Paul A. Cooke - CISSP Director Microsoft Session Code: CLI311 Windows Vista BitLocker Encrypts the OS volume Helps prevent the unauthorized disclosure of data when it.
Download ReportTranscript Paul A. Cooke - CISSP Director Microsoft Session Code: CLI311 Windows Vista BitLocker Encrypts the OS volume Helps prevent the unauthorized disclosure of data when it.
Paul A. Cooke - CISSP Director Microsoft Session Code: CLI311
Windows Vista BitLocker
Encrypts the OS volume Helps prevent the unauthorized disclosure of data when it is at rest Designed to utilize a Trusted Platform Module (TPM) v1.2
Secure key storage Boot Integrity Vista SP1 added support for multi volume/drive protection!
•
Windows 7 BitLocker What’s New
BitLocker Enhancements Automatic 100 Mb hidden boot partition New Key Protectors Domain Recovery Agent (DRA) Passwords Smart card Auto-Unlock
Windows 7 BitLocker What’s New
BitLocker To Go Support for FAT* Protectors: DRA, passphrase, smart card and/or auto-unlock Management: protector configuration, encryption enforcement Read-only access on Windows Vista & Windows XP
Disk Layout and Key Storage
Operating system volume contains:
Encrypted OS Encrypted page file Encrypted temp files Encrypted data Encrypted hibernation file
Where’s the encryption key?
SRK (Storage Root Key) contained in TPM SRK encrypts the VMK (Volume Master Key) VMK encrypts FVEK (Full Volume Encryption Key) – used for the actual data encryption FVEK and VMK are stored encrypted on the Operating System Volume
FVEK VMK SRK
Operating System Volume System System volume contains: MBR Boot Manager Boot Utilities
OS Volume Key Protectors
BitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with
TMP Only
“What it is.”
Dongle Only
“What you have.” XXXXX XXXXX Protects against: SW-only attacks
TPM + PIN
“What you know.” Vulnerable to: HW attacks (including potential “easy” HW attacks) Protects against: All HW attacks Vulnerable to: Losing dongle Pre-OS attacks Protects against: Many HW attacks Vulnerable to: TPM breaking attacks
TPM + Dongle
“Two what I have’s.” Protects against: Many HW attacks Vulnerable to: HW attacks Security
Trusted Platform Module (TPM)
Static root of trust measurement of early boot components
PreOS
TMP Init
Static OS All Boot Blobs unlocked Volume Blob of Target OS unlocked
BIOS MBR BootSector BootBlock BootManager Start OS OS Loader
Windows Vista BitLocker Volume
Boot Sector Boot Sector Pointers to other metadata copies Pointer to Primary Metadata Copy Encrypted Volume Data BitLocker Metadata Copies
Windows 7 BitLocker Volume
Virtual Boot Sector Boot Sector Virtual Boot Sector Pointers to other metadata copies Pointer to Primary Metadata Copy Encrypted Volume Data BitLocker Metadata Copies
Hardware Requirements
Trusted Platform Module Trusted Platform Module (TPM) v1.2
Trusted Platform Module (TPM) Compatible BIOS USB Flash Drive The system BIOS must support both reading and writing small files on a USB flash drive in the pre-operating system environment Disk Partitioning Separate reserved system partition using NTFS System partition minimum size of at least 100MB Choosing the right partitioning is key for a successful deployment System partition is a Windows 7 requirement not specific to BitLocker
Disk Partitioning Requirements Possible examples
Windows RE 250 MB NTFS System Partition 100 MB NTFS OS - Encrypted Remaining Disk NTFS System Partition/Windows RE 300 MB NTFS OS - Encrypted Remaining Disk NTFS Note: An additional 50MB is required on the recovery partition for volume snapshots during Complete PC backups
Recommendations
Standardize the hardware Hardware pre-build configuration (OEM) BIOS settings Enable and Activate the TPM BIOS passwords Minimize the number of reboots for your users Worst scenario – 4 reboots Best scenario – 1 reboot Number of reboots is key in a successful deployment of BitLocker
Recommendations
What requires reboots?
Repartitioning TPM initialization TPM ownership – requires physical presence BitLocker System Check Improve the user experience Deploy Windows with the recommended drive partitions Ask your OEM to enable the TPM Standardize the hardware to remove the requirement of the compatibility wizard
Group Policy Preparation
BitLocker Group Policy settings can Turn on BitLocker backup to Active Directory Enable advanced startup options, recovery options, etc.
