Paul A. Cooke - CISSP Director Microsoft Session Code: CLI311

Windows Vista BitLocker

Encrypts the OS volume Helps prevent the unauthorized disclosure of data when it is at rest Designed to utilize a Trusted Platform Module (TPM) v1.2

Secure key storage Boot Integrity Vista SP1 added support for multi volume/drive protection!

•

Windows 7 BitLocker What’s New

BitLocker Enhancements Automatic 100 Mb hidden boot partition New Key Protectors Domain Recovery Agent (DRA) Passwords Smart card Auto-Unlock

Windows 7 BitLocker What’s New

BitLocker To Go Support for FAT* Protectors: DRA, passphrase, smart card and/or auto-unlock Management: protector configuration, encryption enforcement Read-only access on Windows Vista & Windows XP

Disk Layout and Key Storage

Operating system volume contains:

Encrypted OS Encrypted page file Encrypted temp files Encrypted data Encrypted hibernation file

Where’s the encryption key?

SRK (Storage Root Key) contained in TPM SRK encrypts the VMK (Volume Master Key) VMK encrypts FVEK (Full Volume Encryption Key) – used for the actual data encryption FVEK and VMK are stored encrypted on the Operating System Volume

FVEK VMK SRK

Operating System Volume System System volume contains: MBR Boot Manager Boot Utilities

OS Volume Key Protectors

BitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with

TMP Only

“What it is.”

Dongle Only

“What you have.” XXXXX XXXXX Protects against: SW-only attacks

TPM + PIN

“What you know.” Vulnerable to: HW attacks (including potential “easy” HW attacks) Protects against: All HW attacks Vulnerable to: Losing dongle Pre-OS attacks Protects against: Many HW attacks Vulnerable to: TPM breaking attacks

TPM + Dongle

“Two what I have’s.” Protects against: Many HW attacks Vulnerable to: HW attacks Security

Trusted Platform Module (TPM)

Static root of trust measurement of early boot components

PreOS

TMP Init

Static OS All Boot Blobs unlocked Volume Blob of Target OS unlocked

BIOS MBR BootSector BootBlock BootManager Start OS OS Loader

Windows Vista BitLocker Volume

Boot Sector Boot Sector Pointers to other metadata copies Pointer to Primary Metadata Copy Encrypted Volume Data BitLocker Metadata Copies

Windows 7 BitLocker Volume

Virtual Boot Sector Boot Sector Virtual Boot Sector Pointers to other metadata copies Pointer to Primary Metadata Copy Encrypted Volume Data BitLocker Metadata Copies

Hardware Requirements

Trusted Platform Module Trusted Platform Module (TPM) v1.2

Trusted Platform Module (TPM) Compatible BIOS USB Flash Drive The system BIOS must support both reading and writing small files on a USB flash drive in the pre-operating system environment Disk Partitioning Separate reserved system partition using NTFS System partition minimum size of at least 100MB Choosing the right partitioning is key for a successful deployment System partition is a Windows 7 requirement not specific to BitLocker

Disk Partitioning Requirements Possible examples

Windows RE 250 MB NTFS System Partition 100 MB NTFS OS - Encrypted Remaining Disk NTFS System Partition/Windows RE 300 MB NTFS OS - Encrypted Remaining Disk NTFS Note: An additional 50MB is required on the recovery partition for volume snapshots during Complete PC backups

Recommendations

Standardize the hardware Hardware pre-build configuration (OEM) BIOS settings Enable and Activate the TPM BIOS passwords Minimize the number of reboots for your users Worst scenario – 4 reboots Best scenario – 1 reboot Number of reboots is key in a successful deployment of BitLocker

Recommendations

What requires reboots?

Repartitioning TPM initialization TPM ownership – requires physical presence BitLocker System Check Improve the user experience Deploy Windows with the recommended drive partitions Ask your OEM to enable the TPM Standardize the hardware to remove the requirement of the compatibility wizard

Group Policy Preparation

BitLocker Group Policy settings can Turn on BitLocker backup to Active Directory Enable advanced startup options, recovery options, etc.

Configure encryption method and strength Enable FIPS compliance before setting up BDE keys!

Enforce or disable specific protectors Enforce a minimum PIN length TPM Services Group Policy can Turn on TPM owner authorization backup to Active Directory Domain Services Configure the list of blocked TPM commands

Develop a Recovery Strategy

Define the process end-users will follow when recovery of a BitLocker system is needed Anticipate the recovery scenarios How to handle lost or forgotten Key Protectors?

