How to Avoid a $1.5 Million Dollar Fine by Using Microsoft BitLocker
Created by Chris O’Connell
8/7/2013 How to Avoid a $1.5 Million Dollar Fine by Using Microsoft BitLocker – By Chris P. OConnell V5
What’s up with that title?
The Mass Eye and Ear Infirmary and Mass Eye and Ear Associates were fined $1.5 Million dollars for having an unencrypted laptop stolen.
Why Encrypt Your Disk?
Question: How much does a login password really protect your data?
Answer: Just enough to prevent a basic user from accessing your data.
Group Policy Complexity Requirements
3 out of 4 of the following:
• Capital Letter
• Lower Case Letter
• Number
• Special Character (!, $, &, etc.)
Does this password meet complexity requirements?
Password1
What If…
You can’t crack my password?
What if…
I password protected my BIOS and disabled boot from removable media?
I use a Mac, I’m safe, right?
Wrong!
Less than 5 minutes with a Mac boot disk:
I use Linux, I’m safe, right?
Wrong!
• Boot with any live CD and perform a chroot or browse the file system.
• Less than 5 minutes.
Why Encrypt Your Disk?
Login passwords don’t protect your data if:
• Someone boots up with a bootable CD or thumb drive
• Someone removes your disk and attaches it to a disk-to-USB adapter.
Both of these methods bypass login passwords.
BitLocker Protects You
Drive encryption helps secure your data when:
• A computer is lost or stolen.
• Someone has physical possession of the machine but is not authorized to read its data.
• A computer is decommissioned but the drive is not wiped before it is given away, thrown away or recycled.
BitLocker Won’t Protect
It’s important to note that:
• Doesn’t protect a running machine.
• Screens should be locked; otherwise encryption is less effective.
• Doesn’t protect against network attack.
Whole Disk Encryption
• Whole Disk Encryption (WDE)
– Encrypts the entire disk as opposed to individual files.
– Software based
New to BitLocker
• Full Disk Encryption (FDE), a feature of Encrypted Hard Drives (EHD)
– Encrypts the entire disk; Windows refers to this as Full Volume Encryption (FVE)
– Leverages hardware built into new hard drives
Why Encrypt Your Disk?
And finally… who cares? Why should I bother encrypting computers?
“My users are trained to only store files on network shares.”
• No matter how much you tell users to save stuff to their network drives…
• DropBox/SkyDrive
Sometimes users don’t mean to break the rules.
What is BitLocker?
• Whole Disk Encryption (WDE)
• By default it uses the AES encryption algorithm in CBC mode with a 128-bit key, combined with the Elephant diffuser for additional disk-encryption-specific security not provided by AES alone. If configured, BitLocker can also encrypt using a 256-bit key.
What is BitLocker
Possibly the most important feature:
• Integrated with Windows login credentials
Microsoft BitLocker Requirements
BitLocker is available in the following versions of Windows:
• Windows Vista & Windows 7
– Enterprise & Ultimate
• Windows 8
– Professional & Enterprise
• Windows Server 2008 R2 & Server 2012
BitLocker Boot Requirements
A Trusted Platform Module (TPM) chip is recommended for a seamless user experience.
• TPM is available on most business-grade machines
If your PC doesn’t have a TPM, a flash drive can be used.
• Thumb drive must be plugged in when the PC is booted
• Alternatively, a pre-boot PIN can be used
BitLocker Boot Requirements
2 partitions are required for BitLocker to be installed.
• First partition must be >100MB & be set as active
• Second is not decrypted until proper Windows Login credentials are presented.
TPM must be turned on
Observations
BitLocker is fast; the performance overhead is hardly noticeable to me (especially when SSD drives are used).
Data is recoverable from an encrypted drive, even if the drive is failing (so long as you have the key).
Observations
• BitLocker is seamless to the end user.
What happens when users have too many passwords to remember?
• That’s right, and where do they put those passwords that they write down?
• Right again! In the laptop bag… so if the password is in the laptop bag how secure is the computer?
Observations – Administrative Overhead
Administrative overhead is minimal. However:
• Keys need to be stored and organized.
• If BitLocker is deployed with Group Policy the keys can be stored in Active Directory.
• Remember to suspend BitLocker before a firmware/BIOS update.
Observations – Administrative overhead
Safe Mode requires the BitLocker key.
This raises an interesting question about who should be granted access to the keys.
Nuances
If you use Windows Backup to back up a BitLocker volume, the backup is NOT encrypted.
• This means backups must be stored in a secure location.
Users who have admin rights to their machines can disable BitLocker or change the key.
Let’s get started!
Generated Encryption Recovery Key File
BitLocker Drive Encryption recovery key
To verify that this is the correct recovery key, compare the start of the following identifier with the identifier value displayed on your PC.
Identifier:
161DE714-2890-4DEA-B9F7-CAE7F6D57FE9
If the above identifier matches the one displayed by your PC, then use the following key to unlock your drive.
Recovery Key:
197505-013761-602173-268642-684321-690745-278113-024585
If the above identifier doesn't match the one displayed by your PC, then this isn't the right key to unlock your drive. Try another recovery key, or contact your administrator or IT Help Desk for assistance.
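The identifier comparison the file above asks the user to do by eye, as an added PowerShell example that is not from the deck: it parses a recovery key file, checks that the file's identifier starts with the value the PC shows on its recovery screen, and verifies that the 48-digit key is structurally valid (each 6-digit group is a 16-bit value times 11, so it must divide by 11 and be below 720896). The file text is the one printed in the deck; the displayed identifier prefix `161DE714` is assumed.

```powershell
# Added example (not from the deck): validate a BitLocker recovery key file
# against the identifier displayed on the recovery screen.
$sampleFile = @'
BitLocker Drive Encryption recovery key
To verify that this is the correct recovery key, compare the start of the following identifier with the identifier value displayed on your PC.
Identifier:
161DE714-2890-4DEA-B9F7-CAE7F6D57FE9
If the above identifier matches the one displayed by your PC, then use the following key to unlock your drive.
Recovery Key:
197505-013761-602173-268642-684321-690745-278113-024585
'@

function Test-BitLockerRecoveryKeyFile {
    param([string]$FileText, [string]$DisplayedIdentifier)
    # A GUID-shaped identifier and eight 6-digit groups are the two things the file must carry.
    $idMatch  = [regex]::Match($FileText, 'Identifier:\s*([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})')
    $keyMatch = [regex]::Match($FileText, 'Recovery Key:\s*((?:\d{6}-){7}\d{6})')
    if (-not ($idMatch.Success -and $keyMatch.Success)) {
        return 'Not a recovery key file: identifier or 48-digit key missing'
    }
    $fileId = $idMatch.Groups[1].Value
    # The PC shows only the start of the identifier, so compare prefixes, case-insensitively.
    if (-not $fileId.StartsWith($DisplayedIdentifier, [StringComparison]::OrdinalIgnoreCase)) {
        return "Wrong file for this PC: identifier $fileId does not start with $DisplayedIdentifier"
    }
    # Well-formedness check that catches most transcription typos: every group is a
    # 16-bit value multiplied by 11, so it divides by 11 and is below 65536 * 11 = 720896.
    foreach ($group in $keyMatch.Groups[1].Value -split '-') {
        $n = [int]$group
        if (($n % 11) -ne 0 -or $n -ge 720896) { return "Recovery key group $group is not valid" }
    }
    return 'OK: identifier matches this PC and the recovery key is well-formed'
}

# Assumed: the recovery screen on the PC showed an identifier beginning 161DE714.
Test-BitLockerRecoveryKeyFile -FileText $sampleFile -DisplayedIdentifier '161DE714'
```

For the deck's own key every group passes the divisibility check, so the function returns the OK message; a key with one mistyped digit fails on that group.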
So what happens if?!?
You try to boot off this drive in another machine?
So what happens if?!?
Plug this drive into a machine running Windows via USB converter to rescue data?
Q&A
Questions and answers before we move on to BitLocker To Go.
BitLocker To Go
• Encryption of removable media
• Does not use domain credentials; you pick a password
• Seamless with Windows 7 and Windows 8, full read/write
• Windows XP & Vista require the BitLocker To Go Reader, read-only access
• You can say “Never prompt for password on this PC”
BitLocker To Go
• Perhaps best of all, you can FORCE all removable media to be encrypted when it’s plugged in!
Now you’re all Encrypted!
Let’s take a 15 minute break
When we return:
1. A quick BitLocker video
2. BitLocker Active Directory integration and tools
3. Q&A
Welcome Back - Let’s watch a movie!
Here’s a short, 5 minute video on BitLocker and BitLocker To Go:
http://technet.microsoft.com/en-us/windows/bitlocker-and-bitlocker-to-go.aspx
Requirements: AD BitLocker Backup
• Windows Server 2003 SP1 or higher
• Windows Server 2003 R2
• Windows Server 2008
• Windows Server 2008 R2
I assume Server 2012.
Active Directory Integration
The following BitLocker info can be backed up in AD:
• Recovery Passwords (can be numerous per object)
• TPM Owner information (only one per computer object)
Why do we care about this? Because otherwise we have to manually organize and back up keys.
Active Directory Integration
• BitLocker AD Information is stored under Computer object.
• Each object can have multiple BitLocker recovery objects.
Active Directory Integration
• Previously encrypted machines/devices will not automatically back up keys and TPM owner information to AD.
• Configure AD first, before encrypting!
Some things to do with GPO
• Prevent BitLocker from encrypting unless the key is backed up in AD.
• Configure keys to save to network share.
• Configure a larger key size. Note: a larger key size means a higher performance impact.
• You can set BitLocker To Go to be used in numerous organizations.
Some things to do with GPO
• Configure a Data Recovery Agent
Minimum GPO Settings
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption:
• Save BitLocker Recovery Information in Active Directory Domain Services = enabled
– Require BitLocker to backup to AD DS = checked
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives:
• Choose how BitLocker-protected Operating System Drives Can Be Recovered = enabled
– Do not enable BitLocker until recovery information is stored in AD DS for operating system drives = checked (way at the bottom)
Computer Configuration\Policies\Administrative Templates\System\Trusted Platform Module Services:
• Turn on TPM backup to Active Directory Domain Services
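A way to confirm these minimum policies actually reached a client before encrypting it, as an added PowerShell example that is not from the deck: Group Policy writes each of these settings to a value under HKLM\SOFTWARE\Policies, and the script reads them back. The registry value names are the ones I understand the BitLocker and TPM ADMX templates use for these three policies; treat that mapping as an assumption and confirm it against the ADMX files on your domain controller.

```powershell
# Added example (not from the deck): read back the deck's minimum GPO settings
# from the policy registry hive on a client. Value names are assumed from the
# BitLocker (FVE) and TPM ADMX templates; verify them against your ADMX files.
$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Tpm = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

$checks = @(
    @{ Policy = 'Save BitLocker recovery information in AD DS';          Key = $Fve; Name = 'ActiveDirectoryBackup';          Want = 1 }
    @{ Policy = '  Require BitLocker to back up to AD DS';                Key = $Fve; Name = 'RequireActiveDirectoryBackup';   Want = 1 }
    @{ Policy = 'Choose how OS drives can be recovered';                  Key = $Fve; Name = 'OSRecovery';                     Want = 1 }
    @{ Policy = '  Save OS drive recovery information to AD DS';          Key = $Fve; Name = 'OSActiveDirectoryBackup';        Want = 1 }
    @{ Policy = '  Do not enable BitLocker until stored in AD DS';        Key = $Fve; Name = 'OSRequireActiveDirectoryBackup'; Want = 1 }
    @{ Policy = 'Turn on TPM backup to AD DS';                            Key = $Tpm; Name = 'ActiveDirectoryBackup';          Want = 1 }
)

function Test-BitLockerMinimumPolicy {
    foreach ($c in $checks) {
        # A missing key or value simply yields $null, which is reported as not OK.
        $item   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Policy = $c.Policy
            Value  = $actual
            Ok     = ($actual -eq $c.Want)
        }
    }
}

# Any row with Ok = False means the policy has not applied to this machine yet.
# Run gpupdate /force and re-check before turning BitLocker on, otherwise the
# recovery password may never reach Active Directory.
Test-BitLockerMinimumPolicy | Format-Table -AutoSize
```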
BitLocker Password Recovery Viewer
To view on Windows Workstation:
BitLocker Password Recovery Viewer
To view on Windows Server 2012:
This is what it looks like
Scripting
Tools are available:
manage-bde command line tool
BitLocker WMI
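Both scripting hooks in use, as an added PowerShell example that is not from the deck: it queries the BitLocker WMI provider (the Win32_EncryptableVolume class) for every volume's protection state, finds its recovery-password protectors and pushes each one to Active Directory. That is the fix for the earlier point that machines encrypted before the AD backup policy existed never back up their keys on their own; the manage-bde equivalents are noted in the comments. It assumes an elevated session on a domain-joined client where the AD backup policy applies.

```powershell
# Added example (not from the deck): report BitLocker state per volume and push
# every recovery password into AD via the BitLocker WMI provider. Run elevated
# on a domain-joined machine with the AD backup policy applied.
$Namespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$RecoveryPasswordType = 3   # Win32_EncryptableVolume key protector type 3 = numerical (48-digit) password

function Get-BitLockerAdBackupReport {
    $volumes = Get-WmiObject -Namespace $Namespace -Class Win32_EncryptableVolume
    foreach ($vol in $volumes) {
        # ProtectionStatus: 0 = protection off, 1 = on, 2 = unknown
        $status = $vol.GetProtectionStatus().ProtectionStatus
        # Only recovery-password protectors are stored in AD. manage-bde equivalent:
        #   manage-bde -protectors -get C: -type RecoveryPassword
        $ids = @($vol.GetKeyProtectors($RecoveryPasswordType).VolumeKeyProtectorID | Where-Object { $_ })
        if ($ids.Count -eq 0) {
            # A TPM-only or unencrypted volume has nothing AD could hold; flag it.
            [pscustomobject]@{ Drive = $vol.DriveLetter; ProtectionOn = ($status -eq 1)
                               ProtectorID = $null;      AdBackup = 'NO RECOVERY PASSWORD' }
            continue
        }
        foreach ($id in $ids) {
            # Writes this protector's recovery password to the computer object in AD.
            # ReturnValue 0 = stored; any other value is the raw error code (not domain
            # joined, no write access to the computer object, schema not extended, ...).
            # manage-bde equivalent: manage-bde -protectors -adbackup C: -id <protector id>
            $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
            $result = if ($rc -eq 0) { 'Stored' } else { 'Failed (0x{0:X8})' -f $rc }
            [pscustomobject]@{ Drive = $vol.DriveLetter; ProtectionOn = ($status -eq 1)
                               ProtectorID = $id;        AdBackup = $result }
        }
    }
}

Get-BitLockerAdBackupReport | Format-Table -AutoSize
```

Rows showing NO RECOVERY PASSWORD are volumes where only a TPM (or no) protector exists; add a recovery password with manage-bde -protectors -add C: -RecoveryPassword before relying on AD for recovery.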
Resources
The $1.5 Million Dollar Fine
https://www.cdt.org/blogs/alice-leiter/2409stolen-laptop-unencrypted-medical-data-15-million-fine
BitLocker To Go:
http://www.microsoft.com/en-us/download/details.aspx?id=24303
Resources
Detailed Microsoft documentation on BitLocker:
http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx
BitLocker Recovery Password Viewer for Active Directory:
http://technet.microsoft.com/en-us/library/dd875531(v=ws.10).aspx
Resources
File needed to update AD Schema:
http://www.microsoft.com/en-us/download/confirmation.aspx?id=13432
Instructions on verifying AD Schema:
http://technet.microsoft.com/en-us/library/dd875533(v=ws.10).aspx
Resources
BitLocker Data Recovery Agent Video:
https://www.youtube.com/watch?v=TNx9HANvCP8&feature=youtube_gdata_player
Scripting BitLocker install:
http://technet.microsoft.com/en-us/library/dd894351(v=ws.10).aspx