Presentation is loading. Please wait.

Presentation is loading. Please wait.

SECCT10: BitLocker™ Drive Encryption Deployment

Published byJosephine Newman Modified over 9 years ago

Similar presentations

Presentation on theme: "SECCT10: BitLocker™ Drive Encryption Deployment"— Presentation transcript:

1 SECCT10: BitLocker™ Drive Encryption Deployment
Russell Humphries Senior Product Manager – Window Vista Security

2 Disclaimer This presentation contains preliminary information that may be changed substantially prior to final commercial release of the software described herein. The information contained in this presentation represents the current view of Microsoft Corporation on the issues discussed as of the date of the presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of the presentation. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this presentation. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this information does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2006 Microsoft Corporation. All rights reserved.

3 Legal & Regulatory Compliance
Information Loss Is Costly Information loss – whether via theft or accidental leakage – is costly on several levels Financial The U.S. Dept of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004 Loss of revenue, market capitalization, and competitive advantage Legal & Regulatory Compliance Increasing regulation: SOX, HIPAA, GLBA Bringing a company into compliance can be complex and expensive Non-compliance can lead to significant legal fees, fines and/or settlements Image & Credibility Leaked executive s can be embarrassing Unintended forwarding of sensitive information can adversely impact the company’s image and/or credibility

4 “BitLocker Drive Encryption provides stronger protection for data stored on your Windows Vista ™ systems – even when the system is in unauthorized hands or is running a different or attacking OS. BitLocker does this by utilizing full volume encryption; this prevents a thief who boots another OS or runs a software disk inspection tool from breaking Vista file and system protections or even the offline viewing of data files.”

5 BitLocker Drive Encryption
BitLocker Drive Encryption fully encrypts the entire Windows Vista volume. Designed specifically to prevent the unauthorized disclosure of data when it is at rest. Provides data protection on your Windows client systems, even when the system is in unauthorized hands. Designed to utilize a v1.2 Trusted Platform Module (TPM) for secure key storage and boot environment authentication BitLocker

6 Security Management secure usable affordable
Adapted from Jesper M. Johansson, “Security Management”, Microsoft TechNet

7 Who are these people? National Interest Personal Gain Personal Fame
Curiosity Spy Thief Trespasser Vandal Author Script-Kiddy Undergraduate Expert Specialist

8 Who are these people? Largest area by $ spent Largest area by $ lost
National Interest Personal Gain Personal Fame Curiosity Spy Largest area by $ lost Thief Fastest growing segment Trespasser Vandal Author Script-Kiddy Undergraduate Expert Specialist Largest area by volume

9 Spectrum of Protection
BitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with.

10 BitLocker disk layout

11 Ease of Deployment Integration with existing infrastructure
Deployment features Functionality fully exposed by WMI Supplied MMC plug-in Integrates with Group Policy Active Directory Seamless integration with Longhorn Server Schema extensions available for Server 2003 sp1 and higher Auto-escrow of recovery keys enabled by default Confidential bit set on keys; read-only by admin only

12 BitLocker TPM Administration Storyboard – New Machine
4 1 1 2 3 Note: Steps 1-3 can be pre-config’ed (OEM, SP) ********* Basic TPM Administration/Deployment Machine arrives at enterprise in un-initialized state. Turn TPM On Check for physical presence by rebooting the machine and prompting user at BIOS screen for key press. Log back into Windows Vista Take Ownership of TPM Check for existence of Endorsement Key (Provided by OEM) Create TPM Administration Password. Commit changes to TPM and initialize. Publish TPM Administration Password to AD/File TPM Initialization Complete 9 10 5 ********* 8 7 6

13 BitLocker Enterprise Machine Deployment with TPM
Active Directory is prepared for BDE Keys Windows Vista Install BDE installation Active Directory prepared for CS keys Windows Vista Install BDE is only available in the Enterprise and Ultimate versions of Windows Vista. BDE requires a partition separate from the Windows Vista OS partition with a min free space of 350Mb. During installation the system is checked for correct version of TPM (v 1.2) and BIOS via Plug and Play. TPM & BDE drivers are installed. BDE Initialization Scripted initialization of TPM. TPM Ownership password saved to Active Directory Remote executed Script BDE Policy saves recovery key to AD System encrypted Inspect audit logs for successful end to encryption. 2 Store TPM Ownership Password 1 TPM Script Initialization 2 Store BDE recovery key 3 BDE script setup 4 5

