How to secure BitLocker configurations

Have a look inside the third edition of Hacking Exposed Windows : Microsoft Windows Security Secrets and Solutions by Joel Scambray, with this excerpt from chapter 12, "Windows security features and tools."

With the introduction of Windows Server and Windows Vista came an additional security feature, BitLocker Drive Encryption (BDE, or BitLocker), which protects the confidentiality and integrity of the operating system volume during the boot sequence and while the operating system is not loaded. Windows Server will also extend this capability to protect data volumes as well. BitLocker was designed to mitigate offline attacks, such as removing the physical drive from a lost or stolen laptop and accessing the data from an attacker controlled operating system. In the following section we discuss the various configuration options for BitLocker and their prerequisites.

BitLocker configurations

As mentioned, BitLocker can be configured in a variety of ways. In this section we discuss each, along with its strengths, weaknesses and prerequisites. BitLocker can be configured to operate in the following modes:

• BitLocker with a Trusted Platform Module (TPM).
• BitLocker with a TPM + startup PIN.
• BitLocker with a TPM + USB token.
• BitLocker without TPM.
• BitLocker without TPM + USB.
• BitLocker without TPM + startup PIN.

Tip: Microsoft provides an excellent step-by-step procedure for configuring your system in each of these scenarios.

Depending on the desired configuration ...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Microsoft Windows Vista operating system Windows 7 launches, offers salvation from Vista An intro to Windows 7's Deployment Image Servicing and Management tool Guide to converting from Windows XP to Windows 7 Choosing the best way to install images Has Microsoft corrected Vista annoyances in Windows 7? Microsoft's August patches run the gamut Your questions answered: The Windows 7 upgrade quandary Windows Vista users get little pricing relief on Windows 7 Combining folder redirection with roaming profiles IPv6 protocol, Windows Vista features simplify peer ad-hoc networking Patches, alerts and critical updates Microsoft releases six patches for November Structuring patch management in seven steps Underlying causes of inconsistent patch management Microsoft's Online Desktop Manager caters to small IT shops Microsoft's Patch Tuesday brings a bumper crop of security fixes Act fast with five critical September patches Microsoft's August patches run the gamut Patching third-party browsers adds more work in Windows shops Troubleshooting Microsoft WSUS connectivity issues Windows security tools for the busy desktop administrator Network intrusion detection and prevention and malware removal Improvements to offline file synchronization in Windows 7 Underlying causes of inconsistent patch management Windows security tools for the busy desktop administrator Check IT List: Five steps for rootkit detection Top Windows client security tools for end users Hacking Exposed Windows: Windows security features and tools Tools for virus removal and detection Windows security testing: Five tips for the summer Buffer overflows can be prevented by GS cookies Windows Resource Protection (WRP) protects critical system resources

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary desktop management  (SearchEnterpriseDesktop.com) Vista  (SearchEnterpriseDesktop.com) Vista glossary  (SearchEnterpriseDesktop.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

for BitLocker, your system must also satisfy other hardware and software prerequisites. To determine whether your Windows Vista computer meets these requirements, perform the following steps:

1. Click start.
2. Click control panel.
3. Click security.
4. Click BitLocker Drive Encryption.

If your computer configuration meets all prerequisites, you will see the screen shown in Figure 12-1.

At a high level, these configuration options represent different combinations of the following:

• systems with the TPM.
• systems without the TPM.
• systems using single-factor authentication.
• systems using two-factor authentication.

Of these, the most secure configuration is a system that has a TPM and utilizes two-factor authentication, for this reason: The TPM provides BitLocker with the ability to validate each component of the boot process. This ensures the platform is in a known secure state before decrypting the volume.

With most authentication systems, barring implementation flaws, the degree of difficulty to authenticate as another principal increases with the number of "factors" -- each factor introduces an additional test that must be passed by the entity attempting to authenticate. Common authentication factors include the following:

• something you have.
• something you know.
• something you are.

[IMAGE]
Figure 12-1: system that satisfies BitLocker prerequisites

Currently, BitLocker supports two of these: something you have (a USB or TPM) and something you know (a PIN). In the next section, we take a deeper look at the desired solution -- BitLocker equipped with a TPM and an additional form of authentication, such as a PIN or USB token.