How to Avoid a $1.5 Million Dollar Fine by Using Microsoft BitLocker

Created by Chris O’Connell

8/7/2013 How to Avoid a $1.5 Million Dollar Fine by Using Microsoft BitLocker – By Chris P. OConnell V5

1

BAWSUG NewsPlease fill out our polls on Meetup.org/WindowsBoston

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

2

What’s up with that title?

The Mass Eye and Ear Infirmary and Mass Eye and Ear Associates were fined $1.5 Million dollars for having an unencrypted laptop stolen.

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

3

Why Encrypt Your Disk?

Question: How much does a login password really protect your data?

Answer: Just enough to prevent a basic user from accessing your data.

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

4

Group Policy Complexity Requirements

3 out of 4 of the following:

• Capital Letter

• Lower Case Letter

• Number

• Special Character (!, $, &, etc)

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

5

Does this password meet complexity requirements?

Password1

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

6

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

7

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

8

What If…

You can’t crack my password?

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

9

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

10

What if…

I password protected my BIOS and disabled boot from removable media?

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

11

I use a Mac, I’m safe right?

Wrong!

Less than

5 minutes

with a

mac boot disk:

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

12

I use Linux, I’m safe right?

Wrong!

• Boot with any live CD and perform a chroot or browse the file system.

• Less than 5 minutes.

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

13

Why Encrypt Your Disk?

Login passwords don’t protect your data if:

• Someone boots up with a bootable CD or thumb drive

• Someone removes your disk and attaches it to a disk to USB adapter.

Both of these methods bypass login passwords.

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

14

BitLocker Protects You

Drive encryption helps secure your data when:

• A computer is lost or stolen.

• Prevent unauthorized access to someone who has physical possesion

• A computer is decommissioned but the drive is not wiped (then given or thrown away / recycled)

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

15

BitLocker Won’t Protect

It’s important to note that:

• doesn’t protect a running machine

• Screens should be locked, otherwise encryption is less effective.

• Doesn’t protect against network attack

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

16

BitLocker Won’t Protect

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

17

BitLocker Won’t Protect

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

18

Whole Disk Encryption

• Whole Disk Encryption (WDE)

– Encrypts the entire disk as opposed to individual files.

– Software based

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

19

New to BitLocker

• Full Disk Encryption (FDE), a feature of Encrypted Hard Drives (EHD)

– Encrypts the entire disk, Windows refers to this as Full Volume Encryption (FVE)

– Leverages hardware built into new hard drives

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

20

And finally… who cares? Why should I bother encrypting computers?

“My users are trained to only store files on network shares.”

• No matter how much you tell users to save stuff to their network drives…

• DropBox/SkyDrive

Sometimes users don’t mean to break the rules.

Why Encrypt Your Disk?

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

21

What is BitLocker

• Whole Disk Encryption (WDE)

• By default it uses the AES encryption algorithm in CBC mode with a 128 bit key, combined with the Elephant diffuser for additional disk encryption-specific security not provided by AES. Also, if configured, bitlockeris able to encrypt using a 256 bit key.

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

22

What is BitLocker

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

23

Possibly the most important feature:• Integrated with Windows login credentials

Microsoft BitLocker Requirements

BitLocker is available in the following versions of Windows:

• Windows Vista & Windows 7

– Enterprise & Ultimate

• Windows 8

– Professional & Enterprise

• Windows Server 2008 R2 & Server 2012

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

24

BitLocker Boot Requirements

Trusted Platform Module Chip (TPM) is recommended for a seamless user experience.• TPM is available on most business grade

machines

If your PC doesn’t have TPM a flash drive can be used.• Thumb drive must be plugged in when PC is

booted• Alternately, can use pre-boot pin

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

25

BitLocker Boot Requirements

2 partitions are required for BitLocker to be installed.

• First partition must be >100MB & be set as active

• Second is not decrypted until proper Windows Login credentials are presented.

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

26

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

27

TPM must be turned on

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

28

TPM must be turned on

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

29

Observations

BitLocker is fast, performance overhead is hardly noticeable to me (especially when SSD drives are used)

Data is recoverable from an encrypted drive, even if the drive is failing (so long as you have the key).

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

30

Observations

• BitLocker is seamless to the end user.

What happens when users have too many passwords to remember?

• That’s right, and where do they put those passwords that they write down?

• Right again! In the laptop bag… so if the password is in the laptop bag how secure is the computer?

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

31

Observations – Administrative Overhead

Administrative overhead is minimal. However:

• Keys need to be stored and organized.

• If BitLocker is deployed with Group Policy the keys can be stored in Active Directory.

• Remember to suspend BitLocker before a firmware/BIOS update.

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

32

Observations – Administrative overhead

Safemode requires the BitLocker key.

This raises an interesting question about who should be granted access to the keys.

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

33

Nuances

If you use Windows Backup to backup a BitLocker volume the backup is NOT encrypted.

• This means backups must be stored in a secure location.

