Windows 7 BitLocker: Configuration and Deployment

Paul A. Cooke - CISSPDirectorMicrosoftSession Code: CLI311

Windows Vista BitLocker

Encrypts the OS volumeHelps prevent the unauthorized disclosure of data when it is at restDesigned to utilize a Trusted Platform Module (TPM) v1.2

Secure key storageBoot Integrity

Vista SP1 added support for multi-volume/drive protection!

Windows 7 BitLockerWhat’s New• BitLocker Enhancements

Automatic 100 Mb hidden boot partition

New Key Protectors

Domain Recovery Agent (DRA)

Passwords

Smart card

Auto-Unlock

Windows 7 BitLockerWhat’s New

BitLocker To Go

Support for FAT*

Protectors: DRA, passphrase, smart card and/or auto-unlock

Management: protector configuration, encryption enforcement

Read-only access on Windows Vista & Windows XP

Architectural Overview

Disk Layout and Key StorageOperating system volume contains:

Encrypted OSEncrypted page fileEncrypted temp filesEncrypted dataEncrypted hibernation file

Where’s the encryption key?SRK (Storage Root Key) contained in TPM SRK encrypts the VMK (Volume Master Key)VMK encrypts FVEK (Full Volume Encryption Key) – used for the actual data encryptionFVEK and VMK are stored encrypted on the Operating System Volume

Operating System Volume

SystemSystem volume contains:

MBR Boot Manager Boot Utilities

FVEKSRK

VMK

TMP Only“What it is.”

Dongle Only“What you have.”

TPM + PIN“What you know.”

TPM + Dongle“Two what I

have’s.”

OS Volume Key ProtectorsEa

se o

f Use

BitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with

Protects against: SW-only attacks

Vulnerable to: HW attacks (including

potential “easy” HW attacks)

Security

Protects against: All HW attacks

Vulnerable to: Losing dongle Pre-OS attacks

XXXXX

Protects against: Many HW attacks

Vulnerable to: TPM breaking

attacks

Protects against: Many HW attacks

Vulnerable to: HW attacks

XXXXX

All Boot Blobs

unlocked

Volume Blob of Target OS unlocked

Trusted Platform Module (TPM)Static root of trust measurement of early boot components

PreOS Static OS

TMP Init

BIOS

MBR

BootSector

BootBlock

BootManager

OS Loader

StartOS

Windows Vista BitLocker Volume

Boot Sector Boot Sector

Encrypted Volume Data

BitLocker Metadata Copies

Pointer to Primary Metadata Copy

Pointers to other metadata copies

Windows 7 BitLocker Volume

Virtual Boot Sector

Virtual Boot Sector

Encrypted Volume Data

BitLocker Metadata Copies

Pointer to Primary Metadata Copy

Pointers to other metadata copies

Boot Sector

Infrastructure PreparationOperating system partition

Hardware RequirementsTrusted Platform Module

Trusted Platform Module (TPM) v1.2Trusted Platform Module (TPM) Compatible BIOS

USB Flash DriveThe system BIOS must support both reading and writing small files on a USB flash drive in the pre-operating system environment

Disk PartitioningSeparate reserved system partition using NTFSSystem partition minimum size of at least 100MBChoosing the right partitioning is key for a successful deploymentSystem partition is a Windows 7 requirement not specific to BitLocker

Note: An additional 50MB is required on the recovery partition for volume snapshots during Complete PC backups

Disk Partitioning RequirementsPossible examples

Windows RE250 MB

NTFS

System Partition100 MB

NTFS

OS - EncryptedRemaining Disk

NTFS

System Partition/Windows RE300 MB

NTFS

OS - EncryptedRemaining Disk

NTFS

RecommendationsStandardize the hardware

Hardware pre-build configuration (OEM)BIOS settingsEnable and Activate the TPMBIOS passwords

Minimize the number of reboots for your usersWorst scenario – 4 rebootsBest scenario – 1 rebootNumber of reboots is key in a successful deployment of BitLocker

RecommendationsWhat requires reboots?