Configure encryption method and strength Enable FIPS compliance before setting up BDE keys!
Enforce or disable specific protectors Enforce a minimum PIN length TPM Services Group Policy can Turn on TPM owner authorization backup to Active Directory Domain Services Configure the list of blocked TPM commands
Develop a Recovery Strategy
Define the process end-users will follow when recovery of a BitLocker system is needed Anticipate the recovery scenarios How to handle lost or forgotten Key Protectors?
Reset PIN, lost startup key How are disk drive failures recovered?
How are TPM hardware failures treated?
Recover from core files or pre-OS file (BIOS upgrade, etc…) updates which are not planned Recovering and diagnosing a deliberate attack
Active Directory Based Recovery
By default, no recovery information is backed up to AD Administrators can configure GP to enable backup of BitLocker or TPM owner authorization recovery info Schema needs to be extended Windows Server 2008 and 2008 R2 are “BitLocker Ready” All domain controllers in the domain must be at least Windows Server 2003 SP1 Recovery data saved for each computer object Recovery passwords - a 48-digit recovery password Key package data (optional) - helps recovery if the disk is severely damaged There is only one TPM owner password per computer There can be more than one recovery password per computer O/S Volume Data Volumes
Data Recovery Agent New Recovery Mechanism
Certificate-based key protector A certificate containing a public key is distributed through Group Policy and is applied to any drive that mounts The corresponding private key is held by a data recovery agent in the IT department Allows IT department to have a way to unlock all protected drives in an enterprise Saves space in AD – same Key Protector on all drives
Windows Recovery Environment
Set of tools for troubleshooting startup problems In Windows RE environment, user will be prompted for recovery credential on a BitLocker-enabled machine Contains the necessary drivers and tools to unlock and repair if necessary a BDE-protected volume WinRE boot image needs to reside on a non-encrypted volume BitLocker setup is now Windows RE “aware” and will move Windows RE to a proper partition if required.
Manage-BDE and Repair-BDE are now installed per default In Windows 7 In Windows PE and in the Windows Recovery Environment (Windows RE)
Recommendations
Group Policies Ensure that the group policies are configured before your deployment Most BitLocker GPOs are not retroactive TPM + PIN offers the best balance between security and user experience Recovery and authentication policies are specific to Vista and Windows 7 Leverage the group policy targeting mechanism for granularity Recovery Scenarios WinRE should be deployed in its own partition or on the system partition Test all your recovery scenarios Use Active Directory if you want to build custom recovery solutions Use Data Recovery Agents if you have a requirement for FIPS compliance
BitLocker Deployment
Deployment options During build process Post-build process User initiated Deployment methods Manage-BDE WMI SCCM Windows Deployment Tools Windows 7 Upgrade Scenario
Deployment Options
Configuration during build process Enabling and activating a TPM during this process will require user interaction to meet the physical presence requirement If backup of recovery info to AD is required, BDE must be enabled after the computer has joined your AD domain Starting encryption during the build process has performance impact, for example if there are additional tasks to be performed (install apps, etc) Consider starting encryption at the very end of the build process
Deployment Options
Post-build configuration Triggered immediately after the system build process completes Or triggered at a later time after the computer is delivered to the end user Software distribution tool (SCCM) GP scripting Logon scripts Very flexible and can be accomplished using numerous methods User initiated configuration Allow users to selectively enroll and configure their machines for BDE Not recommended if BitLocker is mandatory
Deployment Methods
Manage-BDE.exe command-line tool Provides configuration / administration on individual and remote machines Location: %systemdrive%\Windows\system32 Leverages the BitLocker and TPM WMI providers Create scripts with BitLocker and TPM WMI providers Useful when integrating support of BitLocker machines into your help desk environment, or user initiated configuration type of deployment Sample script (EnableBitLocker.vbs) available Recommendation: Use for large enterprise deployments
Deployment Methods
BitLocker WMI Methods allows to Enable/activate TPM, take ownership and generate random owner pass Enable BitLocker protection using supported authentication methods Create additional recovery key and recovery password Reset TPM owner information Use and modify existing sample script Manage-BDE.wsf
Location: %systemdrive%\Windows\system32 Only provided as an example Scripts can generate a rich log file, WMI exit codes are logged Microsoft recommends Using BitLocker and TPM WMI providers for enterprise deployment Using manage-bde for administration of BitLocker enabled machines
Deployment Methods
