BitLocker™ Drive Encryption In The Enterprise

Presentation transcript:

BitLocker™ Drive Encryption In The Enterprise
Tony Ureche, Program Manager, Microsoft Corporation
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Session Objectives And Takeaways
Session objectives
- To understand BitLocker™ specifics for LHS
- To better help large-scale deployments within an enterprise
- To outline the implementation decisions IT admins need to consider and the advanced features available
Key takeaways
- BitLocker™ is available on LHS and has additional features
- Successful deployment is facilitated by careful preparation
- Several deployment methods and OEM value-add opportunities are available to facilitate the process

Agenda
- BitLocker™ on LHS: deltas and additional features
- Deployment planning: informal audit; develop hardware and recovery strategy
- Infrastructure preparation: Group Policy and Active Directory
- BitLocker deployment: Windows deployment tools

BitLocker™ On Microsoft Windows Server codenamed "Longhorn"

Branch Office Scenarios
Target scenario: branch office
- Physical break-in or theft of the server and/or its hard drives
- Securing data while shipping a fully configured machine
- Deprecating or recycling the server due to hardware failures in other components, or in the regular upgrade cycle
- Data theft via disk cloning by maintenance and outsourcing technicians

Security Solution: BitLocker
BitLocker enabled on a TPM server provides:
- Boot-sequence integrity
- Full volume encryption
- Multi-factor authentication
- Multiple recovery options
- Management tools
- Multiple deployment mechanisms

BitLocker Requirements
Trusted Platform Module hardware
- The system must have a Trusted Platform Module (TPM) v1.2
- The platform must be Windows Server “Longhorn” logo certified
Non-TPM hardware
- The BIOS must support the USB Mass Storage Device Class, including reading files on a USB flash drive in the pre-operating-system environment
Hard disk configuration: at least two NTFS volumes
- Operating System (OS) volume (or boot volume)
- System volume: must be the active partition and at least 1.5 GB

BitLocker™ Drive Encryption Architecture
Static Root of Trust Measurement of early boot components

Deltas And New Features
Differences between BitLocker on Windows Vista and BitLocker on Windows LHS:
- Optional component: needs to be installed using Server Manager (UI or CLI)
- Available on all SKUs
New features available:
- Data volume support
- New authenticator supported: TPM+USB+PIN
- UEFI support (64-bit only)

Data Volumes
- Any volume that does not contain the currently running Operating System (OS)
- Any number of data volumes can be protected
- Requires BitLocker to be enabled on the OS volume; turning off BitLocker on the OS volume requires turning off BitLocker on all data volumes
- Creates an “auto-unlock key” (AUK) and a Recovery Password (RP): the AUK is stored encrypted on the OS volume; the RP can be backed up in AD
- Foreign volumes can be turned into auto-unlocking data volumes

Deployment Planning
What IT admins need to do and how OEMs can help

Understand The Environment
Conduct an informal audit focusing on:
- Current / future hardware platform considerations
- Current security policies
- Current IT department structure
- Current system build processes
- Impact on current systems management tools

Evaluate Enterprise Requirements
Evaluate BitLocker authentication modes
- Computers without TPM 1.2?
- Multifactor auth?
- Do any areas of the org need a baseline versus a more secure level of data protection?
Define recovery password and key management policies
- E.g. always require backup of recovery passwords to AD
- FIPS?
Define hardware implementation standards
- TPM vs. non-TPM configs (USB device service life, etc.)
- OEM-specific requirements: tools provided for TPM management automation, EK-credential generation, boot order, TPM enabled/disabled in BIOS, etc.
Define support processes
- Document what recovery material is created by BitLocker and where it is stored
- Determine who in the organization will have access to BitLocker recovery material
- Develop processes for remote and local recovery
- Computer retirement process

Develop A Hardware Strategy
- Determine what platforms will use a TPM; will platforms without TPM devices be used?
- Ensure TPMs can be easily deployed:
  - What is the OEM default shipping state of the TPM?
  - Does the OEM require a BIOS password to use the TPM?
  - Where is the Endorsement Key generated?
- Ensure the hardware has the correct BIOS (UEFI is good!)

Develop A Recovery Strategy
- Define the process end users will follow when recovery of a BitLocker system is needed
- Anticipate the recovery scenarios:
  - How to handle lost or forgotten key protectors? (Reset PIN, lost startup key)
  - How are disk drive failures recovered?
  - How are TPM hardware failures treated?
  - Recovering from unplanned updates to core files or pre-OS files (BIOS upgrade, etc.)
  - Recovering from and diagnosing a deliberate attack: modified or missing pre-OS files (hacked BIOS, MBR, etc.)

Recovery Key Points
- Recovery keys: store the USB drives securely
- Recovery passwords: store in AD; use the computer name, drive label, or password ID to retrieve the password
- Only recovery passwords are escrowed to AD, NOT recovery keys
- Escrow is only done upon creation; it cannot be re-escrowed, BUT managing recovery passwords and keys can be done using WMI
- Only domain admins can view recovery objects; the permissions can be delegated

WinRE
- Set of tools for troubleshooting startup problems
- Contains the necessary drivers and tools to unlock a BDE-protected volume
- The WinRE boot image needs to reside on a non-encrypted volume, usually of partition type 0x27
- If WinRE shares the same partition with the System Volume, that partition must be type 0x7
- In the WinRE environment, the user will be prompted for a recovery credential on a BitLocker-enabled machine

Disk Configuration
Possible partitioning layout for OEMs (3 partitions; Windows RE and BitLocker on separate partitions):
- BitLocker system partition: type 0x7, 1.5 GB (active)
- Windows RE partition: type 0x27, 1 GB
- Windows Vista (OS) partition

Infrastructure Preparation

Group Policy Preparation
BitLocker Group Policy settings can:
- Turn on BitLocker backup to Active Directory
- Control Panel setup: enable advanced startup options, recovery options, configure the recovery folder, etc.
- Configure the encryption method
- Configure the TPM platform validation profile
- Enable FIPS compliance (the FIPS GP needs to be turned on before setting up BDE keys!)
- Hide the drive letter in the UI for the system partition
TPM Services Group Policy can:
- Turn on TPM backup to Active Directory Domain Services
- Configure the list of blocked TPM commands

Active Directory Preparation
- By default, no recovery information is backed up to AD; admins can configure GP to enable backup of BitLocker or TPM recovery info
- The schema needs to be extended: the necessary storage locations must exist and access permissions must have been granted to perform the backup
- All domain controllers in the domain must be at least Windows Server 2003 SP1
- If the domain controllers are LHS Beta 3 and above, the schema extensions are already in place
- Recovery data saved for each computer object:
  - Recovery passwords: a 48-digit recovery password
  - Key package data: helps recovery if the disk is severely damaged
- There is only one TPM owner password per computer; there can be more than one recovery password per computer

Determine Config Options
Pre-build configuration (could be an OEM-provided service)
- May choose to make BIOS setting changes to enable and activate the TPM, meet the physical presence requirement, and set BIOS passwords
Configuration during the build process
- May choose to enable and configure BitLocker
- Enabling and activating a TPM during this process will require user interaction to meet the physical presence requirement
- If backup of recovery info to AD is required, BDE must be enabled after the computer has joined your AD domain
- Starting encryption during the build process has a performance impact; if there are additional tasks to be performed (install apps, etc.), consider starting encryption at the very end of the build process

Config Options
Post-build configuration
- Might occur immediately after the system build process completes, or at a later time after the computer is delivered to the end user
- Uses another software distribution tool, GP scripting, or logon scripts
- Very flexible and can be accomplished using numerous methods
User-initiated configuration
- Allow users to selectively enroll and configure their machines for BDE

Configuration Methods
manage-bde.wsf command-line tool
- One-off configuration / administration on individual machines
- Location: %systemdrive%\Windows\system32
- Recommendation: use for small-scale deployments of < 25 computers
Create scripts with the BitLocker and TPM WMI providers
- Useful when integrating support of BitLocker machines into your help desk environment, or for a user-initiated configuration type of deployment
- Sample script (EnableBitLocker.vbs) available
- Recommendation: use for large enterprise deployments

WMI Scripting For BDE Config
Allows you to:
- Enable/activate the TPM, take ownership and generate a random owner password
- Enable BitLocker protection using the supported authentication methods
- Create an additional recovery key and/or recovery password
- Specify a specific encryption method
- Reset TPM owner information
- Use and modify the existing sample script; scripts can generate a rich log file, and WMI exit codes are logged
Microsoft recommends:
- Using the BitLocker and TPM WMI providers for enterprise deployment
- Using manage-bde for administration of BitLocker-enabled machines
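The following is an added example, not the deck's EnableBitLocker.vbs sample: it drives the TPM and BitLocker WMI providers the two slides above describe (check and own the TPM, add a recovery password and TPM protector, escrow the password to AD, start encryption) and enforces the ordering caveats from the planning slides (the machine must already be domain-joined and the AD-backup and FIPS policies must be in force before any key protector is created, because escrow happens only at creation time). It assumes an elevated PowerShell prompt on Vista / LHS, and that the AD-backup policy is visible as the ActiveDirectoryBackup value under HKLM\SOFTWARE\Policies\Microsoft\FVE (an assumption about what the policy writes).

```powershell
# Added example (not from the deck). Enable BitLocker on the OS volume with TPM + recovery password
# via the WMI providers. Assumes elevation, a domain-joined machine, and Vista / LHS providers.
$ErrorActionPreference = 'Stop'
$OsDrive = 'C:'

# Every provider method returns an object whose ReturnValue is an HRESULT; 0 is success.
function Assert-Ok($result, [string]$what) {
    if ($result.ReturnValue -ne 0) {
        throw ('{0} failed with HRESULT 0x{1:X8}' -f $what, $result.ReturnValue)
    }
    return $result
}

# --- 1. TPM state (namespace root\CIMV2\Security\MicrosoftTpm, class Win32_Tpm) ---
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM 1.2 found; this script only covers TPM-based configurations.' }

if (-not (Assert-Ok $tpm.IsEnabled()   'IsEnabled').IsEnabled -or
    -not (Assert-Ok $tpm.IsActivated() 'IsActivated').IsActivated) {
    # Enabling/activating needs physical presence at the BIOS (see "Determine Config Options"),
    # so it cannot be completed from a script.
    throw 'TPM is not enabled and activated; complete the physical-presence step in BIOS first.'
}

if (-not (Assert-Ok $tpm.IsOwned() 'IsOwned').IsOwned) {
    # Random owner passphrase; the TPM Services GP can escrow the owner information to AD DS.
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $ownerPass = [Convert]::ToBase64String($bytes)
    $ownerAuth = (Assert-Ok $tpm.ConvertToOwnerAuth($ownerPass) 'ConvertToOwnerAuth').OwnerAuth
    Assert-Ok $tpm.TakeOwnership($ownerAuth) 'TakeOwnership' | Out-Null
}

# --- 2. Policy check: escrow happens only when a protector is created, so the AD backup policy
#        must already be applied (assumed registry value name: ActiveDirectoryBackup). ---
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.ActiveDirectoryBackup -ne 1) {
    throw 'BitLocker AD backup policy is not applied; refresh Group Policy before creating keys.'
}

# --- 3. Key protectors (root\CIMV2\Security\MicrosoftVolumeEncryption, Win32_EncryptableVolume) ---
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
          -Class Win32_EncryptableVolume -Filter "DriveLetter='$OsDrive'"
if (-not $vol) { throw "No encryptable volume found for $OsDrive" }

# ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown
$status = (Assert-Ok $vol.GetProtectionStatus() 'GetProtectionStatus').ProtectionStatus
if ($status -eq 1) { Write-Host "$OsDrive is already protected"; return }

# Passing $null lets the provider generate the 48-digit numerical password.
$rp   = Assert-Ok $vol.ProtectKeyWithNumericalPassword('Recovery password', $null) 'ProtectKeyWithNumericalPassword'
$rpId = $rp.VolumeKeyProtectorID
# $null platform validation profile = the profile configured by Group Policy (or the default).
Assert-Ok $vol.ProtectKeyWithTPM('TPM', $null) 'ProtectKeyWithTPM' | Out-Null

# --- 4. Escrow the recovery password to this computer's object in AD ---
Assert-Ok $vol.BackupRecoveryInformationToActiveDirectory($rpId) 'BackupRecoveryInformationToActiveDirectory' | Out-Null

# --- 5. Encrypt. 1 = AES-128 with diffuser (Vista default); 3 = AES-128, 4 = AES-256 (no diffuser),
#        which is what a FIPS policy requires, and that policy must be set BEFORE this step. ---
Assert-Ok $vol.Encrypt(1) 'Encrypt' | Out-Null
Write-Host ("BitLocker enabled on {0}; recovery password ID {1} escrowed to AD" -f $OsDrive, $rpId)
```

Run it under a software distribution tool or logon script for the post-build scenario; the thrown errors map onto the WMI exit codes the deck says the sample scripts log.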

Deployment

Deployment Tools
Deploying BitLocker-ready machines using:
- Windows Deployment Services (WDS)
- Unattended installation
- Imaging with ImageX
- SMS 2003 OSD
- BDD 2007

WDS
- Build the reference configuration on a single-partition machine
- Sysprep the machine and capture the image using ImageX
- Create the WDS client unattend file; specify the drive configuration to BitLocker requirements
- Create the image unattend file with any optional settings for BDE config; add automation scripts for enabling and configuring BDE post-install
- Upload the images and configure the unattend files on the WDS server
- Deploy the OS (net-boot the target computer) and enable BDE
Key points
- WDS client unattend files are applied per server and per architecture (i.e. x86, amd64, ia64)
- Disk layout and partitioning can only be done in the WDS client unattend file, not in image unattend files

Unattended Installation
- Build the reference configuration on a single-partition machine
- Sysprep the machine and capture the image using ImageX
- Create the unattend answer file with any additional settings; specify the drive configuration to BitLocker requirements
- Add automation scripts for enabling and configuring BDE post-install
- Create a bootable DVD
- Deploy the OS (DVD-boot the target computer) and enable BDE
Key points
- Straightforward build process with the least complications
- Setup requires RW access to the image file during expansion: it needs to copy the entire install.wim to the local disk, then expand the contents
- Consider not storing the WIM on CD or DVD where possible, to improve speed

Imaging Using ImageX
- Build the reference configuration on a correctly partitioned machine
- Create the unattend answer file with any additional settings
- Add automation scripts for enabling and configuring BDE post-install
- Sysprep the machine and capture both the SYSTEM and OS partitions using ImageX
- Create a bootable DVD
- Deploy the OS (DVD-boot the target computer into WinPE) and enable BDE:
  - Configure the disk with Diskpart
  - Apply the SYSTEM and OS partition images to the appropriate partitions on the target machine
  - Use a script to establish the correct drive letter reference
Key points
- Drive letters need to be adjusted after the images are applied
- Preparing the initial reference image is slightly more complex with multiple partitions
- You can build one DVD ISO that does all the partitioning, installation, and drive letter fixing automatically

SMS 2003 OSD
- Build the reference configuration on a single-partition machine
- Sysprep the machine and capture the image using the standard OSD process
- Configure SMS to distribute the image however is required
- Configure a pre-installation task to create a single partition 1.5 GB smaller than the total drive size (optional)
- Use the BitLocker Drive Preparation Tool to convert the one-partition machine into a two-partition machine ready for BitLocker
- Enable BitLocker with the method of choice
Key points
- SMS 2003 OSD doesn’t support multiple-partition deployments
- The Drive Preparation Tool only runs in Windows Vista / LHS and will be released as part of the OS OOB tools
- BitLocker deployment is fully integrated with SMS 2007

BDD 2007
- The Microsoft Solution Accelerator for Business Desktop Deployment (BDD) provides guidance/best practice and the tools required to efficiently manage the deployment of Windows Vista / LHS
BDD 2007 integration with BitLocker
- BitLocker support for Lite Touch Install scenarios
- Integrates with the Drive Preparation Tool via a self-updating mechanism built into the solution
- UI dialogs that let you choose configuration settings, like where on the network to save .TXT files containing BitLocker recovery passwords

Other BitLocker Tools
BitLocker Drive Preparation Tool
- Correctly partitions an existing Windows installation for BitLocker without reimaging
- Automatically repartitions any existing MBR partition layout through the wizard
- Scriptable command-line interface allows for customized deployment
- Allows an admin to remotely configure systems

Other BitLocker Tools
BitLocker Recovery Password Viewer for AD
- Allows you to locate and view recovery passwords that are stored in AD
- Extension for the AD Users and Computers MMC snap-in
- Search for a recovery password across all the domains in the Active Directory forest
BitLocker Repair Tool
- Helps recover data from an encrypted volume if the hard disk has been severely damaged
- Can reconstruct critical parts of the drive and salvage recoverable data
- Uses the recovery package escrowed in AD
- A recovery password or recovery key is required to decrypt the data
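As an added example (not the Recovery Password Viewer itself, nor code from the deck), here is the help-desk lookup the "Recovery Key Points", "Active Directory Preparation" and Recovery Password Viewer slides describe, done with the System.DirectoryServices API: each escrowed recovery password is an msFVE-RecoveryInformation child object of the computer object, named by creation time plus the password ID, so a search can key on the computer name or on the password ID prefix the recovery console shows. It assumes the caller has been delegated read access to those objects and is running in the domain to be searched.

```powershell
# Added example (not from the deck): look up escrowed BitLocker recovery passwords in AD.
# Requires delegated read rights on msFVE-RecoveryInformation objects (see "Recovery Key Points").
$ErrorActionPreference = 'Stop'

# Binary GUID attributes are matched in LDAP filters as \xx-escaped bytes.
function ConvertTo-LdapGuid([guid]$g) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($b in $g.ToByteArray()) { [void]$sb.AppendFormat('\{0:x2}', $b) }
    return $sb.ToString()
}

# Run an LDAP search and project the BitLocker recovery attributes into plain objects.
function Find-RecoveryInfo([string]$Filter, [string]$SearchBaseDn) {
    $root = if ($SearchBaseDn) { [ADSI]"LDAP://$SearchBaseDn" } else { [ADSI]'' }  # '' = domain root
    $ds = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $ds.PageSize = 200
    [void]$ds.PropertiesToLoad.AddRange(@('distinguishedName', 'msFVE-RecoveryGuid',
                                          'msFVE-VolumeGuid', 'msFVE-RecoveryPassword', 'whenCreated'))
    foreach ($r in $ds.FindAll()) {
        New-Object PSObject -Property @{
            DN         = [string]$r.Properties['distinguishedname'][0]
            PasswordId = [guid]$r.Properties['msfve-recoveryguid'][0]   # octet string -> GUID
            VolumeId   = [guid]$r.Properties['msfve-volumeguid'][0]
            Created    = $r.Properties['whencreated'][0]
            Password   = [string]$r.Properties['msfve-recoverypassword'][0]  # the 48-digit value
        }
    }
}

# Lookup by computer name: every recovery password escrowed under that computer object.
# More than one can exist (one per protector creation); the newest is normally the live one.
function Get-RecoveryByComputer([string]$ComputerName) {
    $ds = New-Object System.DirectoryServices.DirectorySearcher([ADSI]'',
            "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))")
    $computer = $ds.FindOne()
    if (-not $computer) { throw "Computer $ComputerName not found in this domain" }
    Find-RecoveryInfo '(objectClass=msFVE-RecoveryInformation)' `
                      ([string]$computer.Properties['distinguishedname'][0]) | Sort-Object Created
}

# Lookup by the password ID prefix the recovery console displays (first 8 hex characters):
# the object's CN is "<creation time>{<password GUID>}", so a CN wildcard on '{prefix' works.
function Get-RecoveryByIdPrefix([string]$Prefix) {
    if ($Prefix -notmatch '^[0-9A-Fa-f]{8}$') { throw 'Supply the 8-character password ID prefix' }
    Find-RecoveryInfo "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$Prefix*))" ''
}

# Lookup by a full password ID, matched on the binary msFVE-RecoveryGuid attribute.
function Get-RecoveryById([guid]$PasswordId) {
    $esc = ConvertTo-LdapGuid $PasswordId
    Find-RecoveryInfo "(&(objectClass=msFVE-RecoveryInformation)(msFVE-RecoveryGuid=$esc))" ''
}

# Example: Get-RecoveryByComputer 'BRANCH-SRV01' | Select-Object Created, PasswordId, Password
```

Searching the whole forest, as the Viewer does, means repeating the prefix or GUID search once per domain root; the objects are only ever created at escrow time, so a computer with no results has no recovery password in AD at all.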

Call To Action
- Need more server platforms for testing and validation:
  - Chipset support
  - TPM 1.2 Interface Specification (TIS)
  - Firmware (UEFI and BIOS) implementations
- OEM value-add opportunities:
  - TPM enablement options
  - Key management, recovery and escrow services
  - Enterprise solution offerings

Additional Resources
Web resources
- Feature explained: http://www.microsoft.com/windows/products/windowsvista/features/details/bitlocker.mspx
- BitLocker docs: http://technet.microsoft.com/en-us/windowsvista/aa905065.aspx
- Technical overview: http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx
- Drive Preparation Tool: http://support.microsoft.com/kb/930063
- AD guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=3A207915-DFC3-4579-90CD-86AC666F61D4&displaylang=en
Questions, comments, etc.: Bdeinfo @ microsoft.com