Service provider takeaway: This section of the chapter excerpt titled "Microsoft Windows Server 2008: Data Protection" is taken from the book Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization.
Everyone has heard the news reports about laptops being stolen, temporarily misplaced, or lost. The data stored on the hard drive can be retrieved by means other than the installed operating system: a bootable CD or USB key bypasses that operating system and reads the physical media directly, so no account password is needed. Once the operating system has been bypassed, every file on the drive can be viewed, edited, or copied. The best safeguard against this is encryption.
BitLocker is Microsoft's answer to this problem. It encrypts the data stored on the operating system volume and, when used with a TPM, ties the ability to decrypt it to the machine's own boot environment. BitLocker is available in the Enterprise and Ultimate editions of Windows Vista and as an optional feature of Windows Server 2008. This security feature goes a long way toward helping users and organizations protect their data.
You can set up BitLocker in the following configurations:
- TPM only: Only the hardware microchip is used to protect the data stored on the drive. The Trusted Platform Module (TPM) protects the encryption key and releases it only if the early boot components have not been changed since BitLocker was enabled. Because nothing is required of the user at startup, this is the most convenient but also the weakest of the three configurations.
- TPM and USB flash drive: The TPM still verifies the boot components, but in addition a startup key stored on a USB flash drive is needed to unlock the volume. The USB flash drive is required each time the computer starts.
- TPM and PIN: Also a two-factor approach. After the TPM has verified the boot components, you must enter the correct PIN for the start process to continue.
The default configuration for BitLocker is to use a TPM. The TPM is a hardware microchip embedded on the motherboard that protects the encryption keys, so the hard drive stays protected even if it is removed from the computer and installed in another one: the other computer's TPM cannot release the key. You can also use BitLocker on systems that have no TPM on the motherboard by changing BitLocker's default configuration through Group Policy or a script. Without a TPM, the startup key must be stored on a USB flash drive, and the flash drive must be inserted for the system to boot; in this configuration nothing verifies the integrity of the boot components.
The hardware and software requirements for BitLocker are:
- A computer that is capable of running Windows Server 2008
- A Trusted Platform Module version 1.2, enabled in the BIOS
- A Trusted Computing Group (TCG)-compliant BIOS
- Two NTFS disk partitions: one for the system volume, which holds the boot files and remains unencrypted, and one for the operating system volume, which BitLocker encrypts
Trusted Platform Modules
Developed by the Trusted Computing Group (TCG), an industry initiative whose members include AMD, Hewlett-Packard, IBM, Infineon, Intel, Microsoft, and others, a TPM is a semiconductor built into the computer's motherboard. It can generate cryptographic keys, restrict how and where those keys may be used, and generate random numbers.
Each TPM has a unique RSA key pair, the endorsement key, burnt into it at manufacture that cannot be altered and that identifies the chip. Keys protected by the TPM can be used to encrypt data so that only that TPM can decrypt it (a process known as binding). A TPM also provides facilities for secure I/O, memory curtaining, remote attestation, and sealed storage. You protect the TPM's management functions by assigning a TPM owner password.
With secure input and output (also known as a trusted path), a protected path can be established between the user and the software that is running. The protected path prevents other software on the machine, including software run by the user, from capturing or intercepting data exchanged with the software process, for example the audio stream of a media file being played. The trusted path is implemented in both hardware (TPM) and software, and uses cryptographic hashes for verification.
Memory curtaining provides extended memory protection. With memory curtaining, even the operating system does not have full access to the protected memory area.
Remote attestation produces a hashed summary of the hardware and software configuration of a system, signed by the TPM, that a remote party can verify. This allows changes to the computer to be detected by someone who does not control it.
Sealed storage protects private information in such a way that it can be read only on a system with the same configuration. In the media player example that follows, sealed storage prevents the user from opening the file on a "foreign" media player or computer system. In conjunction with the other facilities, it even prevents the user from making a copy (memory curtaining) or capturing the data stream that is sent to the sound system (secure I/O).
A Practical Example:
You download a music file from an online store. Digital rights management protects the file. All security methods are enforced: the file plays only in media players provided by the publisher (remote attestation). The file can be played only on your system (sealed storage), and it can neither be copied (memory curtaining) nor digitally recorded by the user during playback (secure I/O).
The major features of BitLocker are full-volume encryption, checking the integrity of the startup process, recovery mechanisms, remote administration, and a process for securely decommissioning systems.
Full Volume Encryption
Windows BitLocker provides data encryption for volumes on your local hard drive. Unlike Encrypting File System (EFS), which encrypts individual files and folders, BitLocker encrypts all data on a volume: the operating system, applications and their data, as well as the page and hibernation files. In Windows Server 2008 (and Windows Vista SP1), BitLocker can also encrypt additional data volumes, whereas the original Windows Vista release encrypts only the operating system volume. BitLocker operation is transparent to the user and should have a minimal performance impact on well-designed systems. Keys protected by the TPM are one of the major components in this scenario.
Startup Process Integrity Verification
Because the Windows startup components must be unencrypted for the computer to start, an attacker could gain access to these components and change their code. Code that runs before Windows does can then capture sensitive data such as BitLocker keys or user passwords as they are entered.
To prevent such attacks, BitLocker integrity checking ensures that the startup components (BIOS, Master Boot Record (MBR), boot sector, and boot manager code) have not been changed since BitLocker was enabled.
Each startup component is measured when the computer starts: its code is hashed and the hash is recorded in the TPM's platform configuration registers (PCRs). A register can only be extended with a further hash, never set to a chosen value, and it is cleared only when the system restarts. The TPM also computes a combined (composite) value over the selected registers.
These values are also used to protect data. The TPM creates a key and seals it to these values: the key is encrypted inside the TPM, with a storage key that never leaves the chip, and can be decrypted only by the same TPM. During startup, the TPM compares the values produced by the current startup components with the values recorded when the key was sealed, and releases the key only if they match. A modified BIOS, MBR or boot manager therefore produces different values, and the volume stays locked until a recovery method is used.
Recovery Mechanisms
BitLocker includes a comprehensive set of recovery options to make sure data is not only protected, but also available. When BitLocker is enabled, the user is given a 48-digit numerical recovery password. This password must be printed out, saved to a file on a local or network drive, or saved to a USB drive.
In an enterprise environment, however, you would not want to rely on each user to store and protect BitLocker keys. Therefore, you can configure BitLocker to store recovery information in Active Directory. We will cover key recovery using Active Directory later in this chapter.
Remote Administration
Especially in environments with branch offices, a remote management interface for BitLocker is desirable. A WMI-based script provided by Microsoft, manage-bde.wsf, allows for BitLocker remote administration and management. You will find the script in the \Windows\System32 folder after you install the BitLocker feature.
To manage a BitLocker protected system via script:
1. Log on as an administrator; the script needs administrative rights.
2. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
3. At the command prompt, type cd /d C:\Windows\System32.
4. For example, to view the current status of BitLocker volumes, type cscript manage-bde.wsf -status. To query a remote server instead of the local one, add -computername <name>. The status output lists, per volume, the conversion status (fully encrypted, encrypting, or decrypted), the protection status, and the key protectors in place.
Secure Decommissioning
If you decommission or reassign (perhaps donate) equipment, it might be necessary to delete all confidential data so that it cannot be recovered by unauthorized people. Many processes and tools exist to remove confidential data from disk drives. Most of them are very time consuming, costly, or even destroy the hardware.
BitLocker volume encryption makes sure that data on a disk is never stored in a format that can be useful to an attacker, a thief, or even the new owner of the hardware. By destroying all copies of the encryption key it is possible to render the disk permanently inaccessible. The disk itself can then be reused.
There are two scenarios for deleting the encryption key:
- Deleting all key copies from volume metadata, while keeping an archive of it in a secure location such as a USB flash drive or Active Directory. This approach allows you to temporarily decommission hardware. It also enables you to safely transfer or ship a system without the risk of data exposure.
- Deleting all key copies from volume metadata without keeping any archive. Thus, no decryption key exists and the disk can no longer be decrypted.
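The following toy model, added here as an illustration and not taken from the book or from Microsoft's BitLocker code, shows in working Python the three mechanisms described above: startup components measured into extend-only PCRs and a key sealed to them that the TPM releases only on the same chip with the same values (Startup Process Integrity Verification), a recovery password as a second protector for the same volume master key (Recovery Mechanisms), and the two key-deletion scenarios of Secure Decommissioning. Everything about it is an assumption standing in for the real thing: an HMAC-SHA256 keystream replaces AES, a random per-chip secret replaces the storage root key, PBKDF2 replaces BitLocker's derivation from the 48-digit recovery password, the PCR indices and boot component strings are constructed sample data, and the volume metadata is a plain dictionary of protectors. The VMK (volume master key) wraps the FVEK (full-volume encryption key), and each protector holds one wrapped copy of the VMK.

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream: a dependency-free stand-in for AES."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(key: bytes, secret: bytes) -> dict:
    return {"blob": _xor_stream(key, secret), "tag": hmac.new(key, secret, hashlib.sha256).digest()}

def unwrap(key: bytes, wrapped: dict) -> bytes:
    """Inverse of wrap(); a wrong key fails loudly instead of yielding garbage."""
    secret = _xor_stream(key, wrapped["blob"])
    if not hmac.compare_digest(hmac.new(key, secret, hashlib.sha256).digest(), wrapped["tag"]):
        raise PermissionError("wrong unwrapping key")
    return secret

class ToyTPM:
    def __init__(self):
        self._root = os.urandom(32)  # stand-in for the storage root key: per chip, never leaves it
        self.reboot()
    def reboot(self) -> "ToyTPM":
        self.pcrs = [bytes(20)] * 24  # power-on state: 24 SHA-1 PCRs, all zero
        return self
    def extend(self, index: int, component_code: bytes) -> None:
        """PCR[i] <- SHA1(PCR[i] || SHA1(code)); nothing can overwrite a PCR before the next reboot."""
        digest = hashlib.sha1(component_code).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()
    def _seal_key(self, indices) -> bytes:
        composite = hashlib.sha1(b"".join(self.pcrs[i] for i in indices)).digest()
        return hmac.new(self._root, composite, hashlib.sha256).digest()
    def seal(self, secret: bytes, indices) -> dict:
        return {"pcrs": tuple(indices), **wrap(self._seal_key(indices), secret)}
    def unseal(self, sealed: dict) -> bytes:
        return unwrap(self._seal_key(sealed["pcrs"]), sealed)  # same chip and same PCR values only

def boot(tpm: ToyTPM, components: dict) -> ToyTPM:
    """Startup: each component is measured into its PCR before the next one runs."""
    for index, code in components.items():
        tpm.extend(index, code)
    return tpm

GOOD_BOOT = {0: b"BIOS 1.02", 4: b"MBR bootstrap", 8: b"NTFS boot sector", 10: b"bootmgr"}  # constructed
EVIL_BOOT = {**GOOD_BOOT, 4: b"MBR bootstrap + keylogger"}  # attacker patched the MBR
PCRS = tuple(GOOD_BOOT)  # indices are illustrative, not BitLocker's exact PCR profile

def recovery_key(password: str) -> bytes:
    """PBKDF2 stands in for BitLocker's own derivation from the 48-digit recovery password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"toy-salt", 50_000, 32)

class ToyVolume:
    def __init__(self, plaintext: bytes, tpm: ToyTPM, recovery_password: str):
        fvek, vmk = os.urandom(32), os.urandom(32)
        self.ciphertext = _xor_stream(fvek, plaintext)
        self.fvek_blob = wrap(vmk, fvek)
        self.protectors = {"tpm": tpm.seal(vmk, PCRS),
                           "recovery": wrap(recovery_key(recovery_password), vmk)}
    def _decrypt(self, vmk: bytes) -> bytes:
        return _xor_stream(unwrap(vmk, self.fvek_blob), self.ciphertext)
    def unlock_with_tpm(self, tpm: ToyTPM) -> bytes:
        return self._decrypt(tpm.unseal(self.protectors["tpm"]))
    def unlock_with_recovery(self, password: str) -> bytes:
        return self._decrypt(unwrap(recovery_key(password), self.protectors["recovery"]))
    def delete_protectors(self, archive=None) -> None:
        """Decommissioning: drop every VMK copy. An archive (e.g. recovery info escrowed in
        AD) allows restoring the volume later; with archive=None the data is gone for good."""
        if archive is not None:
            archive["recovery"] = self.protectors["recovery"]
        self.protectors.clear()

def _attempt(unlock) -> str:
    try:
        unlock()
        return "unlocked"
    except (PermissionError, KeyError) as exc:  # PCR mismatch / other chip, or protector deleted
        return type(exc).__name__

def run_scenarios() -> dict:
    secret, password = b"Q3 payroll export (constructed sample)", "111111-222222-333333"
    tpm = boot(ToyTPM(), GOOD_BOOT)
    vol = ToyVolume(secret, tpm, password)
    out = {"normal_boot": vol.unlock_with_tpm(tpm) == secret}
    boot(tpm.reboot(), EVIL_BOOT)  # same chip, modified boot code: PCR 4 differs
    out["tampered_boot"] = _attempt(lambda: vol.unlock_with_tpm(tpm))
    out["other_computer"] = _attempt(lambda: vol.unlock_with_tpm(boot(ToyTPM(), GOOD_BOOT)))
    out["recovery_password"] = vol.unlock_with_recovery(password) == secret
    archive = {}
    vol.delete_protectors(archive)  # scenario 1: ship the system, keep an AD copy
    out["after_delete"] = _attempt(lambda: vol.unlock_with_recovery(password))
    vol.protectors["recovery"] = archive["recovery"]  # restore at the destination
    out["restored"] = vol.unlock_with_recovery(password) == secret
    vol.delete_protectors()  # scenario 2: no archive, permanent decommissioning
    out["decommissioned"] = _attempt(lambda: vol.unlock_with_recovery(password))
    return out
```

Running run_scenarios() walks through the whole story: a normal boot unlocks the volume, a boot with a patched MBR or the same disk in a different machine is refused because the sealed VMK cannot be unwrapped, the recovery password still works as the fallback, deleting the protectors with an archive lets the volume be restored, and deleting them without one leaves only ciphertext. The one property worth noticing in the TPM model is extend(): because a register can only be extended, an attacker who modifies an early component cannot later "fix" the register value to what BitLocker expects.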
About the book
"Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization" will teach you how to configure Windows Server 2008 to secure your network, how to use Windows Server 2008 hand-in-hand with Active Directory and Vista, and how to understand Server Core. This book also focuses on public key infrastructure management, virtualization, terminal services, Active Directory Domain security changes and certificate management.
Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "Securing Windows Server 2008" by Aaron Tiensivu. For more information about this title and other similar books, please visit Elsevier.
This was first published in August 2008