Deploying Windows 7 BitLocker in the Enterprise
Nils DussartProgram ManagerMicrosoft CorporationSIA305
Why Data Protection Matters
“More than 100 USB memory sticks, some containing secret information, have been lost or stolen from the Ministry of Defense since 2004, it has emerged.”– BBC News July 2008
“Some of the largest and medium-sized U.S. airports report close to 637,000 laptops lost each year, according to the Ponemon Institute survey released Monday”– PC World June 2008
What’s New in Windows 7 Support for data volumes
Two new BitLocker unlock methodsPassword protectorSmartcard protector (X.509 based)TPM now supports alphanumerical PIN
New GPOs to improve enterprise managementOnly grant write access to BitLocker protected drives Protector enforcementPer device type GPOs
BitLocker To Go ReaderProvides read only access on Windows XP™ and Windows Vista™ clients
What’s New in Windows 7 Other improvements
Improved setup experienceBitLocker Preparation Tool now part of the BitLocker Setup WizardImproved Setup WizardLetter-less and smaller system partition
Improved recovery scenariosImprovements with Windows Recovery Environment (WinRE)Data Recovery Agents (certificate based)
Disk Layout and Key StorageOperating system volume contains:
Encrypted OSEncrypted page fileEncrypted temp filesEncrypted dataEncrypted hibernation file
Where’s the encryption key?SRK (Storage Root Key) contained in TPM SRK encrypts the VMK (Volume Master Key)VMK encrypts FVEK (Full Volume Encryption Key) – used for the actual data encryptionFVEK and VMK are stored encrypted on the Operating System Volume
Operating System Volume
SystemSystem volume contains:
MBR Boot Manager Boot Utilities
FVEKSRK
VMK
TMP Only“What it is.”
Dongle Only“What you have.”
TPM + PIN“What you know.”
TPM + Dongle“Two what I
have’s.”
Disk Layout and Key StorageEa
se o
f Use
BitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with
Protects against: SW-only attacks
Vulnerable to: HW attacks (including
potential “easy” HW attacks)
Security
Protects against: All HW attacks
Vulnerable to: Losing dongle Pre-OS attacks
XXXXX
Protects against: Many HW attacks
Vulnerable to: TPM breaking
attacks
Protects against: Many HW attacks
Vulnerable to: HW attacks
XXXXX
All Boot Blobs
unlocked
Volume Blob of Target OS unlocked
Trusted Platform Module (TPM)Static root of trust measurement of early boot components
PreOS Static OS
TMP Init
BIOS
MBR
BootSector
BootBlock
BootManager
OS Loader
StartOS
Windows Vista BitLocker Volume
Boot Sector Boot Sector
Encrypted Volume Data
BitLocker Metadata Copies
Pointer to Primary Metadata Copy
Pointers to other metadata copies
Windows 7 BitLocker Volume
Virtual Boot Sector
Virtual Boot Sector
Encrypted Volume Data
BitLocker Metadata Copies
Pointer to Primary Metadata Copy
Pointers to other metadata copies
Boot Sector
Hardware RequirementsTrusted Platform Module
Trusted Platform Module (TPM) v1.2Trusted Platform Module (TPM) Compatible BIOS
USB Flash DriveThe system BIOS must support both reading and writing small files on a USB flash drive in the pre-operating system environment
Disk PartitioningSeparate reserved system partition using NTFSSystem partition minimum size of at least 100MBChoosing the right partitioning is key for a successful deploymentSystem partition is a Windows 7 requirement not specific to BitLocker
Note: An additional 50MB is required on the recovery partition for volume snapshots during Complete PC backups
Disk Partitioning RequirementsPossible examples
Windows RE250 MB
NTFS
System Partition100 MB
NTFS
OS - EncryptedRemaining Disk
NTFS
System Partition/Windows RE300 MB
NTFS
OS - EncryptedRemaining Disk
NTFS
RecommendationsStandardize the hardware
Hardware pre-build configuration (OEM)BIOS settingsEnable and Activate the TPMBIOS passwords
Minimize the number of reboots for your usersWorst scenario – 4 rebootsBest scenario – 1 rebootNumber of reboots is key in a successful deployment of BitLocker
RecommendationsWhat requires reboots?
