Securing
Agenda Hard Drive Encryption User Account Permissions Root Level Access Firewall Protection Malware Protection
Available in Windows Vista Ultimate - $ BitLocker Drive Encryption
Why is BitLocker Needed? Reduces the threat of data theft or exposure from lost, stolen, or recycled computers Statistics A laptop is stolen every 53 seconds in the USA - Symantec Over 600,000 laptops are stolen each year in the USA - Safeware Insurance Agency 97% of these laptops are never recovered – FBI The second most common crime, just after identity theft, is laptop theft – FBI Lost or stolen laptops are the top culprit of data leaks/breaches, accounting for 45% (of all the incidents studied) - The Identity Theft Resource Center Laptops are the number-one item stolen in San Francisco - San Francisco Police Department
Requires a version 1.2 Trusted Platform Module for its two main security services BitLocker Drive Encryption
BitLocker Volumes Schematic Typical Disk PartitioningDisk Partitioning with BitLocker Drive 0 OS Volume (active) (Drive C:) OEM Maintenance Volume OEM Maintenance Volume OS Volume (Encrypted with Bitlocker) (Drive C:) System Volume (Active) (Drive D:) (Unencrypted)
What are BitLocker’s services? Boot file integrity Completed using the TPM Creates a unique fingerprint of the system TPM provides access to the encryption keys only if fingerprint is verified Once unique fingerprint is verified BitLocker uses TPM to unlock the OS Volume and permits Windows to boot normally
What are BitLocker’s services? OS volume encryption BitLocker can encrypt the entire OS volume EFS cannot encrypt system files The OS volume contains: Windows OS and it support files Page files Hibernation files
What if a TPM does not exist on the PC? A USB flash drive can be used to store a startup key The startup key is needed during each boot or return from hibernation When using a USB flash drive BitLocker cannot perform the OS Integrity Check
Additional Authentication Modes BitLocker Drive Encryption
What other authentication is there with BitLocker? PIN This forces BitLocker to use a PIN (entered by the user) and the TPM to decrypt the information on the OS Volume If forgotten then the recovery console must be used to recover the BitLocker Keys Startup Key A long string of numeric characters that is unique for each computer usually stored on a USB flash drive but not a smart card BIOS must be able to detect USB device prior to OS starting up Should be removed after boot or return from hibernation
Recovery BitLocker Drive Encryption
What if something goes wrong? BitLocker has built in recovery capabilities. This will recover the BitLocker keys needed to decrypt the OS Volume Recovery involves a 48-bit recovery key Randomly generated during BitLocker Setup Recovery key can be stored: USB Flash drive Printed
Restriction and Limitations BitLocker Drive Encryption
What are BitLocker’s limitations? Offline Protection BitLocker only protects the PC when it is offline Only OS Volume encrypted Lost recovery key = lost data
Availability and Requirements BitLocker Drive Encryption
What is necessary to use BitLocker? Windows Vista Ultimate BitLocker with OS integrity checking A version 1.2 TPM and a BIOS compliant with version 1.2 TCG (trusted computing group) to establish the chain of trust for pre-OS boot Support for TCG-specified static root trust measurement Partitioning into at least 2 volumes (OS Volume, BitLocker Boot Partition)
What is necessary to use BitLocker? Windows Vista Ultimate BitLocker without OS integrity checking BIOS support for Class 2 USB mass-storage devices Must include capabilities to read and write in the pre- OS boot environment Be partitioned to include 2 volumes (OS Volume, BitLocker Boot Partition)
Agenda Hard Drive Encryption User Account Permissions Root Level Access Firewall Protection Malware Protection
User Account Control
What are user account controls and how do they work? Enables a user to have a non-administrator account and still be productive All users operate a lowest possible privileges Vista has a special account that runs in AAM (admin approval mode) Means that the user either supplies administrative credentials or consents (depending on group policy settings) to perform typical admin functions EXAMPLE: install a program
UAC continued Microsoft places a high value on application compatibility Microsoft has tried to ensure that existing applications can run without administrative privileges
UAC continued DDetermining privileged tasks TTemporarily elevating privileges IIsolating system messages EEnsuring existing applications run
Agenda Hard Drive Encryption User Account Permissions Root Level Access Firewall Protection Malware Protection
Root Level Access Admin Services D D D User Kernel D Kernel Drivers Service 1 Service 2 Service 3 Service … Service … Restricted services Low rights programs DD D Service A Service B D User-mode Drivers
What can operate at root level? Microsoft has included the ability for file and registry virtualization. This pulls all programs away from operating at the kernel level Only trusted and “signed” programs can operate at root or kernel level To get signed a VeriSign Class 2 Commercial Software Publisher Certificate must be received This is coded into the binary of the program therefore removing performance hampering validation
Agenda Hard Drive Encryption User Account Permissions Root Level Access Firewall Protection Malware Protection
Windows Vista Firewall
Improvements for IT Departments? The Windows Vista firewall will now have the ability to block outgoing traffic Windows XP only blocked incoming traffic Provides the ability to stop peer-to-peer connections Provides the ability to stop instant messaging programs
Agenda Hard Drive Encryption User Account Permissions Root Level Access Firewall Protection Malware Protection
Windows Defender
What does windows defend against? Spyware Uses automatic definition updates provided by Microsoft to remove known spyware from the windows vista system