
Enterprise And Server Use Of BitLocker™ Drive Encryption Stephen Heil Technical Evangelist Windows Core OS Microsoft Corporation Xian Ke Program Manager.




1 Enterprise And Server Use Of BitLocker™ Drive Encryption
Stephen Heil, Technical Evangelist, Windows Core OS, Microsoft Corporation
Xian Ke, Program Manager, Windows System Integrity, Microsoft Corporation

2 Agenda
- Remote and branch office server scenarios
- BitLocker™ Drive Encryption overview
- Protection and recovery scenarios
- Demo
- Management scenarios
- Management features
- Enterprise concerns
- BitLocker™ requirements for Windows Server codenamed “Longhorn”
- Summary

3 Information Loss is Costly
Information loss – whether via theft or accidental leakage – is costly on several levels
- Financial
  - The U.S. Dept of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004
  - Loss of revenue, market capitalization, and competitive advantage
- Image & Credibility
  - Leaked executive e-mails can be embarrassing
  - Unintended forwarding of sensitive information can adversely impact the company’s image and/or credibility
- Legal & Regulatory Compliance
  - Increasing regulation: SOX, HIPAA, GLBA
  - Bringing a company into compliance can be complex and expensive
  - Non-compliance can lead to significant legal fees, fines and/or settlements

4 Branch Office Challenges
- Theft of server and/or its hard drives
- Re-provision or decommission of server or its hard drives
- Data theft via disk cloning by maintenance and outsourcing technicians
- Secure deployment of a fully configured machine shipped to remote location
Data-at-rest on Branch Office Servers needs protection!

5 Branch Office Server Class Systems
- More than 25% of Windows Servers are installed in branch offices and remote locations where physical security may be lax
- Retail, Finance, Insurance
- Typical hardware: 1P and 2P pedestal systems, RAID

6 BitLocker™ And TPM Features
- BitLocker™ Drive Encryption
  - Encrypts entire volume
  - Uses Trusted Platform Module (TPM) v1.2 to validate pre-OS components
  - Customizable protection and authentication methods
- Pre-OS Protection
  - USB startup key, PIN, and TPM-backed authentication
- Single Microsoft TPM Driver
  - Improved stability and security
- TPM Base Services (TBS)
  - Enables third party applications
- Active Directory Backup
  - Automated key backup to AD server
  - Group Policy support
- Scriptable Interfaces
  - TPM management
  - BitLocker™ management
  - Command-line tool

7 1-Factor TPM-Only Protection Scenario
- Transparently validates early boot components on OS startup
- Best ease of use
- Protects against SW-only attacks
- Vulnerable to some HW attacks

8 2-Factor TPM+PIN Protection Scenario
- Must enter 4-20 digit PIN on OS startup
- Validates PIN and early boot components
- Protects against software-only and many hardware attacks
- Vulnerable to TPM breaking attacks

9 2-Factor TPM+Startup Key Protection Scenario
- Looks for USB flash drive with Startup Key
- Validates saved key and early boot components
- Protects against many HW attacks
- Protects against TPM attacks

10 Startup Key Protection Scenario
- Looks for USB with Startup Key
- Validates saved key
- Protects against many HW attacks
- Vulnerable to lost token and pre-OS attacks

11 Recovery Key Scenario
- Looks for USB with Recovery Key
- Validates saved key
- Unlocks volume to enable decryption

12 Recovery Password Scenario
- Prompts user to enter Recovery Password
- Validates Password
- Unlocks volume to enable decryption

13 Protection For Data Volumes
Definition: A data volume is a BitLocker-capable volume without the current OS
- Automatic unlocking
  - Transparently read encrypted data volumes
  - Save unlock keys on the BitLocker-protected OS volume
- Inherited protection
  - Gain TPM-based protection from the OS volume
  - No need to manage new startup PINs or startup keys
- Recover volumes
  - Unlock access with a numerical password or external key
- Decommission volumes
  - Reduce data exposure by wiping stored BitLocker keys
  - Integrated into FORMAT in Windows Vista RC1

14 BitLocker™ And Data Volumes
- Server and client management
- Unlocking and auto-unlocking

15 BitLocker™ Management Scenarios
- Turn on and off BitLocker protection
- View BitLocker status indicators
- View and manage key protectors for the volume’s encryption key
- Temporarily disable protectors without decryption
- Unlock and recover encrypted volumes
- Set up automatic unlocking of data volumes
- Decommission volumes

16 TPM Management Scenarios
- Initialize TPM to work with BitLocker and other apps
- Turn on and manage the TPM with “physical presence” assertions
- View TPM status and manufacturer information
- View all available TPM commands and descriptions
- Block and allow TPM commands

17 BitLocker™ Status Indicators
- Conversion status
  - Fully encrypted
  - Encryption/decryption in progress, with encryption percentage
  - Encryption/decryption paused, with encryption percentage
  - Fully decrypted
- Protection status
  - Protection On: fully encrypted and key protectors enabled
  - Protection Off
- Lock status
  - Unlocked: encrypted data is accessible
  - Locked: needs recovery to access data

18 BitLocker Key Protectors
- TPM And PIN (OS volume only)
- TPM (OS volume only)
- TPM And Startup Key (OS volume only)
- Numerical Password
- External Key

19 Available Management Features
- BitLocker management features
  - Control Panel integration
  - BitLocker setup and key management wizards
  - Scriptable WMI provider interface
  - Command-line tool: manage-bde.wsf
- TPM management features
  - Microsoft Management Console (MMC) snap-in
  - TPM initialization and management wizards
  - BIOS integration for physical presence
  - Scriptable WMI provider interface
- Remote management functionality
- Sample scripting solutions

20 Managing Keys
- Control panel options
  - Duplicate the recovery password
  - Duplicate the recovery key
  - Duplicate the recovery key to a folder
  - Duplicate the startup key
  - Reset the PIN
- Command-line and scripting options
  - All control panel options
  - List, add, remove any key protectors, including recovery passwords and recovery keys
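The status indicators of slide 17 and the list/add/escrow key-protector operations of slides 18 and 20 can be driven from the scriptable WMI provider. The script below is an added example, not code from the deck or from Microsoft; it assumes Windows PowerShell 3 or later running elevated on a machine with BitLocker, the documented Win32_EncryptableVolume class in namespace root\CIMV2\Security\MicrosoftVolumeEncryption, and the volume letter C: (a placeholder).

```powershell
# Added example (not from the deck): decode BitLocker status indicators and
# list/add/escrow key protectors through the Win32_EncryptableVolume provider.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Value tables for the provider's GetConversionStatus / GetProtectionStatus /
# GetLockStatus / GetKeyProtectorType out-parameters
$Conversion = @{ 0='Fully decrypted'; 1='Fully encrypted'; 2='Encryption in progress'
                 3='Decryption in progress'; 4='Encryption paused'; 5='Decryption paused' }
$Protection = @{ 0='Protection Off'; 1='Protection On'; 2='Unknown' }
$Lock       = @{ 0='Unlocked'; 1='Locked (needs recovery)' }
$Protector  = @{ 1='TPM'; 2='External key'; 3='Numerical password'
                 4='TPM And PIN'; 5='TPM And Startup Key' }

function Get-BdeVolume([string]$Letter) {
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$Letter'"
}

function Get-BdeStatus([string]$Letter) {
    $vol = Get-BdeVolume $Letter
    if (-not $vol) { throw "$Letter is not a BitLocker-capable volume" }
    $c = $vol.GetConversionStatus()
    $p = $vol.GetProtectionStatus()
    $l = $vol.GetLockStatus()
    $names = @()
    foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {   # 0 = every protector type
        if ($id) { $names += $Protector[[int]$vol.GetKeyProtectorType($id).KeyProtectorType] }
    }
    [pscustomobject]@{
        Volume     = $Letter
        Conversion = '{0} ({1}%)' -f $Conversion[[int]$c.ConversionStatus], $c.EncryptionPercentage
        Protection = $Protection[[int]$p.ProtectionStatus]
        Lock       = $Lock[[int]$l.LockStatus]
        Protectors = ($names -join ', ')
    }
}

function Add-BdeRecoveryPassword([string]$Letter) {
    # Adds a numerical-password protector and escrows it to AD the way the setup
    # wizard does; the protector is removed again if the backup step fails.
    $vol = Get-BdeVolume $Letter
    $r = $vol.ProtectKeyWithNumericalPassword($null, $null)   # BitLocker generates the 48 digits
    if ($r.ReturnValue -ne 0) { throw ('ProtectKeyWithNumericalPassword failed: 0x{0:X8}' -f $r.ReturnValue) }
    $id = $r.VolumeKeyProtectorID
    $b = $vol.BackupRecoveryInformationToActiveDirectory($id)
    if ($b.ReturnValue -ne 0) {
        $vol.DeleteKeyProtector($id) | Out-Null
        throw ('AD backup failed (0x{0:X8}); protector deleted' -f $b.ReturnValue)
    }
    $vol.GetKeyProtectorNumericalPassword($id).NumericalPassword
}

Get-BdeStatus 'C:'
```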

21 Managing Data Volumes
- Turning on automatic unlocking in Windows Server Longhorn
  - First turn on BitLocker protection for the OS volume
  - Create an external key on the data volume
  - Enable autounlock to save a key onto the current OS volume
  - Start encryption before or after enabling automatic unlocking
- Managing automatic unlocking in Windows Server Longhorn
  - Determine autounlock status
  - Disable autounlock
  - Clear autounlock keys before decrypting the BitLocker-protected OS volume
- Other data volume management tasks (Windows Vista and Windows Server Longhorn)
  - Unlock a BitLocker-protected volume
  - Lock a BitLocker-protected volume
  - Turn off BitLocker protection on a volume
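The autounlock procedure above, carried out through the WMI provider's ProtectKeyWithExternalKey, EnableAutoUnlock, Encrypt, IsAutoUnlockEnabled, DisableAutoUnlock and ClearAllAutoUnlockKeys methods. This is an added example rather than the deck's own script; it assumes Windows PowerShell 3 or later running elevated, and the drive letters C: (OS volume) and E: (data volume) are placeholders.

```powershell
# Added example (not from the deck): turn automatic unlocking of a data volume
# on and off in the order the slide describes.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

function Get-BdeVolume([string]$Letter) {
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$Letter'"
}

function Enable-BdeAutoUnlock([string]$OsLetter = 'C:', [string]$DataLetter = 'E:') {
    $os = Get-BdeVolume $OsLetter
    # Step 1: the autounlock key is stored on the OS volume and inherits its TPM
    # protection, so the OS volume must already have Protection On
    if ($os.GetProtectionStatus().ProtectionStatus -ne 1) {
        throw "Turn on BitLocker for $OsLetter first; autounlock inherits its protection"
    }
    $data = Get-BdeVolume $DataLetter
    # Step 2: create an external key protector on the data volume (null = let
    # BitLocker generate the key rather than supplying one)
    $r = $data.ProtectKeyWithExternalKey($null, $null)
    if ($r.ReturnValue -ne 0) { throw ('ProtectKeyWithExternalKey: 0x{0:X8}' -f $r.ReturnValue) }
    # Step 3: save that external key onto the running OS volume
    $r = $data.EnableAutoUnlock($r.VolumeKeyProtectorID)
    if ($r.ReturnValue -ne 0) { throw ('EnableAutoUnlock: 0x{0:X8}' -f $r.ReturnValue) }
    # Step 4: start encryption (null method = policy default, AES 128 with Diffuser)
    $r = $data.Encrypt($null)
    if ($r.ReturnValue -ne 0) { throw ('Encrypt: 0x{0:X8}' -f $r.ReturnValue) }
}

function Disable-BdeAutoUnlock([string]$OsLetter = 'C:', [string]$DataLetter = 'E:') {
    # Run this before decrypting the OS volume, otherwise the autounlock keys
    # it holds for data volumes are left behind in the clear
    $data = Get-BdeVolume $DataLetter
    if ($data.IsAutoUnlockEnabled().IsAutoUnlockEnabled) {
        $data.DisableAutoUnlock() | Out-Null
    }
    (Get-BdeVolume $OsLetter).ClearAllAutoUnlockKeys() | Out-Null
}

Enable-BdeAutoUnlock 'C:' 'E:'
```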

22 BitLocker™ And TPM Group Policy
- BitLocker Group Policy configurations
  - Turn on BitLocker backup to Active Directory Domain Services
  - Configure setup wizard experience (default is to display all available startup and recovery options)
  - Configure disk encryption method (default is AES 128 bit with Diffuser)
  - Configure TPM platform validation profile (default is PCR 0, 2, 4, 5, 8-11)
- TPM Group Policy configurations
  - Turn on TPM backup to Active Directory Domain Services
  - Configure the blocked TPM commands (default list of blocked commands includes TPM_PCR_Reset, TPM_Extend, and TPM_Quote)

23 Enterprise Backup
- BitLocker setup can automatically back up the recovery password to Active Directory
  - BitLocker setup will not continue if the backup step fails
  - Can also back up the BitLocker key package for specialized recovery (coming in Windows Vista RC1)
- TPM ownership step can automatically back up the TPM owner password hash to Active Directory
- Active Directory requirements
  - Windows Server 2003 SP1, R2, or Windows Server Longhorn
  - Schema extension for storing recovery information
  - Configure access control permissions to write to AD
  - Configure Group Policy settings

24 Enterprise Recovery
- Self-recovery with USB recovery key or known recovery password
- Help desk-assisted recovery to retrieve stored passwords from Active Directory
  - BitLocker recovery screen displays computer name and password ID that can unlock disk access
  - Help desk verifies user identity, even over the phone for in-the-field recovery
  - Given a computer name, find the recovery passwords for all disk volumes
  - Given a password ID, find the recovery password that can unlock the volume
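The two help-desk lookups (by computer name, by password ID) as an added example that is not part of the deck. It assumes the BitLocker schema extension is installed (msFVE-RecoveryInformation objects stored as children of the computer account, with msFVE-RecoveryGuid and msFVE-RecoveryPassword attributes), that the caller has read permission on those objects, and that the computer name and password ID passed in are placeholders.

```powershell
# Added example (not from the deck): find escrowed recovery passwords in AD.
# Use only after the caller's identity has been verified, as the slide requires.
function Find-BdeRecoveryPassword {
    param(
        [string]$ComputerName,   # e.g. BRANCH-SRV01 (placeholder)
        [string]$PasswordId      # leading hex digits of the ID shown on the recovery screen
    )
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    if ($ComputerName) {
        # Recovery objects hang off the computer account, so scope the search to it
        $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
        $computer = $searcher.FindOne()
        if (-not $computer) { throw "Computer account $ComputerName not found" }
        $searcher.SearchRoot = $computer.GetDirectoryEntry()
    }
    $searcher.Filter = '(objectClass=msFVE-RecoveryInformation)'
    $searcher.PropertiesToLoad.AddRange([string[]]@('msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'distinguishedName'))
    foreach ($r in $searcher.FindAll()) {
        # msFVE-RecoveryGuid is stored as the GUID's raw bytes; rebuild it to compare
        # with the ID the user reads out from the recovery screen
        $guid = New-Object Guid (,[byte[]]$r.Properties['msfve-recoveryguid'][0])
        if ($PasswordId -and -not $guid.ToString().StartsWith($PasswordId, 'OrdinalIgnoreCase')) { continue }
        $dn = $r.Properties['distinguishedname'][0]
        [pscustomobject]@{
            Computer         = (($dn -split ',')[1] -replace '^CN=', '')   # parent object = computer account
            PasswordId       = $guid
            RecoveryPassword = $r.Properties['msfve-recoverypassword'][0]
        }
    }
}

# All volumes of one machine, then a single volume located by its password ID
Find-BdeRecoveryPassword -ComputerName 'BRANCH-SRV01'
Find-BdeRecoveryPassword -PasswordId '1A2B3C4D'
```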

25 Enterprise Deployment
- Enterprises will integrate BitLocker deployment steps into existing OS and software distribution infrastructure
- Enterprises will evaluate hardware manufacturers using Windows Logo Program requirements
  - BitLocker feature requirements
  - BitLocker best practice recommendations
  - Enterprise security policies
  - Enterprise deployment requirements

26 BitLocker™ Server Requirements
- Trusted Platform Module (TPM) v1.2
  - Provides platform integrity measurement and reporting
  - TPM 1.2 Spec: https://www.trustedcomputinggroup.org/specs/TPM/
  - Requires platform support for TPM 1.2 Interface Specification (TIS): Memory Mapped I/O, Locality 0 (https://www.trustedcomputinggroup.org/specs/PCClient/)
- Firmware – TCG compliant Conventional BIOS or EFI
  - Establishes chain of trust for pre-OS boot
  - Must support TCG Static Root Trust Measurement (SRTM)
  - Conventional BIOS: TCG PC Client Specification, https://www.trustedcomputinggroup.org/specs/PCClient/
  - EFI: TCG ACPI Specification, TCG EFI Interface Specification, TCG EFI Protocol Specification, https://www.trustedcomputinggroup.org/specs/server
- Firmware support for reading USB flash drives during boot
- Disk must have at least two NTFS partitions
- See Windows Server Longhorn Logo guide for details: http://www.microsoft.com/whdc/winlogo/default.mspx
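How the SRTM chain of trust required above feeds the TPM platform validation profile of slide 22 (default PCR 0, 2, 4, 5, 8-11) can be shown with a small simulation. This is an added example, not the deck's code or a real TPM interface: it models the TPM 1.2 extend operation in software, the PCR assignments follow Windows Vista's documented use of those registers, and the component strings are constructed stand-ins for the measured firmware and boot code.

```powershell
# Added example (not from the deck): simulate SRTM measurements into TPM 1.2 PCRs
# and the profile check that decides whether the sealed volume key is released.
$sha1 = [System.Security.Cryptography.SHA1]::Create()

function Extend-Pcr([byte[]]$Pcr, [byte[]]$Component) {
    # TPM_Extend semantics: PCR_new = SHA1(PCR_old || SHA1(component))
    $digest = $sha1.ComputeHash($Component)
    return ,$sha1.ComputeHash([byte[]]($Pcr + $digest))
}

function Measure-BootChain([hashtable[]]$Stages) {
    # $Stages: ordered @{Pcr=<index>; Code=<string>} entries, each measured before it runs
    $pcrs = @{}
    foreach ($s in $Stages) {
        if (-not $pcrs.ContainsKey($s.Pcr)) { $pcrs[$s.Pcr] = New-Object byte[] 20 }  # reset value
        $pcrs[$s.Pcr] = Extend-Pcr $pcrs[$s.Pcr] ([Text.Encoding]::ASCII.GetBytes($s.Code))
    }
    return $pcrs
}

function Test-PlatformProfile([hashtable]$Sealed, [hashtable]$Current, [int[]]$PcrProfile) {
    # Unseal succeeds only if every PCR in the profile equals its value at seal time
    foreach ($i in $PcrProfile) {
        if (($Sealed[$i] -join ',') -ne ($Current[$i] -join ',')) { return $false }
    }
    return $true
}

# Constructed boot chain; PCR numbers follow the Vista default profile's meaning
$chain = @(
    @{Pcr=0;  Code='BIOS code'},        @{Pcr=1;  Code='BIOS settings v1'},
    @{Pcr=2;  Code='Option ROM code'},  @{Pcr=4;  Code='MBR code'},
    @{Pcr=5;  Code='Partition table'},  @{Pcr=8;  Code='NTFS boot sector'},
    @{Pcr=9;  Code='NTFS boot block'},  @{Pcr=10; Code='BOOTMGR'},
    @{Pcr=11; Code='BitLocker access control'}
)
$pcrProfile = 0, 2, 4, 5, 8, 9, 10, 11
$sealed = Measure-BootChain $chain

# A BIOS settings change is measured into PCR 1, which the profile excludes
$cfg = $chain.Clone(); $cfg[1] = @{Pcr=1; Code='BIOS settings v2'}
'BIOS settings changed, key released: ' + (Test-PlatformProfile $sealed (Measure-BootChain $cfg) $pcrProfile)

# A changed MBR is measured into PCR 4: the TPM will not unseal and recovery is required
$mbr = $chain.Clone(); $mbr[3] = @{Pcr=4; Code='MBR code (modified)'}
'MBR changed, key released: ' + (Test-PlatformProfile $sealed (Measure-BootChain $mbr) $pcrProfile)
```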

27 Branch Office Challenges Met
- Theft of server and/or its hard drives
  - OS volume (including the pagefile and the OS) and data volumes are completely protected by BitLocker™
- Re-provision or decommission of server or its hard drives
  - Volume encryption keys can be destroyed via a WMI provider method call. Multiple hours for reclamation turned into seconds, and the data is gone!
- Data theft via disk cloning by maintenance and outsourcing technicians
  - Volume encryption keys are not released to the thief without an authenticated boot. Disk cloning will only copy encrypted data.
- Secure deployment of a fully configured machine shipped to remote location
  - Image created at main office is secured with a PIN. Authorized personnel at the branch office call in to get the PIN and unlock the image.
Data-at-rest on Branch Office Servers is protected!

28 Value-Add Opportunities
- Solutions to lower enterprise deployment costs
  - Remove manual steps to ready the TPM for BitLocker enterprise deployment
  - An interactive “physical presence” assertion guards against malicious software turning on the TPM, but zero-touch deployment is possible after the TPM is on
  - Factory pre-configurations that ease BitLocker setup
  - Other value-add BIOS features or management tools
- End-to-end enterprise solutions on clients and servers
  - Help enterprises achieve regulatory compliance – e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act (HIPAA)
  - Key management, recovery and escrow services

29 Call To Action
- Build server platforms with BitLocker™ support
  - Trusted Platform Module (TPM) v1.2: requires platform support of TPM 1.2 Interface Specification (TIS)
  - System firmware support: Conventional BIOS or EFI
  - USB flash drive functionality at boot: BitLocker uses USB drives as startup and recovery tokens
  - Disk must have at least two NTFS partitions; the system volume must have at least 1.5 GB for MBR, loader, boot and setup files
- Work with us to test your reference designs
- E-mail bdeinfo @ microsoft.com for more information

30 Web resources
- BitLocker™ information: http://www.microsoft.com/technet/windowsvista/security/bitlockr.mspx
- BitLocker™ technical papers and specs: http://www.microsoft.com/whdc/system/platform/hwsecurity/default.mspx
- Windows Logo program testing: http://www.microsoft.com/whdc/GetStart/testing.mspx
- TCG: http://www.trustedcomputinggroup.org
- Related sessions
  - BitLocker™ Drive Encryption: Hardware Enhanced Data Protection (CPA064)
  - Windows Vista and Windows Server Longhorn Security Platform Enhancements (CPA127)
- BitLocker™ questions and additional resources: bdeinfo @ microsoft.com

31 Question And Answer
Thank You! Please fill out an evaluation form

32 © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