RepartitioningTPM initializationTPM ownership – requires physical presenceBitLocker System Check
Improve the user experienceDeploy Windows with the recommended drive partitionsAsk your OEM to enable the TPMStandardize the hardware to remove the requirement of the compatibility wizard
Group Policy PreparationBitLocker Group Policy settings can
Turn on BitLocker backup to Active DirectoryEnable advanced startup options, recovery options, etc.Configure encryption method and strengthEnable FIPS compliance - before setting up BDE keys!Enforce or disable specific protectorsEnforce a minimum PIN length
TPM Services Group Policy canTurn on TPM owner authorization backup to Active Directory Domain ServicesConfigure the list of blocked TPM commands
Develop a Recovery Strategy
Define the process end-users will follow when recovery
of a BitLocker system is needed
Anticipate the recovery scenariosHow to handle lost or forgotten Key Protectors?Reset PIN, lost startup keyHow are disk drive failures recovered?How are TPM hardware failures treated?Recover from core files or pre-OS file (BIOS upgrade, etc…) updates which are not plannedRecovering and diagnosing a deliberate attack
Active Directory Based RecoveryBy default, no recovery information is backed up to AD
Administrators can configure GP to enable backup of BitLocker or TPM owner authorization recovery info
Schema needs to be extended Windows Server 2008 and 2008 R2 are “BitLocker Ready”All domain controllers in the domain must be at least Windows Server 2003 SP1
Recovery data saved for each computer objectRecovery passwords - a 48-digit recovery passwordKey package data (optional) - helps recovery if the disk is severely damagedThere is only one TPM owner password per computer
There can be more than one recovery password per computerO/S VolumeData Volumes
Data Recovery Agent New recovery mechanism
Certificate-based key protectorA certificate containing a public key is distributed through Group Policy and is applied to any drive that mountsThe corresponding private key is held by a data recovery agent in the IT department
Allows IT department to have a way to unlock all protected drives in an enterpriseSaves space in AD – same Key Protector on all drives
Windows Recovery EnvironmentSet of tools for troubleshooting startup problems
In Windows RE environment, user will be prompted for recovery credential on a BitLocker-enabled machineContains the necessary drivers and tools to unlock and repair if necessary a BDE-protected volume
WinRE boot image needs to reside on a non-encrypted volumeBitLocker setup is now Windows RE “aware” and will move Windows RE to a proper partition if required.
Manage-BDE and Repair-BDE are now installed per defaultIn Windows 7In Windows PE and in the Windows Recovery Environment (Windows RE)
RecommendationsGroup Policies
Ensure that the group policies are configured before your deploymentMost BitLocker GPOs are not retroactiveTPM + PIN offers the best balance between security and user experienceRecovery and authentication policies are specific to Vista and Windows 7Leverage the group policy targeting mechanism for granularity
Recovery ScenariosWinRE should be deployed in its own partition or on the system partitionTest all your recovery scenariosUse Active Directory if you want to build custom recovery solutionsUse Data Recovery Agents if you have a requirement for FIPS compliance
BitLocker DeploymentDeployment options
During build processPost-build processUser initiated
Deployment methodsManage-BDEWMISCCM
Windows Deployment Tools
Windows 7 Upgrade Scenario
Deployment Options
Configuration during build processEnabling and activating a TPM during this process will require user interaction to meet the physical presence requirement If backup of recovery info to AD is required, BDE must be enabled after the computer has joined your AD domainStarting encryption during the build process has performance impact, for example if there are additional tasks to be performed (install apps, etc) Consider starting encryption at the very end of the build process
Deployment Options Post-build configuration
Triggered immediately after the system build process completes Or triggered at a later time after the computer is delivered to the end user
Software distribution tool (SCCM)GP scriptingLogon scripts
Very flexible and can be accomplished using numerous methods
User initiated configurationAllow users to selectively enroll and configure their machines for BDENot recommended if BitLocker is mandatory
Deployment Methods
Manage-BDE.exe command-line toolProvides configuration / administration on individual and remote machinesLocation: %systemdrive%\Windows\system32Leverages the BitLocker and TPM WMI providers
Create scripts with BitLocker and TPM WMI providers Useful when integrating support of BitLocker machines into your help desk environment, or user initiated configuration type of deploymentSample script (EnableBitLocker.vbs) availableRecommendation: Use for large enterprise deployments
Deployment MethodsBitLocker WMI Methods allows to
Enable/activate TPM, take ownership and generate random owner passEnable BitLocker protection using supported authentication methodsCreate additional recovery key and recovery passwordReset TPM owner information
Use and modify existing sample script Manage-BDE.wsfLocation: %systemdrive%\Windows\system32Only provided as an example
Scripts can generate a rich log file, WMI exit codes are logged
Microsoft recommends Using BitLocker and TPM WMI providers for enterprise deploymentUsing manage-bde for administration of BitLocker enabled machines
