Enterprise And Server Use Of BitLocker™ Drive Encryption Stephen Heil Technical Evangelist Windows Core OS Microsoft Corporation Xian Ke Program Manager.

Presentation transcript:

Enterprise And Server Use Of BitLocker™ Drive Encryption
Stephen Heil, Technical Evangelist, Windows Core OS, Microsoft Corporation
Xian Ke, Program Manager, Windows System Integrity, Microsoft Corporation

Agenda
- Remote and branch office server scenarios
- BitLocker™ Drive Encryption overview
- Protection and recovery scenarios
- Demo
- Management scenarios
- Management features
- Enterprise concerns
- BitLocker™ requirements for Windows Server codenamed “Longhorn”
- Summary

Information Loss Is Costly
Information loss, whether via theft or accidental leakage, is costly on several levels.
Financial
- The U.S. Dept. of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004
- Loss of revenue, market capitalization, and competitive advantage
Image & Credibility
- Leaked executive e-mails can be embarrassing
- Unintended forwarding of sensitive information can adversely impact the company’s image and/or credibility
Legal & Regulatory Compliance
- Increasing regulation: SOX, HIPAA, GLBA
- Bringing a company into compliance can be complex and expensive
- Non-compliance can lead to significant legal fees, fines and/or settlements

Branch Office Challenges
- Theft of server and/or its hard drives
- Re-provision or decommission of server or its hard drives
- Data theft via disk cloning by maintenance and outsourcing technicians
- Secure deployment of a fully configured machine shipped to a remote location
Data-at-rest on Branch Office Servers needs protection!

Branch Office Server Class Systems
- More than 25% of Windows Servers are installed in branch offices and remote locations where physical security may be lax
- Typical verticals: Retail, Finance, Insurance
- Typical hardware: 1P and 2P pedestal systems, RAID

BitLocker™ And TPM Features
BitLocker™ Drive Encryption
- Encrypts entire volume
- Uses Trusted Platform Module (TPM) v1.2 to validate pre-OS components
- Customizable protection and authentication methods
Pre-OS Protection
- USB startup key, PIN, and TPM-backed authentication
Single Microsoft TPM Driver
- Improved stability and security
TPM Base Services (TBS)
- Enables third party applications
Active Directory Backup
- Automated key backup to AD server
- Group Policy support
Scriptable Interfaces
- TPM management
- BitLocker™ management
- Command-line tool

1-Factor TPM-Only Protection Scenario
- Transparently validates early boot components on OS startup
- Best ease of use
- Protects against SW-only attacks
- Vulnerable to some HW attacks

2-Factor TPM+PIN Protection Scenario
- Must enter 4-20 digit PIN on OS startup
- Validates PIN and early boot components
- Protects against software-only and many hardware attacks
- Vulnerable to TPM breaking attacks

2-Factor TPM+Startup Key Protection Scenario
- Looks for USB flash drive with Startup Key
- Validates saved key and early boot components
- Protects against many HW attacks
- Protects against TPM attacks

Startup Key Protection Scenario
- Looks for USB with Startup Key
- Validates saved key
- Protects against many HW attacks
- Vulnerable to lost token and pre-OS attacks

Recovery Key Scenario
- Looks for USB with Recovery Key
- Validates saved key
- Unlocks volume to enable decryption

Recovery Password Scenario
- Prompts user to enter Recovery Password
- Validates Password
- Unlocks volume to enable decryption
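The "Validates Password" step above starts with a format check: the 48-digit recovery password is eight groups of six digits, each group is divisible by 11 (its last digit is a check digit), and each group divided by 11 fits in 16 bits, so every group is below 720896. The PowerShell function below is an added example, not part of the presentation, that performs that check so a help desk can catch a mistyped group before a recovery attempt; the three sample passwords are constructed for the demonstration and do not belong to any real volume.

```powershell
# Added example (not from the original presentation): checks that a transcribed
# 48-digit BitLocker recovery password is well-formed before a recovery attempt.
# Format facts used: 8 groups of 6 digits; each group is divisible by 11 and its
# value divided by 11 fits in 16 bits (so the group is below 720896). The last
# digit of each group acts as a check digit, so a single mistyped digit is caught.
function Test-BitLockerRecoveryPasswordFormat {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$RecoveryPassword
    )

    # Accept the password with or without the group separators shown on screen.
    $digits = $RecoveryPassword -replace '[-\s]', ''
    if ($digits -notmatch '^\d{48}$') {
        return [pscustomobject]@{ IsValid = $false; Reason = 'Expected exactly 48 digits' }
    }

    for ($i = 0; $i -lt 8; $i++) {
        $group = $digits.Substring($i * 6, 6)
        $value = [int]$group
        if ($value % 11 -ne 0) {
            return [pscustomobject]@{ IsValid = $false; Reason = "Group $($i + 1) ($group) fails the check digit (not divisible by 11)" }
        }
        if ($value -ge 720896) {
            return [pscustomobject]@{ IsValid = $false; Reason = "Group $($i + 1) ($group) is out of range (must be below 720896)" }
        }
    }
    return [pscustomobject]@{ IsValid = $true; Reason = 'Well-formed' }
}

# Constructed sample values (not real recovery passwords from any system).
$good = '135795-550000-720885-000011-123453-660000-000033-100001'
$typo = '135796-550000-720885-000011-123453-660000-000033-100001'  # one digit changed
$big  = '720896-550000-720885-000011-123453-660000-000033-100001'  # first group too large

foreach ($candidate in $good, $typo, $big) {
    $result = Test-BitLockerRecoveryPasswordFormat -RecoveryPassword $candidate
    '{0}  ->  {1}: {2}' -f $candidate, $result.IsValid, $result.Reason
}
```

A well-formed password is only a necessary condition: whether it actually unlocks the volume is decided by the volume's own metadata, which is why the password's ID is matched against the volume (see the recovery slides later in the deck) rather than relying on the format check alone.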

Protection For Data Volumes
Definition: A data volume is a BitLocker-capable volume without the current OS
Automatic unlocking
- Transparently read encrypted data volumes
- Save unlock keys on the BitLocker-protected OS volume
Inherited protection
- Gain TPM-based protection from the OS volume
- No need to manage new startup PINs or startup keys
Recover volumes
- Unlock access with a numerical password or external key
Decommission volumes
- Reduce data exposure by wiping stored BitLocker keys
- Integrated into FORMAT in Windows Vista RC1

Demo: BitLocker™ And Data Volumes
- Server and client management
- Unlocking and auto-unlocking

BitLocker™ Management Scenarios
- Turn on and off BitLocker protection
- View BitLocker status indicators
- View and manage key protectors for the volume’s encryption key
- Temporarily disable protectors without decryption
- Unlock and recover encrypted volumes
- Set up automatic unlocking of data volumes
- Decommission volumes

TPM Management Scenarios
- Initialize TPM to work with BitLocker and other apps
- Turn on and manage the TPM with “physical presence” assertions
- View TPM status and manufacturer information
- View all available TPM commands and descriptions
- Block and allow TPM commands

BitLocker™ Status Indicators
Conversion status
- Fully encrypted
- Encryption/decryption in progress, with encryption percentage
- Encryption/decryption paused, with encryption percentage
- Fully decrypted
Protection status
- Protection On: fully encrypted and key protectors enabled
- Protection Off
Lock status
- Unlocked: encrypted data is accessible
- Locked: needs recovery to access data

BitLocker Key Protectors
- TPM And PIN
- TPM
- TPM And Startup Key
- Numerical Password
- External Key (OS volume only)

Available Management Features
BitLocker management features
- Control Panel integration
- BitLocker setup and key management wizards
- Scriptable WMI provider interface
- Command-line tool: manage-bde.wsf
TPM management features
- Microsoft Management Console (MMC) snap-in
- TPM initialization and management wizards
- BIOS integration for physical presence
- Scriptable WMI provider interface
- Remote management functionality
- Sample scripting solutions

Managing Keys
Control panel options
- Duplicate the recovery password
- Duplicate the recovery key
- Duplicate the recovery key to a folder
- Duplicate the startup key
- Reset the PIN
Command-line and scripting options
- All control panel options
- List, add, remove any key protectors, including recovery passwords and recovery keys

Managing Data Volumes
Turning on automatic unlocking in Windows Server Longhorn
- First turn on BitLocker protection for the OS volume
- Create an external key on the data volume
- Enable autounlock to save a key onto the current OS volume
- Start encryption before or after enabling automatic unlocking
Managing automatic unlocking in Windows Server Longhorn
- Determine autounlock status
- Disable autounlock
- Clear autounlock keys before decrypting the BitLocker-protected OS volume
Other data volume management tasks (Windows Vista and Windows Server Longhorn)
- Unlock a BitLocker-protected volume
- Lock a BitLocker-protected volume
- Turn off BitLocker protection on a volume
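The autounlock procedure above, written out as an added example (not the presentation's own script) with the BitLocker PowerShell module that ships with Windows 8 / Windows Server 2012 and later, in place of the Vista-era manage-bde.wsf the deck refers to. It assumes C: is the OS volume, D: the data volume, and E:\ removable media for the external key file; it enforces the ordering the slide gives (OS volume protected first, autounlock keys cleared before the OS volume is decrypted).

```powershell
# Added example (not from the original presentation). Follows the slide's
# procedure with the BitLocker PowerShell module (Windows 8 / Server 2012+).
# Assumptions: OS volume C:, data volume D:, and E:\ is removable media where
# the external (recovery) key file for D: is written. Run in an elevated session.

function Assert-OsVolumeProtected {
    param([string]$OsMountPoint = 'C:')
    # Step 1: automatic unlocking stores D:'s key on the OS volume, so that volume
    # must already be protected (not merely encrypted with protectors suspended).
    $os = Get-BitLockerVolume -MountPoint $OsMountPoint
    if ($os.VolumeType -ne 'OperatingSystem') {
        throw "$OsMountPoint is not the operating system volume"
    }
    if ($os.ProtectionStatus -ne 'On') {
        throw "Turn on BitLocker protection for $OsMountPoint before enabling automatic unlocking"
    }
    $os
}

function Enable-DataVolumeAutoUnlock {
    param(
        [string]$DataMountPoint  = 'D:',
        [string]$ExternalKeyPath = 'E:\'
    )
    Assert-OsVolumeProtected | Out-Null

    # Step 2: create an external key on the data volume. The .BEK file written to
    # $ExternalKeyPath is the recovery token for D:; keep it away from the server.
    $data = Get-BitLockerVolume -MountPoint $DataMountPoint
    if ($data.ProtectionStatus -ne 'On' -and $data.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $DataMountPoint -RecoveryKeyPath $ExternalKeyPath `
                         -RecoveryKeyProtector -EncryptionMethod Aes256 | Out-Null
    }

    # Step 3: enable autounlock; the unlock key is saved on the OS volume.
    # Step 4: encryption is already running in the background after Enable-BitLocker;
    # autounlock may be enabled before or after it finishes, as the slide says.
    Enable-BitLockerAutoUnlock -MountPoint $DataMountPoint | Out-Null

    Get-BitLockerVolume -MountPoint $DataMountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, AutoUnlockEnabled
}

function Disable-OsVolumeBitLockerSafely {
    param([string]$OsMountPoint = 'C:')
    # Before decrypting the OS volume, clear the stored autounlock keys; otherwise
    # data volumes would be left referencing keys on an unprotected volume.
    Clear-BitLockerAutoUnlock
    Disable-BitLocker -MountPoint $OsMountPoint
}

# "Determine autounlock status" for every data volume on the server.
Get-BitLockerVolume | Where-Object VolumeType -eq 'Data' |
    Select-Object MountPoint, ProtectionStatus, LockStatus, AutoUnlockEnabled, AutoUnlockKeyStored
```

After Clear-BitLockerAutoUnlock the data volumes stay encrypted but will need a manual unlock (external key or recovery password) on the next boot, so run it only as the first step of decommissioning the OS volume, and keep the .BEK files and recovery passwords escrowed before either step.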

BitLocker™ And TPM Group Policy
BitLocker Group Policy configurations
- Turn on BitLocker backup to Active Directory Domain Services
- Configure setup wizard experience (default is to display all available startup and recovery options)
- Configure disk encryption method (default is AES 128 bit with Diffuser)
- Configure TPM platform validation profile (default is PCR 0, 2, 4, 5, 8-11)
TPM Group Policy configurations
- Turn on TPM backup to Active Directory Domain Services
- Configure the blocked TPM commands (default list of blocked commands includes TPM_PCR_Reset, TPM_Extend, and TPM_Quote)
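The status indicators and key protector types from the earlier slides, together with the encryption method set by Group Policy, are what an administrator audits to confirm a server is in the state policy intends. The report below is an added example, not from the presentation: it reads each volume with the BitLocker PowerShell module (Windows 8 / Server 2012+) and flags the states worth acting on, including protection suspended on an encrypted volume, a missing recovery protector, TPM-only (1-factor) protection of the OS volume, and an encryption method that differs from the required one. The required method is a parameter (assumed here to be XTS-AES 256; the 2006 default named on the slide was AES 128 with Diffuser), since the policy itself lives in the GPO, and the PCR validation profile is applied when the TPM seals the key and is not something this report reads.

```powershell
# Added example (not from the original presentation): audit pass over the
# BitLocker status indicators and key protectors of every volume, plus a check
# of the encryption method against the value the organisation's policy requires.
function Get-BitLockerAuditReport {
    param(
        # Assumption: the organisation standardises on XTS-AES 256 today.
        # The 2006 default named on the slide was Aes128Diffuser.
        [string]$RequiredEncryptionMethod = 'XtsAes256'
    )
    foreach ($vol in Get-BitLockerVolume) {
        $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings   = New-Object System.Collections.Generic.List[string]

        # Conversion status: anything but FullyEncrypted means some data is still in the clear.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("conversion $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%)")
        }
        # Protection status: encrypted but Off means protectors were temporarily disabled,
        # so the volume key is stored unprotected until protection is resumed.
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.ProtectionStatus -ne 'On') {
            $findings.Add('protection Off (protectors suspended)')
        }
        # Lock status: a locked volume needs recovery (or an autounlock key) before it can be read.
        if ($vol.LockStatus -eq 'Locked') {
            $findings.Add('volume is Locked')
        }
        # Key protectors: every protected volume should have a recovery path on file.
        $hasRecovery = ($protectors -contains 'RecoveryPassword') -or ($protectors -contains 'ExternalKey')
        if ($vol.ProtectionStatus -eq 'On' -and -not $hasRecovery) {
            $findings.Add('no recovery password or external key protector')
        }
        # OS volume with a bare TPM protector is the 1-factor scenario; flag it for review.
        $twoFactor = ($protectors -contains 'TpmPin') -or ($protectors -contains 'TpmStartupKey') -or ($protectors -contains 'TpmPinStartupKey')
        if ($vol.VolumeType -eq 'OperatingSystem' -and ($protectors -contains 'Tpm') -and -not $twoFactor) {
            $findings.Add('TPM-only (1-factor) protection')
        }
        # Encryption method versus the required policy value.
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.EncryptionMethod.ToString() -ne $RequiredEncryptionMethod) {
            $findings.Add("encryption method $($vol.EncryptionMethod), policy requires $RequiredEncryptionMethod")
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            LockStatus       = $vol.LockStatus
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($protectors -join ',')
            Findings         = ($findings -join '; ')
        }
    }
}

Get-BitLockerAuditReport | Format-Table -AutoSize
```

On a locked data volume the KeyProtector list may come back empty because the metadata cannot be read, so the "volume is Locked" finding should be resolved before the protector findings for that volume are trusted.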

Enterprise Backup
- BitLocker setup can automatically back up the recovery password to Active Directory
- BitLocker setup will not continue if the backup step fails
- Can also back up the BitLocker key package for specialized recovery (coming in Windows Vista RC1)
- TPM ownership step can automatically back up the TPM owner password hash to Active Directory
Active Directory requirements
- Windows Server 2003 SP1, R2, or Windows Server Longhorn
- Schema extension for storing recovery information
- Configure access control permissions to write to AD
- Configure Group Policy settings

Enterprise Recovery
- Self-recovery with USB recovery key or known recovery password
- Help desk-assisted recovery to retrieve stored passwords from Active Directory
- BitLocker recovery screen displays computer name and Password ID that can unlock disk access
- Help desk verifies user identity, even over the phone for in-the-field recovery
- Given a computer name, find the recovery passwords for all disk volumes
- Given a Password ID, find the recovery password that can unlock the volume
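Both sides of the Active Directory escrow described on the Enterprise Backup and Enterprise Recovery slides, as an added example that is not the presentation's own code: the server escrows its recovery password protector, and the help desk performs the two lookups the slide lists (by computer name, and by the Password ID shown on the recovery screen). It uses the BitLocker PowerShell module (Windows 8 / Server 2012+) and the RSAT ActiveDirectory module, and assumes the schema extension for BitLocker recovery information is in place, that the computer has write access to its own recovery objects, and that read access to those objects is delegated to the help desk role rather than granted broadly. The recovery objects are of class msFVE-RecoveryInformation, stored under the computer object, with the Password ID embedded in the object name.

```powershell
# Added example (not from the original presentation). Client side escrows the
# recovery password to AD; help desk side looks it up by computer or Password ID.
# Assumptions: BitLocker and ActiveDirectory modules available, schema extended,
# and the caller delegated read access to msFVE-RecoveryInformation objects.

function Backup-OsVolumeRecoveryPasswordToAd {
    param([string]$MountPoint = 'C:')
    # Client side: make sure a recovery password protector exists, then escrow it.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        $rp = @((Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        "Escrowed recovery password protector $($p.KeyProtectorId) for $MountPoint"
    }
}

function Get-RecoveryPasswordsByComputer {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Help desk, case 1: given a computer name, list the recovery passwords for all volumes.
    # The recovery objects are children of the computer object, so search its subtree.
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                 -SearchBase $computer.DistinguishedName -SearchScope Subtree `
                 -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        ForEach-Object {
            [pscustomobject]@{
                Computer         = $ComputerName
                ObjectName       = $_.Name            # "<timestamp>{<Password ID>}"
                Created          = $_.whenCreated
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
}

function Get-RecoveryPasswordById {
    param([Parameter(Mandatory)][string]$PasswordId)
    # Help desk, case 2: given the Password ID from the recovery screen, find the one
    # password that unlocks that volume. The screen shows the leading characters of the
    # ID, so match on the prefix inside the braces of the object name.
    $domainDn = (Get-ADDomain).DistinguishedName
    Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and name -like '*{$PasswordId*'" `
                 -SearchBase $domainDn -SearchScope Subtree `
                 -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        ForEach-Object {
            # Parent DN (the computer object) is everything after the first RDN.
            $computerDn = ($_.DistinguishedName -split ',', 2)[1]
            [pscustomobject]@{
                Computer         = (Get-ADObject -Identity $computerDn).Name
                ObjectName       = $_.Name
                Created          = $_.whenCreated
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
}

# Help desk flow: verify the caller's identity first (the slide's own requirement),
# then resolve the ID read out from the recovery screen. Placeholder ID shown.
# Get-RecoveryPasswordById -PasswordId 'ABCD1234' | Format-List
```

Each lookup returns a secret that unlocks a volume, so the delegation should be narrow, the help desk process should record who requested which Password ID and why, and a volume whose password has been read out over the phone should get a fresh recovery password protector (Add-BitLockerKeyProtector followed by a new escrow) once it is back in service.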

Enterprise Deployment
- Enterprises will integrate BitLocker deployment steps into existing OS and software distribution infrastructure
- Enterprises will evaluate hardware manufacturers using Windows Logo Program requirements
- BitLocker feature requirements
- BitLocker best practice recommendations
- Enterprise security policies
- Enterprise deployment requirements

BitLocker™ Server Requirements
Trusted Platform Module (TPM) v1.2
- Provides platform integrity measurement and reporting
- TPM 1.2 Spec:
- Requires platform support for TPM 1.2 Interface Specification (TIS): Memory Mapped I/O, Locality 0
Firmware: TCG compliant conventional BIOS or EFI
- Establishes chain of trust for pre-OS boot
- Must support TCG Static Root of Trust for Measurement (SRTM)
- Conventional BIOS: TCG PC Client Specification:
- EFI: TCG ACPI Specification, TCG EFI Interface Specification, TCG EFI Protocol Specification
- Firmware support for reading USB flash drives during boot
Disk must have at least two NTFS partitions
See Windows Server Longhorn Logo guide for details

Branch Office Challenges Met
- Theft of server and/or its hard drives: the OS volume (including the pagefile and the OS) and data volumes are completely protected by BitLocker™
- Re-provision or decommission of server or its hard drives: volume encryption keys can be destroyed via a WMI provider method call. Multiple hours of reclamation turn into seconds, and the data is gone!
- Data theft via disk cloning by maintenance and outsourcing technicians: volume encryption keys are not released to the thief without an authenticated boot. Disk cloning will only copy encrypted data.
- Secure deployment of a fully configured machine shipped to a remote location: the image created at the main office is secured with a PIN. Authorized personnel at the branch office call in to get the PIN and unlock the image.
Data-at-rest on Branch Office Servers is protected!

Value-Add Opportunities
Solutions to lower enterprise deployment costs
- Remove manual steps to ready the TPM for BitLocker enterprise deployment
- An interactive “physical presence” assertion guards against malicious software turning on the TPM, but zero-touch deployment is possible after the TPM is on
- Factory pre-configurations that ease BitLocker setup
- Other value-add BIOS features or management tools
End-to-end enterprise solutions on clients and servers
- Help enterprises achieve regulatory compliance, e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act (HIPAA)
- Key management, recovery and escrow services

Call To Action
Build server platforms with BitLocker™ support
- Trusted Platform Module (TPM) v1.2: requires platform support of TPM 1.2 Interface Specification (TIS)
- System firmware support: conventional BIOS or EFI
- USB flash drive functionality at boot: BitLocker uses USB drives as startup and recovery tokens
- Disk must have at least two NTFS partitions; the system volume must have at least 1.5 GB for MBR, loader, boot and setup files
Work with us to test your reference designs for more information microsoft.com

Additional Resources
Web resources
- BitLocker™ information
- BitLocker™ technical papers and specs
- Windows Logo program testing
- TCG
Related sessions
- BitLocker™ Drive Encryption: Hardware Enhanced Data Protection (CPA064)
- Windows Vista and Windows Server Longhorn Security Platform Enhancements (CPA127)
BitLocker™ questions: microsoft.com

Question And Answer
Thank You! Please fill out an evaluation form

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.