
A Critical Analysis of Microsoft Data Protection Solutions

HP Technology Forum & Expo 2008


© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Produced in cooperation with:
Agenda
Introduction
BitLocker Drive Encryption (BDE)
Encrypting File System (EFS)
Rights Management Services (RMS)
Conclusion

Windows Server 2008 Key Technologies

Operations / Infrastructure:
• Centralized Role Management
• Failover Clustering
• Windows Virtualization
• Network Access Protection
• Terminal Services
• AD Read Only Domain Controllers
• Windows PowerShell

Application Platform:
• IIS 7
• .NET Framework 3.0
• Resource Management
• Federated Identity

Investment in the Fundamentals:
• Security: Service Hardening, Windows Advanced Firewall, BitLocker Drive Encryption
• Reliability: Server Core, Dynamic Partitioning
• Performance: Next Generation TCP/IP, 64x64-bit Cores
BitLocker™ Drive Encryption
• Designed specifically to help prevent a thief who boots another operating system or runs a hacking tool from breaking Windows file and system protections
• Helps provide data protection on your Windows client systems, even when the system is in unauthorized hands or is running a different or exploiting operating system
• Can use a v1.2 Trusted Platform Module (TPM) or a USB flash drive for key storage
• HP provides TPM 1.2 in
− Notebooks: 2400, 4400, 6400, 8400 Series
− Desktops: dc7700, dx5xxx
• Availability: BDE is an optional feature in all Windows Server 2008 (Longhorn) versions; on the client it is only in Windows Vista Enterprise and Vista Ultimate editions
BitLocker™ features overview
BitLocker Drive Encryption (BDE)
− Prevents bypass of the Windows boot process
− Ensures boot process integrity (Secure Startup)
• Protects the system from offline software-based attacks
− Protects data while the system is offline
• Encrypts the entire Windows volume, including both user data and system files, the hibernation file, the page file and temporary files
− Eases equipment recycling
Pre-OS multi-factor authentication
− Dongle, BIOS, and TPM-backed SW identity
TPM Base Services (TBS)
What is a Trusted Platform Module (TPM)?
Smartcard-like module on the motherboard that:
• Helps protect secrets
• Performs cryptographic functions
− RSA, SHA-1, RNG
− Meets encryption export requirements
• Can create, store and manage keys
− Provides a unique Endorsement Key (EK)
− Provides a unique Storage Root Key (SRK)
• Performs digital signature operations
• Holds platform measurements (hashes)
• Anchors chain of trust for keys and
TPM 1.2 spec: www.trustedcomputinggroup.org
BDE disk layout and key storage
Where's the encryption key?
• The Storage Root Key (SRK) is held inside the TPM and never leaves it
• The Full Volume Encryption Key (FVEK) is stored on the hard drive, encrypted under the SRK; releasing it is gated by the chosen authenticator: (1) TPM, (2) TPM + PIN, or (3) USB-hosted key
• (The slide collapses one level of BitLocker's real hierarchy: the FVEK is wrapped by a Volume Master Key (VMK), and it is the VMK that the TPM, PIN and USB key protectors unlock. Rotating a protector therefore re-wraps the VMK without re-encrypting the volume.)
OS volume contains (all encrypted): the OS, the page file, temp files, user data, the hibernation file
System volume contains: MBR, loader, boot utilities (unencrypted, small)
BDE: Available Authenticators
• Default: Trusted Platform Module (TPM) only
• TPM + USB startup key (1)
• TPM + PIN
• USB startup key (1, 2, 3), for recovery or non-TPM computers
• USB recovery key (3, 4)
• Numeric (text) recovery password (4), 48 digits, of the form 123456-789012-345678-…
• Windows Server 2008 adds: TPM + USB + PIN
Notes:
1. A startup key with a TPM is different from one without a TPM
2. Used only on non-TPM computers
3. A non-TPM startup key and a recovery key are the exact same thing
4. Not used routinely, for recovery only (48 digits)
BDE architecture
Static root of trust measurement of early boot components: each stage is measured into the TPM before it hands over to the next, and the volume is only unlocked when every measured boot blob matches the values the key was sealed to.
TPM Init → BIOS → MBR → BootSector → BootBlock → BootManager → Start OS Loader → OS
(PreOS and static OS: all boot blobs measured; Volume: unlocked; Blob of target OS: unlocked)
Enabling BitLocker
• Create a 1.5GB active partition
− This becomes your "system" partition, where the OS boots
− The TPM boot manager itself uses only 50MB
− Windows runs from your "boot" partition, where the system lives
• Enable the TPM chip (via system BIOS)
• Enable BitLocker in Security Center
− Updates the hard disk MBR
− Encrypts the Windows "boot" partition
• Generates the symmetric encryption key
• Stores the key in the TPM
• Encryption begins after reboot
BDE passwords and PINs...
BIOS password
− Required to enable TPM in BIOS
Owner password
− After TPM initialization
− Required for Disabling TPM, Clearing TPM, Recycling
− In domain: hash stored in AD computer object
Administrator password
− Required for enabling BDE
BDE PIN (Optional)
− Required for accessing encrypted BDE volume
Recovery password
− Can also be on USB token
− In domain: can be stored in AD computer object
− Required for recovering BDE data after PIN loss, TPM errors, boot file
modification
BDE Recovery options
Based on GPO:
− BitLocker setup can automatically escrow recovery keys and owner passwords into AD
− Setup may also try to back up keys and passwords onto a USB dongle or to a file location
• Default for non-domain-joined users (e.g., Ultimate SKU)
• Working with third parties for web service-based key escrow
Recovery password known by the user/administrator
• Recovery can occur "in the field"
• Windows operation can continue as normal
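The enabling, PIN and recovery-escrow steps of the last three slides, as an added worked example in PowerShell. This is not from the HP deck and is not the Vista/Server 2008 tooling the slides describe (that generation used the manage-bde.wsf script); the BitLocker, TrustedPlatformModule and ActiveDirectory cmdlets below exist from Windows 8 / Server 2012 onward. It assumes an elevated session on a domain-joined client with the "Store BitLocker recovery information in AD DS" group policy enabled; the function name Test-BitLockerPosture is my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the HP/Microsoft deck. Requires Windows 8 / Server 2012+.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
Import-Module TrustedPlatformModule
Import-Module BitLocker

$osDrive = $env:SystemDrive   # the Windows "boot" partition in the slide's terms, e.g. C:

# Step 1 (slide "Enable TPM chip via system BIOS"): a TPM that is present but not
# enabled/activated/owned cannot seal anything, so fail loudly instead of falling back.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw 'No TPM: this machine would need a USB startup key (non-TPM mode).' }
if (-not $tpm.TpmReady)   { throw 'TPM not ready: enable it in firmware, then run Initialize-Tpm.' }

$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Step 2: create the recovery password *before* sealing to the TPM, so a PIN loss,
    # TPM error or boot-file change (slide "Recovery password") can always be recovered.
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null

    # Step 3: TPM alone only proves the boot path is unmodified; whoever powers the laptop
    # on reaches the logon screen. TPM+PIN adds the pre-OS factor the thief must know.
    $pin = Read-Host -AsSecureString -Prompt 'BitLocker startup PIN'
    Add-BitLockerKeyProtector -MountPoint $osDrive -TpmAndPinProtector -Pin $pin | Out-Null
    # Encryption of the volume starts after the reboot that runs BitLocker's hardware test.
}

# Step 4 (slide "BDE Recovery options"): escrow every recovery password into the computer
# object as an msFVE-RecoveryInformation child; needs the AD DS backup GPO to be in force.
$vol = Get-BitLockerVolume -MountPoint $osDrive
foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# Step 5: report the protector set. A bare 'Tpm' protector means the PIN requirement did
# not take; a missing 'RecoveryPassword' means clearing the TPM would lose the data.
function Test-BitLockerPosture {
    param([string]$MountPoint = $osDrive)
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($v.KeyProtector | ForEach-Object KeyProtectorType)
    [pscustomobject]@{
        TpmPin           = $types -contains 'TpmPin'
        BareTpm          = $types -contains 'Tpm'
        RecoveryPassword = $types -contains 'RecoveryPassword'
        VolumeStatus     = $v.VolumeStatus
        ProtectionStatus = $v.ProtectionStatus
    }
}
Test-BitLockerPosture

# Optional, where RSAT is installed: confirm the escrow landed under the computer object.
# Select the GUID rather than msFVE-RecoveryPassword so the secret stays out of transcripts.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $dn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $dn -Properties msFVE-RecoveryGuid |
        Select-Object Name, msFVE-RecoveryGuid
}
```

The order matters: adding the recovery password first and the TPM+PIN protector second means there is no window in which the volume is sealed only to this one TPM, which is exactly the failure the slide's "TPM errors, boot file modification" bullet describes.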
How about Embedded Security for HP ProtectTools? Supported applications:
• Secures cryptographic keys:
− Microsoft Encrypting File System
− Personal Secure Drive
− S/MIME
− Any CAPI or PKCS#11 based application
• Two-factor authentication
− 802.1x EAP-TLS based
• Enhanced SecurID
− Protects access to the SecurID seed
• HP ProtectTools Credential Manager access
− Client-side credential caching SSO
• User pre-boot authentication
• DriveLock
− DriveLock password secured using the TPM
• Available on TPM 1.1 and 1.2
But... there's more than technology...
(Photo: an alarm keypad with the code posted on the sign beside it: "54321 TO SILENCE ALARM", "REPEAT CODE TO RESET")
EFS investments
• Smartcards provide strong protection for laptop and shared workstation scenarios
• Client-side encryption: protection against malicious server administrators
• Investments in group policy controls on encryption
• Re-key wizard
• Key backup notification
EFS with Smartcards
Smartcards can be too slow to be used for every file access, so the smartcard private key can be used in two ways:
• RSA mode: the smartcard's private key is used directly to protect the file encryption key (FEK), so every file open touches the card
• Accelerated mode (software private key mode):
− Derive a symmetric software key (AES-256) using the private key on the smartcard
− Cache it in the LSA and use it to encrypt/decrypt the FEK of each file
− The symmetric key can only be derived using the smartcard's private key, so the card is still needed to bootstrap the session

EFS with remote files: client-side encryption
• Client connects to a remote server file share over SMB
• EFS encryption happens locally on the client; the encrypted file is what is sent to the server
• Keys and certificates live on the client
• No need to enable "Trust for Delegation" on the server
EFS Group policy enhancements
EFS Re-Key Wizard
Allows users to better manage their EFS
certificates and encrypted files
Especially useful when switching to
smartcard encryption
Provides a choice of EFS services
−Choose a certificate
−Create a new certificate
−Back up the certificate
−Re-encrypt old files with new certificate
EFS key backup improvements
• TOP customer pain point (90% of issues reported on newsgroups): data lost due to keys not being backed up
• Vista key and certificate backup notification
− Major usability and reliability improvements
− ON for workgroups, OFF for domains (in a domain, recovery is expected to come from a data recovery agent or CA key archival rather than from a user-made backup)
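What the "key backup" and "client-side encryption" slides amount to in practice, as an added PowerShell example that is not part of the HP deck: locate the certificate Windows uses for EFS on this account, export it with its private key, and verify which files that key is protecting. It assumes Windows 8 / Server 2012 or later (Export-PfxCertificate), an NTFS volume with EFS allowed by policy, and that the export path, sample file and function names are mine.

```powershell
# Added example, not part of the HP/Microsoft deck. Requires Windows 8 / Server 2012+.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Enhanced Key Usage OID that marks a certificate as usable for Encrypting File System.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertificate {
    # Current user's EFS-capable certificates that still have a private key, newest first.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $EfsEku) } |
        Sort-Object -Property NotBefore -Descending
}

function Backup-EfsCertificate {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][securestring]$Password)
    $cert = Get-EfsCertificate | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate yet: Windows creates one the first time a file is encrypted.' }
    # The PFX holds the private key. Losing it is the "data lost" case on the slide, so the
    # backup belongs off the machine, never only on the volume it protects.
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $Password | Out-Null
    $cert.Thumbprint
}

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    # The Encrypted attribute is set by NTFS once EFS has wrapped the file's FEK.
    [bool]((Get-Item -LiteralPath $Path).Attributes -band [IO.FileAttributes]::Encrypted)
}

# Constructed sample: encrypt a scratch file with the current user's key and confirm it took.
$demo = Join-Path $env:TEMP 'efs-demo.txt'
Set-Content -LiteralPath $demo -Value 'constructed sample data'
[IO.File]::Encrypt($demo)
if (-not (Test-EfsEncrypted -Path $demo)) {
    throw 'EFS attribute not set: non-NTFS volume or EFS disabled by policy.'
}

# Back up the key that now protects it (path and password are assumptions for the example).
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX backup'
$thumbprint  = Backup-EfsCertificate -Path (Join-Path $env:USERPROFILE 'efs-key-backup.pfx') -Password $pfxPassword
"EFS certificate $thumbprint backed up; run 'cipher /c $demo' to list the certificates able to decrypt the file."
```

The built-in equivalent of Backup-EfsCertificate is `cipher /x <file>`, which writes the same PFX; the point of doing it from a script is that it can be run by logon script or scheduled task, which is the only way the "OFF for domains" default on the slide gets covered without relying on each user.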
How does RMS work?
(Components: RMS Server, SQL Server, Active Directory, the information author, the recipient)
• The author receives a client licensor certificate (CLC) the first time they rights-protect information
1. The author defines a set of usage rights and rules for the file; the application creates a "Publishing License" and encrypts the file
2. The author distributes the file
3. The recipient clicks the file to open it; the application calls the RMS server, which validates the user and issues a "Use License"
4. The application renders the file and enforces the rights
AD RMS in Windows Server 2008
RMS component is included in the operating
system
AD RMS is now a Server Role
• Use Server Manager to install AD RMS
• Easy server deployment
• Componentized setup installs dependencies
automatically
Native x64 support
Self-Activation
• No dependency on external MSN RMS Activation
Service to enroll the first RMS root server
Challenges in External Collaboration
Option 1: Use .NET Passports
• .NET Passports are not suitable for enterprises
• In Windows RMS, administrators need to trust the hotmail.com namespace
Option 2: Create accounts for partners
• Adds complexity in the Windows infrastructure
• Increases operational costs in maintaining external accounts in internal AD
Option 3: Create RMS trusts
• Partners do not implement RMS
• Exchange of the RMS public key is a non-secure and manual process
Option 4: Use a 3rd party product
• Adds costs to the RMS implementation
• Relies on an external party to host partners' accounts

Solution: AD Federation Service
• Uses Active Directory Federation Service (ADFS)
• Requires AD RMS to work with ADFS
• Establishes trust once
− Can be re-used for other applications
• Partners manage their own AD accounts
− No identity lifecycle management for partner users on the RMS side
External RMS collaboration via ADFS
(Contoso: AD, RMS server fronted by a WebSSO agent, federation server FS-R as the resource partner. Fabrikam: AD, federation server FS-A as the account partner.)
1. Assume the author at Contoso is already bootstrapped (holds a RAC and CLC)
2. Author sends protected mail to a recipient at Fabrikam
3. Recipient contacts the Contoso RMS server to get bootstrapped
4. WebSSO agent intercepts the request
5. RMS client is redirected to FS-R for home realm discovery
6. RMS client is redirected to FS-A for authentication
7. RMS client is redirected back to FS-R with the authentication result
8. RMS client makes a request to the RMS server for bootstrapping
9. WebSSO agent intercepts the request, checks authentication, and sends the request to the RMS server
10. RMS server returns the bootstrapping certificates (RAC, CLC) to the recipient
11. RMS server returns a use license (UL) for the publishing license (PL) to the recipient
12. Recipient accesses the protected content
Exchange 2007 and RMS
(Components: Exchange 2007 Server, RMS Server, SQL Server, Active Directory, author using Office 2003 / 2007, the recipient)
1. Author sends e-mail through the Exchange 2007 Server
2. Exchange 2007 Server examines the message properties and determines whether RMS policies should be applied
3. Exchange 2007 Server makes a request to RMS to apply the policy to the email and obtain a usage license
4. RMS authenticates the user, creates the usage license, logs the transaction
5. Recipient synchronizes email with the Exchange 2007 Server; message and usage license are delivered to the user
6. Recipient opens the email; policies are enforced
But... there's more than technology...
(Photo: a sign reads "road is for cars only" and "All must enter through electronic mantrap", while the fence ends right beside the gate)
Technology comparison (BDE | EFS | RMS)
• Encryption: AES 128 (RSA32.LIB) | AES (Crypt32.DLL; 256-bit by default since XP SP1) | AES 128 (Crypt32.DLL)
• Data awareness: Blocks | Files | App defined; docs/email
• Master key: TPM + SW identity, dongle | SW, smart-card | Obfuscated SW (lockbox)
• Content key: Same as root key | Same as root key, per file | Server
• Protects what?: Windows and data | Directories and files | Documents (including use)
• Protects who?: Machine owner, user | Users | Document owners
• Protection: Local, removable media | Local, removable media, remote | Remote, removable media
• Who is god?: Local admin, net admin | Local admin, net admin | Document owner, RMS admin
• Supports other security systems?: Yes | Yes (ISVs only) | No (RMS is a security platform for applications)
• Data recovery mechanism: Dongle, file, network; manual key entry | Local or AD based policy | RMS server policy
• Killer client scenario: Lost or stolen laptop | Multi-user PC | Protected document sharing
• Killer server scenario: Branch-office server | Protect documents on file shares from admin | RMS support in SharePoint and Exchange
• Killer admin scenario: Just switch it on (also force recovery) | My Documents encrypted by default | Establish corporate information policy
What feature should I use?
Who are you protecting against?
− Other users or administrators on the machine?
− Unauthorized users with physical access?
Scenarios and the matching feature:
• Laptops: BDE
• Branch office server: BDE
• Local single-user file & folder protection: BDE
• Local multi-user file & folder protection: EFS
• Remote file & folder protection: EFS
• Untrusted network admin: EFS
• Remote document policy enforcement: RMS

Some cases can result in overlap (e.g. multi-user roaming laptops with untrusted network admins).
Questions?

Download the HP Security
Handbook!

Go to: www.hp.com/go/security
More information
"Windows Security Fundamentals", Jan De Clercq and Guido Grillenmeier, ISBN 1555583407
Info collected by Vinayak Nandikal
Courtesy HP Technology

Thank You