RepartitioningTPM initializationTPM ownership – requires physical presenceBitLocker System Check

Improve the user experienceDeploy Windows with the recommended drive partitionsAsk your OEM to enable the TPMStandardize the hardware to remove the requirement of the compatibility wizard

Management and Recovery Preparations

Group Policy PreparationBitLocker Group Policy settings can

Turn on BitLocker backup to Active DirectoryEnable advanced startup options, recovery options, etc.Configure encryption method and strengthEnable FIPS compliance - before setting up BDE keys!Enforce or disable specific protectorsEnforce a minimum PIN length

TPM Services Group Policy canTurn on TPM owner authorization backup to Active Directory Domain ServicesConfigure the list of blocked TPM commands

Develop a Recovery StrategyDefine the process end-users will follow when recovery of a BitLocker system is needed

Anticipate the recovery scenariosHow to handle lost or forgotten Key Protectors?Reset PIN, lost startup keyHow are disk drive failures recovered?How are TPM hardware failures treated?Recover from core files or pre-OS file (BIOS upgrade, etc…) updates which are not plannedRecovering and diagnosing a deliberate attack

Active Directory Based RecoveryBy default, no recovery information is backed up to AD

Administrators can configure GP to enable backup of BitLocker or TPM owner authorization recovery info

Schema needs to be extended Windows Server 2008 and 2008 R2 are “BitLocker Ready”All domain controllers in the domain must be at least Windows Server 2003 SP1

Recovery data saved for each computer objectRecovery passwords - a 48-digit recovery passwordKey package data (optional) - helps recovery if the disk is severely damagedThere is only one TPM owner password per computer

There can be more than one recovery password per computerO/S VolumeData Volumes

Data Recovery Agent New Recovery Mechanism

Certificate-based key protectorA certificate containing a public key is distributed through Group Policy and is applied to any drive that mountsThe corresponding private key is held by a data recovery agent in the IT department

Allows IT department to have a way to unlock all protected drives in an enterpriseSaves space in AD – same Key Protector on all drives

Windows Recovery EnvironmentSet of tools for troubleshooting startup problems

In Windows RE environment, user will be prompted for recovery credential on a BitLocker-enabled machineContains the necessary drivers and tools to unlock and repair if necessary a BDE-protected volume

WinRE boot image needs to reside on a non-encrypted volumeBitLocker setup is now Windows RE “aware” and will move Windows RE to a proper partition if required.

Manage-BDE and Repair-BDE are now installed per defaultIn Windows 7In Windows PE and in the Windows Recovery Environment (Windows RE)

RecommendationsGroup Policies

Ensure that the group policies are configured before your deploymentMost BitLocker GPOs are not retroactiveTPM + PIN offers the best balance between security and user experienceRecovery and authentication policies are specific to Vista and Windows 7Leverage the group policy targeting mechanism for granularity

Recovery ScenariosWinRE should be deployed in its own partition or on the system partitionTest all your recovery scenariosUse Active Directory if you want to build custom recovery solutionsUse Data Recovery Agents if you have a requirement for FIPS compliance

BitLocker DeploymentOperating system partition

BitLocker DeploymentDeployment options

During build processPost-build processUser initiated

Deployment methodsManage-BDEWMISCCM

Windows Deployment Tools

Windows 7 Upgrade Scenario

Deployment Options

Configuration during build processEnabling and activating a TPM during this process will require user interaction to meet the physical presence requirement If backup of recovery info to AD is required, BDE must be enabled after the computer has joined your AD domainStarting encryption during the build process has performance impact, for example if there are additional tasks to be performed (install apps, etc) Consider starting encryption at the very end of the build process

Deployment Options Post-build configuration

Triggered immediately after the system build process completes Or triggered at a later time after the computer is delivered to the end user

Software distribution tool (SCCM)GP scriptingLogon scripts

Very flexible and can be accomplished using numerous methods

User initiated configurationAllow users to selectively enroll and configure their machines for BDENot recommended if BitLocker is mandatory

Deployment MethodsManage-BDE.exe command-line tool

Provides configuration / administration on individual and remote machinesLocation: %systemdrive%\Windows\system32Leverages the BitLocker and TPM WMI providers

Create scripts with BitLocker and TPM WMI providers Useful when integrating support of BitLocker machines into your help desk environment, or user initiated configuration type of deploymentSample script (EnableBitLocker.vbs) availableRecommendation: Use for large enterprise deployments

Deployment MethodsBitLocker WMI Methods allows to

Enable/activate TPM, take ownership and generate random owner passEnable BitLocker protection using supported authentication methodsCreate additional recovery key and recovery passwordReset TPM owner information

Use and modify existing sample script Manage-BDE.wsfLocation: %systemdrive%\Windows\system32Only provided as an example

Scripts can generate a rich log file, WMI exit codes are logged

Microsoft recommends Using BitLocker and TPM WMI providers for enterprise deploymentUsing manage-bde for administration of BitLocker enabled machines

Deployment Methods

Systems Center Configuration Manager 2007Unify the deployment toolsets for both client and serverDeliver an end-to-end process for deploymentProvide high degrees of flexibility to accommodate complex enterprise requirementsUse native toolsets found in WindowsSupports BitLocker natively