Reset PIN, lost startup key How are disk drive failures recovered?

How are TPM hardware failures treated?

Recover from core files or pre-OS file (BIOS upgrade, etc…) updates which are not planned Recovering and diagnosing a deliberate attack

Active Directory Based Recovery

By default, no recovery information is backed up to AD Administrators can configure GP to enable backup of BitLocker or TPM owner authorization recovery info Schema needs to be extended Windows Server 2008 and 2008 R2 are “BitLocker Ready” All domain controllers in the domain must be at least Windows Server 2003 SP1 Recovery data saved for each computer object Recovery passwords - a 48-digit recovery password Key package data (optional) - helps recovery if the disk is severely damaged There is only one TPM owner password per computer There can be more than one recovery password per computer O/S Volume Data Volumes

Data Recovery Agent New Recovery Mechanism

Certificate-based key protector A certificate containing a public key is distributed through Group Policy and is applied to any drive that mounts The corresponding private key is held by a data recovery agent in the IT department Allows IT department to have a way to unlock all protected drives in an enterprise Saves space in AD – same Key Protector on all drives

Windows Recovery Environment

Set of tools for troubleshooting startup problems In Windows RE environment, user will be prompted for recovery credential on a BitLocker-enabled machine Contains the necessary drivers and tools to unlock and repair if necessary a BDE-protected volume WinRE boot image needs to reside on a non-encrypted volume BitLocker setup is now Windows RE “aware” and will move Windows RE to a proper partition if required.

Manage-BDE and Repair-BDE are now installed per default In Windows 7 In Windows PE and in the Windows Recovery Environment (Windows RE)

Recommendations

Group Policies Ensure that the group policies are configured before your deployment Most BitLocker GPOs are not retroactive TPM + PIN offers the best balance between security and user experience Recovery and authentication policies are specific to Vista and Windows 7 Leverage the group policy targeting mechanism for granularity Recovery Scenarios WinRE should be deployed in its own partition or on the system partition Test all your recovery scenarios Use Active Directory if you want to build custom recovery solutions Use Data Recovery Agents if you have a requirement for FIPS compliance

BitLocker Deployment

Deployment options During build process Post-build process User initiated Deployment methods Manage-BDE WMI SCCM Windows Deployment Tools Windows 7 Upgrade Scenario

Deployment Options

Configuration during build process Enabling and activating a TPM during this process will require user interaction to meet the physical presence requirement If backup of recovery info to AD is required, BDE must be enabled after the computer has joined your AD domain Starting encryption during the build process has performance impact, for example if there are additional tasks to be performed (install apps, etc) Consider starting encryption at the very end of the build process

Deployment Options

Post-build configuration Triggered immediately after the system build process completes Or triggered at a later time after the computer is delivered to the end user Software distribution tool (SCCM) GP scripting Logon scripts Very flexible and can be accomplished using numerous methods User initiated configuration Allow users to selectively enroll and configure their machines for BDE Not recommended if BitLocker is mandatory

Deployment Methods

Manage-BDE.exe command-line tool Provides configuration / administration on individual and remote machines Location: %systemdrive%\Windows\system32 Leverages the BitLocker and TPM WMI providers Create scripts with BitLocker and TPM WMI providers Useful when integrating support of BitLocker machines into your help desk environment, or user initiated configuration type of deployment Sample script (EnableBitLocker.vbs) available Recommendation: Use for large enterprise deployments

Deployment Methods

BitLocker WMI Methods allows to Enable/activate TPM, take ownership and generate random owner pass Enable BitLocker protection using supported authentication methods Create additional recovery key and recovery password Reset TPM owner information Use and modify existing sample script Manage-BDE.wsf

Location: %systemdrive%\Windows\system32 Only provided as an example Scripts can generate a rich log file, WMI exit codes are logged Microsoft recommends Using BitLocker and TPM WMI providers for enterprise deployment Using manage-bde for administration of BitLocker enabled machines

Deployment Methods

Systems Center Configuration Manager 2007 Unify the deployment toolsets for both client and server Deliver an end-to-end process for deployment Provide high degrees of flexibility to accommodate complex enterprise requirements Use native toolsets found in Windows Supports BitLocker natively

