Microsoft (Data Protection Solutions)
Analysis of Microsoft Data Protection Solutions
Agenda
Introduction
BitLocker Drive Encryption (BDE)
Encrypting File System (EFS)
Rights Management Services (RMS)
Conclusion
Windows Server 2008 Key Technologies
BitLocker™ Drive Encryption
(Diagram: the OS volume is encrypted and is unlocked with the TPM, a PIN or a USB-hosted key; the system volume is unencrypted and small, and contains the MBR, loader and boot utilities.)
BDE: Available Authenticators
• TPM only (default)
• TPM + PIN
• TPM + USB startup key
• USB key (recovery, or non-TPM startup key); a non-TPM startup key and a recovery key are the exact same thing
• Recovery password: not used routinely, for recovery only (48 digits)
BDE architecture
Static root of trust measurement of early boot components
(Diagram: TPM Init → BIOS → MBR → BootSector → BootBlock → BootManager → Start OS Loader → OS. The pre-OS components and the static OS are measured; all boot blobs are unlocked, then the volume blob of the target OS is unlocked.)
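The measurement chain above is what makes a modified boot component force recovery: every stage is hashed into a TPM PCR before it runs, and the volume key is only released when the PCR value matches the one recorded at enable time. The following Python simulation is an added example, not code from the slides or from Microsoft; the component blobs, the volume master key and the toy sealing scheme (a hash-derived wrapping key plus HMAC, standing in for what a real TPM does inside the chip) are all constructed.

```python
import hashlib
import hmac

# Constructed stand-ins for the early-boot components in the slide's chain.
GOOD_BOOT_CHAIN = [
    ("BIOS", b"bios-firmware-image-v1"),
    ("MBR", b"bootmgr-stage0-mbr"),
    ("BootSector", b"ntfs-boot-sector"),
    ("BootBlock", b"bootmgr-boot-block"),
    ("BootManager", b"bootmgr.exe"),
]

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 PCR extend: PCR_new = SHA-1(PCR_old || SHA-1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_chain(chain) -> bytes:
    """Replay the static root of trust: every stage is hashed into the PCR
    before it runs, so a change anywhere in the chain changes the result."""
    pcr = bytes(20)  # PCRs are reset to zero at TPM init
    for _name, blob in chain:
        pcr = extend(pcr, blob)
    return pcr

def seal(vmk: bytes, expected_pcr: bytes):
    """Toy sealing: wrap the volume master key under a key derived from the
    PCR value recorded when BitLocker was enabled. A real TPM keeps the
    wrapping key inside the chip and performs the PCR comparison itself."""
    wrap_key = hashlib.sha256(b"seal|" + expected_pcr).digest()
    blob = bytes(a ^ b for a, b in zip(vmk, wrap_key))
    return blob, hmac.new(wrap_key, blob, "sha256").digest()

def unseal(sealed, current_pcr: bytes):
    """Return the VMK when the current boot measurements match the sealed
    ones, or None, which is the case where BitLocker falls into recovery."""
    blob, tag = sealed
    wrap_key = hashlib.sha256(b"seal|" + current_pcr).digest()
    if not hmac.compare_digest(tag, hmac.new(wrap_key, blob, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(blob, wrap_key))

def boot(sealed, chain) -> str:
    """Outcome of one boot with the given chain: 'unlocked' or 'recovery'."""
    return "unlocked" if unseal(sealed, measure_chain(chain)) is not None else "recovery"

VMK = bytes(range(16))  # constructed 128-bit volume master key
SEALED = seal(VMK, measure_chain(GOOD_BOOT_CHAIN))
# Same components, but the MBR was modified after BitLocker was enabled
MODIFIED_CHAIN = [(n, b"modified-mbr" if n == "MBR" else b) for n, b in GOOD_BOOT_CHAIN]
```

The modified chain yields a different PCR value, so the sealed key does not open and the only way back in is a recovery authenticator (USB key or 48-digit recovery password).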
Enabling BitLocker
• Create a 1.5GB active partition
− This becomes your “system” partition, where the OS boots
• The TPM boot manager uses only 50MB
− Windows runs from your “boot” partition, where the system lives
• Enable TPM chip (via system BIOS)
• Enable BitLocker in Security Center
− Update hard disk MBR
− Encrypt Windows “boot” partition
• Generate symmetric encryption key
• Store key in TPM
• Encryption begins after reboot
BDE passwords and PINs...
BIOS password
− Required to enable TPM in BIOS
Owner password
− After TPM initialization
− Required for Disabling TPM, Clearing TPM, Recycling
− In domain: hash stored in AD computer object
Administrator password
− Required for enabling BDE
BDE PIN (Optional)
− Required for accessing encrypted BDE volume
Recovery password
− Can also be on USB token
− In domain: can be stored in AD computer object
− Required for recovering BDE data after PIN loss, TPM errors, boot file modification
BDE Recovery options
Based on GPO:
− BitLocker setup can automatically escrow recovery keys and owner passwords into AD
− Setup may also try to back up keys and passwords onto a USB dongle or to a file location
• Default for non-domain-joined users (e.g., Ultimate SKU)
• Working with third parties for web service-based key escrow
Recovery password known by the user/administrator
• Recovery can occur “in the field”
• Windows operation can continue as normal
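The 48-digit recovery password used “in the field” has a checkable structure, which is what lets a help desk spot a mistyped digit before a recovery attempt. The validator below is an added example, not code from the slides or from Microsoft; it assumes the documented format (eight six-digit groups, each divisible by 11 and below 720896, with group/11 giving a 16-bit word) and, as an assumption, little-endian packing of those words into the 16-byte value from which BitLocker derives the unlock key. The sample password is constructed.

```python
import re

GROUP_LIMIT = 720896  # 11 * 65536: each group is a 16-bit word times 11

def parse_recovery_password(text: str) -> list:
    """Validate a 48-digit BitLocker recovery password and return the eight
    16-bit words it encodes; raise ValueError with the reason otherwise.
    Dashes and whitespace between groups are accepted and ignored."""
    digits = re.sub(r"[\s-]", "", text)
    if not re.fullmatch(r"\d{48}", digits):
        raise ValueError("expected 48 digits in 8 groups of 6")
    words = []
    for i in range(8):
        group = int(digits[6 * i : 6 * i + 6])
        # Divisibility by 11 acts as a check digit: changing any single digit
        # adds d*10^k, and 10^k is +1 or -1 mod 11, so the check always trips.
        if group % 11 != 0:
            raise ValueError(f"group {i + 1} fails the divisible-by-11 check (typo?)")
        if group >= GROUP_LIMIT:
            raise ValueError(f"group {i + 1} is not below {GROUP_LIMIT}")
        words.append(group // 11)
    return words

def recovery_key_bytes(words) -> bytes:
    """Pack the eight words as 16-bit little-endian values (assumed layout):
    the 16-byte secret BitLocker stretches into the volume unlock key."""
    return b"".join(w.to_bytes(2, "little") for w in words)

def format_recovery_password(words) -> str:
    """Inverse of parsing: emit the dashed 48-digit form from 16-bit words."""
    return "-".join(f"{w * 11:06d}" for w in words)

def is_valid_recovery_password(text: str) -> bool:
    """Convenience wrapper for a yes/no check at the help desk."""
    try:
        parse_recovery_password(text)
        return True
    except ValueError:
        return False

# Constructed sample: words [0, 1, 65535, 12345, 7, 100, 50000, 2]
SAMPLE = "000000-000011-720885-135795-000077-001100-550000-000022"
```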
How about Embedded Security for HP ProtectTools? Supported applications:
Secures cryptographic keys:
− Microsoft Encrypting File System
− Personal Secure Drive
− S/MIME
− Any CAPI or PKCS#11 based application
Two-factor authentication
− 802.1x EAP-TLS based
Enhanced SecurID
− Protects access to SecurID seed
HP ProtectTools Credential Manager access
− Client-side credential caching SSO
User pre-boot authentication
DriveLock
− DriveLock password secured using TPM
Available on TPM 1.1 and 1.2
But...there’s more than technology...
(Photo of a sign reading “54321 TO SILENCE ALARM” and “REPEAT CODE TO RESET”.)
EFS investments
• Smartcards provide strong protection for laptop and shared workstation scenarios
• Client Side Encryption – protection against malicious server administrators
• Investments in group policy controls on encryption
• Re-key wizard
• Key backup notification
EFS with Smartcards
• Smartcards can be too slow to be used for every file access
• Accelerated mode:
− Derive a symmetric software key (AES-256) using the private key on the smartcard
− Use this key to encrypt/decrypt files
− The symmetric key can only be derived using the smartcard’s private key
− Cache the key in LSA
(Diagram: smartcard private key → derive a symmetric key (accelerated mode) → AES-256 key → cache in LSA; the RSA private key is used as a software private key.)
• Client connects to a remote server file share; the encrypted file is sent to the server over the SMB protocol
How does RMS work?
• Author receives a client licensor certificate (CLC) the first time they rights-protect information
(Diagram components: SQL Server, Active Directory.)
(Photo of a sign reading “road is for cars only”.)
Technology comparison (BDE / EFS / RMS)
Encryption: BDE AES 128 (RSA32.LIB); EFS AES 128 (Crypt32.DLL); RMS AES 128 (Crypt32.DLL)
Protects what? BDE Windows and data; EFS directories and files; RMS documents (including use)
Protection: BDE local, removable media; EFS local, removable media, remote; RMS remote, removable media
Who is god? BDE local admin, net admin; EFS local admin, net admin; RMS document owner, RMS admin
Data recovery mechanism: BDE dongle, file, network, manual key entry; EFS local or AD based policy; RMS RMS server policy
Killer admin scenario: BDE just switch it on (also force recovery); EFS My Documents encrypted by default; RMS establish corporate information policy
What feature should I use?
Who are you protecting against?
− Other users or administrators on the machine?
− Unauthorized users with physical access?
Scenarios (which of BDE / EFS / RMS applies):
Laptops: BDE
Branch office server: BDE
Local single-user file & folder protection: EFS
Local multi-user file & folder protection: EFS
Remote file & folder protection: EFS
Untrusted network admin: EFS
Remote document policy enforcement: RMS
Some cases can result in overlap (e.g. multi-user roaming laptops with untrusted network admins).
Questions?
Download the HP Security Handbook!
Go to: http://www.hp.com/go/security
More information
“Windows Security Fundamentals”, Jan De Clercq and Guido Grillenmeier, ISBN 1555583407
Info collected by Vinayak Nandikal
Courtesy HP Technology
Thank You