SECCT10: BitLocker™ Drive Encryption Deployment. Russell Humphries, Senior Product Manager – Windows Vista Security.

Presentation transcript:

1 SECCT10: BitLocker™ Drive Encryption Deployment. Russell Humphries, Senior Product Manager – Windows Vista Security

2 Disclaimer This presentation contains preliminary information that may be changed substantially prior to final commercial release of the software described herein. The information contained in this presentation represents the current view of Microsoft Corporation on the issues discussed as of the date of the presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of the presentation. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this presentation. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this information does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2006 Microsoft Corporation. All rights reserved.

3 Information Loss Is Costly
Information loss, whether via theft or accidental leakage, is costly on several levels.
Financial:
- The U.S. Dept of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004
- Loss of revenue, market capitalization, and competitive advantage
Image & Credibility:
- Leaked executive e-mails can be embarrassing
- Unintended forwarding of sensitive information can adversely impact the company's image and/or credibility
Legal & Regulatory Compliance:
- Increasing regulation: SOX, HIPAA, GLBA
- Bringing a company into compliance can be complex and expensive
- Non-compliance can lead to significant legal fees, fines and/or settlements

4 “BitLocker Drive Encryption provides stronger protection for data stored on your Windows Vista ™ systems – even when the system is in unauthorized hands or is running a different or attacking OS. BitLocker does this by utilizing full volume encryption; this prevents a thief who boots another OS or runs a software disk inspection tool from breaking Vista file and system protections or even the offline viewing of data files.”

5 BitLocker Drive Encryption
- BitLocker Drive Encryption fully encrypts the entire Windows Vista volume.
- Designed specifically to prevent the unauthorized disclosure of data when it is at rest.
- Provides data protection on your Windows client systems, even when the system is in unauthorized hands.
- Designed to utilize a v1.2 Trusted Platform Module (TPM) for secure key storage and boot environment authentication.

6 Security Management: the trade-off between secure, usable and affordable (triangle diagram). Adapted from Jesper M. Johansson, "Security Management", Microsoft TechNet.

7 Who are these people? (threat-actor matrix diagram) Actors: Vandal, Trespasser, Thief, Spy, Author. Motives: National Interest, Personal Gain, Personal Fame, Curiosity. Skill levels: Script-Kiddy, Undergraduate, Expert, Specialist.

8 Who are these people? The same matrix, annotated with the largest area by volume, the largest area by $ lost, the largest area by $ spent, and the fastest growing segment.

9 Spectrum of Protection BitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with.

10 BitLocker disk layout

11 Ease of Deployment
Integration with existing infrastructure. Deployment features:
- Functionality fully exposed by WMI
- Supplied MMC plug-in
- Integrates with Group Policy
Active Directory:
- Seamless integration with Longhorn Server
- Schema extensions available for Server 2003 SP1 and higher
- Auto-escrow of recovery keys enabled by default
- Confidential bit set on keys; read-only by admin only

12 BitLocker TPM Administration Storyboard – New Machine (Basic TPM Administration/Deployment)
1. Machine arrives at enterprise in un-initialized state.
2. Turn TPM on.
3. Check for physical presence by rebooting the machine and prompting the user at the BIOS screen for a key press.
4. Log back into Windows Vista.
5. Take ownership of TPM.
6. Check for existence of Endorsement Key (provided by OEM).
7. Create TPM Administration Password.
8. Commit changes to TPM and initialize.
9. Publish TPM Administration Password to AD/File.
10. TPM initialization complete.
Note: Steps 1-3 can be pre-configured (OEM, SP).

13 BDE installation (BitLocker Enterprise Machine Deployment with TPM)
1. Active Directory prepared for BDE keys (it stores the BDE recovery key and the TPM ownership password).
2. Windows Vista install
   a. BDE is only available in the Enterprise and Ultimate versions of Windows Vista.
   b. BDE requires a partition separate from the Windows Vista OS partition with a minimum free space of 350 MB.
   c. During installation the system is checked for the correct version of TPM (v1.2) and BIOS via Plug and Play.
   d. TPM & BDE drivers are installed.
3. BDE initialization
   a. Scripted initialization of TPM.
   b. TPM ownership password saved to Active Directory.
4. Remotely executed BDE script
   a. Policy saves recovery key to AD.
   b. System encrypted.
5. Inspect audit logs for successful end of encryption.
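The TPM storyboard on slide 12 and the scripted deployment on slide 13, written against the WMI providers that slide 11 says expose the functionality (Win32_Tpm in root\CIMV2\Security\MicrosoftTpm and Win32_EncryptableVolume in root\CIMV2\Security\MicrosoftVolumeEncryption). This is an added example, not code from the presentation or from Microsoft: the drive letter C:, the owner-password value, the escrow write to the msTPM-OwnerInformation attribute through the ActiveDirectory module, and the choice of encryption method are assumptions. Run it elevated in Windows PowerShell on a domain-joined machine; because enabling the TPM needs the physical-presence reboot of step 3, the script exits after requesting it and is run a second time afterwards.

```powershell
# Added example, not code from the presentation. Assumptions: BitLocker on C:,
# ActiveDirectory module available for the escrow write, AES-128 with diffuser.
$ErrorActionPreference = 'Stop'

$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM 1.2 exposed to Windows; BitLocker TPM mode is unavailable' }

# Slide 12, steps 2-3: ask the firmware to enable and activate the TPM.
# Physical-presence request 6 = Enable + Activate; the BIOS asks the user to
# confirm on the next boot, so stop here and rerun after the reboot.
if (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
    $rc = $tpm.SetPhysicalPresenceRequest(6).ReturnValue
    if ($rc -ne 0) { throw ('SetPhysicalPresenceRequest failed: 0x{0:X8}' -f $rc) }
    Write-Warning 'Reboot, confirm the TPM prompt at the BIOS screen, then rerun this script.'
    return
}

# Step 6: the OEM-provided endorsement key must exist before ownership can be taken.
if (-not $tpm.IsEndorsementKeyPairPresent().IsEndorsementKeyPairPresent) {
    throw 'No endorsement key pair present; the TPM cannot be owned'
}

# Steps 5, 7, 8, 9: take ownership with a per-machine owner password and publish
# the owner authorization to the computer object (msTPM-OwnerInformation is the
# attribute added by the Vista TPM/BitLocker schema extension).
if (-not $tpm.IsOwned().IsOwned) {
    $ownerPassword = 'ASSUMPTION-replace-with-a-random-per-machine-value'
    $ownerAuth = $tpm.ConvertToOwnerAuth($ownerPassword).OwnerAuth   # base64 SHA-1 of the password
    $rc = $tpm.TakeOwnership($ownerAuth).ReturnValue
    if ($rc -ne 0) { throw ('TakeOwnership failed: 0x{0:X8}' -f $rc) }
    Import-Module ActiveDirectory
    Set-ADComputer -Identity $env:COMPUTERNAME -Replace @{ 'msTPM-OwnerInformation' = $ownerAuth }
}

# Slide 13, step 4: add a TPM protector (boot-environment validation) and a
# numerical recovery password protector, then start encryption.
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                     -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
if (-not $vol) { throw 'BitLocker WMI provider not found (Vista Enterprise/Ultimate only)' }

# ProtectionStatus: 0 = off, 1 = on, 2 = unknown.
if ($vol.GetProtectionStatus().ProtectionStatus -eq 0) {
    $r = $vol.ProtectKeyWithTPM('TPM', $null)   # $null = default platform validation profile
    if ($r.ReturnValue -ne 0) { throw ('ProtectKeyWithTPM failed: 0x{0:X8}' -f $r.ReturnValue) }

    # $null lets BitLocker generate the 48-digit password. With the Group Policy
    # backup-to-AD setting on, creating this protector is what escrows it (step 4a).
    $r = $vol.ProtectKeyWithNumericalPassword('Recovery password', $null)
    if ($r.ReturnValue -ne 0) { throw ('ProtectKeyWithNumericalPassword failed: 0x{0:X8}' -f $r.ReturnValue) }
    Write-Host "Recovery password protector ID (verify this object exists in AD): $($r.VolumeKeyProtectorID)"

    # EncryptionMethod 1 = AES-128 with diffuser (assumption; 2 = AES-256 with diffuser).
    $r = $vol.Encrypt(1)
    if ($r.ReturnValue -ne 0) { throw ('Encrypt failed: 0x{0:X8}' -f $r.ReturnValue) }
}

# Step 5: report the actual state rather than assuming success.
# ConversionStatus 1 = fully encrypted, 2 = encryption in progress, 4 = paused.
$cs = $vol.GetConversionStatus()
Write-Host ('Conversion status {0}, {1}% encrypted' -f $cs.ConversionStatus, $cs.EncryptionPercentage)
```

Two points a deployment script should not skip: the endorsement-key check before TakeOwnership, because a TPM without one cannot be owned and the machine should go back to the OEM rather than silently falling back to a non-TPM protector, and the verification that the recovery-password protector actually reached Active Directory before the volume finishes encrypting, since a recovery password that was never escrowed turns a motherboard failure into data loss.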

14 Example Recovery Scenario (BitLocker Recovery)
1. Feature turned on.
2. AD access via network.
3. Recovery key escrowed to AD and/or USB dongle.
4. User drops laptop and breaks motherboard.
5. HD from old broken machine put into new laptop with BDE enabled.
6. BDE can't access HD because the TPM key in the new laptop is different.
7. User launches BDE recovery, either:
   A. User uses USB dongle to recover the drive.
   or:
   A. User calls admin and Administrator authenticates user.
   B. Admin gets correct recovery key from AD.
   C. Admin reads key to user over the phone.
   D. User types in recovery key.
8. Recovery key is used to recover the drive.
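The help-desk side of steps 7A-7C above: finding the escrowed recovery password for a machine, matched against the key identifier the user reads off the BitLocker recovery screen. This is an added example, not code from the presentation. It assumes the Vista BitLocker schema extension (msFVE-RecoveryInformation child objects under the computer object, with msFVE-RecoveryGuid and the confidential msFVE-RecoveryPassword attribute) and the ActiveDirectory PowerShell module; the hostname and key-ID prefix in the usage line are constructed placeholders.

```powershell
# Added example, not from the presentation. Looks up the escrowed 48-digit
# recovery password for a computer, selecting the protector whose GUID starts
# with the digits the caller reads from the recovery screen.
function Get-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # The recovery screen shows the protector GUID; the first 8 hex digits
        # are enough to pick the right escrowed object.
        [Parameter(Mandatory)] [string] $KeyIdPrefix
    )
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $ComputerName

    # Recovery objects are children of the computer object. msFVE-RecoveryPassword
    # is marked confidential, so reading it needs the extra control-access right
    # the deck refers to; ordinary domain users get nothing back here.
    $objs = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated'

    foreach ($o in $objs) {
        # The GUID is stored as 16 raw bytes; rebuild it to compare with the screen value.
        $guid = New-Object System.Guid -ArgumentList (, [byte[]]$o.'msFVE-RecoveryGuid')
        if ($guid.ToString().StartsWith($KeyIdPrefix.ToLower())) {
            [pscustomobject]@{
                Computer         = $ComputerName
                KeyId            = $guid
                Created          = $o.whenCreated
                RecoveryPassword = $o.'msFVE-RecoveryPassword'
            }
        }
    }
}

# Usage (after the caller has been authenticated out of band; values are placeholders):
# Get-BitLockerRecoveryPassword -ComputerName 'LAPTOP-0042' -KeyIdPrefix '3F2A9C10'
```

The recovery password is equivalent to the plaintext of the disk, so the authentication in step 7A is the control that matters: whoever can talk the help desk into step 7C has the data. Retrievals should be logged, and a password that has been read out over the phone should be rotated (a new numerical protector added and the old one removed) once the machine is back in service.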

15 Upgrading computers with BDE (System Upgrade with BitLocker)
1. Turn off BitLocker, choosing Disable rather than Decrypt: the volume stays encrypted, but the volume master key is protected by a clear key stored on the disk instead of being sealed to the TPM, so keep this window as short as possible.
2. Upgrade the system: update the BIOS, or install a Service Pack.
3. Turn BitLocker back on. No re-encryption is required; the TPM protector is re-sealed to the measurements of the new boot environment.
* If the update is delivered through Windows Update Services, the hash of the new component is already calculated, so BitLocker does not need to be disabled for the update.
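The same three steps against Win32_EncryptableVolume, as an added example rather than code from the presentation. It uses DisableKeyProtectors and EnableKeyProtectors (the Disable path, which keeps the data encrypted) instead of Decrypt/Encrypt, and it is split into two phases because the re-seal has to happen after the reboot into the new firmware: the TPM protector is sealed to the PCR values of the boot that has just completed, so enabling it before the reboot would seal to the old BIOS and force recovery. The drive letter C: and the BIOS flash command in the usage lines are assumptions.

```powershell
# Added example, not from the presentation. Phase 'Disable' before a BIOS or
# service-pack update, 'Enable' after the reboot into the updated system.
function Set-BitLockerProtectorsForUpdate {
    param(
        [Parameter(Mandatory)] [ValidateSet('Disable', 'Enable')] [string] $Phase,
        [string] $DriveLetter = 'C:'   # assumption: OS volume is C:
    )
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "BitLocker WMI provider has no volume $DriveLetter" }

    # ProtectionStatus: 0 = off (includes 'disabled': encrypted, clear key on disk),
    # 1 = on, 2 = unknown.
    $status = $vol.GetProtectionStatus().ProtectionStatus

    switch ($Phase) {
        'Disable' {
            if ($status -ne 1) { Write-Warning 'Volume is not protected; nothing to disable'; return $status }
            # Data stays encrypted; only the volume master key becomes readable from the disk.
            $rc = $vol.DisableKeyProtectors().ReturnValue
            if ($rc -ne 0) { throw ('DisableKeyProtectors failed: 0x{0:X8}' -f $rc) }
        }
        'Enable' {
            # KeyProtectorType 0 = all. A volume with protectors but status 0 is the
            # 'disabled' state; a volume with no protectors was decrypted, not disabled,
            # and would need the full slide-13 enablement instead.
            $protectors = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
            if (-not $protectors) { throw 'No key protectors on the volume; it was decrypted, not disabled' }
            if ($status -eq 1) { Write-Warning 'Protection already on'; return $status }
            # Re-seals the TPM protector to the current boot measurements.
            $rc = $vol.EnableKeyProtectors().ReturnValue
            if ($rc -ne 0) { throw ('EnableKeyProtectors failed: 0x{0:X8}' -f $rc) }
        }
    }
    # Return the post-change status so the caller can verify it rather than assume it.
    return $vol.GetProtectionStatus().ProtectionStatus
}

# Usage sequence (flash tool path is a placeholder):
# Set-BitLockerProtectorsForUpdate -Phase Disable
# & 'C:\OEM\flashbios.exe' /s ; Restart-Computer
# ...after the reboot into the new BIOS:
# Set-BitLockerProtectorsForUpdate -Phase Enable      # expect 1 (protection on)
```

The distinction the function enforces is the one the slide's footnote depends on: a disabled volume is still fully encrypted and re-enabling it is instant, whereas Decrypt followed by Encrypt means rewriting the whole volume and, in the interval, having the data on disk in the clear.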


