SystemExperts
LEADERSHIP IN SECURITY & COMPLIANCE
www.systemexperts.com 1.888.749.9800 info@systemexperts.com
Using BitLocker As Part Of A Customer Data Protection Program: Part 1
Tech Tip
by Philip Cox
Source: searchsecuritychannel.com
© Copyright 2011 SystemExperts Corporation. All rights reserved.
As an information security consultant, one of my jobs is to help my clients protect their data, which often involves utilizing BitLocker, Encrypting File System, and NTFS file system permissions to protect data at rest. This tip will provide an overall understanding of the three Windows technologies and how they complement each other to protect data at rest, as well as providing some details about BitLocker’s particular functions. The goal of this tip is to establish a foundation to enable you, the security consultant, to use these technologies as part of your customer data protection services portfolio to help your clients with architecture designs or implementations. These technologies enable you to enhance your offerings by leveraging functionality you do not have to develop yourself.
Underlying concepts
The terms “off-line” and “run-time” are two critical concepts that must be understood and will be used heavily throughout the rest of this tip. For the purposes of this tip, off-line will mean “not being actively used by the operating system for which it was intended.” Think of an attacker pulling a disk out of a system, placing it into another system and attempting to attack it. For our purposes, that would be a disk that is “off-line.” Run-time will mean “being used by the operating system it was originally meant for.” This is when the system is booted and the disk is mounted, accessible, and operating normally. The distinction is important because each of the technologies we talk about provides protection under different modes.
The pieces
The following is a short introduction to each of the technologies and their primary role in protecting data at rest.
BitLocker: Provides full-disk encryption. It is an integrated Windows feature (part of the Enterprise and Ultimate editions of Windows Vista and Windows 7, as well as Windows Server 2008) that encrypts at the volume level, which can include part of a disk, the entire disk or multiple disks. BitLocker protection happens at a low level in the operating system and is effectively transparent to the user as well as any programs or applications being run on the system. To use BitLocker, you just have to enable it on a volume.
From a practical standpoint, BitLocker provides protection for off-line data, not run-time. Once the system is booted and running, BitLocker already has the keys it needs to encrypt and decrypt the drive.
A quick note on BitLocker-To-Go (BTG): BTG takes the functionality of BitLocker and applies it to removable storage. In particular, BTG can and should be used to protect data that is stored on external USB drives, most notably USB thumb drives.
Encrypting File System (EFS): Provides file- and folder-level encryption in Windows operating systems. Protection is enforced by the EFS driver in the Windows operating system. Any user or program that wants to access the file/folder must have the appropriate key. A combination of public key and symmetric key cryptography makes decrypting the files very difficult without the correct keys.
EFS provides protection for both off-line and run-time modes. In off-line mode, the files/folders are encrypted as they sit on the disk. In run-time mode, the Windows operating system does not have the keys needed to decrypt the information; the user does, in his profile. The protection is provided by operating system libraries as well as the use of cryptographic keys that a user must possess in order to access the data.
NTFS (New Technology File System): Provides access control (i.e., permissions) for data at rest. NTFS is a file system first introduced in Windows NT and still supported on later versions of Windows. It provides the ability to protect data by specifying individual user or group rights to specific files/folders.
NTFS file permissions provide run-time protection in the form of access control on files and folders. NTFS does not provide any form of off-line protection of data.
There are a couple of other points that are important to understand:
BitLocker: As long as data stays on the disk, wherever that disk goes, the data is protected. Encryption goes with the disk.
EFS: Encryption of the file/folder exists only on the system EFS is applied on. If you move or copy the file to another system (say a remote file share), the encryption is removed. Protection is specific to the system.
NTFS permissions: When copying or moving a file or folder, the permissions may change depending on where you move the file or folder. For all intents and purposes, protection is specific to the system.
If used correctly, the combination of NTFS, EFS and BitLocker can provide comprehensive off-line and run-time protection for data at rest.
BitLocker details
BitLocker basically sees volumes in two different flavors: operating system volumes and data volumes. The operating system volume can be secured using one or more of the following modes:
Transparent: Uses the capabilities of a Trusted Platform Module (TPM) version 1.2 or higher to store encryption keys, enabling a transparent system boot: from the user’s perspective the system boots normally. The keys needed to access the data are pulled from the TPM. The TPM provides a hardware-based mechanism to securely generate and store cryptographic keys, generate pseudo-random numbers, and provide remote attestation (a cryptographic summary of the hardware and software/BIOS configuration) and sealed storage (encrypting data and specifying a state the TPM must be in before the data can be decrypted).
Use this mode when: You want minimal user interaction, and you trust the hardware the disk is inserted in. The primary protection this mode provides is against someone removing the disk from the device and attacking it off-line (i.e., plugging it into another system and attempting to access the data).
User authentication: Requires that the user provide a PIN during pre-boot, which will be used to decrypt the keys needed to access the data. This is used in conjunction with a TPM.
Use this mode when: You don’t trust the physical protection of the hardware (i.e., a laptop that can be stolen, versus a system in a locked office) and want to require some type of user interaction for the additional protection it provides, and are satisfied with just the knowledge of the password/PIN being entered at boot time as the additional security mechanism. This enhances the protection of the transparent mode by adding a layer of security that requires user interaction.
USB key: Requires that the user insert a USB device that contains a startup key during pre-boot. The USB key will then be used to decrypt the keys needed to access the data. This can be used standalone or in conjunction with PIN and/or TPM.
Use this mode when: You don’t trust the hardware and want to require some type of user interaction for the additional protection it provides, and are satisfied with just the knowledge of the password/PIN being entered at boot time as the additional security mechanism. This enhances the protection of the transparent mode by adding a layer of security that requires user interaction.
You can use the following combinations of the above authentication mechanisms with BitLocker when enabling it for the volume that contains the currently running operating system:
USB Key only
TPM only
PIN only
TPM + PIN
TPM + USB Key
TPM + PIN + USB Key
For data volumes, you have three different options:
Automatic: Protects the volume’s encryption key with a key protected on the Windows disk (effectively the TPM or USB key). To be able to automatically unlock fixed data drives, the drive that Windows is installed on must also be encrypted by BitLocker.
Smartcard: A BitLocker certificate on the smart card protects the volume’s encryption key. To unlock the drive, you insert the smart card and enter the smart card PIN.
Password: The user’s password secures the volume’s encryption key. To unlock the drive, you enter the password.
TPM validation
By default, when the system starts, the TPM checks a number of items for changes. The biggest ones I care about are:
BIOS
Master Boot Record Code and Partition Table
NTFS Boot Sector and Boot Block
Boot Manager BitLocker Access Control
If any changes have been made to these while BitLocker protection has been enabled, the TPM will not release the volume’s encryption key and the system will enter BitLocker recovery mode. From there you will need to do one of the following:
Enter the 48-digit numerical recovery password (Note: this is not available in FIPS-compliance mode)
Insert a USB flash drive containing a 256-bit recovery key
Access the backup of the keys in Active Directory Domain Services (if configured)
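The following is an added example, not part of the original tip, showing how the modes above fit together on one machine: TPM + PIN on the operating system volume, a 48-digit recovery password escrowed to AD DS so recovery does not depend on a printout, and the Automatic mode for a fixed data volume. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later), an elevated session, Group Policy that permits a startup PIN and AD DS recovery storage, and the mount points C: and D:.

```powershell
# Added example (not from the original tip): provision OS volume with TPM + PIN,
# escrow the recovery password to AD DS, then auto-unlock a fixed data volume.
# Assumes the BitLocker module (Windows 8 / Server 2012+), an elevated session and
# policy that allows a startup PIN and AD DS backup. Mount points are assumptions.
#Requires -RunAsAdministrator
Import-Module BitLocker

$OsVolume   = 'C:'
$DataVolume = 'D:'

# Pre-flight: the TPM + PIN mode needs a present and initialized TPM (1.2 or higher).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'A ready TPM is required for the TPM + PIN protector.'
}

# Prompt for the PIN so it never sits in the script in plain text. Group Policy
# (MinimumPIN) should enforce the 8-digit minimum; this check guards the example.
$pin = Read-Host -AsSecureString 'Enter boot PIN (at least 8 digits)'
if ($pin.Length -lt 8) { throw 'PIN is shorter than the recommended 8 digits.' }

# OS volume: TPM + PIN. Enable-BitLocker takes exactly one protector type, so the
# recovery password is added as a second protector afterwards.
Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod Aes256 `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null

# Escrow the 48-digit recovery password in AD DS (the third recovery option above).
$rp = (Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $OsVolume -KeyProtectorId $rp.KeyProtectorId

# Data volume: recovery password first, then the "Automatic" mode, which is only
# possible because the Windows volume itself is now protected by BitLocker.
Enable-BitLocker -MountPoint $DataVolume -EncryptionMethod Aes256 -RecoveryPasswordProtector
Enable-BitLockerAutoUnlock -MountPoint $DataVolume

# Show what was configured; encryption continues in the background.
Get-BitLockerVolume | Format-Table MountPoint, VolumeType, ProtectionStatus, EncryptionPercentage
```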
Using BitLocker for customer data protection
Getting back to our vantage point, here are my recommendations for using BitLocker as part of a resale offering or in a generic architecture for your client:
Use a newer system with a compatible TPM chip, and use the following authentication modes:
Laptop: TPM + PIN. I don’t want a stolen laptop to rely only on the TPM for protection.
General desktop or server in a datacenter: Transparent. The protection level seems to be commensurate with the risk, and I want systems to be able to reboot automatically after maintenance.
Secure desktop, or server not in a datacenter: TPM + USB or TPM + PIN. These are important systems, deserving of special consideration due to the lack of more stringent physical controls.
Print the recovery key and provide it with the physical machine, if applicable.
Require a minimum 8-digit PIN.
Allow the use of passwords on removable drives (passwords cannot be used if FIPS compliance is enabled).
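As an added example (not from the original tip), the audit below turns the role-based recommendations above into a check a consultant can run on a client system: it reads each volume’s protectors and compares the OS volume’s boot protector, the presence of a recovery protector, and the configured minimum PIN length against the baseline. It assumes the BitLocker module (Windows 8 / Server 2012 or later); the role names, the FVE policy registry path and the constructed sample object are assumptions for the example.

```powershell
# Added example (not from the original tip): audit volumes against the role-based
# recommendations above. Needs the BitLocker module (Windows 8 / Server 2012+).
# Role names, the FVE policy registry path and the sample object are assumptions.
Import-Module BitLocker

# Expected OS-volume boot protectors per role, as Get-BitLockerVolume KeyProtectorType
# values: TpmPin = "TPM + PIN", TpmStartupKey = "TPM + USB". Stronger supersets pass.
$Baseline = @{
    Laptop        = @('TpmPin', 'TpmPinStartupKey')
    Datacenter    = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    SecureDesktop = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
}

function Test-BitLockerBaseline {
    param(
        [Parameter(Mandatory)][ValidateSet('Laptop', 'Datacenter', 'SecureDesktop')]$Role,
        [object[]]$Volumes = (Get-BitLockerVolume),
        # MinimumPIN is the policy value behind "Configure minimum PIN length for startup".
        [int]$MinimumPin = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                               -ErrorAction SilentlyContinue).MinimumPIN
    )
    $findings = @()
    foreach ($v in $Volumes) {
        $types = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        if ($v.ProtectionStatus -ne 'On') {
            $findings += "$($v.MountPoint): protection is $($v.ProtectionStatus); no off-line protection"
        }
        if ($v.VolumeType -eq 'OperatingSystem') {
            # Whatever TPM-based type is present is the boot protector actually in use;
            # a lone 'Tpm' on a laptop means a stolen machine relies on the TPM alone.
            $boot = @($types | Where-Object { $_ -like 'Tpm*' })
            $ok   = @($boot | Where-Object { $Baseline[$Role] -contains $_ })
            if ($ok.Count -eq 0) {
                $findings += "$($v.MountPoint): boot protector [$($boot -join ',')] below $Role baseline [$($Baseline[$Role] -join '|')]"
            }
        }
        # Recovery must not depend on the everyday protector: 48-digit password or 256-bit key.
        if ($types -notcontains 'RecoveryPassword' -and $types -notcontains 'ExternalKey') {
            $findings += "$($v.MountPoint): no recovery password or recovery key protector"
        }
    }
    if ($MinimumPin -lt 8) { $findings += "Policy: MinimumPIN=$MinimumPin; recommendation is at least 8 digits" }
    return $findings
}

# Constructed sample input: a laptop whose OS volume still uses a TPM-only protector.
$sample = [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'; ProtectionStatus = 'On'
    KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' }, [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
Test-BitLockerBaseline -Role Laptop -Volumes @($sample) -MinimumPin 4
```

Run without `-Volumes` and `-MinimumPin` to audit the live system; the constructed sample reports the TPM-only boot protector and the 4-digit PIN policy as findings.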
Using BitLocker and these three recommendations will give you the ability to provide your clients added security for their data without significant heartache. For example, if I were deploying a software package that needed secure storage of configuration files that may contain sensitive information or keys, I would configure the system to use BitLocker for off-line protection. Another example would be to ensure that any removable USB drive was encrypted prior to storing any sensitive data on it.
About The Author
Philip Cox is Director, Security and Compliance at SystemExperts Corporation, a consulting firm that specializes in system security and management. He is a well-known authority in the areas of system integration and security.
His experience includes Windows, UNIX, and IP-based network integration, firewall design and implementation, and ISO 17799 and PCI compliance. Phil frequently writes and lectures on issues dealing with heterogeneous system integration and compliance with PCI-DSS. He is the lead author of Windows 2000 Security Handbook, Second Edition (Osborne McGraw-Hill) and contributing author for Windows NT/2000 Network Security (Macmillan Technical Publishing).