Download
bitlocker drive encryption a look under the covers n.
Skip this Video
Loading SlideShow in 5 Seconds..
BitLocker ™ Drive Encryption A look under the covers PowerPoint Presentation
Download Presentation
BitLocker ™ Drive Encryption A look under the covers

BitLocker ™ Drive Encryption A look under the covers

168 Views Download Presentation
Download Presentation

BitLocker ™ Drive Encryption A look under the covers

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. BitLocker™ Drive EncryptionA look under the covers Steve Lamb Technical Security Advisor, Microsoft UK http://blogs.technet.com/steve_lamb Stephen.lamb@microsoft.com

  2. Agenda • Is EFS Dead? • A quick review • What threats does it mitigate? • What threats ARE NOT mitigated • Enhancements @ Vista SP1 • To Gain Access We Need • Deployment Considerations • Resources

  3. Is EFS Dead? ?

  4. A Quick Review BitLocker

  5. What threats does it mitigate? • Data @ rest • Over-riding Access Controls

  6. What threats ARE NOT mitigated? • Stupid User! • Stupid Admin! • Removable Media • Weak Passwords

  7. Enhancements @ SP1 • Multi-volume support • Key Rolling

  8. What Is A Trusted Platform Module ? TPM 1.2 spec: www.trustedcomputinggroup.org

  9. Secure the pre-boot environment • Measure EVERYTHING

  10. What do we measure?

  11. To gain access we need • Full Volume Encryption Key • Volume Master Key • Multiple places to store it

  12. Volume Master Key – option 1

  13. Volume Master Key – option 2

  14. Volume Master Key – option 3

  15. Volume Master Key – option 4

  16. Volume Master Key – option 5

  17. 3 4 TPM VMK 2 1 FVEK DATA Keys and Protectors (“Authenticators”) Where’s the Encryption Key? Data is encrypted with the FVEK The FVEK is encrypted with the VMK and then stored in the volume metadata. The VMK is encrypted by one or more key protectors, then stored in the volume metadata. The Trusted Platform Module will not decrypt the VMK if the system integrity check fails. USB Key(Recovery or Non-TPM) TPM+PIN TPM+USB 123456-789012-345678- Recovery Password(48 Digits)

  18. Disk Configuration • Partitioning guidelines:

  19. You can measure the BIOS too

  20. Deployment Considerations

  21. Understanding the Options with the Windows Vista Security Guide Unique GPO Accelerator tool deploys security configurations in minutes vs. hours Tested guidance by Windows Vista Security Experts Preconfigured, customizable security settings Windows Vista Security Guide provides customers with best practices and automated tools to help them quickly and easily deploy Windows Vista, and provides tested guidance to balance their needs for security and functionality SOLUTIONACCELERATORS Act faster. Go further.

  22. Please fill in your Evaluation Form

  23. Resources • Data Encryption Toolkit for Mobile PCs • Bitlocker Drive Encryption Technical Overview • Keys to Protecting Data with Bitlocker Drive Encryption • Developing Credential Providers for Windows Vista • Create Custom Login Experiences With Credential Providers For Windows Vista

  24. Resources • Technical Communities, Webcasts, Blogs, Chats & User Groupshttp://www.microsoft.com/communities/default.mspx • Microsoft Learning and Certificationhttp://www.microsoft.com/learning/default.mspx • Microsoft Developer Network (MSDN) & TechNet http://microsoft.com/msdnhttp://microsoft.com/technet • Trial Software and Virtual Labshttp://www.microsoft.com/technet/downloads/trials/default.mspx Visit TechNet in the ATE Pavilion and get a FREE 60-day subscription to TechNet Plus!

  25. © 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.