May 30th – 31st, 2007, Chateau Laurier, Ottawa. Protecting Data Using Microsoft Technologies. Kurt...
May 30th – 31st, 2007, Chateau Laurier, Ottawa
Protecting Data Using Microsoft Technologies
Kurt Dillard, [email protected], US Federal District, Microsoft
Agenda
Why Encrypt?
Encrypting File System
Rights Management Services
BitLocker Drive Encryption
Scenarios: Stolen PCs, Data Leaks, etc…
Wrap-up & Questions
Why Are We Talking About This?
“When should I use ____________?” (EFS, RMS, S/MIME, BitLocker, CAPICOM)
“What is the right encryption to use?”
“Give me a strategic direction!”
Where is your Data Stored?
(diagram: SQL, Domain Controller)
What Technologies Can Be Used?
Access Control Lists (ACLs)
Encrypting File System (EFS)
Rights Management Services (RMS)
Role-based Access
BitLocker Drive Encryption
Application encryption
ACLs
Classic approach
Configured using: Windows Explorer, cacls.exe, xcacls.exe; Group Policy/Secedit
Good: protect against online/remote attackers
Bad: protecting against local Admins
Ugly: protecting against offline attacks
Roles-based access (RBAC)
Idealized approach
Must combine with other tech: ACLs, Encryption, Rights Management, App-specific authorization (e.g. SQL, Exchange)
Issues: Every Windows app has a different approach
Still no better against offline attacks
(diagram: AD)
Microsoft Windows Encrypting File System
The Encrypting File System (EFS) provides encryption for all of a user’s files and folders and is offered in both the Windows XP Professional desktop operating system and the Windows 2003 server operating system
Ideal for protecting sensitive data and documents from unauthorized access
Features for recovering data due to lost encryption keys are built-in
Uses the FIPS 140 compliant algorithms included with Windows 2000 & later
Can be managed with existing tools, such as Active Directory Group Policies
Bad: Doesn’t protect against user error
Ugly: Doesn’t protect across multiple systems
Whitepaper: Encrypting File System in Windows XP and Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
EFS: How it Works
(diagram: an EFS-protected file consists of a File Header plus the encrypted data; the header holds the Data Decryption Field (DDF), the FEK encrypted with the public key of the user, and the Data Recovery Field (DRF), the FEK encrypted with the public key of the data recovery agent)
1. User creates and saves a file to an EFS-protected folder
2. A unique File Encryption Key (FEK) is created for symmetrically encrypting the new file
3. FEK is asymmetrically encrypted with the public keys of the user and DRA
4. The EFS-protected file is stored with the encrypted text, DDF, and DRFs
Algorithms: RSA 1024; DESX (2000, XP Gold); 3DES if FIPS required (2000, XP Gold); AES 256 (XP SP1, 2003)
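The following Python model is an added example written for this page, not Microsoft's EFS code. It walks through steps 1 to 4 above and shows why the previous slide can promise built-in recovery for lost keys: one File Encryption Key per file, wrapped once for the user (DDF) and once for each Data Recovery Agent (DRF), so either private key opens the file. Everything below the docstring is an assumption for illustration: textbook RSA with 512-bit toy keys stands in for RSA 1024 (no OAEP padding, never use it for real data), a SHA-256 counter-mode keystream with an HMAC tag stands in for DESX/3DES/AES, and the dictionary field names are invented.

```python
"""Toy model of the EFS key hierarchy: one File Encryption Key (FEK) per file,
wrapped separately for the user (DDF) and for each Data Recovery Agent (DRF).
All primitives are stand-ins constructed for this example, not EFS's real ones."""
import hashlib
import hmac
import random
import secrets

FEK_BYTES = 32  # 256-bit FEK, matching the AES-256 option on XP SP1 / 2003


# ---- Toy RSA (textbook, unpadded): stand-in for EFS's RSA 1024 key wrapping ----
def _is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test (probabilistic, fine for a demo)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keypair(bits=512):
    """Return ((n, e), (n, d)). Toy size; EFS used RSA 1024."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_wrap(pub, key):
    n, e = pub
    return pow(int.from_bytes(key, "big"), e, n)


def rsa_unwrap(priv, wrapped):
    """Returns the FEK, or None when the result cannot be a FEK (wrong key)."""
    n, d = priv
    m = pow(wrapped, d, n)
    if m.bit_length() > FEK_BYTES * 8:
        return None
    return m.to_bytes(FEK_BYTES, "big")


# ---- Toy symmetric cipher: SHA-256 counter-mode keystream + HMAC integrity tag ----
def _keystream_xor(fek, nonce, data):
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        ks = hashlib.sha256(fek + nonce + counter.to_bytes(4, "big")).digest()
        chunk = data[counter * 32:(counter + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def _tag(fek, nonce, ciphertext):
    return hmac.new(fek, nonce + ciphertext, hashlib.sha256).digest()


def efs_encrypt(plaintext, user_pub, dra_pubs):
    """Steps 1-4 of the slide: fresh FEK, encrypt data, wrap FEK for user and DRAs."""
    fek = secrets.token_bytes(FEK_BYTES)          # step 2: unique FEK per file
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(fek, nonce, plaintext)
    return {                                       # step 4: header fields + ciphertext
        "ddf": rsa_wrap(user_pub, fek),            # Data Decryption Field (user)
        "drfs": [rsa_wrap(p, fek) for p in dra_pubs],  # Data Recovery Fields (DRAs)
        "nonce": nonce,
        "tag": _tag(fek, nonce, ciphertext),
        "ciphertext": ciphertext,
    }


def efs_decrypt(efs_file, priv):
    """Any private key matching the DDF or one DRF recovers the FEK and the file."""
    for wrapped in [efs_file["ddf"], *efs_file["drfs"]]:
        fek = rsa_unwrap(priv, wrapped)
        if fek is None:
            continue
        if hmac.compare_digest(_tag(fek, efs_file["nonce"], efs_file["ciphertext"]),
                               efs_file["tag"]):
            return _keystream_xor(fek, efs_file["nonce"], efs_file["ciphertext"])
    raise PermissionError("no DDF/DRF entry unwraps with this private key")


def can_open(efs_file, priv):
    try:
        efs_decrypt(efs_file, priv)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    user_pub, user_priv = rsa_keypair()
    dra_pub, dra_priv = rsa_keypair()
    f = efs_encrypt(b"quarterly numbers (constructed sample)", user_pub, [dra_pub])
    print(efs_decrypt(f, user_priv))   # the user opens the file normally
    print(efs_decrypt(f, dra_priv))    # the DRA recovers it after the user's key is lost
```

The recovery property is entirely in the header: the data is encrypted once, and adding a DRA costs one extra wrapped copy of the FEK, not a second ciphertext. It also shows what step 3 of "Keys to EFS Bliss" protects against: if the user's private key is lost and no DRF was written (the Group Policy DRA was never defined), nothing can unwrap the FEK.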
Keys to EFS Bliss…
EFS – it’s all about secure recovery
Only three things you have to do:
1. All users logon to an AD domain
2. Define EFS DRA keys & certs via Group Policy
3. Backup the user’s private key from their certificate store
NOTE: none of this requires a PKI
PKI is one of the biggest blockers of EFS deployment
EFS myths
“Reboot into local Admin, you get full access”: Change Windows 2000 default configuration via group policy
“EFS only uses NT passwords, so LM hash = instant hack”: EFS is only as strong as the user’s password, but there’s no ‘instant hack’ if deployed properly
“Users can turn it off, so no data is guaranteed encrypted”: Require encryption via group policy; Don’t give users admin
“EFS kills performance”: On modern systems the impact is negligible once the initial encryption is complete
Microsoft Windows Rights Management Services
Microsoft Windows Rights Management Services (RMS) for Windows Server 2003 is information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use - both online & offline, inside and outside of the firewall
Rights Management Service (RMS) is ideal for protecting shared data and helps enforce organizational policies on content by encrypting individual files and emails
Data is even protected while transiting network
Can be managed with existing tools, such as Active Directory Group Policies
Data is protected regardless of where it goes: users can email files, copy them onto thumb drives, Smartphone, or write them to CD ROM and the data will continue to be encrypted
Features for recovering data due to lost encryption keys are built-in
Uses the FIPS 140 compliant algorithms included with Windows
Bad: Protecting against brilliant users
Ugly: Protecting against traitorous admins
RMS expiration
In Laptop scenario, RMS unique contribution = Expiration
“On every access” – not usable for laptops
“Every <xx> days” is better for laptop users
“Expires after <date>” is best for laptop users
Leveraging RMS Templates will increase use of this mitigation
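To make the three expiration styles concrete, here is an added Python model (written for this page, not RMS code) that evaluates a cached use licence against each policy and counts how many days of a fully offline trip a document still opens. The licence fields, the three policy strings and the trip helper are assumptions; the point they demonstrate is the slide's ranking: "on every access" needs the licensing server every time, "every N days" works from the cache until the renewal window closes, and "expires after date" needs no server at all until the date.

```python
"""Model of the three RMS use-licence expiration styles from the slide.
Constructed for this example; field names and policy strings are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple


@dataclass
class UseLicense:
    """A cached, RMS-style use licence held on the client."""
    policy: str                     # "every_access" | "every_n_days" | "until_date"
    issued: date                    # day the licensing server issued it
    renew_days: int = 0             # cache validity window for "every_n_days"
    expires: Optional[date] = None  # hard stop for "until_date"


def check_access(lic: UseLicense, today: date, online: bool) -> Tuple[bool, str]:
    """Decide whether the protected content opens today.
    `online` means the client can currently reach the RMS licensing server."""
    if lic.policy == "every_access":
        # Nothing is ever served from the cache: each open needs the server.
        if online:
            return True, "licence re-issued by server"
        return False, "offline: server required on every access"
    if lic.policy == "every_n_days":
        if today <= lic.issued + timedelta(days=lic.renew_days):
            return True, "cached licence inside its renewal window"
        if online:
            return True, "renewal window passed; licence renewed online"
        return False, "offline: renewal window passed"
    if lic.policy == "until_date":
        if lic.expires is None:
            raise ValueError("until_date policy needs an expiry date")
        if today <= lic.expires:
            return True, "before expiry date; no server contact needed"
        return False, "content expired"
    raise ValueError(f"unknown policy {lic.policy!r}")


def offline_days_open(lic: UseLicense, start: date, trip_days: int) -> int:
    """Days of an all-offline trip on which the document still opens."""
    return sum(
        check_access(lic, start + timedelta(days=i), online=False)[0]
        for i in range(trip_days)
    )


if __name__ == "__main__":
    start = date(2007, 5, 30)          # constructed: conference date as trip start
    policies = {
        "on every access":   UseLicense("every_access", start),
        "every 7 days":      UseLicense("every_n_days", start, renew_days=7),
        "expires 2007-06-30": UseLicense("until_date", start, expires=date(2007, 6, 30)),
    }
    for name, lic in policies.items():
        print(f"{name:20s} opens on {offline_days_open(lic, start, 14)} of 14 offline days")
```

Templates matter here because the expiration choice is made at publish time by whoever applies the template, not by the laptop user who later discovers the document will not open on the plane.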
RMS at Microsoft: Example of RMS Templates
(screenshot callouts: Add users with Read and Change permissions; Verify aliases & DLs via AD; Add advanced permissions; Set expiration date; Enable print, copy permissions; Add/remove additional users; Contact for permission requests; Enable viewing via RMA)
Corporate RMS templates available from the Permission menu of Outlook, Word, PowerPoint, and Excel
Do Not Reply All: Recipients can View, Reply, Save, Edit, and Forward but can not Reply All
Microsoft Confidential: Only Microsoft employees can access the message. Allows for View, Reply, Reply All, Save, Edit, and Forward
Microsoft Confidential Read Only: Only Microsoft employees can access the message. Allows for View, Reply, Reply All
Microsoft FTE Confidential: Only Microsoft full-time employees can access the message. Allows for View, Reply, Reply All, Save, Edit, and Forward
Microsoft FTE Confidential Read Only: Only Microsoft full-time employees can access the message. Allows for View, Reply, and Reply All.
RMS Technology Partners
Liquid Machines – www.liquidmachines.com
Enables RMS for Office XP & 2000
Adds support for PDF, Visio and many other file formats
Enables RMS for Blackberries
GigaTrust – www.gigatrust.com
Enables RMS for Office XP & 2000
Adds support for many more file types (PDF, WPD, JPG, TXT, HTML, etc)
Enables RMS for Blackberries
Titus – www.titus.com
Provide RMS consulting and training services
Windows Vista BitLocker
Windows Vista Enterprise features a number of enhancements that help protect sensitive data, including Windows BitLocker™ Drive Encryption to better protect data on lost, stolen or decommissioned PCs, expanded Windows Rights Management Services that help organizations control who has access to sensitive data, and improvements to the Encrypting File System
Windows BitLocker™ Drive Encryption is hardware-enabled data protection that helps protect data on a PC when the machine is in unauthorized hands. By encrypting the entire Windows volume, it prevents unauthorized users from accessing data by breaking Windows file and system protections or attempting the offline viewing of information on the secured drive
BitLocker configuration policies can be managed through Active Directory Group Policies, and BitLocker is designed to leverage the Trusted Platform Module (TPM)
Caveats
Computers protected with BitLocker could become inaccessible if users lose their USB storage device or if they forget their BitLocker password
Whitepaper: Microsoft Windows Vista Security Advancements
http://download.microsoft.com/download/c/2/9/c2935f83-1a10-4e4a-a137-c1db829637f5/WindowsVistaSecurityWP.doc
Windows Vista BitLocker
OEMs having challenges (BIOS)
Customers don’t have wide deployment (TPM)
USB, PIN aren’t magic bullets: a little bit like SYSKEY; however, centrally recoverable
Only protects system volume: EFS needed for additional partitions
BitLocker Drive Encryption
Designed specifically to prevent malicious users from breaking Windows file and system protections
Provides data protection on Windows systems, even when the system is in unauthorized hands or is running a different or exploiting Operating System
A Trusted Platform Module (TPM) or USB flash drive is used for key storage
Trusted Platform Module
Smartcard-like module on system motherboard
Helps protect secrets
Performs cryptographic functions
Can create, store and manage keys
Performs digital signature operations
Holds Platform Measurements (hashes)
Anchors chain of trust for keys and credentials
Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org
BitLocker™
Only protects until Winlogon
Weakest password lets you in: Admin, Service accounts, Backup accounts
Bottom Line: DON'T wait for BitLocker before encrypting laptops
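The two slides above ("Holds Platform Measurements (hashes)" and "Only protects until Winlogon") are easiest to see together in code. The following Python model is an added example for this page, not TPM or BitLocker code: it extends a single PCR with a constructed boot chain, seals a volume key to the resulting measurement, and shows that the key is released for the unmodified chain but not after a boot component is changed offline. Everything is an assumption for illustration: the component names, a single SHA-256 PCR instead of the real PCR layout, and an HMAC-derived wrapping key standing in for the TPM's sealing operation.

```python
"""Toy model of TPM platform measurements gating BitLocker's volume key.
Constructed for this example; not BitLocker or TPM code. Component names,
the single-PCR layout and the sealing construction are assumptions."""
import hashlib
import hmac
import secrets


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style PCR extend: new = H(old || H(component)).
    One-way and order-dependent, so a PCR cannot be 'set' to a chosen value."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Measure each boot component, in order, into one PCR that starts at zeros."""
    pcr = bytes(32)
    for c in components:
        pcr = extend(pcr, c)
    return pcr


def seal(volume_key: bytes, expected_pcr: bytes, tpm_secret: bytes) -> dict:
    """Wrap the volume key under a value derivable only from the TPM's internal
    secret plus the expected PCR, so the wrap is bound to the measured boot path."""
    kek = hmac.new(tpm_secret, b"seal" + expected_pcr, hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(volume_key, kek))
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
    return {"wrapped": wrapped, "tag": tag}


def unseal(blob: dict, current_pcr: bytes, tpm_secret: bytes):
    """Release the volume key only if the current PCR equals the sealed-to PCR.
    Returns None otherwise (this is the recovery-key prompt in practice)."""
    kek = hmac.new(tpm_secret, b"seal" + current_pcr, hashlib.sha256).digest()
    expected_tag = hmac.new(kek, blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], kek))


# Constructed boot chain; real measurements cover firmware, boot sector, boot manager, etc.
GOOD_BOOT = [b"BIOS v1.0", b"MBR", b"boot manager", b"winload.exe", b"ntoskrnl.exe"]


def demo():
    """Returns (key released on a clean boot, key withheld after offline tampering)."""
    tpm_secret = secrets.token_bytes(32)   # stand-in for the TPM's storage root key
    volume_key = secrets.token_bytes(32)   # stand-in for the volume master key
    blob = seal(volume_key, measure_boot(GOOD_BOOT), tpm_secret)

    clean = unseal(blob, measure_boot(GOOD_BOOT), tpm_secret)
    tampered = GOOD_BOOT[:3] + [b"winload.exe (modified while disk was offline)"] + GOOD_BOOT[4:]
    after_tamper = unseal(blob, measure_boot(tampered), tpm_secret)
    return clean == volume_key, after_tamper is None


if __name__ == "__main__":
    print(demo())  # (True, True): clean boot gets the key, tampered boot does not
```

Once the key has been released, the volume is readable by whatever runs next, which is why the slide says protection lasts only until Winlogon: from that point the weakest enabled account password, not the TPM, is what stands between an attacker at the keyboard and the data.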
Comparing Technologies
Feature | EFS | RMS | BitLocker | S/MIME | ACLs
Differentiates permissions by consumer | No | Yes | No | No | Yes
Prevents unauthorized access | Yes | Yes | Yes | Yes | Yes
Encrypts protected content | Yes | Yes | Yes | Yes | No
Offers content expiration | No | Yes | No | No | No
Offers use license expiration | No | Yes | No | No | No
Controls content access to reading, forwarding, saving, modifying, or printing by consumer | No | Yes | No | No | Yes **
Extends protection beyond initial publication location | Yes * | Yes | No | Yes | No
* Since Windows XP it has been possible to manually grant other users the ability to decrypt individual files protected with EFS, but it’s not an intuitive procedure
** Only protects against online attacks
Scenarios
Essential: Loss or theft of mobile PC (aka “left in taxi”)
Important: Reduced data leaks (aka “Oops, I sent it to The Register (and /., MSNBC, CNN…)”)
Removable media (aka USB/thumb/jump/flash drives, CDs)
Loss or Theft of a PC: Where’s the Data?
Clients
Documents: Where do your users keep their documents?
User Profile: Outlook, Sharepoint, Desktop, Temp
Per-machine data: Search index, file cache
Servers
File Shares
Collaboration store (e.g. Sharepoint)
RDBMS (e.g. SQL)
Mail (e.g. Exchange)
SAN
Enterprise backup
Where ISN’T Data stored?
Loss or Theft of PC
Threat: Attackers with time, tools, well-documented attack techniques
Goal: reduce (NOT eliminate) the risk of data exposure
Good: EFS
Better: Minimize the stored data; Combine EFS + RMS
Best: BitLocker + EFS + RMS
Don't bother with ACLs, RBAC
Loss or Theft of PC
EFS
Mitigates offline attacks except against user account
Prevents online attacks (on encrypted files)
Threats focus on user’s password
BitLocker with TPM or USB (Vista)
Prevents offline attacks (replace passwords, copy hashes, change system files)
Threats focus on user logons
Ideal: BitLocker with TPM + EFS with Smart Card (Vista)
Attacker with notebook + Smart Card needs PIN (not password)
After “x” bad tries, Smart Card locked FOREVER
RMS (XP, Vista)
Similar offline protection as EFS, except only supported file formats (Office, HTML)
What about stolen Desktops, Servers?
First things first: laptops. Laptops are usually less physically secure; get that part of house in order
Next: PCs not behind locked doors: PCs in front office, Branch servers in the break room
Similar mitigations apply, plus: Could disable cached logons; Could enforce “on every access” with RMS
Loss or Theft of PC
Reality check: Windows XP today
Attack focus: user passwords, cleartext data
Tactics: Better passphrases; Encrypt significant sets of data (EFS for Documents, email, desktop, TIF, server caches); Smartcard logon
Residual risk: pagefile fragments, hiberfile, cached logon verifiers
Reduced data leaks
Threat: Authorized users with legit access giving data to others
Goal: Mitigate the risk of leaks
Good: ACLs, Role-based Access
Better: DRM, Application encryption
Don't bother with system encryption
Reduced data leaks
1. ACL shared files on servers with RBAC groups (prevents users from granting each other permissions)
2. Leverage RMS (reduces the amount of unprotected files)
3. Ideal: Enforce RMS protection according to business rules (RMS partners)
Bonus: encryption on physical media
Bonus: removable media policy (Vista)
Removable media
Threat: Authorized users with legit access copying “secure” data to removable media, then losing it
Goal: mitigate the loss of unprotected data
Good: Block access to removable devices; RMS
Better: Block writes to removable devices; Encrypt removable devices
Removable media
XP removable media policy
Vista removable media policy
EFS on flash media
Prepare for Tomorrow: Prepare and assess
All of these encryption technologies take advantage of Microsoft’s directory service because they can be managed through Group Policy
There’s no need to deploy additional management infrastructure
As with other features that can be controlled through group policies, organizations can decide to either centralize or decentralize policy management based on their IT landscape and resources
What Can You Do Today
Implement EFS or RMS through the use of Windows XP Professional with Service Pack 2 on the desktop or Windows 2003 Server
Implement a multi-layer approach to significantly decrease risk and potential exposure
Today - Utilize both EFS and RMS simultaneously
Tomorrow – The most powerful combination will combine EFS, RMS, and BitLocker to protect the data across a wide range of attack scenarios
Utilize other features built into our platform such as S/MIME; IPSec for both on-the-wire encryption and isolation of systems; and TLS/SSL
Windows Mobile
Windows Mobile uses FIPS 140 compliant algorithms (http://csrc.nist.gov/cryptval/140-1/1401val2005.htm#560)
Windows Mobile policies can be managed using SMS 2003; 3rd parties have developed additional technologies to help secure and manage Windows-based mobile devices.
Third party solutions for encrypting data or for RMS integration are available, see: http://www.microsoft.com/windowsmobile/resources/providers/search.asp
A detailed whitepaper on securing Windows Mobile is available internally
Security is Not Just Technology
Technology is only a part of the solution
Poor end-user behavior and ambiguous policies are a dangerous combination
User education is a critical part of the solution
© 2006 - 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.