BitLocker Drive Encryption: How it Works and How it Compares
Made possible by:
© 2011 Monterey Technology Group Inc.
Brought to you by
Speakers
Chris Merritt, Director, Solutions Marketing
http://www.lumension.com/Solutions/Intelligent-Whitelisting.aspx
Preview of Key Points
• How BitLocker works
• Implementation steps
• Caveats!
How BitLocker Works
BitLocker
• For fixed disks
• Full volume encryption
BitLocker To Go
• For removable disks
Trusted Platform Module (TPM)
• Secure, tamper-resistant key storage
• Takes system measurements and can prevent the system from booting if possible tampering is detected
How BitLocker Works
Risks addressed
BitLocker on the system volume
• Protect data stored therein
• Protect the OS from tampering
BitLocker To Go
• Prevent data leakage to removable drives
• Combine with group policies that prevent writing to unprotected removable drives
How BitLocker Works
Entire volume encrypted with an AES symmetric key (the full volume encryption key)
That AES key is itself wrapped (through an intermediate volume master key) by each key protector: the startup key and the recovery key(s). Any one protector unlocks the volume, so adding or removing a recovery option never requires re-encrypting the data
How BitLocker Works
Startup key options
• Stored in the TPM (Trusted Platform Module)
• Stored on a USB drive
Optional additional protection
• PIN
Most common scenarios
• TPM only
• USB drive with PIN
Don't do this!
• USB drive without PIN
How BitLocker Works
Data recovery options
Recovery password (48 digits)
• Can be printed or saved as a text file to a shared folder
• Better: can be backed up to that computer's account in AD
• Best for remote, phone-based support
Recovery key
• 256-bit key saved to a USB drive
• Many keys can be stored on one USB flash drive, which is then physically secured
Data recovery agent
• Data recovery certificate pushed to all systems via group policy
• Volume encryption key encrypted with the public key of the certificate
• Can be recovered by someone with the private key
How BitLocker Works
Data recovery options: advantages and disadvantages of each recovery method

Recovery password
  Advantages:
  • Can be backed up to AD DS
  • Does not require IT physical presence
  • 48-digit password can be read over the phone by a help desk attendant
  • Users can print or save recovery passwords to a file, or this functionality can be disabled by Group Policy
  Disadvantages:
  • Not FIPS compliant

Recovery key
  Advantages:
  • FIPS compliant
  Disadvantages:
  • Cannot be backed up to AD DS
  • Users may store USB drives with their computer; if the key to unlock the operating system drive is stored with the computer, the protection is rendered useless
  • USB drives could be lost; if users lose the USB drive with their recovery key, they will not have a recovery method

Data recovery agent
  Advantages:
  • FIPS compliant
  • Automatically applied to drives
  Disadvantages:
  • IT department personnel must be physically present
  • The private key must be used to recover the drive
  • The operating system drive must be installed on another computer running Windows 7 as a data drive
- From TechNet: BitLocker Drive Encryption Design Guide for Windows 7
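The AD DS backup above is only useful if the help desk can find the password again. As an added example (not code from the deck or from Microsoft), here is the lookup the Recovery Password Viewer performs, done with plain ADSI so it works on a Windows 7 help-desk workstation without the RSAT snap-in. It assumes the domain schema has been extended for BitLocker, that the caller has been delegated read access to msFVE-RecoveryPassword, and that the ID the user reads from the recovery screen is the first 8 hex digits of the recovery GUID that forms the tail of the object's CN.

```powershell
# Added example (not from the slide deck): find a BitLocker recovery password
# in AD DS from the Password ID a user reads off the recovery screen.
# Assumptions: domain-joined host, schema extended for BitLocker, and the
# caller is delegated read on msFVE-RecoveryPassword.

function Find-BitLockerRecoveryPassword([string]$PasswordId) {
    # The recovery screen shows the ID as hex; only the first 8 characters are
    # needed to narrow the search, so accept a full GUID or the 8-char prefix.
    $prefix = ($PasswordId -replace '[^0-9A-Fa-f]', '')
    if ($prefix.Length -lt 8) { throw "Password ID needs at least 8 hex digits" }
    $prefix = $prefix.Substring(0, 8)

    $searcher = New-Object DirectoryServices.DirectorySearcher
    # msFVE-RecoveryInformation objects are children of the computer object;
    # their CN is "<timestamp>{<recovery GUID>}", so match on the GUID prefix.
    $searcher.Filter = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$prefix*))"
    [void]$searcher.PropertiesToLoad.Add("msFVE-RecoveryPassword")
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")

    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties["distinguishedname"][0]
        # The object's parent DN is the computer account it was backed up from;
        # the recovery object's own CN contains no commas, so split once.
        $computerDn = ($dn -split ',', 2)[1]
        New-Object PSObject -Property @{
            Computer         = $computerDn
            RecoveryObjectDn = $dn
            RecoveryPassword = [string]$result.Properties["msfve-recoverypassword"][0]
        }
    }
}

# Usage from the help desk (the ID below is a constructed placeholder):
Find-BitLockerRecoveryPassword "1A2B3C4D" | Format-List
```

Verify the computer DN the object hangs off before reading the password out over the phone: the search is by GUID prefix only, and an attacker who can reach the help desk with a plausible-sounding ID is exactly the social-engineering case this recovery path opens up. Access to msFVE-RecoveryPassword should be delegated to the help-desk group alone and audited.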
Implementation Steps
• Prep AD schema if Win2003
• Configure group policy
• Each PC
  • Enable TPM in BIOS (physical touch?)
  • Activate TPM
  • Enable BitLocker
• Verify
• Recovery
Implementation Steps
Configure group policy
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
User restrictions
• PIN requirements
• Can the user configure BitLocker and/or recover data?
Key backup and data recovery options
• Require successful backup to AD before locking drives
TPM options
Implementation Steps
Each PC
• Enable and activate the TPM, take ownership, generate a random owner password
Enable BitLocker by script
• Manage-bde
• EnableBitLocker.vbs
Options
• Startup script pushed out by group policy
• SCOM
• Et al.
Implementation Steps
Verify
• Check individual PCs via WMI GetProtectionStatus
Recovery and troubleshooting
• Use BitLocker Recovery Password Viewer for Active Directory (part of RSAT)
• Repair-bde
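The per-PC steps above (TPM ownership, enable BitLocker by script, back up to AD, verify with GetProtectionStatus) fit in one startup script. The following is an added example written for this page, not the deck's EnableBitLocker.vbs and not a Microsoft script; it uses the Windows 7 tools the slides name (manage-bde and the Win32_EncryptableVolume and Win32_Tpm WMI classes). Assumptions that are not in the original: the OS volume is C:, the script runs elevated, the TPM has already been enabled and activated in the BIOS (the step that usually needs a physical-presence prompt), and the two policy registry values checked are the ones the Windows 7 BitLocker ADMX writes under the FVE policy key.

```powershell
# Added example (not the deck's script): enable BitLocker on one Win7 PC with a
# TPM protector plus a recovery password, back the password up to AD DS, and
# verify. Assumes C: is the OS volume and the script runs elevated.

$VolNs = "root\cimv2\Security\MicrosoftVolumeEncryption"
$TpmNs = "root\cimv2\Security\MicrosoftTpm"

function Get-EncryptableVolume([string]$Drive) {
    Get-WmiObject -Namespace $VolNs -Class Win32_EncryptableVolume `
        -Filter "DriveLetter='$Drive'"
}

# 1. TPM readiness. Enabling/activating needs BIOS or physical presence, which a
#    remote script cannot do, so this only reports.
function Get-TpmReadiness {
    $tpm = Get-WmiObject -Namespace $TpmNs -Class Win32_Tpm
    if ($tpm -eq $null) { return $null }            # no TPM 1.2 visible to Windows
    New-Object PSObject -Property @{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

# 2. Take ownership with a random owner password (deck step). Where that
#    password is escrowed is a deployment decision; it is returned to the caller.
function Initialize-TpmOwnership {
    $bytes = New-Object byte[] 24
    (New-Object Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    $ownerPw = [Convert]::ToBase64String($bytes)
    & manage-bde -tpm -takeownership $ownerPw | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Taking TPM ownership failed ($LASTEXITCODE)" }
    return $ownerPw
}

# 3. Policy check: the two FVE values this rollout relies on (names assumed to be
#    those written by the Win7 BitLocker ADMX under the FVE policy key).
function Test-BitLockerPolicy {
    $p = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" `
        -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        RequireAdBackupForOsDrive = ($p.OSRequireActiveDirectoryBackup -eq 1)
        DenyWriteToUnencryptedUsb = ($p.RDVDenyWriteAccess -eq 1)
    }
}

# 4. Protectors, then encryption: TPM-only startup plus a 48-digit recovery
#    password (the deck's "most common scenario"). -on runs the hardware test,
#    so conversion actually starts after the next reboot.
function Enable-OsVolumeBitLocker([string]$Drive = "C:") {
    & manage-bde -protectors -add $Drive -tpm | Out-Null
    & manage-bde -protectors -add $Drive -recoverypassword | Out-Null
    & manage-bde -on $Drive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $Drive failed ($LASTEXITCODE)" }
}

# 5. Explicit AD DS backup of every numerical-password protector (type 3), so the
#    help desk can read it with the Recovery Password Viewer. Fails loudly.
function Backup-RecoveryPasswordToAd([string]$Drive = "C:") {
    $vol = Get-EncryptableVolume $Drive
    $ids = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID | Where-Object { $_ })
    foreach ($id in $ids) {
        $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
        if ($r.ReturnValue -ne 0) {
            throw ("AD backup of protector {0} failed (0x{1:X8})" -f $id, $r.ReturnValue)
        }
    }
    return $ids
}

# 6. Verify via WMI GetProtectionStatus: 1 = on, 0 = off, 2 = unknown. Report the
#    conversion percentage too, since a volume still encrypting is not done.
function Get-BitLockerState([string]$Drive = "C:") {
    $vol    = Get-EncryptableVolume $Drive
    $tpmIds = @($vol.GetKeyProtectors(1).VolumeKeyProtectorID | Where-Object { $_ })
    New-Object PSObject -Property @{
        Drive            = $Drive
        ProtectionStatus = $vol.GetProtectionStatus().ProtectionStatus
        PercentEncrypted = $vol.GetConversionStatus().EncryptionPercentage
        HasTpmProtector  = ($tpmIds.Count -gt 0)
    }
}

# Orchestration for one PC, e.g. from a GPO startup script
$tpm = Get-TpmReadiness
if ($tpm -eq $null -or -not ($tpm.Enabled -and $tpm.Activated)) {
    Write-Warning "TPM missing or not enabled/activated; fix in BIOS first"; return
}
if (-not $tpm.Owned) { $ownerPw = Initialize-TpmOwnership }   # escrow $ownerPw
if (-not (Test-BitLockerPolicy).RequireAdBackupForOsDrive) {
    Write-Warning "Policy does not require AD DS backup; a lost password has no fallback"
}
Enable-OsVolumeBitLocker "C:"
Backup-RecoveryPasswordToAd "C:" | Out-Null
Get-BitLockerState "C:" | Format-List
```

Run it once per PC and feed Get-BitLockerState into whatever inventory you have; as the caveats below note, Windows 7 gives you no central view of this, so the verification step is the only reporting you get unless you build it.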
Caveats
Win7 Ultimate and Enterprise only; pre-Win7 systems get read-only access to BitLocker To Go drives
Things that change the TPM's boot measurements, so the TPM withholds the key and the PC stops at the recovery screen until a recovery password or key is supplied:
• Docking stations
• CD-ROMs
• Smart batteries
• Moving the BitLocker-protected drive into a new computer
• Installing a new motherboard with a new TPM
• Turning off, disabling, or clearing the TPM
• Changing any boot configuration settings
• Changing the BIOS, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data
BitLocker To Go
Removable storage encryption; no support for DVDs/CDs
Authentication options
• Password
• Smart card
Policies can deny write access to unencrypted removable devices, but cannot force a device to be encrypted
Read-only support on pre-Win7 with the BitLocker To Go Reader (FAT-formatted drives unlocked with a password only; smart-card-protected drives cannot be read this way)
Caveats
Hardware
• TPM 1.2
• BIOS configuration
  • Trusted Computing Group (TCG)-compliant BIOS
  • The BIOS must be set to start first from the hard disk, and not the USB or CD drives
  • The BIOS must be able to read from a USB flash drive during startup
• Physical touch to enable?
Caveats
BitLocker To Go
• Cannot force encryption of removable devices; policy can only deny write access to unprotected ones
• Does not protect optical media (CDs/DVDs) at all; it covers USB flash drives (UFDs) and other removable disks
Caveats
No centralized reporting or visibility into usage and status
• Deployment and monitoring
• Safe harbor: lost opportunity to reduce breach notifications and associated costs
2/3 of all breaches reported
• Lost devices or endpoints
• 85% of records
• Encryption would have negated a huge chunk of the costs and the vast majority of cases