Transcript of "Protecting Data Using Microsoft Technologies" by Kurt Dillard (kurt.dillard@microsoft.com, US Federal District, Microsoft), presented May 30th – 31st, 2007, Chateau Laurier, Ottawa.

Page 1: May 30th – 31st, 2007, Chateau Laurier, Ottawa. Protecting Data Using Microsoft Technologies. Kurt Dillard, kurt.dillard@microsoft.com, US Federal District.

Page 2:

Protecting Data Using Microsoft Technologies
Kurt Dillard
kurt.dillard@microsoft.com
US Federal District
Microsoft

Page 3:

Agenda

- Why Encrypt?
- Encrypting File System
- Rights Management Services
- BitLocker Drive Encryption
- Scenarios: Stolen PCs, Data Leaks, etc.
- Wrap-up & Questions

Page 4:

Why Are We Talking About This?

- "When should I use ____________?" EFS, RMS, S/MIME, BitLocker, CAPICOM
- "What is the right encryption to use?"
- "Give me a strategic direction!"

Page 5:

Where is your Data Stored?

[Diagram: data storage locations, with SQL and Domain Controller labelled]

Page 6:

What Technologies Can Be Used?

- Access Control Lists (ACLs)
- Encrypting File System (EFS)
- Rights Management Services (RMS)
- Role-based Access
- BitLocker Drive Encryption
- Application encryption

Page 7:

ACLs

- Classic approach
- Configured using: Windows Explorer, cacls.exe, xcacls.exe; Group Policy/Secedit
- Good: protect against online/remote attackers
- Bad: protecting against local Admins
- Ugly: protecting against offline attacks

Page 8:

Roles-based access (RBAC)

- Idealized approach
- Must combine with other tech: ACLs, Encryption, Rights Management, App-specific authorization (e.g. SQL, Exchange)
- Issues: Every Windows app has a different approach; still no better against offline attacks

[Diagram: AD]

Page 9:

Microsoft Windows Encrypting File System

The Encrypting File System (EFS) provides encryption for all of a user's files and folders and is offered in both the Windows XP Professional desktop operating system and the Windows 2003 server operating system.

Page 10:

Microsoft Windows Encrypting File System

- Ideal for protecting sensitive data and documents from unauthorized access
- Features for recovering data due to lost encryption keys are built-in
- Uses the FIPS 140 compliant algorithms included with Windows 2000 & later
- Can be managed with existing tools, such as Active Directory Group Policies

Page 11:

Microsoft Windows Encrypting File System

- Bad: Doesn't protect against user error
- Ugly: Doesn't protect across multiple systems

Whitepaper: Encrypting File System in Windows XP and Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Page 12:

EFS: How it Works

1. User creates and saves a file to an EFS-protected folder.
2. A unique File Encryption Key (FEK) is created for symmetrically encrypting the new file.
3. FEK is asymmetrically encrypted with the public keys of the user and DRA.
4. The EFS-protected file is stored with the encrypted text, DDF, and DRFs.

[Diagram: EFS-protected file]
- File Header
  - Data Decryption Field (DDF): FEK encrypted with public key of user
  - Data Recovery Field (DRF): FEK encrypted with public key of data recovery agent
- Encrypted data

Algorithms:
- RSA 1024
- DESX (2000, XP Gold)
- 3DES – if FIPS required (2000, XP Gold)
- AES 256 (XP SP1, 2003)

Page 13:

Keys to EFS Bliss…

EFS – it's all about secure recovery

Only three things you have to do:
1. All users logon to an AD domain
2. Define EFS DRA keys & certs via Group Policy
3. Backup the user's private key from their certificate store

NOTE: none of this requires a PKI
PKI is one of the biggest blockers of EFS deployment
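As an added example (not from the deck), the Go program below models the FEK/DDF/DRF layout from the "EFS: How it Works" slide together with the recovery-agent path that the secure-recovery advice above depends on: the DRA can open the file through its DRF without ever holding the user's private key. AES-256-GCM, RSA-OAEP with 2048-bit keys and the sample text are assumptions standing in for the algorithms the slide lists (RSA 1024, DESX/3DES/AES 256).

```go
// Added example, not from the slide deck: a model of the EFS key hierarchy.
// A random File Encryption Key (FEK) encrypts the file; the FEK is wrapped
// for the user (Data Decryption Field, DDF) and for each Data Recovery Agent
// (Data Recovery Field, DRF). Assumptions: AES-256-GCM and RSA-OAEP/2048
// stand in for the algorithms EFS uses on a given Windows version.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EFSFile models the stored layout: header (DDF + DRFs) and encrypted data.
type EFSFile struct {
	DDF        []byte   // FEK wrapped with the user's public key
	DRFs       [][]byte // FEK wrapped with each recovery agent's public key
	Nonce      []byte
	Ciphertext []byte
}

func wrapFEK(pub *rsa.PublicKey, fek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
}

func unwrapFEK(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, blob, nil)
}

func newAEAD(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt follows steps 1-4 of the slide: generate a unique FEK, encrypt the
// file symmetrically, wrap the FEK for the user and every DRA, store all parts.
func Encrypt(plaintext []byte, user *rsa.PublicKey, dras []*rsa.PublicKey) (*EFSFile, error) {
	fek := make([]byte, 32) // 256-bit key, as with AES 256 on XP SP1 / 2003
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	aead, err := newAEAD(fek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	f := &EFSFile{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}
	if f.DDF, err = wrapFEK(user, fek); err != nil {
		return nil, err
	}
	for _, dra := range dras {
		drf, err := wrapFEK(dra, fek)
		if err != nil {
			return nil, err
		}
		f.DRFs = append(f.DRFs, drf)
	}
	return f, nil
}

// Decrypt tries the caller's private key against the DDF and every DRF. The
// owner succeeds through the DDF, a recovery agent through its DRF (without
// ever holding the user's private key), and any other key gets an error.
func Decrypt(f *EFSFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, blob := range append([][]byte{f.DDF}, f.DRFs...) {
		fek, err := unwrapFEK(priv, blob)
		if err != nil {
			continue // this field was not wrapped for our key
		}
		aead, err := newAEAD(fek)
		if err != nil {
			return nil, err
		}
		return aead.Open(nil, f.Nonce, f.Ciphertext, nil)
	}
	return nil, errors.New("no DDF or DRF matches this key: not the owner or a recovery agent")
}

func main() {
	user, _ := rsa.GenerateKey(rand.Reader, 2048)
	dra, _ := rsa.GenerateKey(rand.Reader, 2048)
	f, err := Encrypt([]byte("constructed sample document"), &user.PublicKey, []*rsa.PublicKey{&dra.PublicKey})
	if err != nil {
		panic(err)
	}
	recovered, err := Decrypt(f, dra) // the DRA recovers the file via its DRF
	fmt.Printf("%q %v\n", recovered, err)
}
```

Losing the user's private key (the third item in the list above) only matters because the DRF still lets the agent recover the FEK; with no DRA defined, a lost user key means a lost file.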

Page 14:

EFS myths

- "Reboot into local Admin, you get full access"
  Change Windows 2000 default configuration via group policy
- "EFS only uses NT passwords, so LM hash = instant hack"
  EFS is only as strong as the user's password, but there's no 'instant hack' if deployed properly
- "Users can turn it off, so no data is guaranteed encrypted"
  Require encryption via group policy; don't give users admin
- "EFS kills performance"
  On modern systems the impact is negligible once the initial encryption is complete

Page 15:

Microsoft Windows Rights Management Services

Microsoft Windows Rights Management Services (RMS) for Windows Server 2003 is information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use - both online & offline, inside and outside of the firewall.

Page 16:

Microsoft Windows Rights Management Services

- Rights Management Service (RMS) is ideal for protecting shared data and helps enforce organizational policies on content by encrypting individual files and emails
- Data is even protected while transiting the network
- Can be managed with existing tools, such as Active Directory Group Policies
- Data is protected regardless of where it goes: users can email files, copy them onto thumb drives or Smartphones, or write them to CD-ROM and the data will continue to be encrypted
- Features for recovering data due to lost encryption keys are built-in
- Uses the FIPS 140 compliant algorithms included with Windows

Page 17:

Microsoft Windows Rights Management Services

- Bad: Protecting against brilliant users
- Ugly: Protecting against traitorous admins

Page 18:

RMS expiration

- In the laptop scenario, RMS's unique contribution = Expiration
- "On every access" – not usable for laptops
- "Every <xx> days" is better for laptop users
- "Expires after <date>" is best for laptop users
- Leveraging RMS Templates will increase use of this mitigation

Page 19:

[Screenshot: RMS permission dialog. Callouts: Add users with Read and Change permissions; Verify aliases & DLs via AD; Add advanced permissions]

Page 20:

[Screenshot: RMS advanced permissions dialog. Callouts: Set expiration date; Enable print, copy permissions; Add/remove additional users; Contact for permission requests; Enable viewing via RMA]

Page 21:

RMS at Microsoft: Example of RMS Templates

Corporate RMS templates available from the Permission menu of Outlook, Word, PowerPoint, and Excel:

- Do Not Reply All: Recipients can View, Reply, Save, Edit, and Forward but can not Reply All
- Microsoft Confidential: Only Microsoft employees can access the message. Allows for View, Reply, Reply All, Save, Edit, and Forward
- Microsoft Confidential Read Only: Only Microsoft employees can access the message. Allows for View, Reply, Reply All
- Microsoft FTE Confidential: Only Microsoft full-time employees can access the message. Allows for View, Reply, Reply All, Save, Edit, and Forward
- Microsoft FTE Confidential Read Only: Only Microsoft full-time employees can access the message. Allows for View, Reply, and Reply All

Page 22:

RMS Technology Partners

Liquid Machines – www.liquidmachines.com
- Enables RMS for Office XP & 2000
- Adds support for PDF, Visio and many other file formats
- Enables RMS for Blackberries

GigaTrust – www.gigatrust.com
- Enables RMS for Office XP & 2000
- Adds support for many more file types (PDF, WPD, JPG, TXT, HTML, etc.)
- Enables RMS for Blackberries

Titus – www.titus.com
- Provides RMS consulting and training services

Page 23:

Windows Vista BitLocker

Windows Vista Enterprise features a number of enhancements that help protect sensitive data, including Windows BitLocker™ Drive Encryption to better protect data on lost, stolen or decommissioned PCs, expanded Windows Rights Management Services that help organizations control who has access to sensitive data, and improvements to the Encrypting File System.

Page 24:

Windows Vista BitLocker

- Windows BitLocker™ Drive Encryption is hardware-enabled data protection that helps protect data on a PC when the machine is in unauthorized hands. By encrypting the entire Windows volume, it prevents unauthorized users from accessing data by breaking Windows file and system protections or attempting the offline viewing of information on the secured drive.
- BitLocker configuration policies can be managed through Active Directory Group Policies, and BitLocker is designed to leverage the Trusted Platform Module (TPM).

Page 25:

Windows Vista BitLocker

Caveats

- Computers protected with BitLocker could become inaccessible if users lose their USB storage device or if they forget their BitLocker password

Whitepaper: Microsoft Windows Vista Security Advancements
http://download.microsoft.com/download/c/2/9/c2935f83-1a10-4e4a-a137-c1db829637f5/WindowsVistaSecurityWP.doc

Page 26:

BitLocker Drive Encryption

- OEMs having challenges (BIOS)
- Customers don't have wide deployment (TPM)
- USB, PIN aren't magic bullets
  - A little bit like SYSKEY
  - However, centrally recoverable
- Only protects system volume
  - EFS needed for additional partitions

Page 27:

BitLocker

BitLocker™ Drive Encryption
- Designed specifically to prevent malicious users from breaking Windows file and system protections
- Provides data protection on Windows systems, even when the system is in unauthorized hands or is running a different or exploiting operating system
- A Trusted Platform Module (TPM) or USB flash drive is used for key storage

Page 28:

Trusted Platform Module

Smartcard-like module on system motherboard
- Helps protect secrets
- Performs cryptographic functions
- Can create, store and manage keys
- Performs digital signature operations
- Holds Platform Measurements (hashes)
- Anchors chain of trust for keys and credentials
- Protects itself against attacks

TPM 1.2 spec: www.trustedcomputinggroup.org
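An added example (not from the deck) of the two TPM properties BitLocker's TPM mode relies on, holding platform measurements and anchoring a key to them: each boot component is extended into a PCR with the TPM 1.2 rule PCR = SHA-1(PCR || measurement), and a volume key is bound to the resulting value so that a modified boot component leaves it unreleased. The HMAC-based seal/unseal, the TPM-resident root secret and the boot component names are constructed stand-ins for the TPM's internal operations, not the real protocol.

```go
// Added example, not from the slide deck: a simplified model of a TPM
// holding platform measurements and anchoring a key to them. Assumptions:
// the seal/unseal is an HMAC-based stand-in for the TPM's own operation;
// the TPM-resident root secret and the boot component names are constructed.
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PCR is a TPM 1.2 style 20-byte Platform Configuration Register, zero at power-on.
type PCR [sha1.Size]byte

// Extend applies the TPM 1.2 rule PCR = SHA-1(PCR || measurement). A PCR can
// only be extended, never written, so its value encodes every measurement and their order.
func (p PCR) Extend(measurement []byte) PCR {
	h := sha1.New()
	h.Write(p[:])
	h.Write(measurement)
	var out PCR
	copy(out[:], h.Sum(nil))
	return out
}

// MeasureBoot simulates firmware and boot loader hashing each boot component
// into one PCR before passing control to it.
func MeasureBoot(components [][]byte) PCR {
	var pcr PCR
	for _, c := range components {
		digest := sha1.Sum(c)
		pcr = pcr.Extend(digest[:])
	}
	return pcr
}

// Sealed is a volume key bound to a platform state.
type Sealed struct {
	Blob []byte // volume key XOR the binding key
	Tag  []byte // HMAC over Blob under the binding key; fails if the PCR differs
}

// bindingKey derives the wrapping key from a TPM-resident secret and the PCR value.
func bindingKey(pcr PCR) []byte {
	mac := hmac.New(sha256.New, []byte("constructed-tpm-resident-root-secret"))
	mac.Write(pcr[:])
	return mac.Sum(nil) // 32 bytes
}

// Seal binds a 32-byte volume key to the PCR value present at seal time.
func Seal(volumeKey []byte, pcr PCR) (*Sealed, error) {
	key := bindingKey(pcr)
	if len(volumeKey) != len(key) {
		return nil, errors.New("volume key must be 32 bytes")
	}
	blob := make([]byte, len(key))
	for i := range key {
		blob[i] = volumeKey[i] ^ key[i]
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(blob)
	return &Sealed{Blob: blob, Tag: mac.Sum(nil)}, nil
}

// Unseal releases the volume key only when the current PCR reproduces the
// binding key; a modified boot component changes the PCR and the release fails.
func Unseal(s *Sealed, current PCR) ([]byte, error) {
	key := bindingKey(current)
	mac := hmac.New(sha256.New, key)
	mac.Write(s.Blob)
	if !hmac.Equal(mac.Sum(nil), s.Tag) {
		return nil, errors.New("platform measurements changed: key not released")
	}
	out := make([]byte, len(key))
	for i := range key {
		out[i] = s.Blob[i] ^ key[i]
	}
	return out, nil
}

// Constructed boot chains: as sealed, and with the boot manager replaced offline.
var (
	TrustedBoot  = [][]byte{[]byte("BIOS 1.0"), []byte("MBR"), []byte("bootmgr (original)")}
	TamperedBoot = [][]byte{[]byte("BIOS 1.0"), []byte("MBR"), []byte("bootmgr (modified)")}
)

func main() {
	volumeKey := bytes.Repeat([]byte{0x42}, 32) // constructed volume master key
	sealed, _ := Seal(volumeKey, MeasureBoot(TrustedBoot))
	_, err := Unseal(sealed, MeasureBoot(TrustedBoot))
	fmt.Println("trusted boot:", err)
	_, err = Unseal(sealed, MeasureBoot(TamperedBoot))
	fmt.Println("tampered boot:", err)
}
```

This is also why a firmware update or a BIOS configuration change can send a TPM-only BitLocker machine into recovery: the measurements legitimately change, so the key is not released and the recovery password is the way back in.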

Page 29:

BitLocker™

- Only protects until Winlogon
- Weakest password lets you in: Admin, Service accounts, Backup accounts
- Bottom Line: DON'T wait for BitLocker before encrypting laptops

Page 30:

Comparing Technologies

Feature                                                                                  | EFS   | RMS | BitLocker | S/MIME | ACLs
-----------------------------------------------------------------------------------------|-------|-----|-----------|--------|-------
Differentiates permissions by consumer                                                   | No    | Yes | No        | No     | Yes
Prevents unauthorized access                                                             | Yes   | Yes | Yes       | Yes    | Yes
Encrypts protected content                                                               | Yes   | Yes | Yes       | Yes    | No
Offers content expiration                                                                | No    | Yes | No        | No     | No
Offers use license expiration                                                            | No    | Yes | No        | No     | No
Controls content access to reading, forwarding, saving, modifying, or printing by consumer | No    | Yes | No        | No     | Yes **
Extends protection beyond initial publication location                                   | Yes * | Yes | No        | Yes    | No

* Since Windows XP it has been possible to manually grant other users the ability to decrypt individual files protected with EFS, but it's not an intuitive procedure
** Only protects against online attacks

Page 31:

Scenarios

- Essential: Loss or theft of mobile PC
  Aka "left in taxi"
- Important: Reduced data leaks
  Aka "Oops, I sent it to The Register (and /., MSNBC, CNN…)"
- Removable media
  Aka USB/thumb/jump/flash drives, CDs

Page 32:

Loss or Theft of a PC: Where's the Data?

Clients
- Documents: Where do your users keep their documents?
- User Profile: Outlook, Sharepoint, Desktop, Temp
- Per-machine data: Search index, file cache

Servers
- File Shares
- Collaboration store (e.g. Sharepoint)
- RDBMS (e.g. SQL)
- Mail (e.g. Exchange)
- SAN
- Enterprise backup

Where ISN'T Data stored?

Page 33:

Loss or Theft of PC

Threat: Attackers with time, tools, well-documented attack techniques
Goal: reduce (NOT eliminate) the risk of data exposure

- Good: EFS
- Better: Minimize the stored data; Combine EFS + RMS
- Best: BitLocker + EFS + RMS

Don't bother with ACLs, RBAC

Page 34:

Loss or Theft of PC

EFS
- Mitigates offline attacks except against user account
- Prevents online attacks (on encrypted files)
- Threats focus on user's password

BitLocker with TPM or USB (Vista)
- Prevents offline attacks (replace passwords, copy hashes, change system files)
- Threats focus on user logons

Ideal: BitLocker with TPM + EFS with Smart Card (Vista)
- Attacker with notebook + Smart Card needs PIN (not password)
- After "x" bad tries, Smart Card locked FOREVER

RMS (XP, Vista)
- Similar offline protection as EFS
- Except only supported file formats (Office, HTML)

Page 35:

What about stolen Desktops, Servers?

- First things first: laptops
  - Laptops are usually less physically secure
  - Get that part of the house in order
- Next: PCs not behind locked doors
  - PCs in front office
  - Branch servers in the break room
- Similar mitigations apply, plus:
  - Could disable cached logons
  - Could enforce "on every access" with RMS

Page 36:

Loss or Theft of PC

Reality check: Windows XP today
- Attack focus: user passwords, cleartext data
- Tactics:
  - Better passphrases
  - Encrypt significant sets of data: EFS for Documents, email, desktop, TIF, server caches
  - Smartcard logon
- Residual risk: pagefile fragments, hiberfile, cached logon verifiers

Page 37:

Reduced data leaks

Threat: Authorized users with legit access giving data to others
Goal: Mitigate the risk of leaks

- Good: ACLs, Role-based Access
- Better: DRM, Application encryption

Don't bother with system encryption

Page 38:

Reduced data leaks

1. ACL shared files on servers with RBAC groups
   Prevents users from granting each other permissions
2. Leverage RMS
   Reduces the amount of unprotected files
3. Ideal: Enforce RMS protection according to business rules (RMS partners)

Bonus: encryption on physical media
Bonus: removable media policy (Vista)

Page 39:

Removable media

Threat: Authorized users with legit access copying "secure" data to removable media, then losing it
Goal: mitigate the loss of unprotected data

- Good: Block access to removable devices; RMS
- Better: Block writes to removable devices; Encrypt removable devices

Page 40:

Removable media

- XP removable media policy
- Vista removable media policy
- EFS on flash media

Page 41:

Prepare for Tomorrow: Prepare and assess

- All of these encryption technologies take advantage of Microsoft's directory service because they can be managed through Group Policy
- There's no need to deploy additional management infrastructure
- As with other features that can be controlled through group policies, organizations can decide to either centralize or decentralize policy management based on their IT landscape and resources

Page 42:

What Can You Do Today

- Implement EFS or RMS through the use of Windows XP Professional with Service Pack 2 on the desktop or Windows 2003 Server
- Implement a multi-layer approach to significantly decrease risk and potential exposure
  - Today: Utilize both EFS and RMS simultaneously
  - Tomorrow: The most powerful combination will combine EFS, RMS, and BitLocker to protect the data across a wide range of attack scenarios
- Utilize other features built into our platform such as S/MIME; IPSec for both on-the-wire encryption and isolation of systems; and TLS/SSL

Page 43:

Windows Mobile

- Windows Mobile uses FIPS 140 compliant algorithms (http://csrc.nist.gov/cryptval/140-1/1401val2005.htm#560)
- Windows Mobile policies can be managed using SMS 2003; 3rd parties have developed additional technologies to help secure and manage Windows-based mobile devices.
- Third party solutions for encrypting data or for RMS integration are available, see: http://www.microsoft.com/windowsmobile/resources/providers/search.asp
- A detailed whitepaper on securing Windows Mobile is available internally

Page 44:

Security is Not Just Technology

- Technology is only a part of the solution
- Poor end-user behavior and ambiguous policies are a dangerous combination
- User education is a critical part of the solution

Page 45:

© 2006 - 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.