Deployment Methods
Systems Center Configuration Manager 2007Unify the deployment toolsets for both client and serverDeliver an end-to-end process for deploymentProvide high degrees of flexibility to accommodate complex enterprise requirementsUse native toolsets found in WindowsSupports BitLocker natively
Windows Deployment Tools
Systems Center Configuration Manager 2007http://www.microsoft.com/systemcenter/
Microsoft Deployment Toolkit 2008http://technet.microsoft.com/en-us/solutionaccelerators/dd407791.aspx
Windows Deployment Services
Unattended Installation
Imaging with ImageX
Windows 7 Upgrade Scenario
Upgrade from a BitLocker machineNo decryption required but you need to suspend BitLockerCurrent partitioning will be preservedSystem partition will be 1.5 GBDrive letter will not be removed
Upgrade from a non-BitLocker machineCurrent partitioning will be preserved (single partition)BitLocker will automatically create a system partitionSystem partition will be 300MB with no drive letter
BitLocker Server ScenariosBitLocker is a feature on Windows Server (optional component)
The feature needs to be installed through Server Manager
All the recommendations made in this presentation apply to the server scenario
BitLocker provides great value in branch office scenarios
Branch Office TechCenterhttp://technet.microsoft.com/en-us/branchoffice/default.aspx
RecommendationsBare Metal install ≠ Clean install
Make sure to partition the diskFile base imaging does not partition the disk per default
Turn on BitLocker in the post build processProvides the most flexibility
Do not partition the disk post installationDeploy Windows 7 using the right partitionsOnly Shrink the O/S volume when no other options are availableIf you need to shrink the disk use bdehdcfg.exe post installation or the BitLocker Setup WizardDo not shrink from Vista for large deployments
Data Drive Key Storage
Password
Auto-Unlock
Smartcards
Ease
of U
seBitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with
Security
Pros:Ease of use backward
compatibility BitLocker to go reader
Cons:Less secure vulnerable
to brute force and dictionary attacks
Pros:Uses a stronger key
Cons:Specific to a
single machine
Pros:Uses much stronger keys
Cons:Requires hardware not backward compatible
XXXXX
Data Drive Specific Group Policy
BitLocker Group Policy settings canTurn on BitLocker backup to Active DirectoryEnable, enforce or disable password or smartcard protectorsEnforce a minimum password lengthEnforce password complexityDeny write access to drives not encrypted with BitLockerDo not allow write access to devices from other organizations
BitLocker Enforcement
Requiring BitLocker for data drivesWhen this policy is enforced, all data drives will require BitLocker protection in order to have write accessAs soon as a drive is plugged into a machine, a dialog is displayed to the user to either enable BitLocker on the device or only have read-only accessThe user gets full RW access only after encryption is completedUsers can alternatively enable BitLocker at a later time
BitLocker Cross-OrganizationThis policy will help enterprises manage compliance when a requirement exists to not allow devices to roam outside of the enterprise
When the "Deny write access to devices configured in another organization" policy is enabled
Only drives with identification fields matching the computer's identification fields will be given write accessWhen a removable data drive is accessed it will be checked for valid identification field and allowed identification fieldsThese fields are defined by the "Provide the unique identifiers for your organization" policy setting
Certificate Requirements
Possible deployment scenariosLeverage an existing certificateLeverage a generic certificateDeploy a new BitLocker certificate
The BitLocker Object Identifier (OID)Associate a certificate to BitLocker (Certificate Application Policies)Default value: 1.3.6.1.4.1.311.67.1.1The BitLocker OID can be modified using Group Policies
Certificate RequirementsSupported certificates for smart card authentication
A certificate is considered valid for BitLocker if the following conditions are met for Key Usage:
No KU is present KU is present and contains one of the following keyEncipherment bits:
CERT_DATA_ENCIPHERMENT_KEY_USAGECERT_KEY_AGREEMENT_KEY_USAGECERT_KEY_ENCIPHERMENT_KEY_USAGE
A certificate is considered valid for BitLocker if the following conditions are met for Extended Key Usage:
No EKU is presentEKU is present and contains BitLocker OIDEKU is set to anyExtendedKeyUsage
RecommendationsIdentification fields
Should be set before your deployment if you are planning to use DRAs or the cross-organization policyAre automatically set during encryptionCan be set after encryption using Manage-BDE or WMI but this requires Administrator rights
CertificatesDeploy the required certificates before enabling BitLocker on data drives
BitLocker To Go ReaderInstalled per default but can be managed through group policiesRequires the use of a passwordCan be deployed separately using a software distribution tool
www.microsoft.com/teched
Sessions On-Demand & Community
http://microsoft.com/technet
Resources for IT Professionals
http://microsoft.com/msdn
Resources for Developers
www.microsoft.com/learningMicrosoft Certification and Training Resources
www.microsoft.com/learning
Microsoft Certification & Training Resources
Resources
Related Content
Breakout Sessions - Windows 7 Security Overview - SIA327
Hands-on Labs – BitLocker To Go™ - SIA02
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Top Related