virtual techdays
Desktop Security with Windows 7: AppLocker & BitLocker to Go
Aviraj Ajgekar │ Technology Evangelist │ Microsoft Corporation
Blog: http://blogs.technet.com/aviraj │ aviraj@microsoft.com

Agenda
  BitLocker enhancements and capabilities
  Trusted Platform Module management and PINs
  Encrypt data volumes and removable storage devices
  Recover encrypted data
  AppLocker: Enforce Rules and Audit Only mode
  AppLocker management using PowerShell
  AppLocker architecture
  AppLocker deployment best practices
  AppLocker vs. Software Restriction Policies
BitLocker & BitLocker to Go
Overview of BitLocker
  Extend BitLocker drive encryption to removable devices
  Create Group Policies to mandate the use of encryption and block unencrypted drives
  Simplify BitLocker setup and configuration of the primary hard drive

New Features of BitLocker
  Improved Setup Wizard
  Automatic 200 MB hidden boot partition
  New key protectors
  BitLocker To Go
    Support for FAT
    Protectors: DRA, passphrase, smart card and/or auto-unlock
    New GPOs to improve enterprise management
    Edition availability
    BitLocker To Go Reader

Hardware Requirements
  Trusted Platform Module (TPM)
    Version 1.2 or later
    www.trustedcomputinggroup.org/specs/TPM
    www.trustedcomputinggroup.org/specs/PCClient
  BIOS
    Trusted Computing Group BIOS
    Physical presence interface
    Memory overwrite on reset
    Immutable CRTM or secure update
  USB
    System boot from USB 1.x and 2.x
    USB read/write in the pre-operating-system environment
  Hard Disk
    Requires at least two partitions
    Separate partitions for System and OS
DEMO: Configuring the Trusted Platform Module
  Set ownership of the TPM
  Block or allow TPM commands
  Turn off and clear the TPM

DEMO: Configuring BitLocker Group Policy Settings
  Enable BitLocker encryption without a TPM
  Configure BitLocker Group Policy settings
Operating System Volume: Disk Layout and Key Storage
  Operating System Volume contains:
    Encrypted OS
    Encrypted page file
    Encrypted temp files
    Encrypted data
    Encrypted hibernation file
  System Volume contains:
    MBR
    Boot Manager
    Boot utilities
  Where's the encryption key?
    1. SRK (Storage Root Key), contained in the TPM
    2. SRK encrypts the VMK (Volume Master Key)
    3. VMK encrypts the FVEK (Full Volume Encryption Key), which is used for the actual data encryption
    4. FVEK and VMK are stored encrypted on the Operating System Volume
  (Diagram: key chain SRK -> VMK -> FVEK -> Operating System Volume, numbered 1-4 as above)

BitLocker on Removable Drives
  Drive type
    Removable data drives
    USB flash drives
    External hard drives
  Unlock methods
    Passphrase
    Smart card
    Automatic unlocking
  Recovery methods
    Recovery password
    Recovery key
    Active Directory backup of the recovery password
    Data Recovery Agent
  Management
    Robust and consistent Group Policy controls
    Ability to mandate encryption prior to granting write access
  File systems
    NTFS, FAT, FAT32, exFAT
DEMO: Encrypting Drives Using BitLocker and BitLocker To Go
  Add a Data Recovery Agent
  Encrypt a FAT-formatted disk drive
  Configure BitLocker To Go

DEMO: Using the Manage-BDE Command-Line Tool
  Encrypt and decrypt a drive using Manage-BDE
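The Manage-BDE demo as a worked script, added here as an example (it is not part of the original deck): it turns BitLocker To Go on for a removable drive with a passphrase plus recovery protectors, lists the protectors, rehearses a recovery unlock and finally decrypts. The drive letter E: and the key backup folder are assumptions; run from an elevated Windows 7 PowerShell prompt.

```powershell
# Added example, not from the deck: BitLocker To Go lifecycle with manage-bde.exe.
# Drive letter and backup folder are assumptions; adjust to your machine.
$Drive     = 'E:'
$KeyBackup = 'C:\BitLockerKeys'   # assumed folder that will receive the recovery key file
New-Item -ItemType Directory -Path $KeyBackup -Force | Out-Null

# 1. Inspect the current state (Protection Off / Encryption in Progress / Protection On)
#    before changing anything.
manage-bde -status $Drive

# 2. Turn BitLocker on with three protectors:
#    -pw prompts for the passphrase interactively, so it never lands in the command history;
#    -rp generates a 48-digit recovery password; -rk writes a recovery key file to $KeyBackup.
manage-bde -on $Drive -pw -rp -rk $KeyBackup

# 3. List the protectors. Each carries an ID; the Numerical Password ID is what you pass to
#    "manage-bde -protectors -adbackup" to escrow the recovery password in Active Directory.
$protectors = manage-bde -protectors -get $Drive | Out-String
$protectors

# Pull the 48-digit recovery password out of that listing (eight groups of six digits).
$recoveryPassword = ([regex]'\d{6}(-\d{6}){7}').Match($protectors).Value

# 4. Wait for the encryption pass to finish before the drive is removed.
do {
    Start-Sleep -Seconds 10
    $status = manage-bde -status $Drive | Out-String
} while ($status -match 'Encryption in Progress')

# 5. Rehearse the recovery scenario: lock the volume, then unlock it with the
#    recovery password instead of the passphrase.
manage-bde -lock $Drive -ForceDismount
manage-bde -unlock $Drive -RecoveryPassword $recoveryPassword

# 6. Decrypt when the drive is retired from the encryption mandate; -status shows progress.
manage-bde -off $Drive
manage-bde -status $Drive
```

Keep the file written to $KeyBackup off the encrypted drive itself; it is one of the recovery methods listed above and is useless if it is only stored on the volume it unlocks.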
Data Recovery Scenarios
  Lost or forgotten authentication methods
  Upgrade to core files
  Broken hardware
  Deliberate attack

Data Recovery Methods
  Develop a strategy
  Active Directory
  Data Recovery Agents
  Windows Recovery Environment

DEMO: Managing and Recovering Data
  Unlock a FAT-formatted drive
  Manage and decrypt a BitLocker-protected disk drive
AppLocker
Application Control - Situation Today
  Users can install and run non-standard applications
  Even standard users can install some types of software
  Unauthorized applications may:
    Introduce malware
    Increase helpdesk calls
    Reduce user productivity
    Undermine compliance efforts

Windows 7 AppLocker™
  Eliminate unwanted/unknown applications in your network
  Enforce application standardization within your organization
  Easily create and manage flexible rules using Group Policy

DEMO: AppLocker
  AppLocker Application Identity service
  AppLocker Audit Only mode
  AppLocker Enforce Rules and policies
  AppLocker custom error messages

PowerShell Cmdlets
  Core needs are scriptable through PowerShell
  Building blocks for a more streamlined end-to-end experience
  Inbox cmdlets:
    Get-AppLockerFileInformation
    Get-AppLockerPolicy
    Set-AppLockerPolicy
    New-AppLockerPolicy
    Test-AppLockerPolicy

DEMO: AppLocker Management using PowerShell
Architectural Overview
  User mode: Process 1, Process 2, Process 3 call CreateProcess and LoadLibrary
    ntdll
    AppID/SRP Service: SaferIdentityLevel, SRP UM, QueryPolicy
  Kernel mode:
    ntoskrnl: CreateProcess notification
    Appid.sys: AppID, SRP
  (Diagram: process creation and library loads are checked against AppLocker/SRP policy via the AppID service in user mode and Appid.sys in the kernel)

Deployment Best Practices
  Create a desktop lockdown strategy
  Inventory your applications
  Select and test rule types (allow / deny) in a lab
  Define GPO strategy and structure
  Build a process for managing rules
  Document your AppLocker design
  Build reference computers
  Test and update the policy using Audit Only
  Enable rule enforcement
  Maintain the policy
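The PowerShell cmdlet slide and the deployment checklist above describe one workflow: inventory a reference computer, generate rules, run in Audit Only, review the audit log, then enforce. The script below is an added example (not the deck's own demo) that walks that workflow with the five inbox cmdlets; the inventory folders, the working path and the service steps are assumptions, and it runs from an elevated Windows 7 PowerShell prompt.

```powershell
# Added example, not from the deck: audit-first AppLocker rollout with the inbox cmdlets.
# Paths and inventory folders are assumptions; adjust to your reference computer.
Import-Module AppLocker
$PolicyXml = 'C:\AppLocker\Policy.xml'   # assumed working location for the policy file
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# 1. Rules only take effect while the Application Identity service (AppIDSvc) is running.
Set-Service   -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Inventory the reference computer: collect publisher and hash information for the
#    executables you intend to allow (assumed folders).
$Files = 'C:\Windows\System32', 'C:\Program Files' |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe }

# 3. Build allow rules for Everyone, preferring publisher rules and falling back to hash
#    rules for unsigned binaries; -Optimize merges rules that share a publisher.
$Files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $PolicyXml

# 4. Switch every rule collection to Audit Only so violations are logged, not blocked.
$xml = [xml](Get-Content -Path $PolicyXml)
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$xml.Save($PolicyXml)

# 5. Dry-run the policy: an inventoried binary should report Allowed, an unknown one Denied.
#    (D:\Tools\unknown.exe is a placeholder path for something outside the inventory.)
Test-AppLockerPolicy -XmlPolicy $PolicyXml -User Everyone `
    -Path 'C:\Windows\System32\notepad.exe', 'D:\Tools\unknown.exe'

# 6. Apply to the local computer (for a GPO, add -Ldap 'LDAP://<GPO distinguished name>').
Set-AppLockerPolicy -XmlPolicy $PolicyXml

# 7. After the audit period, summarise what would have been blocked. Audited events are
#    ID 8003 in the "Microsoft-Windows-AppLocker/EXE and DLL" log: allowed to run, but
#    would have been denied under enforcement. Anything legitimate here needs a rule.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -EventType Audited -Statistics

# 8. Once the rule set is clean, flip the collections to Enabled and re-apply to enforce.
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'Enabled' }
$xml.Save($PolicyXml)
Set-AppLockerPolicy -XmlPolicy $PolicyXml
```

Keep a default-allow rule for the Windows and Program Files folders (the ones the wizard generates) in the set, otherwise the switch to Enabled in step 8 can block components the operating system itself needs to start.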
AppLocker Vs. Software Restriction Policies
Session Summary
  BitLocker enhancements and capabilities
  BitLocker To Go for removable storage devices
  BitLocker recovery agents and tools
  AppLocker protects digital assets by preventing unwanted software from running
  AppLocker provides an improved management experience, making it easier to maintain a list of approved applications

Microsoft® Tech·Ed India 2011 - Event Overview
  Event dates: 23 - 25 March, 2011
  Event venue: Lalit Ashok, Bangalore (India)
  2010 attendee profile: CXOs 3% │ CXO -1/-2 13% │ Architects 8% │ Developers 54% │ IT Pros 22% │ Students │ Media/Press
  Event theme: Learn │ Connect │ Explore │ Evolve
  What's in it for the audience: strategic direction in keynotes │ deep-dive technical training │ free certification │ software access │ networking │ hands-on labs │ Demo X
  Expected attendance: 3,500 tech audience (onsite) │ 100,000 tech audience (satellite locations) │ 300 CXO & CXO-1 (onsite)

Participate & "Stay Ahead of the Game"
www.microsoftteched.in

virtual techdays
Thank You
Email: aviraj@microsoft.com
Blog: http://blogs.technet.com/aviraj