|Hacking Exposed Windows
By Joel Scambray
Have a look inside the third edition of Hacking Exposed Windows : Microsoft Windows Security Secrets and Solutions...
Step 2 of 2:
by Joel Scambray, with this excerpt from chapter 12, "Windows security features and tools."
With the introduction of Windows Server and Windows Vista came an
As mentioned, BitLocker can be configured in a variety of ways. In this section we discuss each, along with its strengths, weaknesses and prerequisites. BitLocker can be configured to operate in the following modes:
Tip: Microsoft provides an excellent step-by-step procedure for configuring your system in each of these scenarios.
Depending on the desired configuration for BitLocker, your system must also satisfy other hardware and software prerequisites. To determine whether your Windows Vista computer meets these requirements, perform the following steps:
If your computer configuration meets all prerequisites, you will see the screen shown in Figure 12-1.
At a high level, these configuration options represent different combinations of the following:
Of these, the most secure configuration is a system that has a TPM and utilizes two-factor authentication, for this reason: The TPM provides BitLocker with the ability to validate each component of the boot process. This ensures the platform is in a known secure state before decrypting the volume.
With most authentication systems, barring implementation flaws, the degree of difficulty to authenticate as another principal increases with the number of "factors" -- each factor introduces an additional test that must be passed by the entity attempting to authenticate. Common authentication factors include the following:
Currently, BitLocker supports two of these: something you have (a USB or TPM) and something you know (a PIN). In the next section, we take a deeper look at the desired solution -- BitLocker equipped with a TPM and an additional form of authentication, such as a PIN or USB token.