Users who have admin rights to their machines can disable BitLocker or change the key

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

34

Let’s get started!

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

35

Let’s get started!

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

36

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

37

BitLocker Drive Encryption recovery key

To verify that this is the correct recovery key, compare the start of the following identifier with the identifier value displayed on your PC.

Identifier:

161DE714-2890-4DEA-B9F7-CAE7F6D57FE9

If the above identifier matches the one displayed by your PC, then use the following key to unlock your drive.

Recovery Key:

197505-013761-602173-268642-684321-690745-278113-024585

If the above identifier doesn't match the one displayed by your PC, then this isn't the right key to unlock your drive.Try another recovery key, or contact your administrator or IT Help Desk for assistance.

Generated Encryption Recovery Key File

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

38

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

39

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

40

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

41

So what happens if?!?

You try to boot off this drive in another machine?

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

42

So what happens if?!?

Plug this drive into a machine running Windows via USB converter to rescue data?

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

43

Q&A

Questions and answers before we move on to BitLocker To Go.

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

44

BitLocker To Go

• Encryption of removable media

• Does not use domain credentials, you pick a password

• Seamless with Windows 7 and Windows 8, full read/write

• Windows XP & Vista require BitLocker To Go Reader, read only access

• You can say “Never prompt for password on this PC”

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

45

BitLocker To Go

• Perhaps best of all, you can FORCE all removable media to be encrypted when it’s plugged in!

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

46

BitLocker To Go

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

47

BitLocker To Go

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

48

BitLocker To Go

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

49

Now you’re all Encrypted!

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

50

Let’s take a 15 minute break

When we return:

1. A quick BitLocker video

2. BitLocker Active Directory integration and tools

3. Q&A

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

51

Welcome Back - Let’s watch a movie!

Here’s a short, 5 minute video on BitLocker and BitLocker To Go:

http://technet.microsoft.com/en-us/windows/bitlocker-and-bitlocker-to-go.aspx

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

52

Requirements AD BitLocker Backup

Windows Server 2003 SP1 or higher

Windows Server 2003 R2

Windows Server 2008

Windows Server 2008 R2

I assume Server 2012.

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

53

Active Directory Integration

The following BitLocker info can be backed up in AD:• Recovery Passwords (can be numerous per

object)• TPM Owner information (only one per computer

object)

Why do we care about this?Because otherwise we have to manually organize and backup keys.

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

54

Active Directory Integration

• BitLocker AD Information is stored under Computer object.

• Each object can have multiple BitLocker recovery objects.

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

55

Active Directory Integration

• Previously encrypted machines/devices will not automatically back up keys and TPM owner information to AD.

• Configure AD first, before encrypting!

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

56

Some things to do with GPO

• Prevent BitLocker from encrypting unless the key is backed up in AD.

• Configure keys to save to network share.

• Configure a larger key size. Note: larger keysize = higher performance impact.

• You can set BitLocker To Go to be used in numerous organizations.

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

57

Some things to do with GPO

• Configure a Data Recovery Agent

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

58

Minimum GPO Settings

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption:• Save BitLocker Recovery Information in Active Directory Domain Services =

enabled– Require BitLocker to backup to AD DS = checked

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives:• Chose how BitLocker-protected Operating System Drives Can Be

Recovered = enabled– Do note enable BitLocker until recovery information is stored in AD DS for

operating system drives = checked (way at the bottom)

Computer Configuration\Policies\Administrative Templates\System\Trusted Platform Module Services• Turn on TPM backup to Active Directory Domain Services

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

59

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

60

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

61

BitLocker Password Recovery Viewer

To view on Windows Workstation:

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

62

BitLocker Password Recovery Viewer

To view on Windows Server 2012:

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

63

This is what it looks like

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

64

Scripting

Tools are available:

Manage-bde command line tool

BitLocker WMI

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

65

Resources

The $1.5 Million Dollar Fine

https://www.cdt.org/blogs/alice-leiter/2409stolen-laptop-unencrypted-medical-data-15-million-fine

BitLocker To Go:

http://www.microsoft.com/en-us/download/details.aspx?id=24303

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

66

Resources

Detailed Microsoft documentation on BitLocker:

http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx

BitLocker Recovery Password Viewer for Active Directory:

http://technet.microsoft.com/en-us/library/dd875531(v=ws.10).aspx

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

67

Resources

File needed to update AD Schema:

http://www.microsoft.com/en-us/download/confirmation.aspx?id=13432

Instructions on verifying AD Schema:

http://technet.microsoft.com/en-us/library/dd875533(v=ws.10).aspx

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

68

Resources

BitLocker Data Recovery Agent Video:

https://www.youtube.com/watch?v=TNx9HANvCP8&feature=youtube_gdata_player

Scripting BitLocker install:

http://technet.microsoft.com/en-us/library/dd894351(v=ws.10).aspx

8/7/2013How to Avoid a $1.5 Million Dollar Fine

Using Microsoft BitLocker – By Chris O’Connell V2

69