Windows Deployment Tools

Systems Center Configuration Manager 2007 http://www.microsoft.com/systemcenter/ Microsoft Deployment Toolkit 2008 http://technet.microsoft.com/en-us/solutionaccelerators/dd407791.aspx

Windows Deployment Services Unattended Installation Imaging with ImageX

Windows 7 Upgrade Scenario

Upgrade from a BitLocker machine No decryption required but you need to suspend BitLocker Current partitioning will be preserved System partition will be 1.5 GB Drive letter will not be removed Upgrade from a non-BitLocker machine Current partitioning will be preserved (single partition) BitLocker will automatically create a system partition System partition will be 300MB with no drive letter

BitLocker Server Scenarios

BitLocker is a feature on Windows Server (optional component) The feature needs to be installed through Server Manager All the recommendations made in this presentation apply to the server scenario BitLocker provides great value in branch office scenarios Branch Office TechCenter http://technet.microsoft.com/en-us/branchoffice/default.aspx

Recommendations

Bare Metal install ≠ Clean install Make sure to partition the disk File base imaging does not partition the disk per default Turn on BitLocker in the post build process Provides the most flexibility Do not partition the disk post installation Deploy Windows 7 using the right partitions Only Shrink the O/S volume when no other options are available If you need to shrink the disk use bdehdcfg.exe post installation or the BitLocker Setup Wizard Do not shrink from Vista for large deployments

Data Drive Key Storage

BitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with XXXXX

Password

Pros: Ease of use backward compatibility BitLocker to go reader Cons: Less secure vulnerable to brute force and dictionary attacks

Auto-Unlock

Pros: Uses a stronger key Cons: Specific to a single machine

Smartcards

Pros: Uses much stronger keys Cons: Requires hardware not backward compatible Security

Data Drive Specific Group Policy

BitLocker Group Policy settings can Turn on BitLocker backup to Active Directory Enable, enforce or disable password or smartcard protectors Enforce a minimum password length Enforce password complexity Deny write access to drives not encrypted with BitLocker Do not allow write access to devices from other organizations

BitLocker Enforcement

Requiring BitLocker for data drives When this policy is enforced, all data drives will require BitLocker protection in order to have write access As soon as a drive is plugged into a machine, a dialog is displayed to the user to either enable BitLocker on the device or only have read-only access The user gets full RW access only after encryption is completed Users can alternatively enable BitLocker at a later time

BitLocker Enforcement

BitLocker Cross-Organization

This policy will help enterprises manage compliance when a requirement exists to not allow devices to roam outside of the enterprise When the "Deny write access to devices configured in another organization" policy is enabled Only drives with identification fields matching the computer's identification fields will be given write access When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields These fields are defined by the "Provide the unique identifiers for your organization" policy setting

Certificate Requirements

Possible deployment scenarios Leverage an existing certificate Leverage a generic certificate Deploy a new BitLocker certificate The BitLocker Object Identifier (OID) Associate a certificate to BitLocker (Certificate Application Policies) Default value: 1.3.6.1.4.1.311.67.1.1

The BitLocker OID can be modified using Group Policies

Certificate Requirements

Supported certificates for smart card authentication A certificate is considered valid for BitLocker if the following conditions are met for Key Usage: No KU is present KU is present and contains one of the following keyEncipherment bits: CERT_DATA_ENCIPHERMENT_KEY_USAGE CERT_KEY_AGREEMENT_KEY_USAGE CERT_KEY_ENCIPHERMENT_KEY_USAGE A certificate is considered valid for BitLocker if the following conditions are met for Extended Key Usage: No EKU is present EKU is present and contains BitLocker OID EKU is set to anyExtendedKeyUsage

Recommendations

Identification fields Should be set before your deployment if you are planning to use DRAs or the cross-organization policy Are automatically set during encryption Can be set after encryption using Manage-BDE or WMI but this requires Administrator rights Certificates Deploy the required certificates before enabling BitLocker on data drives BitLocker To Go Reader Installed per default but can be managed through group policies Requires the use of a password Can be deployed separately using a software distribution tool

BitLocker & BitLocker To Go

Resources

www.microsoft.com/teched Sessions On-Demand & Community www.microsoft.com/learning Microsoft Certification & Training Resources http://microsoft.com/technet Resources for IT Professionals http://microsoft.com/msdn Resources for Developers

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.