Securing Windows Server 2008: BitLocker data protection basics


Aaron Tiensivu, Author
08.07.2008


Service provider takeaway: This section of the chapter excerpt titled "Microsoft Windows Server 2008: Data Protection" is taken from the book Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization. The chapter excerpt teaches how to set up BitLocker and provides details on full volume encryption and recovery mechanisms.

Download the .pdf of the "Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization" chapter here.

BitLocker

Everyone has heard the news reports about laptops being stolen, temporarily misplaced, or lost. The data stored on the hard drive can be retrieved by means other than through the operating system. Things such as bootable CDs or USB keys can be used to bypass the operating system and get directly to the information stored on the physical media without the need to know any passwords. Once the operating system has been bypassed, all the files on the drive can be viewed, edited, or copied. The best safeguard to defend against this security issue is encryption.

BitLocker is Microsoft's answer to providing better security by encrypting the data stored on the drive's operating system volume, and is available only in the Enterprise and Ultimate versions of Vista. This new security feature goes a long way toward helping users and organizations protect their data.

You can set up BitLocker in the following configurations:

The default configuration for BitLocker is to be used in conjunction with a TPM. The TPM is a hardware microchip embedded into the motherboard that is used to store the encryption keys. This protects the hard drive even if it has been removed from the computer and installed into another computer. You can also use BitLocker on systems that don't have the TPM hardware manufactured on the motherboard. You can do this by changing BitLocker's default configuration with either a Group Policy or a script. When you use BitLocker without a TPM, you must store the key on a USB flash drive and insert the USB flash drive into the computer for the system to boot.

The hardware and software requirements for BitLocker are:

Trusted Platform Modules

Developed by the Trusted Platform Group -- an initiative by vendors such as AMD, Hewlett-Packard, IBM, Infineon, Intel, Microsoft, and others -- a TPM is a semiconductor built into your computer motherboard. It is capable of generating cryptographic keys, limiting the use of those keys, and generating pseudo-random numbers.

Each TPM has a unique RSA key (the endorsement key) burnt into it that cannot be altered. The key is used for data encryption (a process known as binding). A TPM also provides facilities for Secure I/O, Memory curtaining, Remote Attestation, and Sealed Storage. You can secure your TPM module by assigning a TPM owner password.

With secure input and output (which is also known as trusted path), it is possible to establish a protected path between the computer user and the software that is running. The protected path prevents the user from capturing or intercepting data sent from the user to the software process, for example playing a media file. The trusted path is implemented in both hardware (TPM) and software and uses checksums for the verification process.

Memory curtaining provides extended memory protection. With memory curtaining, even the operating system does not have full access to the protected memory area.

Remote attestation creates a hashed summary of the hardware and software configuration of a system. This allows changes to the computer to be detected.

Sealed storage protects private information in a manner that the information can be read only on a system with the same configuration. In the preceding example, sealed storage prevents the user from opening the file on a "foreign" media player or computer system. In conjunction, it even prevents the user from making a copy (memory curtaining) or capturing the data stream that is sent to the sound system (secure I/O).

A Practical Example:

You download a music file from an online store. Digital rights management protects the file. All security methods are enforced: the file plays only in media players provided by the publisher (remote attestation). The file can be played only on your system (sealed storage), and it can neither be copied (memory curtaining) nor digitally recorded by the user during playback (secure I/O).

The major features of BitLocker are full-volume encryption, checking the integrity of the startup process, recovery mechanisms, remote administration, and a process for securely decommissioning systems.

Full Volume Encryption

Windows BitLocker provides data encryption for volumes on your local hard drive. Unlike Encrypting File System (EFS), BitLocker encrypts all data on a volume: operating system, applications and their data, as well as page and hibernation files. In Windows Server 2008, you can use BitLocker to encrypt the whole drive, as compared to Windows Vista where you can encrypt volumes. BitLocker operation is transparent to the user and should have a minimal performance impact on well-designed systems. The TPM endorsement key is one of the major components in this scenario.

Startup Process Integrity Verification

Because Windows Startup components must be unencrypted for the computer to start, an attacker could gain access to these components, change the code, and then gain access to the computer, thereby gaining access to sensitive data such as BitLocker keys or user passwords as a consequence.

To prevent such attacks, BitLocker Integrity checking ensures that startup components (BIOS, Master Boot Record (MBR), boot sector, and boot manager code) have not been changed since the last boot.

Each startup component checks its code each time the computer starts, and calculates a hash value. This hash value is stored in the TPM and cannot be replaced until the next system restart. A combination of these values is also stored.

These values are also used to protect data. For this to work, the TPM creates a key that is bound to these values. The key is encrypted by the TPM (with the endorsement key) and can be decrypted only by the same TPM. During computer startup, the TPM compares the values that have been created by startup components with the values that existed when the key was created. It decrypts the key only if these values match.
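The measure-then-seal logic described above, as an added toy model that is not code from the book or from Microsoft: each startup component is hashed into a simulated PCR, the volume key is sealed to the resulting PCR digest, and a boot whose components differ cannot unseal it. The component names, PCR indices, volume key and the HMAC-based key wrapping are constructed assumptions that stand in for the real TPM's internals.

```python
# Toy model of BitLocker's TPM-bound key release (added example, not from the book).
# Each startup component is measured into a PCR: PCR = SHA-256(PCR || SHA-256(code)).
# The volume key is sealed to a digest of chosen PCRs and released only if the same
# digest recurs at the next boot. The HMAC keystream wrapping is a simplification.
import hashlib
import hmac
import os

PCR_COUNT = 24
_TPM_SECRET = os.urandom(32)  # never leaves the simulated chip (constructed)
PCRS_USED = [0, 4, 8, 10]     # registers the sealed key is bound to
# Constructed stand-ins for the measured startup components: (PCR index, code).
BOOT_CHAIN = [(0, b"BIOS v1.0"), (4, b"MBR"), (8, b"boot sector"), (10, b"bootmgr")]

class TPM:
    def __init__(self):
        self.pcrs = [bytes(32)] * PCR_COUNT  # zeroed at power-on, extend-only after

    def extend(self, index, component):
        h = hashlib.sha256(component).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + h).digest()

    def _policy(self, indices):
        return hashlib.sha256(b"".join(self.pcrs[i] for i in indices)).digest()

    def _stream(self, policy):
        return hmac.new(_TPM_SECRET, policy, hashlib.sha256).digest()

    def seal(self, key, indices):
        policy = self._policy(indices)
        return policy, bytes(a ^ b for a, b in zip(key, self._stream(policy)))

    def unseal(self, blob, indices):
        policy, wrapped = blob
        if not hmac.compare_digest(policy, self._policy(indices)):
            return None  # a startup component changed: the key stays locked
        return bytes(a ^ b for a, b in zip(wrapped, self._stream(policy)))

def boot(chain):
    tpm = TPM()  # power-on: fresh PCRs, then measure each component in order
    for index, component in chain:
        tpm.extend(index, component)
    return tpm

def demo():
    vmk = bytes(range(32))  # constructed volume master key
    blob = boot(BOOT_CHAIN).seal(vmk, PCRS_USED)
    tampered = [(i, b"MBR+bootkit" if i == 4 else c) for i, c in BOOT_CHAIN]
    return boot(BOOT_CHAIN).unseal(blob, PCRS_USED) == vmk, boot(tampered).unseal(blob, PCRS_USED)
```

Because a PCR can only be extended, not written, a component measured after the fact cannot be made to look like the original one; this is what lets the sealed key survive reboots of an unchanged system while staying locked on a modified one.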

Recovery Mechanisms

BitLocker includes a comprehensive set of recovery options to make sure data not only is protected, but also available. When BitLocker is enabled, the user is asked for a recovery password. This password must be either printed out, saved to a file on a local or network drive, or saved to a USB drive.

In an enterprise environment, however, you would not want to rely on each user to store and protect BitLocker keys. Therefore, you can configure BitLocker to store recovery information in Active Directory. We will cover key recovery using Active Directory later in this chapter.

Remote Administration

Especially in environments with branch offices, it is desirable to have a remote management interface for BitLocker. A WMI script provided by Microsoft allows for BitLocker remote administration and management. You will find the script in the \Windows\System32 folder after you install BitLocker.

To manage a BitLocker protected system via script:

1. Log on as an administrator.
2. Click Start, click All Programs, click Accessories, and then click Command Prompt.
3. At the command prompt type cd /d C:\Windows\System32.
4. For example, to view the current status of BitLocker volumes, type cscript manage-bde.wsf -status.

Secure Decommissioning

If you decommission or reassign (maybe donate) equipment it might be necessary to delete all confidential data so that it cannot be reused by unauthorized people. Many processes and tools exist to remove confidential data from disk drives. Most of them are very time consuming, costly, or even destroy the hardware.

BitLocker volume encryption makes sure that data on a disk is never stored in a format that can be useful to an attacker, a thief, or even the new owner of the hardware. By destroying all copies of the encryption key it is possible to render the disk permanently inaccessible. The disk itself can then be reused.

There are two scenarios when deleting the encryption key:

About the book
"Securing Windows Server 2008: Prevent Attack from Outside and Inside Your Organization" will teach you how to configure Windows Server 2008 to secure your network, how to use Windows Server 2008 hand-in-hand with Active Directory and Vista and how to understand Server Core. This book also focuses on public key infrastructure management, virtualization, terminal services, Active Directory Domain security changes and certificate management.

Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "Securing Windows Server 2008" by Aaron Tiensivu. For more information about this title and other similar books, please visit Elsevier.
