SECCT10: BitLocker™ Drive Encryption Deployment
Russell Humphries
Senior Product Manager – Windows Vista Security
Disclaimer
• This presentation contains preliminary information that may be changed substantially prior to final commercial release of the software described herein.
• The information contained in this presentation represents the current view of Microsoft Corporation on the issues discussed as of the date of the presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of the presentation.
• This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
• Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this presentation. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this information does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
• © 2006 Microsoft Corporation. All rights reserved.
Information Loss Is Costly
Information loss – whether via theft or accidental leakage – is costly on several levels.
Financial
• The U.S. Dept of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004
• Loss of revenue, market capitalization, and competitive advantage
Image & Credibility
• Leaked executive e-mails can be embarrassing
• Unintended forwarding of sensitive information can adversely impact the company’s image and/or credibility
Legal & Regulatory Compliance
• Increasing regulation: SOX, HIPAA, GLBA
• Bringing a company into compliance can be complex and expensive
• Non-compliance can lead to significant legal fees, fines and/or settlements
“BitLocker Drive Encryption provides stronger protection for data stored on your Windows Vista™ systems – even when the system is in unauthorized hands or is running a different or attacking OS. BitLocker does this by utilizing full volume encryption; this prevents a thief who boots another OS or runs a software disk inspection tool from breaking Vista file and system protections or even the offline viewing of data files.”
BitLocker Drive Encryption
BitLocker Drive Encryption fully encrypts the entire Windows Vista volume.
Designed specifically to prevent the unauthorized disclosure of data when it is at rest.
Provides data protection on your Windows client systems, even when the system is in unauthorized hands.
Designed to utilize a v1.2 Trusted Platform Module (TPM) for secure key storage and boot environment authentication
BitLocker: secure, usable, affordable
Adapted from Jesper M. Johansson, “Security Management”, Microsoft TechNet
Who are these people?
(Chart of attacker types plotted against skill level and motivation)
Attacker types: Vandal, Trespasser, Thief, Spy, Author
Motivations: National Interest, Personal Gain, Personal Fame, Curiosity
Skill levels: Script-Kiddy, Undergraduate, Expert, Specialist
Chart annotations: largest area by volume; largest area by $ lost; largest area by $ spent; fastest growing segment
Spectrum of Protection
(Chart: security plotted against ease of use)
• TPM Only – Protects against: SW-only attacks. Vulnerable to: some HW attacks.
• TPM + PIN – Protects against: many HW attacks. Vulnerable to: some HW attacks.
• Dongle Only – Protects against: all HW attacks. Vulnerable to: losing the dongle; pre-OS attacks; dongle left with the device.
• TPM + Dongle – Protects against: software and HW attacks. Vulnerable to: losing the dongle; dongle left with the device.
BitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with.
BitLocker disk layout
Ease of Deployment
Integration with existing infrastructure
Deployment features
• Functionality fully exposed by WMI
• Supplied MMC plug-in
• Integrates with Group Policy
Active Directory
• Seamless integration with Longhorn Server
• Schema extensions available for Server 2003 SP1 and higher
• Auto-escrow of recovery keys enabled by default
• Confidential bit set on keys; read-only by admin only
BitLocker TPM Administration Storyboard – New Machine
Basic TPM Administration/Deployment
1. Machine arrives at enterprise in un-initialized state.
2. Turn TPM on.
3. Check for physical presence by rebooting the machine and prompting the user at the BIOS screen for a key press.
4. Log back into Windows Vista.
5. Take ownership of TPM.
6. Check for existence of Endorsement Key (provided by OEM).
7. Create TPM Administration Password.
8. Commit changes to TPM and initialize.
9. Publish TPM Administration Password to AD/file.
10. TPM Initialization Complete.
(BIOS physical-presence prompt shown in the storyboard:)
A configuration change was requested to enable, activate, and allow a user to take ownership of this computer’s TPM (Trusted Platform Module)
NOTE: This action will switch on the TPM
Press [F10] to enable, activate, and allow a user to take ownership of the TPM
Press ESC to reject this change request and continue
Note: Steps 1-3 can be pre-configured (OEM, SP)
BDE installation
1. Active Directory prepared for CS keys
2. Windows Vista Install
   a. BDE is only available in the Enterprise and Ultimate versions of Windows Vista.
   b. BDE requires a partition separate from the Windows Vista OS partition with a minimum free space of 350 MB.
   c. During installation the system is checked for the correct version of TPM (v1.2) and BIOS via Plug and Play.
   d. TPM & BDE drivers are installed.
3. BDE Initialization
   a. Scripted initialization of TPM.
   b. TPM Ownership password saved to Active Directory.
4. Remotely executed BDE script
   a. Policy saves recovery key to AD.
   b. System encrypted.
5. Inspect audit logs for successful completion of encryption.
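As an added example (not code from the deck or from Microsoft), the following script is a checkpoint for steps 3-5 of the installation, driven through the WMI classes the deck says expose BitLocker and TPM functionality. It assumes the documented namespaces root\cimv2\Security\MicrosoftTpm and root\cimv2\Security\MicrosoftVolumeEncryption and is run elevated on the client, for instance from the remotely executed BDE script.

```powershell
# Added example: BDE deployment checkpoint via WMI (assumes the namespaces named above).
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM found; BDE cannot use TPM-based protection on this machine.' }

# Step 3: the scripted TPM initialization must leave the TPM enabled, activated and owned.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned
if (-not ($enabled -and $activated -and $owned)) {
    throw "TPM not ready for BDE (enabled=$enabled activated=$activated owned=$owned)"
}

# Steps 4-5: per volume, confirm protectors, escrow the recovery key, and check encryption.
$vols = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume
foreach ($v in $vols) {
    # KeyProtectorType 1 = TPM, 3 = numerical password (the 48-digit recovery key).
    # Piping through Where-Object turns a null result into an empty array.
    $tpmProt = @($v.GetKeyProtectors(1).VolumeKeyProtectorID | Where-Object { $_ })
    $recProt = @($v.GetKeyProtectors(3).VolumeKeyProtectorID | Where-Object { $_ })
    $conv    = $v.GetConversionStatus()                    # ConversionStatus 1 = fully encrypted
    $prot    = $v.GetProtectionStatus().ProtectionStatus   # 1 = protection on

    "{0} TPM protectors={1} recovery protectors={2} encrypted={3}% protection={4}" -f `
        $v.DriveLetter, $tpmProt.Count, $recProt.Count, $conv.EncryptionPercentage, $prot

    # Escrow each recovery protector to AD explicitly, on top of the policy-driven auto-escrow,
    # so a failed escrow shows up here rather than at recovery time.
    foreach ($id in $recProt) {
        $rc = $v.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
        if ($rc -ne 0) { Write-Warning ("AD escrow of {0} on {1} failed: 0x{2:X}" -f $id, $v.DriveLetter, $rc) }
    }
    # A volume with protection off or conversion unfinished has not reached step 5.
    if ($conv.ConversionStatus -ne 1 -or $prot -ne 1) {
        Write-Warning ("{0}: encryption not complete or protection off; check the audit logs." -f $v.DriveLetter)
    }
}
```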
BitLocker Enterprise Machine Deployment with TPM
(Deployment flow diagram:)
• Active Directory is prepared for BDE keys
• Windows Vista install
• TPM script initialization
• Store TPM ownership password
• BDE script setup
• Store BDE recovery key
Example Recovery Scenario
1. Feature turned on.
2. AD access via network.
3. Recovery key escrowed to AD and/or USB dongle.
4. User drops laptop and breaks motherboard.
5. HD from old broken machine put into new laptop with BDE enabled.
6. BDE can’t access HD because the TPM key in new laptop is different.
7. User launches BDE recovery:
   A. User uses USB dongle to recover the drive.
   -or-
   A. User calls admin and administrator authenticates user.
   B. Admin gets correct recovery key from AD.
   C. Admin reads key to user over the phone.
   D. User types in recovery key.
8. Recovery key is used to recover the drive.
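As an added example (not from the deck), here is the helpdesk side of step 7B: looking up the escrowed key for a specific machine and protector. It assumes the Server 2003 SP1 schema extensions the deck mentions, which store each escrowed key as an msFVE-RecoveryInformation child object of the computer account with the 48-digit key in msFVE-RecoveryPassword, and that the key ID the user reads from the recovery screen is the first 8 hex characters of the protector GUID embedded in that object's CN.

```powershell
# Added example: retrieve an escrowed recovery password from AD (assumptions as stated above).
# Run as an account that has been granted read access to the confidential attribute.
param(
    [Parameter(Mandatory=$true)][string]$ComputerName,  # verified against the user out of band
    [Parameter(Mandatory=$true)][string]$KeyIdPrefix    # 8 hex chars shown on the recovery screen
)
if ($KeyIdPrefix -notmatch '^[0-9A-Fa-f]{8}$') {
    throw 'Key ID must be the 8-character prefix shown on the recovery screen.'
}

# Locate the computer object under the domain naming context.
$root   = [ADSI]'LDAP://RootDSE'
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = [ADSI]"LDAP://$($root.defaultNamingContext)"
$search.Filter     = "(&(objectClass=computer)(cn=$ComputerName))"
$computer = $search.FindOne()
if (-not $computer) { throw "Computer object '$ComputerName' not found." }

# Recovery objects are direct children of the computer; their CN embeds the protector GUID,
# so the prefix read over the phone selects exactly one of them.
$search.SearchRoot  = $computer.GetDirectoryEntry()
$search.SearchScope = 'OneLevel'
$search.Filter      = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$KeyIdPrefix-*))"
$search.PropertiesToLoad.AddRange(@('cn', 'msFVE-RecoveryPassword'))
$hits = $search.FindAll()
if ($hits.Count -ne 1) {
    throw "Expected exactly one key matching $KeyIdPrefix on $ComputerName, found $($hits.Count)."
}

# Present the key in its eight 6-digit groups, the way the user enters it in step 7D.
$pw = $hits[0].Properties['msfve-recoverypassword'][0]
"Recovery password for $ComputerName (key ID $KeyIdPrefix):"
($pw -split '-') -join '  '
```

Each release of a recovery password should be recorded (who requested it, which machine, which key ID) since the key unlocks the volume outside the TPM.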
(Recovery dialogs shown in the storyboard:)
Alert: Secure Startup Recovery – Secure Startup has failed. Please insert your USB recovery device and reboot your computer, or call your administrator for your Secure Startup recovery key.
Secure Startup Recovery Key – Please enter your Secure Startup Recovery Key. [**** **** **** ****]
Secure Startup Recovery Mode – You have successfully recovered your data. The recovery process is complete.
BitLocker Recovery
System Upgrade with BitLocker™
Upgrading computers with BDE
1. Turn off BitLocker
2. Upgrade system: updated BIOS, or install Service Pack
3. Turn on BitLocker – no encryption required
* If doing an update using Windows Update Services, the hash of the new component will already be calculated, so BitLocker will not need to be disabled to do the update.
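The turn-off / upgrade / turn-on sequence above, as an added example that is not code from the deck or from Microsoft. It uses the Win32_EncryptableVolume WMI class in root\cimv2\Security\MicrosoftVolumeEncryption (an assumption about the exposed API) and shows why step 3 needs no re-encryption: "turning off" suspends the key protectors and writes a clear key to disk, the volume itself stays encrypted.

```powershell
# Added example: suspend and resume BitLocker around a BIOS or service-pack upgrade.
function Get-SystemEncryptableVolume {
    $v = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
            -Class Win32_EncryptableVolume | Where-Object { $_.DriveLetter -eq $env:SystemDrive }
    if (-not $v) { throw 'System volume is not a BitLocker-encryptable volume.' }
    return $v
}

# Step 1: Turn off BitLocker. DisableKeyProtectors leaves the data encrypted but
# stores the volume key in the clear, so the machine is unprotected until step 3.
function Suspend-BdeForUpgrade {
    $v  = Get-SystemEncryptableVolume
    $rc = $v.DisableKeyProtectors().ReturnValue
    if ($rc -ne 0) { throw ("DisableKeyProtectors failed: 0x{0:X}" -f $rc) }
    Write-Warning "$($v.DriveLetter) protection suspended; run the upgrade now."
}

# Step 3: Turn on BitLocker. The TPM protector is sealed against the measurements of
# the platform as it is running, so call this only after the upgrade and any reboot it
# requires (e.g. the BIOS flash) have completed; otherwise the next boot lands in recovery.
function Resume-BdeAfterUpgrade {
    $v  = Get-SystemEncryptableVolume
    $rc = $v.EnableKeyProtectors().ReturnValue
    if ($rc -ne 0) { throw ("EnableKeyProtectors failed: 0x{0:X}; machine is still unprotected" -f $rc) }
    if ($v.GetProtectionStatus().ProtectionStatus -ne 1) { throw 'Protection did not come back on.' }
    # No Encrypt() call: the volume was never decrypted, so no encryption pass is needed.
    "$($v.DriveLetter) protection resumed."
}

# Step 2 sits between the two calls; $Installer is a hypothetical placeholder path.
Suspend-BdeForUpgrade
$p = Start-Process -FilePath 'C:\deploy\install-sp.exe' -ArgumentList @('/quiet') -Wait -PassThru
if ($p.ExitCode -ne 0) { Write-Warning "Upgrade exited with $($p.ExitCode); resuming protection anyway." }
Resume-BdeAfterUpgrade
```

If the upgrade reboots the machine, split the script at the Start-Process line and run Resume-BdeAfterUpgrade from a post-reboot task instead of inline.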