14 BitLocker BitLocker Recovery
2 1 2 1 4 5 6 Example Recovery Scenario Feature turned on. AD access via network. Recovery key escrowed to AD and/or USB dongle. User drops laptop and breaks motherboard. HD from old broken machine put into new laptop with BDE enabled. BDE can’t access HD because the TPM key in new laptop is different. User launches BDE recovery: User uses USB dongle to recover the drive. -or- User calls admin and Administrator authenticates user. Admin gets correct recovery key from AD. Admin reads key to user over the phone. User types in recovery key. Recovery key is used to recover the drive 3 3 7a 7b 8 8 7e 7D 7d 7c 7C

15 System Upgrade with BitLocker™
Upgrading computers with BDE Turn off BitLocker Upgrade system Updated BIOS -- or -- Install Service Pack Turn On BitLocker – no encryption required * If doing an update using Windows Update Services, the hash of the new component will already be calculated, so BitLocker will not need to be disabled to do the update. 1 2 3

16

17

18 ©. 2006 Microsoft Corporation. All rights reserved
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. 18

Download ppt "SECCT10: BitLocker™ Drive Encryption Deployment"

Similar presentations

Powerful and convenient management for Windows Mobile ® 6.1 devices in an enterprise environment. These features include: Centralized, over-the-air device.

Powerful and convenient management for Windows Mobile ® 6.1 devices in an enterprise environment. These features include: Centralized, over-the-air device.
The following 10 questions test your knowledge of desired configuration management in Configuration Manager 2007. Configuration Manager Desired Configuration.

The following 10 questions test your knowledge of desired configuration management in Configuration Manager Configuration Manager Desired Configuration.
Microsoft ® Exchange Online Advanced Security Name Title Microsoft Corporation.

Microsoft ® Exchange Online Advanced Security Name Title Microsoft Corporation.
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
Microsoft ® Exchange Online Migration and Coexistence Name Title Microsoft Corporation.

Microsoft ® Exchange Online Migration and Coexistence Name Title Microsoft Corporation.
WCL317 Disclaimer The information in this presentation relates to a pre-released product which may be substantially modified before it’s commercially.

WCL317 Disclaimer The information in this presentation relates to a pre-released product which may be substantially modified before it’s commercially.
BitLocker: deep details, improvements and benifits

BitLocker: deep details, improvements and benifits
MIX 09 4/15/2017 11:14 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.

MIX 09 4/15/ :14 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
Feature: Payroll and HR Enhancements © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or.

Feature: Payroll and HR Enhancements © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or.
Enterprise And Server Use Of BitLocker™ Drive Encryption Stephen Heil Technical Evangelist Windows Core OS Microsoft Corporation Xian Ke Program Manager.

Enterprise And Server Use Of BitLocker™ Drive Encryption Stephen Heil Technical Evangelist Windows Core OS Microsoft Corporation Xian Ke Program Manager.
SEC316: BitLocker™ Drive Encryption

SEC316: BitLocker™ Drive Encryption
Microsoft Office System UK Developers Conference Radisson Edwardian, Heathrow 29 th & 30 th June 2005.

Microsoft Office System UK Developers Conference Radisson Edwardian, Heathrow 29 th & 30 th June 2005.
4/17/2017 7:07 AM © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.

4/17/2017 7:07 AM © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
BitLocker™ Drive Encryption Hardware Enhanced Data Protection

BitLocker™ Drive Encryption Hardware Enhanced Data Protection
Windows 7 Windows Server 2008 R2 VirtualizationVirtualization Heterogeneous Server Environment Inventory Linux, Unix & VMware Windows 7 & Server 2008.

Windows 7 Windows Server 2008 R2 VirtualizationVirtualization Heterogeneous Server Environment Inventory Linux, Unix & VMware Windows 7 & Server 2008.
Windows 7 Training Microsoft Confidential. Windows ® 7 Compatibility Version Checking.

Windows 7 Training Microsoft Confidential. Windows ® 7 Compatibility Version Checking.
What’s New in Exchange Online. Disclaimer This presentation contains preliminary information that may be changed substantially prior to final commercial.

What’s New in Exchange Online. Disclaimer This presentation contains preliminary information that may be changed substantially prior to final commercial.
Feature: OLE Notes Migration Utility

Feature: OLE Notes Migration Utility
Wally Mead Senior Program Manager Microsoft Corporation.

Wally Mead Senior Program Manager Microsoft Corporation.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Similar presentations

Ads by Google