BitLocker: deep details, improvements and benefits
Sudhir Rao, Technology Specialist, Microsoft Corporation
Posted on 18-Dec-2015
Agenda
• BitLocker Drive Encryption Overview
• Recovery, Threats, and Mitigation
• Deployment Planning
• Deployment Scenarios
• WMI Management Interfaces and Tools
• Group Policy and Recovery
• Maintaining BitLocker Systems
• Things to Consider
• Additional Resources
BitLocker Drive Encryption Overview
BitLocker™ Drive Encryption
• BitLocker Drive Encryption encrypts the entire Windows Vista operating system volume.
• Enhanced in Windows Vista SP1 and Windows Server 2008 to provide multi-volume/drive protection.
• Designed specifically to prevent the unauthorized disclosure of data while it is at rest.
• Provides data protection on your Windows client systems even when the system is in unauthorized hands (lost or stolen).
• Designed to use a v1.2 Trusted Platform Module (TPM) for secure key storage and validation of the boot environment.
What Is A Trusted Platform Module (TPM)?
• Smartcard-like module on the motherboard
• Protects secrets
• Contains a set of Platform Configuration Registers (PCRs) that hold platform measurements (hashes) extended into them during boot
• Performs cryptographic functions: RSA, SHA-1, RNG
• Creates, stores and manages keys
• Provides a unique Endorsement Key (EK)
• Provides a unique Storage Root Key (SRK)
• Anchors the chain of trust for keys and credentials
• Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org
BitLocker™ Partition Layout
Disk partition requirements for BitLocker are unique; make sure you consider this from the beginning of your deployment design.
Two partitions are required:
• System Partition (Primary, NTFS, Active, 1.5 GB, Type 7). Why so large? The minimum partition size recommendation was made for the following reasons: BitLocker requires 50 MB of space, WinRE requires 550 MB of space, and servicing requires 900 MB of space.
• OS Partition (Primary, NTFS, Type 7, any size)
Encryption Key Storage
OS Volume contains: • Encrypted OS • Encrypted page file • Encrypted temp files • Encrypted data • Encrypted hibernation file
System Volume contains (all unencrypted): • MBR • Boot manager • Boot utilities
Where's the encryption key?
1. The SRK (Storage Root Key) is held in the TPM and never leaves it.
2. The VMK (Volume Master Key) is sealed by the TPM under the SRK to the measured boot state, and depending on the protector is additionally bound to a PIN and/or a key on a USB storage device.
3. The FVEK (Full Volume Encryption Key), which actually encrypts the volume data, is stored in the OS volume's BitLocker metadata encrypted with the VMK. Nothing usable is stored in the clear on the disk.
BitLocker Protectors
(Diagram: each protector is plotted on Security versus Total Cost of Ownership.)
• TPM Only: "What it is." Protects against: most software attacks. Vulnerable to: "easy" hardware attacks.
• TPM + PIN: "What it is + what you know." Protects against: many hardware attacks. Vulnerable to: more involved hardware attacks.
• USB Only: "What you have." Protects against: hardware attacks. Vulnerable to: lost USB key. No boot validation. The security depends entirely on user practices!
• TPM + USB: "What it is + what you have." Protects against: hardware attacks. Vulnerable to: lost USB key. The security depends entirely on user practices!
BitLocker™ offers a spectrum of protection allowing an organization to customize according to its requirements.
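An audit of which protector each volume actually has, written for this page as an added example (it is not code from the deck or from Microsoft). It uses the BitLocker WMI provider (class Win32_EncryptableVolume in the root\CIMV2\Security\MicrosoftVolumeEncryption namespace) and the documented numeric KeyProtectorType values; it assumes an elevated Windows PowerShell prompt on a BitLocker-capable build. The warnings at the end apply the protector matrix above: a TPM-only volume with no PIN or startup key, a volume with no recovery password to escrow, and an encrypted volume whose protection is off (clear key present).

```powershell
# Added example (not from the original deck): list the key protectors on every
# BitLocker volume and flag weak configurations. Assumes elevated Windows PowerShell.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# KeyProtectorType values returned by GetKeyProtectorType (documented for Win32_EncryptableVolume).
$protectorNames = @{
    0 = 'Unknown'
    1 = 'TPM only'
    2 = 'External key (USB startup key or recovery key)'
    3 = 'Numerical password (48-digit recovery password)'
    4 = 'TPM + PIN'
    5 = 'TPM + USB startup key'
    6 = 'TPM + PIN + USB startup key'
    7 = 'Public key'
    8 = 'Passphrase'
}
# ProtectionStatus: 0 = off (not encrypted, partially encrypted, or clear key present), 1 = on, 2 = unknown
$protectionNames = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }

foreach ($vol in Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume) {
    $status = [int]$vol.GetProtectionStatus().ProtectionStatus
    $conv   = $vol.GetConversionStatus()
    Write-Host ("{0} ({1}): protection {2}, {3}% encrypted" -f `
        $vol.DriveLetter, $vol.PersistentVolumeID, $protectionNames[$status], $conv.EncryptionPercentage)

    # KeyProtectorType 0 asks for protectors of every type.
    $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
    if (-not $ids) { Write-Host '  no key protectors'; continue }

    $types = @()
    foreach ($id in $ids) {
        $t = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        $types += $t
        Write-Host ("  {0}  {1}" -f $id, $protectorNames[$t])
    }

    # Findings, per the protector matrix in the deck.
    if (($types -contains 1) -and -not (($types -contains 4) -or ($types -contains 5) -or ($types -contains 6))) {
        Write-Warning "$($vol.DriveLetter) is TPM-only: no PIN or startup key, so 'easy' hardware attacks apply"
    }
    if (-not ($types -contains 3)) {
        Write-Warning "$($vol.DriveLetter) has no numerical (recovery) password: nothing can be escrowed to AD DS"
    }
    if ($status -eq 0 -and $conv.EncryptionPercentage -eq 100) {
        Write-Warning "$($vol.DriveLetter) is fully encrypted but protection is off: the VMK is reachable through a clear key"
    }
}
```

Run it from an elevated prompt; the per-volume lines give you the protector IDs you will need for escrow or removal with manage-bde or the WMI methods.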
BitLocker™ Drive Encryption Architecture
(Diagram: Static Root of Trust Measurement of boot components.) Each pre-OS component is measured into the TPM before it runs, in this order: BIOS / TPM init → MBR → boot sector → boot block → boot manager → OS loader → start OS. Only when the measurements match the values the keys were sealed to are all boot blobs unlocked and the volume blob of the target OS unlocked, and the static OS starts.
BitLocker™ Recovery Scenarios
• Lost/forgotten key protectors: lost USB key, user forgets PIN
• Upgrade to core files: planned change to pre-OS files (BIOS upgrade, etc.)
• Broken hardware: hard drive moved to a new system
• Deliberate attack: modified or missing pre-OS files (hacked BIOS, MBR, etc.)
BitLocker™ Recovery Options
BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management.
• Recovery password: a 48-digit recovery password used to recover a BitLocker-protected volume. Users enter this password to unlock a volume when BitLocker enters recovery mode.
• Key package data: with this key package and the recovery password, you will be able to decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package will only work with the volume it was created on, which can be identified by the corresponding volume ID.
• TPM owner password hash: when ownership of the TPM is taken, a hash of the ownership password can be stored in AD DS. This information can then be used to reset ownership of the TPM.
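The recovery-password path above, as an added example (not code from the deck or from Microsoft): create a numerical password protector on the OS volume through Win32_EncryptableVolume, read the generated 48-digit password back, check its structure, and request escrow to AD DS. The structural check is a fact about the format: eight groups of six digits, each group a multiple of 11 that encodes a 16-bit value (so below 11 × 65536 = 720896), which is how the Recovery Console rejects typos before trying the key. Assumptions: an elevated Windows PowerShell prompt, a domain-joined machine, and that the BackupRecoveryInformationToActiveDirectory method is present on the target build (on the Vista-era builds the deck targets, escrow happens automatically at creation time when policy requires it, as the "Things to Consider" slide notes).

```powershell
# Added example (not from the original deck): add a recovery password protector,
# validate its format, and escrow it to AD DS. Assumes elevated Windows PowerShell.
$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
if (-not $vol) { throw 'C: is not a BitLocker-capable volume' }

# Structural check on a recovery password: 8 groups of 6 digits, each group a
# multiple of 11 whose quotient fits in 16 bits (group value < 720896).
function Test-RecoveryPasswordFormat([string]$pw) {
    $groups = $pw.Split('-')
    if ($groups.Length -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if ((($n % 11) -ne 0) -or ($n -ge 720896)) { return $false }
    }
    return $true
}

# Passing $null as the password lets BitLocker generate one (what the wizard does).
$r = $vol.ProtectKeyWithNumericalPassword('AD DS escrow', $null)
if ($r.ReturnValue -ne 0) { throw ('ProtectKeyWithNumericalPassword failed: 0x{0:X8}' -f $r.ReturnValue) }
$id = $r.VolumeKeyProtectorID

$pw = $vol.GetKeyProtectorNumericalPassword($id).NumericalPassword
if (-not (Test-RecoveryPasswordFormat $pw)) { throw "unexpected recovery password format: $pw" }

# Escrow this protector. The volume ID the deck refers to is exposed as
# PersistentVolumeID (assumption: this is the identifier recorded on the AD object).
$b = $vol.BackupRecoveryInformationToActiveDirectory($id)
if ($b.ReturnValue -ne 0) { throw ('AD DS backup failed: 0x{0:X8}' -f $b.ReturnValue) }
Write-Host ('escrowed protector {0} for volume {1}' -f $id, $vol.PersistentVolumeID)
```

Do not write the password to a log or the console in production; the only copy that should exist outside the user's hands is the AD DS object.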
Platform Threats & Mitigations
• BIOS modification. Threat: lost Core Root of Trust for Measurement (CRTM). Mitigations: secure CRTM update; extra protection with PIN or USB.
• Physical memory. Threat: key exposure in physical memory. Mitigations: Memory Overwrite on Reset (MOR); extra protection with PIN or USB.
• Dictionary attack against PIN. Threat: key exposure. Mitigation: TPM anti-hammering countermeasures.
• End users. Threat: unsafe practices (PIN kept nearby, USB key in the laptop case). Mitigations: user education, corporate security policy.
BitLocker Deployment
Prepare to Deploy – Part 1
• Define the support structure and processes. Who will do what, when, and how?
• Extend Active Directory to support escrow of BitLocker recovery information (TPM owner password, recovery password).
• Delegate rights to allow support personnel to recover machines. By default only Domain Admins can read the recovery information because the attribute is marked confidential.
• If users are local admins, apply additional GP to prohibit users from changing BitLocker settings.
• Use GP to configure power management settings.
Prepare to Deploy – Part 2
• Work with the OEM to determine the default ship state of the TPM. If possible, ship with the TPM enabled.
• Choose deployment tools and methodologies. Enable BitLocker after joining the domain so recovery information is escrowed.
• Decide which BitLocker protectors will be used. TPM only: least user impact. TPM + USB or PIN: high user impact, high support cost.
• Decide whether or not to use WinRE in conjunction with BitLocker.
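A pre-flight check for the TPM ship-state item above, written for this page as an added example (not code from the deck or from Microsoft). It reads the TPM state through the Win32_Tpm WMI class and, if the TPM is not yet enabled and activated, queues the "Enable + Activate" physical-presence request (operation 6) that the firmware confirms with the user on the next boot; that user touch is exactly why the deck asks OEMs to ship with the TPM enabled. Assumes an elevated Windows PowerShell prompt on a machine with a TPM 1.2 and its driver loaded.

```powershell
# Added example (not from the original deck): check TPM readiness before enabling
# BitLocker. Assumes elevated Windows PowerShell and a TPM 1.2 with driver loaded.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'no TPM found (or the TPM driver is not loaded)' }

$enabled   = [bool]$tpm.IsEnabled().IsEnabled
$activated = [bool]$tpm.IsActivated().IsActivated
$owned     = [bool]$tpm.IsOwned().IsOwned
Write-Host ('TPM enabled={0} activated={1} owned={2}' -f $enabled, $activated, $owned)

if (-not ($enabled -and $activated)) {
    # Physical-presence operation 6 = Enable + Activate. The BIOS asks the user to
    # confirm at the next boot, so this cannot be made fully unattended.
    $pp = $tpm.SetPhysicalPresenceRequest(6)
    if ($pp.ReturnValue -ne 0) { throw ('SetPhysicalPresenceRequest failed: 0x{0:X8}' -f $pp.ReturnValue) }
    Write-Warning 'TPM enable/activate queued: reboot, accept the BIOS prompt, then enable BitLocker'
} elseif (-not $owned) {
    # Enabling BitLocker takes ownership; the owner password hash is escrowed
    # to AD DS when policy requires it.
    Write-Host 'TPM ready; ownership will be taken when BitLocker is enabled'
} else {
    Write-Host 'TPM ready and owned'
}
```

Run this in the task sequence before the BitLocker enable step; a machine that reports "enable/activate queued" needs a reboot and a human at the keyboard before the sequence can continue.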
Group Policy and BitLocker
BitLocker group policy exists for drive encryption and TPM management.
• Can be configured at the domain level or via local policy.
• Used to control backup of recovery information to Active Directory.
• Controls the user experience in the UI and can prohibit the use of certain protectors.
• Can be used to set a mandatory encryption method.
• BitLocker settings are controlled at the computer level, not the user level.
GP Deployment Considerations
• Always require backup of recovery passwords and TPM owner authorization to AD.
• On BitLocker machines, limit the use of sleep and hybrid sleep: set up a power plan in GP that prohibits them (keys remain in RAM while the machine sleeps).
• Limit user access to power management functions to prevent changes.
• Remove sleep options from the Start menu.
• Limit user access to the BitLocker control panel unless needed to reset PINs or create additional protectors.
• Consider hiding the system partition using GP to keep users from seeing the drive.
Deployment Scenarios
Deploying BitLocker-ready machines with the following deployment tools:
• Windows Deployment Services
• SMS 2003 OSD
• Unattended installation
• Imaging with ImageX
• System Center Configuration Manager
• BDD 2007 / MDT
Maintaining a BitLocker Enabled System
• Disabling BitLocker does not decrypt the disk; the volume stays encrypted and new writes are still encrypted.
• When disabled, a clear key is written to the disk and is used to access the VMK.
• Disabling can be automated through WMI and removes two-factor authentication, allowing unobstructed reboots.
• Re-enabling BitLocker re-keys and re-encrypts the VMK. Any two-factor options are restored.
• Microsoft-provided service packs, patches, and upgrades that update BitLocker or sealed boot components automatically call FVEUpdate, so no disabling is needed.
• BitLocker must be disabled before updating the system BIOS.
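The disable / update / re-enable sequence above, as an added example (not code from the deck or from Microsoft) using the DisableKeyProtectors and EnableKeyProtectors methods of Win32_EncryptableVolume. It checks the protection status before and after each step rather than trusting the return code alone, because flashing the BIOS with protection still on puts the next boot into recovery. Assumptions: an elevated Windows PowerShell prompt, the OS volume at C:, and a vendor flash tool whose path here is a placeholder. Since the flash needs a reboot, the resume half runs as a second script after the reboot (a RunOnce task, for instance).

```powershell
# Added example (not from the original deck): suspend BitLocker before a BIOS
# update and resume it afterwards. Assumes elevated Windows PowerShell.
$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
if (-not $vol) { throw 'C: is not a BitLocker-capable volume' }

# ProtectionStatus: 0 = off (clear key present or not encrypted), 1 = on, 2 = unknown
function Get-ProtectionStatus($v) { return [int]$v.GetProtectionStatus().ProtectionStatus }

# 1. Suspend: writes a clear key so the VMK is reachable without the TPM. The data
#    stays encrypted; only the protectors are bypassed until EnableKeyProtectors.
if ((Get-ProtectionStatus $vol) -eq 1) {
    $r = $vol.DisableKeyProtectors()
    if ($r.ReturnValue -ne 0) { throw ('DisableKeyProtectors failed: 0x{0:X8}' -f $r.ReturnValue) }
}
if ((Get-ProtectionStatus $vol) -ne 0) { throw 'protection still on: do not flash the BIOS' }
Write-Host 'BitLocker suspended; safe to update firmware'

# 2. Update the firmware (placeholder path; the real tool and its reboot handling
#    are vendor-specific, and the resume step below runs after that reboot).
# & 'C:\Deploy\Firmware\flash.exe' /quiet

# 3. Resume: BitLocker removes the clear key, re-keys the VMK and re-seals it
#    against the new PCR values, so the next boot does not go into recovery.
$r = $vol.EnableKeyProtectors()
if ($r.ReturnValue -ne 0) { throw ('EnableKeyProtectors failed: 0x{0:X8}' -f $r.ReturnValue) }
if ((Get-ProtectionStatus $vol) -ne 1) { throw 'protection not restored: check the key protectors' }
Write-Host 'BitLocker protection re-enabled'
```

The same two calls are what manage-bde -protectors -disable and -enable issue; scripting them lets the status checks gate the flash step instead of relying on an operator to remember the order.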
Things to Consider
• Only recovery passwords, not recovery keys, are escrowed to AD.
• Recovery password escrow is only done when the password is created; it cannot be re-escrowed.
• Managing recovery passwords and keys post-deployment requires scripting, manage-bde, or the GUI.
• No single application for post-deployment management of machines.
• PINs exist only as TPM authorization data and are not escrowed anywhere for recovery.
• Inventory tools do not collect BitLocker status out of the box; it has to be queried from the BitLocker WMI provider by script.
Additional Resources
• Trusted Computing Group (TCG): www.trustedcomputinggroup.org
• Windows Hardware & Driver Central (WHDC): www.microsoft.com/whdc/default.mspx
• BitLocker MSDN Content: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secprov/security/security_wmi_providers_reference.asp
Questions
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.