productivity. The management console also contains powerful tools for troubleshooting policy enforcement. The DriveLock Control Center lets administrators create comprehensive reports on user activity and contains sophisticated drill-down functionality that enables forensic analysis.

Conclusion

Organizations that are very small or have an extremely limited hardware base may find that Windows 7 is sufficient for controlling device usage. However, CenterTools believes that Windows 7 does not address the device control and security requirements of the vast majority of companies and organizations. Furthermore, when using the features built into Windows 7, granular device control requires an inordinate amount of administrative resources. Organizations that migrate to Windows 7 will find that additional software is required to provide effective and meaningful control of mobile devices. DriveLock provides granular and comprehensive device control. It is easy to implement, easy to administer and easy to use.