
Win7Security sub presentation

Apr 08, 2018

Transcript
Page 1: Win7Security sub presentation

8/7/2019 Win7Security sub presentation

http://slidepdf.com/reader/full/win7security-sub-presentation 1/24

BitLocker™ Drive Encryption Hardware Enhanced Data Protection

Shon Eizenhoefer, Program Manager, Microsoft Corporation


Page 3: Win7Security sub presentation

Agenda

Security Background

BitLocker™ Drive Encryption

TPM Overview

Building a BitLocker™ Capable System

Additional Resources

Page 4: Win7Security sub presentation

BitLocker™ Drive Encryption

BitLocker™ Drive Encryption gives you improved data protection on your Windows Vista and Windows Server codenamed "Longhorn" systems

Notebooks – Often stolen, easily lost in transit

Desktops – Often stolen, difficult to safely decommission

Servers – High value targets, often kept in insecure locations

All three can contain very sensitive IP and customer data

Designed to provide a transparent user experience that requires little to no interaction on a protected system

Prevents thieves from using another OS or software hacking tool to break OS file and system protections

Prevents offline viewing of user data and OS files

Provides enhanced data protection and boot validation through use of a Trusted Platform Module (TPM) v1.2

Page 5: Win7Security sub presentation

BitLocker™ And TPM Features

BitLocker™ Drive Encryption

Encrypts entire volume

Uses Trusted Platform Module (TPM) v1.2 to validate pre-OS components

Customizable protection and authentication methods

Pre-OS Protection

USB startup key, PIN, and TPM-backed authentication

Single Microsoft TPM Driver

Improved stability and security

TPM Base Services (TBS)

Enables third party applications

Active Directory Backup

Automated key backup to AD server

Group Policy support

Scriptable Interfaces

TPM management

BitLocker™ management

Command-line tool

Page 6: Win7Security sub presentation

Feature Map

TPM Services Architecture (Simplified)

(Diagram of the stack, top to bottom: BitLocker™ and the TPM Admin Tools sit on the TPM WMI Provider; Third Party Applications sit on a TSS*. Both paths go through TPM Base Services, then the TPM Driver, then the Trusted Platform Module (TPM) itself. BitLocker™ is shown under Windows Vista Enterprise and Ultimate; the TPM services layers are shown under Windows Vista, all SKUs.)

*TCG Software Stack

Page 7: Win7Security sub presentation

What Is A Trusted Platform Module (TPM)?

Smartcard-like module on the motherboard

Protects secrets

Performs cryptographic functions

RSA, SHA-1, RNG

Meets encryption export requirements

Can create, store and manage keys

Provides a unique Endorsement Key (EK)

Provides a unique Storage Root Key (SRK)

Performs digital signature operations

Holds Platform Measurements (hashes)

Anchors chain of trust for keys and credentials

Protects itself against attacks

TPM 1.2 spec: www.trustedcomputinggroup.org

Page 8: Win7Security sub presentation

Why Use A TPM?

Trusted Platforms use Roots-of-Trust

A TPM is an implementation of a Root-of-Trust

A hardware Root-of-Trust has distinct advantages

Software can be hacked by Software

Difficult to root trust in software that has to validate itself

Hardware can be made to be robust against attacks

Certified to be tamper resistant

Hardware and software combined can protect root secrets better than software alone

A TPM can ensure that keys and secrets are only available for use when the environment is appropriate

Many specific hardware and software configurations

Page 9: Win7Security sub presentation

BitLocker™ Drive Encryption Architecture

Static Root of Trust Measurement of boot components

(Diagram of the boot chain, left to right: TPM Init → BIOS → MBR → Boot Sector → Boot Block → Boot Manager → OS Loader → Start OS. The stages through the OS Loader form the Pre-OS region and are measured into the TPM; the OS itself is the Static OS region. When the measurements match, all boot blobs are unlocked and then the volume blob of the target OS is unlocked.)

Page 10: Win7Security sub presentation

Disk Layout And Key Storage

OS Volume Contains:

Encrypted OS

Encrypted Page File

Encrypted Temp Files

Encrypted Data

Encrypted Hibernation File

System Volume Contains:

MBR, Boot manager, Boot Utilities

(Unencrypted, small)

Where's the Encryption Key?

1. SRK (Storage Root Key) contained in TPM

2. SRK encrypts FVEK (Full Volume Encryption Key), protected by TPM/PIN/USB Storage Device

3. FVEK stored (encrypted by SRK) on hard drive in the OS Volume
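The two slides above (the measured boot chain and "Where's the Encryption Key?") describe one mechanism: every pre-OS component is hashed into a TPM Platform Configuration Register before it runs, and the volume key is wrapped so that it can only be unwrapped when the registers hold the expected values. The model below is an added example, not code from this deck or from Microsoft. It uses only the Python standard library and keeps the TPM 1.2 `extend` rule (SHA-1 of the old register value concatenated with the new measurement digest) but replaces the TPM's RSA-based sealing under the SRK with an HMAC-derived wrapping key, which is an assumption made for readability. The boot component blobs, the SRK value, the FVEK and the PIN are all constructed, and the function names are the example's own. It follows the slide's two-level description (SRK wraps FVEK); shipped BitLocker inserts a Volume Master Key between the TPM-sealed key and the FVEK, which does not change the point shown here. The scenarios cover the "TPM only" and "TPM + PIN" modes from the deck and the recovery trigger it lists later (a modified MBR), plus one the deck implies: measuring the same components in a different order yields a different PCR value.

```python
"""Model of BitLocker's TPM-backed key release: boot components are measured
into a PCR, and the volume key is released only if the measurements match.
Constructed illustration with stdlib only. It is NOT the TPM 1.2 wire
protocol (real sealing is RSA under the SRK) and NOT BitLocker's on-disk format."""
import hashlib
import hmac
import os

# TPM 1.2 measurements are SHA-1 (slide: "RSA, SHA-1, RNG"); PCRs start zeroed.
PCR_INIT = bytes(20)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR <- SHA-1(PCR || SHA-1(measurement)). One-way and order-sensitive,
    so no later stage can roll the register back to an earlier value."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Static root of trust: each pre-OS component is measured into the PCR
    before control passes to it (BIOS -> MBR -> boot sector -> boot manager -> OS loader)."""
    pcr = PCR_INIT
    for _name, blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def _wrap_key(srk: bytes, pcr: bytes, pin) -> bytes:
    """Derive the wrapping key from the SRK (never leaves the TPM), the PCR value
    and, for 'TPM + PIN' mode, the PIN. pin=None models 'TPM only'. (Assumption:
    HMAC derivation stands in for the TPM's RSA sealing.)"""
    pin_digest = hashlib.sha256(pin.encode()).digest() if pin is not None else b""
    return hmac.new(srk, b"seal" + pcr + pin_digest, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC in counter mode; enough for a model, not a production cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(srk: bytes, expected_pcr: bytes, fvek: bytes, pin=None, nonce=None) -> dict:
    """Wrap the FVEK so it only unwraps if the platform later boots into the same PCR
    value (and the same PIN is supplied). The blob is what lives on the OS volume."""
    nonce = nonce or os.urandom(16)
    key = _wrap_key(srk, expected_pcr, pin)
    ct = bytes(a ^ b for a, b in zip(fvek, _keystream(key, nonce, len(fvek))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unseal(srk: bytes, blob: dict, current_pcr: bytes, pin=None):
    """Release the FVEK only if the current PCR (and PIN) reproduce the wrapping key.
    Returns None otherwise: that is the case that drops BitLocker into recovery."""
    key = _wrap_key(srk, current_pcr, pin)
    tag = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))


# Constructed stand-ins for the real boot binaries, in the order the slide draws them.
GOOD_CHAIN = [("BIOS/CRTM", b"bios-v1.00"), ("MBR", b"mbr:points-to-bootmgr"),
              ("BootSector", b"bootsect"), ("BootManager", b"bootmgr"), ("OSLoader", b"winload")]
SRK = hashlib.sha256(b"constructed per-TPM secret").digest()   # constructed
FVEK = bytes(range(32))                                        # constructed


def scenario() -> dict:
    """Run the deck's cases and report which ones release the key."""
    expected = measure_boot(GOOD_CHAIN)
    blob = seal(SRK, expected, FVEK)                       # TPM only
    blob_pin = seal(SRK, expected, FVEK, pin="482913")     # TPM + PIN
    # A bootkit that rewrites the MBR changes that measurement and every later PCR value.
    bad_mbr = [(n, b"mbr:evil" if n == "MBR" else b) for n, b in GOOD_CHAIN]
    return {
        "normal_boot": unseal(SRK, blob, measure_boot(GOOD_CHAIN)),
        "tampered_mbr": unseal(SRK, blob, measure_boot(bad_mbr)),
        "reordered_chain": unseal(SRK, blob, measure_boot(list(reversed(GOOD_CHAIN)))),
        "pin_correct": unseal(SRK, blob_pin, measure_boot(GOOD_CHAIN), pin="482913"),
        "pin_wrong": unseal(SRK, blob_pin, measure_boot(GOOD_CHAIN), pin="000000"),
        "pin_missing": unseal(SRK, blob_pin, measure_boot(GOOD_CHAIN)),
    }


if __name__ == "__main__":
    for name, key in scenario().items():
        print(f"{name:16s} -> {'FVEK released' if key == FVEK else 'locked (recovery needed)'}")
```

Only `normal_boot` and `pin_correct` release the key. Note that the "Dictionary Attack Against PIN" threat on a later slide applies to the PIN path here: this model has no anti-hammering, so the TPM's lockout counter is what makes the `pin_wrong` case safe in practice.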

Page 11: Win7Security sub presentation

Information Protection Threats

Internal threats are just as prevalent as external threats

Intentional – Data intentionally compromised

Insider access to unauthorized data

Offline attack on lost/stolen laptop

Accidental – Loss due to carelessness

System disposal or repurposing without data wipe

System physically lost in transit

Targeted – Thief steals asset based on value of data

Theft of branch office server (high value and volume of data)

Theft of executive or government laptop

Direct attacks with specialized hardware

Page 12: Win7Security sub presentation

Spectrum of Protection

BitLocker™ offers a spectrum of protection, allowing an organization to customize according to its own needs

TPM Only – "What it is"
Protects Against: Most SW attacks
Vulnerable To: Hardware attacks
User Must: N/A (no user impact)

TPM + PIN – "What it is + what you know"
Protects Against: Many HW attacks
Vulnerable To: Hardware attacks
User Must: Enter PIN to boot

USB Only – "What you have"
Protects Against: HW attacks
Vulnerable To: Stolen USB key; no boot validation
User Must: Protect USB key

TPM + USB – "What it is + what you have"
Protects Against: HW attacks
Vulnerable To: Stolen USB key
User Must: Protect USB key

(The four modes are laid out along an Ease of Deployment axis.)

Page 13: Win7Security sub presentation

BitLocker™ Interface

Microsoft System Integrity Team

Page 14: Win7Security sub presentation

BitLocker™ Recovery Scenarios

Lost/Forgotten Authentication Methods

Lost USB key, user forgets PIN

Upgrade to Core Files

Unanticipated change to pre-OS files (BIOS upgrade, etc…)

Broken Hardware

Hard drive moved to a new system

Deliberate Attack

Modified or missing pre-OS files (Hacked BIOS, MBR, etc…)

Page 15: Win7Security sub presentation

BitLocker™ Recovery Methods

Recommended method for domain-joined machines

Automate key backups through BitLocker™ Setup

Configure group policy to store keys in Active Directory

Provides centralized storage and management of keys

Recommended methods for non-domain-joined machines

Back up to a USB flash device

Back up to a web-based key storage service

"Windows Ultimate Extras" – Provides a free key storage service for home users or unmanaged environments

Potential OEM or 3rd-party service for key storage

Back up to a file

Print or record to physical media

Page 16: Win7Security sub presentation

Platform Threats And Mitigations

BIOS Modification

THREAT – Lost Core Root of Trust for Measurement

MITIGATION – Secure CRTM Update

MITIGATION – Provide extra protection with PIN or USB

Physical Memory

THREAT – Key exposure in physical memory

MITIGATION – Memory Overwrite on Reset

MITIGATION – Provide extra protection with PIN or USB

Dictionary Attack Against PIN

THREAT – Key exposure

MITIGATION – Anti-hammering countermeasures

End Users

THREAT – Unsafe practices (PIN nearby, USB in laptop case)

MITIGATION – User education, corporate security policy

Page 17: Win7Security sub presentation

Building BitLocker™ Systems

Windows Vista Logo Program

Performance, quality, and feature metrics that help consumers understand and seek out the best computing experience that Windows Vista has to offer

http://www.microsoft.com/whdc/winlogo/hwrequirements.mspx

Trusted Platform Module – SYSFUND-0030

TPM Main Specification, Version 1.2 (or later)

Memory Mapped I/O, Locality 0

https://www.trustedcomputinggroup.org/specs/TPM

TPM PC Client Interface Specification, Version 1.2 (or later)

https://www.trustedcomputinggroup.org/specs/PCClient

BIOS – SYSFUND-0031

TCG BIOS Specification

Physical Presence Interface Specification

Memory Overwrite on Reset Specification

Immutable CRTM or Secure Update

https://www.trustedcomputinggroup.org/specs/PCClient

Page 18: Win7Security sub presentation

Building BitLocker™ Systems

Hard Disk – SYSFUND-0032

BitLocker™ requires at least two partitions

System partition ("Active", NTFS, minimum 1.5GB)

OS must be installed on separate partition

OS and other partition(s) can be of any size

USB – SYSFUND-0069-0070

System boot from USB 1.x and 2.x

USB read/write in pre-OS environment

FAT16, FAT32, or NTFS file system

E-mail for BitLocker™ and TPM Admin BIOS and Platform Requirements, and for more information: bdeinfo @ microsoft.com

Page 19: Win7Security sub presentation

Enterprise Customer Needs

Remote Deployment Considerations

Think through large-scale deployment of BitLocker™

Provide solutions for remote initialization of TPMs

Provide a secure BIOS update mechanism

Support Encrypted Volumes in Recovery Environment

Include WinRE scripting components

Ship Systems with an Endorsement Key (EK)

EK generation in the field is time consuming

Industry security best practice

TCG Guidelines

Page 20: Win7Security sub presentation

Call To Action

Build BitLocker™-ready Systems

TPM v1.2 – Consider the deployment experience, make it easy

BIOS – Don't ship systems without secure CRTM/BIOS update!

Hard Disk – Ship your platforms with two or more partitions

USB – Verify read/write/boot from USB in pre-OS environment

Consider Enterprise Customer Needs

Provide ability to initialize TPM remotely

Ship with Endorsement Key (EK)

Test Your Platforms!

Test with latest Windows Vista releases

WDK test suite: http://www.microsoft.com/whdc/driver/WDK/aboutWDK.mspx

Work with us to get your reference platforms tested! E-mail for more information: bdeinfo @ microsoft.com

Page 21: Win7Security sub presentation

Additional Resources

Web Resources

Specs and Whitepapers: http://www.microsoft.com/whdc/system/platform/hwsecurity/default.mspx

Windows Logo Program Testing: http://www.microsoft.com/whdc/GetStart/testing.mspx

TCG: http://www.trustedcomputinggroup.org

Related Sessions

Enterprise and Server Use of Microsoft BitLocker™ Drive Encryption (CPA027)

Windows Vista and Windows Server Longhorn Security Platform Enhancements (CPA127)

BitLocker™ Questions or Ideas

BitLocker™ Blog: http://blogs.msdn.com/si_team/default.aspx

bdeinfo @ microsoft.com


Page 23: Win7Security sub presentation

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
