Microsoft (Data Protection Solutions) | PPS
A Critical Analysis of Microsoft Data Protection Solutions
Agenda
- Introduction
- BitLocker Drive Encryption (BDE)
- Encrypting File System (EFS)
- Rights Management Services (RMS)
- Conclusion
Key Technologies in Windows Server 2008
Themes: Security, Reliability, Performance, Application Platform.
Technologies: Service Hardening, Windows Advanced Firewall, BitLocker Drive Encryption, Server Core, Dynamic Partitioning, Next Generation TCP/IP, 64x64-bit Cores, Investment in the Fundamentals, Operations Infrastructure, Centralized Role Management, Failover Clustering, Windows Virtualization, Network Access Protection, Terminal Services, AD Read Only Domain Controllers, Windows PowerShell, IIS 7, .NET Framework 3.0, Resource Management, Federated Identity.
Agenda: Introduction | BitLocker Drive Encryption (BDE) | Encrypting File System (EFS) | Rights Management Services (RMS) | Conclusion
BitLocker™ Drive Encryption
- Designed specifically to help prevent a thief who boots another operating system or runs a hacking tool from breaking Windows file and system protections
- Helps provide data protection on your Windows client systems, even when the system is in unauthorized hands or is running a different or exploiting operating system
- Can use a v1.2 Trusted Platform Module (TPM) or a USB flash drive for key storage
- HP provides TPM 1.2 in: Notebooks: 2400, 4400, 6400, 8400 Series; Desktops: dc7700, dx5xxx
- Included in all Windows Server 2008 (Longhorn) versions; on the client, only in Windows Vista Enterprise and Vista Ultimate Editions
BDE is an option
BitLocker™ features overview
- Prevents bypass of the Windows boot process: ensures boot process integrity (Secure Startup)
- Protects the system from offline software-based attacks: protects data while the system is offline
- Encrypts the entire Windows volume, including both user data and system files, the hibernation file, the page file and temporary files
- Eases equipment recycling
- Pre-OS multi-factor authentication: dongle, BIOS, and TPM-backed software identity
- TPM Base Services (TBS): Windows and third-party software access to the TPM
What is a Trusted Platform Module (TPM)?
A smartcard-like module on the motherboard that:
- Helps protect secrets
- Performs cryptographic functions: RSA, SHA-1, RNG
- Meets encryption export requirements
- Can create, store and manage keys
- Provides a unique Endorsement Key (EK)
- Provides a unique Storage Root Key (SRK)
- Performs digital signature operations
- Holds platform measurements (hashes)
- Anchors the chain of trust for keys and credentials
- Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org
BDE disk layout and key storage
- OS volume contains: encrypted OS, encrypted page file, encrypted temp files, encrypted data, encrypted hibernation file
- System volume contains: MBR, loader, boot utilities (unencrypted, small)
Where's the encryption key?
1. The SRK (Storage Root Key) is contained in the TPM
2. The SRK encrypts the FVEK (Full Volume Encryption Key), protected by the TPM, a PIN, or a USB-hosted key on a USB storage device
3. The FVEK is stored (encrypted by the SRK) on the hard drive in the system volume
BDE: available authenticators
- Default: Trusted Platform Module (TPM)
- TPM + USB startup key [1]
- TPM + PIN
- USB startup key [1, 2, 3]
- USB recovery key [3, 4]
- Numeric (text) recovery password, 48 digits (slide shows the partial example 123456-789012-345678-) [4]
- Windows Server 2008: TPM + USB + PIN
Notes:
[1] A startup key with a TPM is different than one without a TPM
[2] Used only on non-TPM computers
[3] A non-TPM startup key and a recovery key are the exact same thing
[4] Not used routinely, for recovery only
BDE architecture: static root of trust measurement of early boot components
Enabling BitLocker
1. Create a 1.5 GB active partition. This becomes your "system" partition, where the OS boots; the TPM boot manager uses only 50 MB. Windows runs from your "boot" partition, where the system lives.
2. Enable the TPM chip (via the system BIOS)
3. Enable BitLocker in Security Center
4. Update the hard disk MBR
5. Encrypt the Windows "boot" partition: generate a symmetric encryption key and store the key in the TPM; encryption begins after reboot
BDE passwords and PINs
- BIOS password: required to enable the TPM in the BIOS
- Owner password: set after TPM initialization; required for disabling the TPM, clearing the TPM, and recycling. In a domain: hash stored in the AD computer object
- Administrator password: required for enabling BDE
- BDE PIN (optional): required for accessing the encrypted BDE volume
- Recovery password: can also be on a USB token; in a domain: can be stored in the AD computer object; required for recovering BDE data after PIN loss, TPM errors or boot file modification
BDE recovery options
- Based on GPO: BitLocker setup can automatically escrow recovery keys and owner passwords into AD
- Setup may also try to back up keys and passwords onto a USB dongle or to a file location (the default for non-domain-joined users, e.g. the Ultimate SKU)
- Working with third parties on web service-based key escrow
- Recovery password known by the user/administrator: recovery can occur "in the field" and Windows operation can continue as normal
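The key hierarchy and protectors from the last few slides (SRK inside the TPM, FVEK sealed to the measured boot chain, PIN, and a 48-digit recovery password that works when the TPM refuses after a boot file modification) can be modelled end to end. The following is an added example written for this page, not Microsoft code: HMAC-SHA256 stands in for AES, the TPM is a Python object with a single PCR, the boot-stage names are constructed, and the recovery-password encoding (each six-digit group is a 16-bit value times 11) is the documented BitLocker format.

```python
"""Simulation of the BitLocker key hierarchy and protectors described above.
Added example, not Microsoft code: HMAC-SHA256 stands in for AES, the TPM is
a Python object, and PCR extension is modelled with SHA-256."""
import hashlib
import hmac
import secrets


def kdf(*parts: bytes) -> bytes:
    """Stand-in KDF: a 256-bit key-encryption key from its inputs."""
    return hashlib.sha256(b"\x00".join(parts)).digest()


def wrap(kek: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC a key of up to 32 bytes under kek: nonce || ct || tag."""
    nonce = secrets.token_bytes(16)
    pad = hmac.new(kek, nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(key, pad))
    return nonce + ct + hmac.new(kek, nonce + ct, "sha256").digest()


def unwrap(kek: bytes, blob: bytes):
    """Return the wrapped key if the tag verifies under kek, otherwise None."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, "sha256").digest()):
        return None
    pad = hmac.new(kek, nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


class SimulatedTpm:
    """Holds the SRK, which never leaves the chip, plus one PCR extended at boot."""

    def __init__(self):
        self._srk = secrets.token_bytes(32)   # Storage Root Key, chip-resident
        self.pcr = bytes(32)                  # platform measurement, zero at power-on

    def measure_chain(self, components):
        """Static root of trust measurement: pcr = H(pcr || H(stage)) for each stage."""
        self.pcr = bytes(32)
        for component in components:
            self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(component).digest()).digest()

    def seal(self, key: bytes, pin: bytes = b"") -> bytes:
        """SRK-encrypt a key, bound to the current PCR value and an optional PIN."""
        return wrap(kdf(self._srk, self.pcr, pin), key)

    def unseal(self, blob: bytes, pin: bytes = b""):
        """Succeeds only if the PCR value now equals the value at seal time."""
        return unwrap(kdf(self._srk, self.pcr, pin), blob)


def recovery_password(key16: bytes) -> str:
    """Render a 128-bit recovery key in the 48-digit, eight-group format; each
    group is a 16-bit value times 11, the check BitLocker uses against typos."""
    groups = [int.from_bytes(key16[i:i + 2], "big") * 11 for i in range(0, 16, 2)]
    return "-".join(f"{g:06d}" for g in groups)


def parse_recovery_password(pw: str) -> bytes:
    groups = [int(g) for g in pw.split("-")]
    if len(groups) != 8 or any(g % 11 or g // 11 > 0xFFFF for g in groups):
        raise ValueError("malformed recovery password")
    return b"".join((g // 11).to_bytes(2, "big") for g in groups)


BOOT_CHAIN = [b"MBR", b"bootmgr", b"winload.exe"]   # constructed early-boot stages


def enable_bitlocker(tpm: SimulatedTpm, pin: bytes):
    """Generate the FVEK and the protectors that sit unencrypted on the system volume."""
    tpm.measure_chain(BOOT_CHAIN)
    fvek, recovery_key = secrets.token_bytes(32), secrets.token_bytes(16)
    protectors = {
        "tpm": tpm.seal(fvek),                                   # TPM only
        "tpm+pin": tpm.seal(fvek, pin),                          # TPM + PIN
        "recovery": wrap(kdf(b"recovery", recovery_key), fvek),  # 48-digit password
    }
    return fvek, protectors, recovery_password(recovery_key)


def boot(tpm, protectors, boot_chain, pin=None, recovery_pw=None):
    """Re-measure the boot chain, try the TPM protector, fall back to recovery."""
    tpm.measure_chain(boot_chain)
    if pin is None:
        fvek = tpm.unseal(protectors["tpm"])
    else:
        fvek = tpm.unseal(protectors["tpm+pin"], pin)
    if fvek is None and recovery_pw is not None:
        kek = kdf(b"recovery", parse_recovery_password(recovery_pw))
        fvek = unwrap(kek, protectors["recovery"])
    return fvek
```

Run `enable_bitlocker` once, then call `boot` with the original `BOOT_CHAIN` and again with one stage replaced (for example `b"winload.exe (modified)"`): the first boot unseals the FVEK, the second gets `None` from the TPM because the PCR no longer matches, and only the recovery password opens the volume. This is exactly why the deck says the recovery password must be escrowed (AD, USB, file) before it is needed: the TPM protector is useless after a legitimate boot-loader update as well as after tampering.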
How about Embedded Security for HP ProtectTools?
Supported applications:
- Secures cryptographic keys for: Microsoft Encrypting File System, Personal Secure Drive, S/MIME, any CAPI or PKCS#11 based application
- Two-factor authentication: 802.1x EAP-TLS based
- Enhanced SecurID: protects access to the SecurID seed
- HP ProtectTools Credential Manager access: client-side credential caching, SSO
- User pre-boot authentication: DriveLock, with the DriveLock password secured using the TPM
Available on TPM 1.1 and 1.2
But... there's more than technology... (sign text: "54321 TO SILENCE ALARM", "REPEAT CODE TO RESET")
Agenda: Introduction | BitLocker Drive Encryption (BDE) | Encrypting File System (EFS) | Rights Management Services (RMS) | Conclusion
EFS investments
- Smartcards provide strong protection for laptop and shared workstation scenarios
- Client-side encryption: protection against malicious server administrators
- Investments in group policy controls on encryption
- Re-key wizard
- Key backup notification
EFS with smartcards
- Smartcards can be too slow to be used for every file access
- Accelerated mode: derive a symmetric software key using the private key on the smartcard, and use this key to encrypt/decrypt files
- The symmetric key can only be derived using the smartcard's private key
Diagram, two modes: RSA mode uses the smartcard private key to protect the FEK directly; accelerated mode derives a symmetric AES-256 key from the smartcard private key, uses it as the software private key, caches it in the LSA, and uses it to encrypt the FEK.
EFS with remote files: client-side encryption
- Local EFS encryption: keys and certificates live on the client
- The client connects to the remote server share over the SMB protocol
- No need to enable Trust For Delegation
- The encrypted file is sent to the server file share
EFS Group policy enhancements
EFS Re-Key Wizard
- Allows users to better manage their EFS certificates and encrypted files
- Especially useful when switching to smartcard encryption
- Provides a choice of EFS services: choose a certificate, create a new certificate, back up the certificate, re-encrypt old files with the new certificate
EFS key backup improvements
- TOP customer pain point (90% of issues reported on newsgroups): data lost due to keys not being backed up
- Vista: key and certificate backup notification
- Major usability and reliability improvements
- ON for workgroups, OFF for domains
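The EFS slides above describe three things that are easiest to see in code: the per-file FEK wrapped to the user's key, why accelerated mode exists (RSA mode needs the smartcard for every file open, accelerated mode needs it once to derive a cached symmetric key), and what the re-key wizard's "re-encrypt old files with new certificate" actually rewrites. The following is an added example for this page, not Windows code: the smartcard is a Python object holding a textbook RSA key on fixed Mersenne primes, the file cipher is a SHA-256 keystream, the `SmartCard`, `derive_software_key` and `rekey_files` names are this example's own, and the operation counter is there only to make the card-usage difference measurable.

```python
"""Model of the EFS key handling described above. Added example, not Windows
code: one random FEK per file, a DDF entry wrapping the FEK to the user's key,
RSA mode (the smartcard is used on every file open) versus accelerated mode
(one smartcard operation derives a cached symmetric key), and the re-key
wizard's re-wrapping of old files to a new certificate. RSA is textbook RSA on
fixed Mersenne primes and the file cipher is a SHA-256 keystream: toys only."""
import hashlib
import secrets

E = 65537
# Constructed key material: two prime pairs, so two distinct cards can exist.
CARD_PRIMES = [((1 << 61) - 1, (1 << 89) - 1), ((1 << 107) - 1, (1 << 127) - 1)]


class SmartCard:
    """Toy RSA private key that stays on the card; every private-key op is counted."""

    def __init__(self, primes):
        p, q = primes
        self.n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))
        self.operations = 0

    def public_key(self):
        return (self.n, E)

    def private_op(self, c: int) -> int:
        self.operations += 1
        return pow(c, self._d, self.n)


def rsa_wrap(pub, fek: bytes) -> int:
    """Wrap a 16-byte FEK under the certificate's public key; no card needed."""
    n, e = pub
    return pow(int.from_bytes(fek, "big"), e, n)


def rsa_unwrap(card: SmartCard, wrapped: int) -> bytes:
    return card.private_op(wrapped).to_bytes(16, "big")


def derive_software_key(card: SmartCard) -> bytes:
    """Accelerated mode: one private-key op on a fixed label yields the symmetric
    key Windows would cache in the LSA; only the holder of this card can derive it."""
    label = int.from_bytes(hashlib.sha256(b"EFS accelerated-mode key").digest()[:16], "big")
    return hashlib.sha256(card.private_op(label).to_bytes(32, "big")).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(fek: bytes, name: str, length: int) -> bytes:
    """Counter-mode SHA-256 keystream standing in for AES."""
    blocks = (hashlib.sha256(fek + name.encode() + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def sym_wrap(key: bytes, name: str, fek: bytes) -> bytes:
    """Accelerated-mode DDF entry: XOR with a per-file pad (the same call unwraps)."""
    return xor(fek, hashlib.sha256(key + name.encode()).digest()[:16])


def encrypt_file(name: str, plaintext: bytes, pub, accel_key: bytes = None) -> dict:
    """An EFS file: random FEK, ciphertext, and one DDF entry for the owner."""
    fek = secrets.token_bytes(16)
    ddf = ("accel", sym_wrap(accel_key, name, fek)) if accel_key else ("rsa", rsa_wrap(pub, fek))
    return {"name": name, "data": xor(plaintext, keystream(fek, name, len(plaintext))), "ddf": ddf}


def recover_fek(f: dict, card: SmartCard, accel_key: bytes = None) -> bytes:
    kind, blob = f["ddf"]
    if kind == "rsa":
        return rsa_unwrap(card, blob)            # one card operation per file
    return sym_wrap(accel_key, f["name"], blob)   # software only; the card is not touched


def open_file(f: dict, card: SmartCard, accel_key: bytes = None) -> bytes:
    fek = recover_fek(f, card, accel_key)
    return xor(f["data"], keystream(fek, f["name"], len(f["data"])))


def rekey_files(files, old_card, new_card, old_accel_key=None):
    """Re-key wizard, 're-encrypt old files with new certificate': only the DDF
    entry is rewritten; the FEK and the file ciphertext stay as they are."""
    for f in files:
        fek = recover_fek(f, old_card, old_accel_key)
        f["ddf"] = ("rsa", rsa_wrap(new_card.public_key(), fek))
```

Encrypt a handful of files in RSA mode and open them: `card.operations` grows by one per file. Derive the software key once, encrypt and open the same number of files in accelerated mode: the counter does not move. `rekey_files` shows why the wizard is cheap and why the slide before it matters so much: a re-key only rewrites the small DDF entries, but if the old private key was never backed up and the card is lost, there is nothing left that can recover the FEKs.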
Agenda: Introduction | BitLocker Drive Encryption (BDE) | Encrypting File System (EFS) | Rights Management Services (RMS) | Conclusion
How does RMS work?
Participants: information author, the recipient, RMS server, SQL Server, Active Directory.
1. The author receives a client licensor certificate (CLC) the first time they rights-protect information
2. The author defines a set of usage rights and rules for the file; the application creates a "Publishing License" and encrypts the file
3. The author distributes the file
4. The recipient clicks the file to open it; the application calls the RMS server, which validates the user and issues a "Use License"
5. The application renders the file and enforces the rights
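The five steps above can be played through as a small simulation: bootstrap (RAC and CLC), publish (rights plus a publishing license that carries the wrapped content key), and consume (the server validates the user against the directory, issues a use license, and the application enforces the right before decrypting). The following is an added example for this page, not the product's code: certificates and licenses are HMAC-signed dicts, the content key is wrapped with a SHA-256 pad rather than RSA, the body is encrypted with a SHAKE-256 keystream, the `RmsServer`, `publish`, `render` and `denied` names are this example's own, and the user directory is a constructed stand-in for Active Directory.

```python
"""Simulation of the five-step RMS exchange above. Added example, not the
product's code: certificates and licenses are HMAC-signed dicts issued by a toy
RMS server, the content key is wrapped with a SHA-256 pad instead of RSA, the
body is encrypted with a SHAKE-256 keystream, and the user directory is a
constructed stand-in for Active Directory."""
import hashlib
import hmac
import json
import secrets


def encode(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()


def mac(key: bytes, obj) -> str:
    return hmac.new(key, encode(obj), "sha256").hexdigest()


def pad_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Wrap or unwrap a 16-byte content key under key with a labelled pad (self-inverse)."""
    return bytes(a ^ b for a, b in zip(data, hashlib.sha256(key + label).digest()[:16]))


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Body encryption with a SHAKE-256 keystream (toy stand-in for AES)."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))


class RmsServer:
    """Issues RAC/CLC pairs, validates publishing licenses, issues use licenses."""

    def __init__(self, directory: dict):
        self._root_key = secrets.token_bytes(32)   # server root secret (the 'lockbox')
        self.directory = directory                  # user -> groups, stand-in for AD
        self.log = []                               # each issued use license is logged

    def _user_key(self, kind: str, user: str) -> bytes:
        return hmac.new(self._root_key, f"{kind}:{user}".encode(), "sha256").digest()

    def verify(self, obj, sig: str) -> bool:
        """Clients check server-issued certificates and licenses with this."""
        return hmac.compare_digest(mac(self._root_key, obj), sig)

    def bootstrap(self, user: str) -> dict:
        """Step 1: rights account certificate (RAC) and client licensor certificate (CLC)."""
        if user not in self.directory:
            raise PermissionError(f"{user} is not in the directory")
        rac, clc = {"type": "RAC", "user": user}, {"type": "CLC", "user": user}
        return {"rac": (rac, mac(self._root_key, rac)), "rac_key": self._user_key("RAC", user),
                "clc": (clc, mac(self._root_key, clc)), "clc_key": self._user_key("CLC", user)}

    def issue_use_license(self, user: str, rac_sig: str, pl: dict, pl_sig: str):
        """Step 4: validate the user and the publishing license, then wrap the
        content key to the recipient's RAC key and log the transaction."""
        if user not in self.directory or not self.verify({"type": "RAC", "user": user}, rac_sig):
            raise PermissionError("unknown or unauthenticated user")
        author_key = self._user_key("CLC", pl["author"])
        if not hmac.compare_digest(mac(author_key, pl), pl_sig):
            raise PermissionError("publishing license failed validation")
        principals = {user, *self.directory[user]}
        rights = sorted({r for p in principals for r in pl["rights"].get(p, [])})
        if not rights:
            raise PermissionError(f"{user} has no rights to this content")
        content_key = pad_xor(author_key, b"PL", bytes.fromhex(pl["content_key"]))
        ul = {"type": "UL", "user": user, "rights": rights,
              "content_key": pad_xor(self._user_key("RAC", user), b"UL", content_key).hex()}
        self.log.append((user, pl["author"], rights))
        return ul, mac(self._root_key, ul)


def publish(author: dict, rights: dict, plaintext: bytes) -> dict:
    """Step 2: the author defines rights; the application encrypts the file and
    creates a publishing license (PL) signed with the author's CLC key."""
    content_key = secrets.token_bytes(16)
    pl = {"author": author["clc"][0]["user"], "rights": rights,
          "content_key": pad_xor(author["clc_key"], b"PL", content_key).hex()}
    return {"pl": pl, "pl_sig": mac(author["clc_key"], pl), "body": stream_xor(content_key, plaintext)}


def render(server: RmsServer, protected: dict, user: dict, action: str) -> bytes:
    """Steps 4 and 5: fetch a use license, enforce the right, then decrypt."""
    rac, rac_sig = user["rac"]
    ul, ul_sig = server.issue_use_license(rac["user"], rac_sig, protected["pl"], protected["pl_sig"])
    if not server.verify(ul, ul_sig):
        raise PermissionError("use license signature invalid")
    if action not in ul["rights"]:
        raise PermissionError(f"{rac['user']} may not {action} this content")
    content_key = pad_xor(user["rac_key"], b"UL", bytes.fromhex(ul["content_key"]))
    return stream_xor(content_key, protected["body"])


def denied(fn, *args) -> bool:
    """True when the call is refused by the rights check rather than succeeding."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True
```

Create a server with a constructed directory such as `{"alice": ["finance"], "bob": [], "carol": []}`, bootstrap the users, and publish with rights like `{"alice": ["edit", "view"], "bob": ["view"], "finance": ["print"]}`: bob can `view` but not `print`, alice gets `print` through the group, carol is refused a use license altogether, and editing the rights inside the publishing license breaks the author's signature so the server rejects it. Note where enforcement sits: the server decides who gets a use license and logs it, but the "may not print" check is made by the rendering application, which is why the comparison slide later calls RMS a security platform for applications rather than a system that protects files by itself.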
AD RMS in Windows Server 2008
- The RMS component is included in the operating system; AD RMS is now a Server Role
- Use Server Manager to install AD RMS
- Easy server deployment: componentized setup installs dependencies automatically
- Native x64 support
- Self-activation: no dependency on the external MSN RMS Activation Service to enroll the first RMS root server
Challenges in external collaboration
- Option 1: Use .NET Passports. .NET Passports are not suitable for enterprises; in Windows RMS, administrators need to trust the hotmail.com namespace
- Option 2: Create accounts for partners. Adds complexity in the Windows infrastructure; increases the operational cost of maintaining external accounts in the internal AD
- Option 3: Create RMS trusts. Partners do not implement RMS; the exchange of the RMS public key is a non-secure and manual process
- Option 4: Use a 3rd-party product. Adds cost to the RMS implementation; relies on an external party to host the partners' accounts
Solution: AD Federation Service
- Uses Active Directory Federation Service (ADFS); requires AD RMS to work with ADFS
- Establishes trust once; can be re-used for other applications
- Partners manage their own AD accounts: no identity lifecycle management
External RMS collaboration via ADFS
Parties: Contoso and Fabrikam; components: the RMS server with a WebSSO agent, AD on both sides, and the federation servers FS-A and FS-R. The author is assumed to be already bootstrapped (holds a RAC and CLC).
1. The author sends protected mail (with its publishing license, PL) to the recipient at Fabrikam
2. The recipient contacts the RMS server to get bootstrapped
3. The WebSSO agent intercepts the request
4. The RMS client is redirected to FS-R for home realm discovery
5. The RMS client is redirected to FS-A for authentication
6. The RMS client is redirected back to FS-R for authentication
7. The RMS client makes the request to the RMS server for bootstrapping
8. The WebSSO agent intercepts the request, checks authentication, and sends the request to the RMS server
9. The RMS server returns the bootstrapping certificates (RAC, CLC) to the recipient
10. The RMS server returns the use license (UL) to the recipient
11. The recipient accesses the protected content
Exchange 2007 and RMS
Participants: author using Office 2003 / 2007, the recipient, Exchange 2007 Server, RMS, SQL Server, Active Directory.
1. The author sends e-mail through the Exchange 2007 Server
2. The Exchange 2007 Server examines the message properties and determines whether RMS policies should be applied
3. The Exchange 2007 Server makes a request to RMS to apply the policy to the e-mail and obtain a usage license
4. RMS authenticates the user, creates the usage license, and logs the transaction
5. The recipient synchronizes e-mail with the Exchange 2007 Server; the message and usage license are delivered to the user
6. The recipient opens the e-mail; policies are enforced
But... there's more than technology... (sign text: "All must enter through electronic mantrap", "Fence ends here"; sign says "road is for cars only")
Agenda: Introduction | BitLocker Drive Encryption (BDE) | Encrypting File System (EFS) | Rights Management Services (RMS) | Conclusion
Technology comparison

| | BDE | EFS | RMS |
|---|---|---|---|
| Encryption | AES 128 (RSA32.LIB) | AES 128 (Crypt32.DLL) | AES 128 (Crypt32.DLL) |
| Data awareness | Blocks | Files | App defined; docs/email |
| Master key | TPM + SW identity, dongle, file | SW, smart-card | Obfuscated SW (lockbox) |
| Content key | Same as root key | Same as root key | Server |
| Protects what? | Windows and data | Directories and files | Documents (including use) |
| Protects who? | Machine owner, user | Users | Document owners |
| Protection | Local, removable media | Local, removable media, remote | Remote, removable media |
| Who is god? | Local admin, net admin | Local admin, net admin | Document owner, RMS admin |
| Supports other security systems? | Yes | Yes (ISVs only) | No (RMS is a security platform for applications) |
| Data recovery mechanism | Dongle, file, network; manual key entry | Local or AD based policy | RMS server policy |
| Killer client scenario | Lost or stolen laptop | Multi-user PC | Protected document sharing |
| Killer server scenario | Branch-office server | Protect documents on file shares from admin | RMS support in SharePoint and Exchange |
| Killer admin scenario | Just switch it on (also force recovery) | My Documents encrypted by default | Establish corporate information policy |
What feature should I use?
Who are you protecting against? Other users or administrators on the machine? Unauthorized users with physical access? Some cases can result in overlap (e.g. multi-user roaming laptops with untrusted network admins).
Scenarios (each marked X against one of BDE, EFS or RMS on the slide):
- Laptops
- Branch office server
- Local single-user file & folder protection
- Local multi-user file & folder protection
- Remote file & folder protection
- Untrusted network admin
- Remote document policy enforcement
Overview: Introduction | BitLocker Drive Encryption (BDE) | Encrypting File System (EFS) | Rights Management Services (RMS) | Conclusion
Questions?
Download the HP Security Handbook! Go to: http://www.hp.com/go/security
More information: "Windows Security Fundamentals", Jan De Clercq and Guido Grillenmeier, ISBN 1555583407
Thank you. Info collected by Vinayak Nandikal, courtesy HP Technology