Systems Center Configuration Manager 2007 Unify the deployment toolsets for both client and server Deliver an end-to-end process for deployment Provide high degrees of flexibility to accommodate complex enterprise requirements Use native toolsets found in Windows Supports BitLocker natively
Windows Deployment Tools
Systems Center Configuration Manager 2007 http://www.microsoft.com/systemcenter/ Microsoft Deployment Toolkit 2008 http://technet.microsoft.com/en-us/solutionaccelerators/dd407791.aspx
Windows Deployment Services Unattended Installation Imaging with ImageX
Windows 7 Upgrade Scenario
Upgrade from a BitLocker machine No decryption required but you need to suspend BitLocker Current partitioning will be preserved System partition will be 1.5 GB Drive letter will not be removed Upgrade from a non-BitLocker machine Current partitioning will be preserved (single partition) BitLocker will automatically create a system partition System partition will be 300MB with no drive letter
BitLocker Server Scenarios
BitLocker is a feature on Windows Server (optional component) The feature needs to be installed through Server Manager All the recommendations made in this presentation apply to the server scenario BitLocker provides great value in branch office scenarios Branch Office TechCenter http://technet.microsoft.com/en-us/branchoffice/default.aspx
Recommendations
Bare Metal install ≠ Clean install Make sure to partition the disk File base imaging does not partition the disk per default Turn on BitLocker in the post build process Provides the most flexibility Do not partition the disk post installation Deploy Windows 7 using the right partitions Only Shrink the O/S volume when no other options are available If you need to shrink the disk use bdehdcfg.exe post installation or the BitLocker Setup Wizard Do not shrink from Vista for large deployments
Data Drive Key Storage
BitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with XXXXX
Password
Pros: Ease of use backward compatibility BitLocker to go reader Cons: Less secure vulnerable to brute force and dictionary attacks
Auto-Unlock
Pros: Uses a stronger key Cons: Specific to a single machine
Smartcards
Pros: Uses much stronger keys Cons: Requires hardware not backward compatible Security
Data Drive Specific Group Policy
BitLocker Group Policy settings can Turn on BitLocker backup to Active Directory Enable, enforce or disable password or smartcard protectors Enforce a minimum password length Enforce password complexity Deny write access to drives not encrypted with BitLocker Do not allow write access to devices from other organizations
BitLocker Enforcement
Requiring BitLocker for data drives When this policy is enforced, all data drives will require BitLocker protection in order to have write access As soon as a drive is plugged into a machine, a dialog is displayed to the user to either enable BitLocker on the device or only have read-only access The user gets full RW access only after encryption is completed Users can alternatively enable BitLocker at a later time
BitLocker Enforcement
BitLocker Cross-Organization
This policy will help enterprises manage compliance when a requirement exists to not allow devices to roam outside of the enterprise When the "Deny write access to devices configured in another organization" policy is enabled Only drives with identification fields matching the computer's identification fields will be given write access When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields These fields are defined by the "Provide the unique identifiers for your organization" policy setting
Certificate Requirements
Possible deployment scenarios Leverage an existing certificate Leverage a generic certificate Deploy a new BitLocker certificate The BitLocker Object Identifier (OID) Associate a certificate to BitLocker (Certificate Application Policies) Default value: 1.3.6.1.4.1.311.67.1.1
The BitLocker OID can be modified using Group Policies
Certificate Requirements
Supported certificates for smart card authentication A certificate is considered valid for BitLocker if the following conditions are met for Key Usage: No KU is present KU is present and contains one of the following keyEncipherment bits: CERT_DATA_ENCIPHERMENT_KEY_USAGE CERT_KEY_AGREEMENT_KEY_USAGE CERT_KEY_ENCIPHERMENT_KEY_USAGE A certificate is considered valid for BitLocker if the following conditions are met for Extended Key Usage: No EKU is present EKU is present and contains BitLocker OID EKU is set to anyExtendedKeyUsage
Recommendations
Identification fields Should be set before your deployment if you are planning to use DRAs or the cross-organization policy Are automatically set during encryption Can be set after encryption using Manage-BDE or WMI but this requires Administrator rights Certificates Deploy the required certificates before enabling BitLocker on data drives BitLocker To Go Reader Installed per default but can be managed through group policies Requires the use of a password Can be deployed separately using a software distribution tool
BitLocker & BitLocker To Go
Resources
www.microsoft.com/teched Sessions On-Demand & Community www.microsoft.com/learning Microsoft Certification & Training Resources http://microsoft.com/technet Resources for IT Professionals http://microsoft.com/msdn Resources for Developers
Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.