SystemExperts - Leadership in Security & Compliance
www.systemexperts.com | 1.888.749.9800 | info@systemexperts.com

Using BitLocker As Part Of A Customer Data Protection Program: Part 1
Tech Tip by Philip Cox
Source: searchsecuritychannel.com
© Copyright 2011 SystemExperts Corporation. All rights reserved.

As an information security consultant, one of my jobs is to help my clients protect their data, which often involves using BitLocker, the Encrypting File System (EFS), and NTFS file system permissions to protect data at rest. This tip provides an overall understanding of these three Windows technologies and how they complement each other to protect data at rest, along with some details about BitLocker's particular functions. The goal is to establish a foundation that enables you, the security consultant, to use these technologies as part of your customer data protection services portfolio, helping your clients with architecture designs or implementations. These technologies let you enhance your offerings by leveraging functionality you do not have to develop yourself.

Underlying concepts

The terms "off-line" and "run-time" are two critical concepts that must be understood; they are used heavily throughout the rest of this tip. For the purposes of this tip, off-line means "not being actively used by the operating system for which it was intended." Think of an attacker pulling a disk out of a system, placing it into another system and attempting to attack it.
For our purposes, that is a disk that is "off-line." Run-time means "being used by the operating system it was originally meant for." This is when the system is booted and the disk is mounted, accessible, and operating normally. The distinction matters because each of the technologies discussed here provides protection in a different one of these modes.

The pieces

The following is a short introduction to each of the technologies and its primary role in protecting data at rest.

BitLocker: Provides full-disk encryption. It is an integrated Windows feature (part of the Enterprise and Ultimate editions of Windows Vista and Windows 7, as well as Windows Server 2008) that encrypts at the volume level, where a volume can be part of a disk, an entire disk, or multiple disks. BitLocker protection happens at a low level in the operating system and is effectively transparent to the user as well as to any programs or applications running on the system. To use BitLocker, you simply enable it on a volume. From a practical standpoint, BitLocker protects off-line data, not run-time data: once the system is booted and running, BitLocker already has the keys it needs to encrypt and decrypt the drive.

A quick note on BitLocker To Go (BTG): BTG takes the functionality of BitLocker and applies it to removable storage. In particular, BTG can and should be used to protect data stored on external USB drives, most notably USB thumb drives.

Encrypting File System (EFS): Provides file- and folder-level encryption in Windows operating systems. Protection is enforced by the EFS driver in the Windows operating system; any user or program that wants to access the file or folder must have the appropriate key. A combination of public key and symmetric key cryptography makes decrypting the files very difficult without the correct keys. EFS provides protection in both off-line and run-time modes. In off-line mode, the files and folders are encrypted as they sit on the disk.
In run-time mode, the Windows operating system itself does not hold the keys needed to decrypt the information; the user holds them in his profile. The protection is provided by operating system libraries together with cryptographic keys that a user must possess in order to access the data.

NTFS (New Technology File System): Provides access control (i.e., permissions) for data at rest. NTFS is a file system first introduced in Windows NT and still supported on later versions of Windows. It provides the ability to protect data by granting individual users or groups specific rights to specific files and folders. NTFS file permissions provide run-time protection in the form of access control on files and folders. NTFS does not provide any form of off-line protection of data.

There are a couple of other points that are important to understand:

- BitLocker: As long as data stays on the disk, wherever that disk goes, the data is protected. Encryption goes with the disk.
- EFS: Encryption of the file or folder exists only on the system EFS is applied on. If you move or copy the file to another system (say, a remote file share), the encryption is removed. Protection is specific to the system.
- NTFS permissions: When copying or moving a file or folder, the permissions may change depending on where you move it. For all intents and purposes, protection is specific to the system.

If used correctly, the combination of NTFS, EFS and BitLocker can provide comprehensive off-line and run-time protection for data at rest.

BitLocker details

BitLocker basically sees volumes in two different flavors: operating system volumes and data volumes.
An operating system volume can be secured using one or more of the following modes:

Transparent: Uses the capabilities of a Trusted Platform Module (TPM) version 1.2 or higher to store the encryption keys, enabling a transparent system boot: as far as the user can tell, the system boots normally. The keys needed to access the data are pulled from the TPM. The TPM provides a hardware-based mechanism to securely generate and store cryptographic keys, generate pseudo-random numbers, and provide remote attestation (a cryptographic summary of the hardware and software/BIOS configuration) and sealed storage (encrypting data and specifying a state the TPM must be in for the data to be decrypted). Use this mode when: You want minimal user interaction, and you trust the hardware the disk is inserted in. The primary protection this mode provides is against someone removing the disk from the device and attacking it off-line (i.e., plugging it into another system and attempting to access the data).

User authentication: Requires the user to provide a PIN during pre-boot, which is used to decrypt the keys needed to access the data. This is used in conjunction with a TPM. Use this mode when: You don't trust the physical protection of the hardware (i.e., a laptop that can be stolen rather than a system in a locked office), want to require some type of user interaction for the additional protection it provides, and are satisfied with knowledge of the password/PIN entered at boot time as the additional security mechanism. This enhances the protection of the transparent mode by adding a layer of security that requires user interaction.

USB key: Requires the user to insert a USB device containing a startup key during pre-boot. The startup key is then used to decrypt the keys needed to access the data. This can be used standalone or in conjunction with a PIN and/or TPM.
Use this mode when: You don't trust the hardware, want to require some type of user interaction for the additional protection it provides, and are satisfied with knowledge of the password/PIN entered at boot time as the additional security mechanism. This enhances the protection of the transparent mode by adding a layer of security that requires user interaction.

You can use the following combinations of the above authentication mechanisms with BitLocker when enabling it for the volume that contains the currently running operating system:

- USB Key only
- TPM only
- PIN only
- TPM + PIN
- TPM + USB Key
- TPM + PIN + USB Key

For data volumes, you have three different options:

- Automatic: Protects the volume's encryption key with a key held on the Windows disk (effectively by the TPM or USB key). To automatically unlock fixed data drives, the drive Windows is installed on must also be encrypted by BitLocker.
- Smartcard: A BitLocker certificate on the smart card protects the volume's encryption key. To unlock the drive, you insert the smart card and enter the smart card PIN.
- Password: The user's password secures the volume's encryption key. To unlock the drive, you enter the password.
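The following is an added example, not part of the original tip, showing how the operating-system-volume mode TPM + PIN and the data-volume Password and Automatic options above are actually applied. It uses the BitLocker PowerShell module (Enable-BitLocker, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector, Enable-BitLockerAutoUnlock), which shipped with Windows 8 / Windows Server 2012 and later; that is an assumption about the target system, since the Windows Vista and Windows 7 systems discussed in the tip expose the same operations through manage-bde.exe instead. The drive letters, the 8-digit PIN minimum and the function names are this example's own choices.

```powershell
# Added example: TPM + PIN on the OS volume with a recovery password escrowed to
# AD DS, then a fixed data volume protected by a password and unlocked automatically.
# Requires the BitLocker module (Windows 8 / Server 2012+) and an elevated session.
#Requires -RunAsAdministrator

function Enable-OsVolumeTpmAndPin {
    param(
        [string]$MountPoint = 'C:',
        # Assumed minimum PIN length for this example (the tip recommends 8 digits).
        [int]$MinimumPinLength = 8
    )
    $pin = Read-Host -AsSecureString -Prompt "Enter the startup PIN for $MountPoint"
    # SecureString exposes its length without revealing the PIN itself.
    if ($pin.Length -lt $MinimumPinLength) {
        throw "PIN must be at least $MinimumPinLength digits."
    }

    # TPM + PIN protector: the TPM seals the volume key and releases it only when the
    # measured boot components are unchanged AND the user supplies the PIN at pre-boot.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -TpmAndPinProtector -Pin $pin | Out-Null

    # 48-digit numerical recovery password, so a TPM validation failure is recoverable.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # Escrow every recovery password protector in Active Directory Domain Services
    # (the machine must be domain-joined and policy must permit the backup).
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($kp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
    # Return the recovery protectors so the caller can print the key for the machine's records.
    return $recovery
}

function Enable-DataVolumePasswordAndAutoUnlock {
    param([string]$MountPoint = 'D:')
    $password = Read-Host -AsSecureString -Prompt "Enter the password for $MountPoint"

    # Password option: the user's password secures the volume's encryption key.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -PasswordProtector -Password $password | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # Automatic option: the (already BitLocker-protected) OS volume stores the key that
    # unlocks this fixed data volume at boot, so no prompt is needed once Windows is up.
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint
}

# Usage: OS volume first, because automatic unlock depends on it being protected.
Enable-OsVolumeTpmAndPin -MountPoint 'C:' | Format-List KeyProtectorId, RecoveryPassword
Enable-DataVolumePasswordAndAutoUnlock -MountPoint 'D:'
```

Encryption of the OS volume does not finish until the hardware test has run on the next restart; Get-BitLockerVolume reports VolumeStatus and EncryptionPercentage so you can confirm completion before handing the machine over.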
TPM validation

By default, when the system starts, the TPM checks a number of items for changes. The ones I care most about are:

- BIOS
- Master Boot Record code and partition table
- NTFS boot sector and boot block
- Boot Manager
- BitLocker access control

If any of these have changed while BitLocker protection is enabled, the TPM will not release the volume's encryption key and the system enters BitLocker recovery mode. From there you will need to do one of the following:

- Enter the 48-digit numerical recovery password (Note: this is not available in FIPS-compliance mode)
- Insert a USB flash drive containing a 256-bit recovery key
- Access a backup of the keys in Active Directory Domain Services (if configured)

Using BitLocker for customer data protection

Getting back to our vantage point, here are my recommendations for using BitLocker as part of a resale offering or in a generic architecture for your client:

Use a newer system with a compatible TPM chip, and use the following authentication modes:
- Laptop: TPM + PIN. I don't want a stolen laptop to rely only on the TPM for protection.
- General desktop, or server in a datacenter: Transparent. The protection level is commensurate with the risk, and I want systems to be able to reboot automatically after maintenance.
- Secure desktop, or server not in a datacenter: TPM + USB or TPM + PIN. These are important systems, deserving special consideration because of the lack of more stringent physical controls.

Print the recovery key and provide it with the physical machine, if applicable.

Require a minimum 8-digit PIN.

Allow the use of passwords on removable drives (passwords cannot be used if FIPS compliance is enabled).

Using BitLocker and these three recommendations will give you the ability to provide your clients added security for their data without significant heartache.
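As an added example that is not part of the original tip, the script below audits a machine against the role-based recommendations above: TPM present, OS-volume protector appropriate to the role, a recovery path for TPM validation failures, an 8-digit PIN minimum, and removable-drive passwords permitted (which in turn requires FIPS mode to be off). The role names and the mapping from role to acceptable protector types are this example's own encoding of the tip's advice. It assumes the BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 and later) and reads the registry values that the BitLocker Group Policy settings write under HKLM\SOFTWARE\Policies\Microsoft\FVE (MinimumPIN, RDVPassphrase) plus the system FIPS policy value.

```powershell
# Added example: report deviations from the tip's BitLocker recommendations.
# Requires the BitLocker and TrustedPlatformModule modules and an elevated session.
#Requires -RunAsAdministrator

# Key protector types (as reported by Get-BitLockerVolume) acceptable for the OS
# volume of each role. The role names are this example's own.
$AcceptableOsProtectors = @{
    'Laptop'                = @('TpmPin', 'TpmPinStartupKey')
    'DatacenterSystem'      = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    'SecureDesktopOrServer' = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
}

function Test-BitLockerRecommendations {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Laptop', 'DatacenterSystem', 'SecureDesktopOrServer')]
        [string]$Role,
        [int]$MinimumPinLength = 8
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # A compatible TPM must be present and ready before any TPM-based mode can work.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings.Add('TPM not present or not ready')
    }

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("$($vol.MountPoint): protection is $($vol.ProtectionStatus)")
            continue
        }
        if ($vol.VolumeType -eq 'OperatingSystem') {
            $matched = $types | Where-Object { $AcceptableOsProtectors[$Role] -contains $_ }
            if (-not $matched) {
                $findings.Add("$($vol.MountPoint): OS protectors [$($types -join ',')] do not fit role $Role")
            }
            # TPM validation failure drops into recovery mode; a recovery password or
            # recovery key (ExternalKey) protector must exist for that to be survivable.
            if ($types -notcontains 'RecoveryPassword' -and $types -notcontains 'ExternalKey') {
                $findings.Add("$($vol.MountPoint): no recovery password or recovery key protector")
            }
        }
    }

    # Policy checks: registry values written by the BitLocker Group Policy settings.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $minPin = (Get-ItemProperty -Path $fve -Name MinimumPIN -ErrorAction SilentlyContinue).MinimumPIN
    if (-not $minPin -or $minPin -lt $MinimumPinLength) {
        $findings.Add("Minimum PIN length policy is '$minPin'; want at least $MinimumPinLength")
    }

    # Recovery passwords and removable-drive passwords are both unavailable in FIPS mode.
    $fipsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fips    = (Get-ItemProperty -Path $fipsPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $rdvPass = (Get-ItemProperty -Path $fve -Name RDVPassphrase -ErrorAction SilentlyContinue).RDVPassphrase
    if ($fips -eq 1) {
        $findings.Add('FIPS mode enabled: recovery passwords and removable-drive passwords are unavailable')
    } elseif ($rdvPass -ne 1) {
        $findings.Add('Removable-drive passwords not enabled by policy (FVE\RDVPassphrase)')
    }

    return $findings
}

# Usage: an empty result means the machine matches the recommendations for its role.
Test-BitLockerRecommendations -Role Laptop
```

Run it once before a system leaves the build bench and again after any change to the boot path, since that is exactly the situation in which the TPM will withhold the key and the recovery protector is what keeps the machine usable.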
For example, if I were deploying a software package that needed secure storage of configuration files that may contain sensitive information or keys, I would configure the system to use BitLocker for off-line protection. Another example would be to ensure that any removable USB drive was encrypted before any sensitive data was stored on it.

About The Author

Philip Cox is Director, Security and Compliance at SystemExperts Corporation, a consulting firm that specializes in system security and management. He is a well-known authority in the areas of system integration and security. His experience includes Windows, UNIX, and IP-based network integration, firewall design and implementation, and ISO 17799 and PCI compliance. Phil frequently writes and lectures on issues dealing with heterogeneous system integration and compliance with PCI-DSS. He is the lead author of Windows 2000 Security Handbook, Second Edition (Osborne McGraw-Hill) and a contributing author for Windows NT/2000 Network Security (Macmillan Technical Publishing).