TRANSCRIPT
![Page 1: BitLocker™ Drive Encryption A look under the covers Steve Lamb Technical Security Advisor, Microsoft UK Stephen.lamb@microsoft.com](https://reader036.vdocument.in/reader036/viewer/2022062308/56649cad5503460f9496fc2e/html5/thumbnails/1.jpg)
BitLocker™ Drive Encryption: A look under the covers
Steve Lamb, Technical Security Advisor, Microsoft UK. Blog: http://blogs.technet.com/ Email: Stephen.lamb@microsoft.com
Agenda
• Is EFS Dead?
• A quick review
• What threats does it mitigate?
• What threats ARE NOT mitigated
• Enhancements @ Vista SP1
• To gain access we need
• Deployment considerations
• Resources
Is EFS Dead?
The slide leaves the question open. The distinction that matters: BitLocker encrypts a whole volume with keys tied to the machine and protects it while the operating system is offline, whereas EFS encrypts individual files with keys tied to a user account and still separates users from one another once Windows is running. They address different threats.
A Quick Review: BitLocker
What threats does it mitigate?
• Data at rest: a lost or stolen machine (or a disk pulled from one) yields no plaintext while the volume is locked.
• Overriding access controls: booting another operating system from removable media, or moving the disk to another machine, no longer bypasses NTFS permissions, because the volume cannot be read without the Volume Master Key.
What threats ARE NOT mitigated?
• Stupid user! A machine left running and logged on, or a startup key kept in the laptop bag, gives an attacker everything the encryption was meant to deny.
• Stupid admin! Recovery passwords that are never escrowed, or escrowed where anyone can read them.
• Removable media: BitLocker protects the volume it is enabled on; data copied elsewhere leaves in the clear.
• Weak passwords: once Windows is running, the disk is unlocked and protection falls back to the logon password and NTFS permissions.
Enhancements @ SP1
• Multi-volume support
• Key rolling
What Is A Trusted Platform Module?
A TPM is a tamper-resistant chip on the motherboard that holds keys and a set of Platform Configuration Registers (PCRs) recording what code ran during boot. BitLocker's TPM-based protectors release the Volume Master Key only when those registers match the values the key was sealed to. Vista BitLocker needs a version 1.2 TPM for those protectors; without one, only the USB startup key option is available.
TPM 1.2 spec: www.trustedcomputinggroup.org
Secure the pre-boot environment
• Measure EVERYTHING: every piece of code that runs before Windows could alter the kernel or capture the keys, so each one is hashed into the TPM before it is allowed to execute.
What do we measure?
The slide draws the boot chain as a stack and measures every element of it, bottom to top:
• TPM Init (the TPM resets, so every PCR starts at zero)
• BIOS
• MBR
• Boot Sector
• Boot Block
• Pre-OS stage complete: all boot blobs measured and unlocked
• Boot Manager
• OS Loader
• Start OS
• Static OS stage: the volume blob of the target OS is unlocked
Each stage hashes the next one into a TPM Platform Configuration Register (PCR) before handing control to it, so by the time the boot manager asks the TPM for the Volume Master Key the PCRs describe exactly which code has run. The TPM compares them with the values the key was sealed to and refuses if anything in the chain has changed: a different BIOS image, a modified MBR or boot sector, a replaced boot manager. A changed component blocks a legitimate boot too, which is why firmware and boot-loader updates are done with BitLocker suspended.
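The measurement chain above, as an added example that is not code from the deck: a simulated TPM 1.2 extends each boot component into a PCR, seals a VMK-like secret to a selection of PCRs, and refuses to release it when any selected measurement changes. The component byte strings, the PCR index each stage lands in, and the PCR selection are constructed for the demo; the extend rule (SHA-1 of the old register value concatenated with the component digest, starting from an all-zero register) is the TPM 1.2 definition.

```python
import hashlib
from dataclasses import dataclass

PCR_SIZE = 20  # TPM 1.2 PCRs hold a SHA-1 digest; all are zero after TPM init


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || SHA-1(component)). One-way and order-dependent."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


# The chain from the slide, pre-OS first. The blobs are constructed stand-ins for
# the real code images, and the PCR index per stage is an assumed mapping for this demo.
BOOT_CHAIN = [
    ("BIOS",         0,  b"bios-image-v1"),
    ("BIOS config",  1,  b"bios-settings-v1"),   # measured, but not in the sealing selection
    ("MBR",          4,  b"mbr-code-v1"),
    ("Boot Sector",  8,  b"ntfs-boot-sector-v1"),
    ("Boot Block",   9,  b"ntfs-boot-block-v1"),
    ("Boot Manager", 10, b"bootmgr-v1"),
    ("OS Loader",    11, b"winload-v1"),
]
SEAL_PCRS = (0, 4, 8, 9, 10, 11)  # assumed selection; PCR 1 deliberately left out


def measure_boot(chain) -> dict:
    """Replay the chain: each stage is hashed into its PCR before it runs."""
    pcrs = {i: bytes(PCR_SIZE) for i in range(24)}
    for _name, idx, blob in chain:
        pcrs[idx] = extend(pcrs[idx], blob)
    return pcrs


def composite(pcrs: dict, selection=SEAL_PCRS) -> bytes:
    """Digest over the selected PCRs in index order: the value a sealed blob is bound to."""
    return hashlib.sha1(b"".join(pcrs[i] for i in selection)).digest()


@dataclass(frozen=True)
class SealedBlob:
    policy: bytes   # composite the secret was sealed to
    secret: bytes   # a real TPM keeps this encrypted under a chip-resident key


def seal(pcrs: dict, secret: bytes) -> SealedBlob:
    return SealedBlob(composite(pcrs), secret)


def unseal(blob: SealedBlob, pcrs: dict):
    """Release the secret only if the current boot matches the sealed policy; None = refused."""
    return blob.secret if composite(pcrs) == blob.policy else None


def with_component(chain, name: str, new_blob: bytes):
    """Copy of the chain with one stage replaced (for example a modified MBR)."""
    return [(n, i, new_blob if n == name else b) for n, i, b in chain]


if __name__ == "__main__":
    vmk = b"\x11" * 32  # constructed stand-in for the Volume Master Key
    blob = seal(measure_boot(BOOT_CHAIN), vmk)
    print("clean boot:       ", unseal(blob, measure_boot(BOOT_CHAIN)) == vmk)
    altered = with_component(BOOT_CHAIN, "MBR", b"mbr-code-altered")
    print("modified MBR:     ", unseal(blob, measure_boot(altered)))
    settings = with_component(BOOT_CHAIN, "BIOS config", b"bios-settings-v2")
    print("BIOS settings chg:", unseal(blob, measure_boot(settings)) == vmk)
```

The third case is the practitioner's trade-off: a PCR that is measured but not in the sealing selection (here the BIOS settings register) can change without forcing recovery, which is convenient for firmware configuration changes but also means nothing in that register is protecting the key. Which PCRs go into the selection decides how much of the pre-OS environment the VMK is actually bound to.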
To gain access we need
• the Full Volume Encryption Key (FVEK), which decrypts the data, and
• the Volume Master Key (VMK), which decrypts the FVEK.
• Multiple places to store it: the VMK is stored several times in the volume metadata, each copy encrypted by a different key protector, so any one protector (TPM, TPM plus PIN, startup key, recovery key or recovery password) is enough to get in.
Volume Master Key – the ways to reach it
• Option 1: TPM → Access (transparent boot; nothing for the user to enter)
• Option 2: TPM + PIN → Access
• Option 3: TPM + Startup Key (on USB) → Access
• Option 4: Recovery Key or Startup Key on USB → Access (no TPM involved)
• Option 5: Recovery Password → Access
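Option 5 in more detail, as an added example that is not code from the deck: a parser and generator for the 48-digit recovery password. The documented format is eight groups of six decimal digits, each group a 16-bit value multiplied by 11, so a valid group is divisible by 11 and never exceeds 720885 and its last digit acts as a check digit; the eight 16-bit values are the 128 bits of material from which the key that unwraps the VMK is derived. The little-endian byte order used here is an assumption, and the key-stretching step that turns the material into a wrapping key is not shown. The 123456-789012-345678 on the keys-and-protectors slide is a layout placeholder, not a valid password, and the parser rejects it.

```python
import secrets

GROUPS, GROUP_DIGITS = 8, 6
MAX_GROUP = 0xFFFF * 11  # 720885: the largest 16-bit value times 11


def parse_recovery_password(text: str):
    """16 bytes of key material, or None if any group fails the check-digit or range test."""
    digits = "".join(ch for ch in text if ch not in " -")
    if len(digits) != GROUPS * GROUP_DIGITS or not digits.isdigit():
        return None
    material = bytearray()
    for i in range(0, len(digits), GROUP_DIGITS):
        group = int(digits[i:i + GROUP_DIGITS])
        if group % 11 or group > MAX_GROUP:   # a mistyped digit breaks divisibility by 11
            return None
        material += (group // 11).to_bytes(2, "little")  # byte order: assumption
    return bytes(material)


def format_recovery_password(material: bytes) -> str:
    """Render 128 bits of material as eight zero-padded groups, each value * 11."""
    if len(material) != 16:
        raise ValueError("recovery material is 128 bits")
    groups = [int.from_bytes(material[i:i + 2], "little") * 11 for i in range(0, 16, 2)]
    return "-".join(f"{g:06d}" for g in groups)


def generate_recovery_password() -> str:
    """Fresh 128 bits from the OS CSPRNG in the 48-digit form."""
    return format_recovery_password(secrets.token_bytes(16))


def recovery_password_is_valid(text: str) -> bool:
    return parse_recovery_password(text) is not None


if __name__ == "__main__":
    pw = generate_recovery_password()
    print(pw, recovery_password_is_valid(pw))
    placeholder = "123456-789012-345678-123456-789012-345678-123456-789012"
    print("slide placeholder valid?", recovery_password_is_valid(placeholder))
```

The check digits only catch typing errors; they carry no secrecy, so a recovery password still has the full 128 bits of entropy of the material behind it. That is also why it must be escrowed (Active Directory or a printed copy kept away from the machine) rather than recreated: nothing on the disk can regenerate it.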
Keys and Protectors ("Authenticators")
The slide's diagram, read from the data outwards:
• DATA
• (1) FVEK – Full Volume Encryption Key
• (2) VMK – Volume Master Key
• (3) Key protectors: TPM; TPM+USB; TPM+PIN; USB Key (recovery key, or startup key on a machine with no TPM); Recovery Password (48 digits, written as eight groups of six, shown on the slide as 123456-789012-345678-…)
• (4) The TPM releases the VMK only if the platform integrity check passes
Where's the Encryption Key?
1. Data is encrypted with the FVEK.
2. The FVEK is encrypted with the VMK and then stored in the volume metadata.
3. The VMK is encrypted by one or more key protectors, then stored in the volume metadata.
4. The Trusted Platform Module will not decrypt the VMK if the system integrity check fails.
The extra layer between the protectors and the FVEK is what makes key management cheap: adding or removing a protector, or replacing the VMK after a recovery password has been exposed, means re-wrapping a few kilobytes of metadata, not re-encrypting the volume.
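The four numbered statements above, as an added example that is not Microsoft's code: a key hierarchy with the slide's FVEK and VMK layers, a TPM+PIN protector and a recovery-password protector, and the consequence the layering buys, namely that the VMK can be rolled and a protector dropped without touching the data ciphertext. Because the Python standard library has no AES, an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for BitLocker's AES; the TPM is simulated as a chip-resident key bound to a measurement digest and an optional PIN; PBKDF2 stands in for BitLocker's own iterated SHA-256 stretch of the recovery material. Protector names, PCR digests, salts and the sample data are constructed.

```python
import hashlib, hmac, secrets


# ---- stand-in cipher: BitLocker uses AES; the stdlib has none, so HMAC-SHA256 in
# counter mode gives the keystream and a second HMAC authenticates the result.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under key: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes):
    """Plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# ---- protectors: each yields the key that unwraps one stored copy of the VMK -------
_TPM_SRK = secrets.token_bytes(32)  # simulated chip-resident root key; never exported


def tpm_key(pcr_digest: bytes, pin: str = "") -> bytes:
    """Simulated TPM: the key only exists for the boot state (and PIN) it was sealed to."""
    return hmac.new(_TPM_SRK, pcr_digest + pin.encode(), hashlib.sha256).digest()


def recovery_key(material: bytes, salt: bytes) -> bytes:
    """Stretch 128 bits of recovery material into a wrapping key (stand-in for BitLocker's stretch)."""
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


# ---- volume metadata: the three wrapped layers from the slide ---------------------------
def create_volume(data: bytes, protectors: dict) -> dict:
    fvek, vmk = secrets.token_bytes(32), secrets.token_bytes(32)
    return {
        "ciphertext": wrap(fvek, data),                                       # 1. data under FVEK
        "fvek_blob":  wrap(vmk, fvek),                                        # 2. FVEK under VMK
        "protectors": {n: wrap(k, vmk) for n, k in protectors.items()},      # 3. VMK per protector
    }


def unlock(volume: dict, name: str, key: bytes):
    """Walk one protector -> VMK -> FVEK -> data; None at any step means access denied."""
    blob = volume["protectors"].get(name)
    vmk = unwrap(key, blob) if blob else None
    fvek = unwrap(vmk, volume["fvek_blob"]) if vmk else None
    return unwrap(fvek, volume["ciphertext"]) if fvek else None


def roll_vmk(volume: dict, name: str, key: bytes, protectors: dict) -> None:
    """Issue a new VMK and re-wrap only the key layers; the data ciphertext is untouched."""
    vmk = unwrap(key, volume["protectors"][name])
    fvek = unwrap(vmk, volume["fvek_blob"]) if vmk else None
    if fvek is None:
        raise PermissionError("protector did not unlock the volume")
    new_vmk = secrets.token_bytes(32)
    volume["fvek_blob"] = wrap(new_vmk, fvek)
    volume["protectors"] = {n: wrap(k, new_vmk) for n, k in protectors.items()}


def demo() -> dict:
    good = hashlib.sha1(b"boot chain v1").digest()               # constructed PCR composites
    tampered = hashlib.sha1(b"boot chain, MBR altered").digest()
    material, salt = secrets.token_bytes(16), secrets.token_bytes(16)
    data = b"Q3 payroll export"                                   # constructed sample data
    vol = create_volume(data, {"tpm+pin": tpm_key(good, "1234"),
                               "recovery": recovery_key(material, salt)})
    r = {
        "tpm+pin":   unlock(vol, "tpm+pin", tpm_key(good, "1234")) == data,
        "wrong pin": unlock(vol, "tpm+pin", tpm_key(good, "0000")),
        "tampered":  unlock(vol, "tpm+pin", tpm_key(tampered, "1234")),
        "recovery":  unlock(vol, "recovery", recovery_key(material, salt)) == data,
    }
    before = vol["ciphertext"]
    # The recovery password has been exposed: roll the VMK and drop that protector.
    roll_vmk(vol, "recovery", recovery_key(material, salt), {"tpm+pin": tpm_key(good, "1234")})
    r["old recovery after roll"] = unlock(vol, "recovery", recovery_key(material, salt))
    r["tpm+pin after roll"] = unlock(vol, "tpm+pin", tpm_key(good, "1234")) == data
    r["data untouched by roll"] = vol["ciphertext"] == before
    return r
```

Run demo() to see each path: the TPM+PIN protector works for the measured boot and the right PIN, fails for a wrong PIN or an altered boot chain, the recovery path works independently of the TPM, and after roll_vmk the old recovery material is useless while the data ciphertext is byte-for-byte unchanged.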
Disk Configuration
• Partitioning guidelines:

| Disk configuration | Partition 1 | Partition 2 | Partition 3 |
|---|---|---|---|
| WinRE and BitLocker on separate partitions | BitLocker system partition, type 0x7, 1.5 GB (active) | Windows RE, type 0x27, 1 GB | Windows Vista, type 0x7 |
| Windows RE and BitLocker on same partition | Windows RE / BitLocker system partition, type 0x7, 1.5 GB (active) | Windows Vista, type 0x7 | Not needed |

The active partition holds the boot manager, which has to run before any key is available, so it is never encrypted; that is why BitLocker needs a separate system partition from the Windows volume it protects. Type 0x7 is NTFS; 0x27 is the hidden NTFS type used for a Windows RE partition.
You can measure the BIOS too: the firmware image is hashed into PCR 0 at the start of the chain, so a changed BIOS also stops the TPM from releasing the VMK until the platform is trusted again.
Deployment Considerations
Understanding the Options with the Windows Vista Security Guide
The Windows Vista Security Guide (a Microsoft Solution Accelerator) provides customers with best practices and automated tools to help them quickly and easily deploy Windows Vista, and provides tested guidance to balance their needs for security and functionality:
• Tested guidance by Windows Vista security experts
• Preconfigured, customizable security settings
• GPO Accelerator tool that deploys security configurations in minutes rather than hours
Resources
• Data Encryption Toolkit for Mobile PCs
• BitLocker Drive Encryption Technical Overview
• Keys to Protecting Data with BitLocker Drive Encryption
• Developing Credential Providers for Windows Vista
• Create Custom Login Experiences With Credential Providers For Windows Vista
Resources
Visit TechNet in the ATE Pavilion and get a FREE 60-day subscription to TechNet Plus!
• Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
• Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
• Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
• Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx
© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.