Windows Deployment Tools

Systems Center Configuration Manager 2007http://www.microsoft.com/systemcenter/

Microsoft Deployment Toolkit 2008http://technet.microsoft.com/en-us/solutionaccelerators/dd407791.aspx

Windows Deployment Services

Unattended Installation

Imaging with ImageX

Windows 7 Upgrade Scenario

Upgrade from a BitLocker machineNo decryption required but you need to suspend BitLockerCurrent partitioning will be preservedSystem partition will be 1.5 GBDrive letter will not be removed

Upgrade from a non-BitLocker machineCurrent partitioning will be preserved (single partition)BitLocker will automatically create a system partitionSystem partition will be 300MB with no drive letter

BitLocker Server ScenariosBitLocker is a feature on Windows Server (optional component)

The feature needs to be installed through Server Manager

All the recommendations made in this presentation apply to the server scenario

BitLocker provides great value in branch office scenarios

Branch Office TechCenterhttp://technet.microsoft.com/en-us/branchoffice/default.aspx

RecommendationsBare Metal install ≠ Clean install

Make sure to partition the diskFile base imaging does not partition the disk per default

Turn on BitLocker in the post build processProvides the most flexibility

Do not partition the disk post installationDeploy Windows 7 using the right partitionsOnly Shrink the O/S volume when no other options are availableIf you need to shrink the disk use bdehdcfg.exe post installation or the BitLocker Setup WizardDo not shrink from Vista for large deployments

BitLocker DeploymentData Drive

Data Drive Key Storage

Password

Auto-Unlock

Smartcards

Ease

of U

seBitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with

Security

Pros:Ease of use backward

compatibility BitLocker to go reader

Cons:Less secure vulnerable

to brute force and dictionary attacks

Pros:Uses a stronger key

Cons:Specific to a

single machine

Pros:Uses much stronger keys

Cons:Requires hardware not backward compatible

XXXXX

Data Drive Specific Group Policy

BitLocker Group Policy settings canTurn on BitLocker backup to Active DirectoryEnable, enforce or disable password or smartcard protectorsEnforce a minimum password lengthEnforce password complexityDeny write access to drives not encrypted with BitLockerDo not allow write access to devices from other organizations

BitLocker Enforcement

Requiring BitLocker for data drivesWhen this policy is enforced, all data drives will require BitLocker protection in order to have write accessAs soon as a drive is plugged into a machine, a dialog is displayed to the user to either enable BitLocker on the device or only have read-only accessThe user gets full RW access only after encryption is completedUsers can alternatively enable BitLocker at a later time

BitLocker Enforcement

BitLocker Cross-OrganizationThis policy will help enterprises manage compliance when a requirement exists to not allow devices to roam outside of the enterprise

When the "Deny write access to devices configured in another organization" policy is enabled

Only drives with identification fields matching the computer's identification fields will be given write accessWhen a removable data drive is accessed it will be checked for valid identification field and allowed identification fieldsThese fields are defined by the "Provide the unique identifiers for your organization" policy setting

Certificate RequirementsPossible deployment scenarios

Leverage an existing certificateLeverage a generic certificateDeploy a new BitLocker certificate

The BitLocker Object Identifier (OID)Associate a certificate to BitLocker (Certificate Application Policies)Default value: 1.3.6.1.4.1.311.67.1.1The BitLocker OID can be modified using Group Policies

Certificate RequirementsSupported certificates for smart card authentication

A certificate is considered valid for BitLocker if the following conditions are met for Key Usage:

No KU is present KU is present and contains one of the following keyEncipherment bits:

CERT_DATA_ENCIPHERMENT_KEY_USAGECERT_KEY_AGREEMENT_KEY_USAGECERT_KEY_ENCIPHERMENT_KEY_USAGE

A certificate is considered valid for BitLocker if the following conditions are met for Extended Key Usage:

No EKU is presentEKU is present and contains BitLocker OIDEKU is set to anyExtendedKeyUsage

RecommendationsIdentification fields

Should be set before your deployment if you are planning to use DRAs or the cross-organization policyAre automatically set during encryptionCan be set after encryption using Manage-BDE or WMI but this requires Administrator rights

CertificatesDeploy the required certificates before enabling BitLocker on data drives

BitLocker To Go ReaderInstalled per default but can be managed through group policiesRequires the use of a passwordCan be deployed separately using a software distribution tool

BitLocker & BitLocker To Godemo

question & answer

www.microsoft.com/teched

Sessions On-Demand & Community

http://microsoft.com/technet

Resources for IT Professionals

http://microsoft.com/msdn

Resources for Developers

www.microsoft.com/learning

Microsoft Certification & Training Resources

Resources

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,

IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.