May 23rd

Managing your Windows 7 Upgrade: Part I


Many organizations start to think about upgrading to Windows 7 because it adds features they may want to use. That raises questions about integration and the opportunities and challenges it brings. One of those opportunities is Windows BitLocker. Organizations with the Ultimate and Enterprise editions of Windows 7 should be looking at BitLocker. We’ll examine how to think about BitLocker, and how to plan for it and succeed with it as part of your overall strategy. An upgrade is also a good opportunity to look at things like self-encrypting drives. There is a lot of buzz around the removable-media changes in Windows 7, but at the same time you can think about a broader strategy: Windows, removable media, increasingly mobility, and even cloud services. All of these are changing the way enterprise organizations think about data protection.


Let’s cover the highlights of BitLocker. It was included in a number of Vista editions, and I think it’s fair to say that the version now in Windows 7 is definitely an improvement over what was in Vista. It is available on the Ultimate and Enterprise editions of Windows 7 and on Windows Server 2008 and 2008 R2. The default encryption in BitLocker is AES with a 128-bit key, a fairly standard choice.


It operates in three modes: transparent operation mode, user authentication mode, and USB key mode. The mode you choose will affect how you plan your Windows 7 rollout. Transparent operation mode has the lowest impact on your users. The Trusted Platform Module (TPM), a hardware component embedded in the system, provides what’s called a “root of trust.” When the system boots, it checks that no one has tampered with the system while it was powered down; if nothing has changed, the system starts normally with minimal impact on the user. Transparent operation mode may be attractive from an operational perspective and ideal from a security perspective. User authentication mode requires a user PIN in a pre-boot authentication step; the PIN length is one of the policies you set with BitLocker. Typically the PIN is eight digits long, but there is flexibility around that. The third way to add another layer of authentication is USB key mode, in which you have to plug in a USB device in order to boot the system. That is the most intrusive, and I think it’s fair to say that using the TPM in conjunction with user authentication mode is probably the best balance between security and minimizing the impact on users. All of these options have an impact, though: as you increase the security of your BitLocker configuration, you increase the potential impact on the user. You have to keep it up and running and get it configured, and that is something to think about early, because management is going to be one of your challenges.


It has great encryption, period. Good, solid encryption using the AES algorithm, which you can configure with a 128- or 256-bit key, and it secures the volumes it covers. As a full volume encryption solution it encrypts the entire volume; that’s an impact you’ll want to think about. As I mentioned, it is an improvement over the Vista version; the Windows 7 implementation is considerably better. It uses AES-NI processor support, the Intel instructions that accelerate encryption. It also makes use of the TPM, and pretty much all systems these days have a TPM in them. The nice thing about the TPM is that it adds a degree of trust that no one has tampered with the system while it has been off; the system can essentially detect if someone has tried to attack it while offline. That obviously improves security, but it can also have an impact on users if you’re not set up to manage it appropriately. BitLocker also leverages Active Directory on Server 2003 or 2008. If you’re on 2003, you’ll probably require some extensions; in 2008 it’s all built into Active Directory and included in the OS. For many organizations, the primary reason they’re looking at BitLocker is simply that it’s already there. If you’ve got Windows 7, or are moving to the Enterprise or Ultimate editions, BitLocker is already in there, and that is a fairly compelling argument to at least examine it for some users.


BitLocker may, however, not be appropriate for everybody. Security tools are no different from most tools: they are appropriate for some jobs and not for others. Obviously, if you’ve got Windows 7 Enterprise or Ultimate, the sensible thing is to at least look at it. It makes sense for users who do not share systems, because it is a volume encryption approach: the entire volume is unlocked when the system is turned on, and as a result the full volume is available unencrypted. A volume that is unlocked and available for use on a shared system could be a challenge. It is also better suited to users who don’t have highly sensitive information. I say that because, once a full volume is unlocked, everything on it is accessible; if there is highly sensitive information you might want to think about a more granular approach than full volume encryption. Simply put, it may be a fit for some types of users in some environments, but not for others.


Despite the fact that it obviously has very strong encryption, there are some challenges. I’ll be specific about a couple of them because they affect the way you think about using BitLocker. Recovery key management is one of the more significant challenges with BitLocker as it stands. Recovery keys are required with the TPM: if it senses a threat and goes into recovery mode and you don’t have that recovery key available for the user, you have a bunch of users who potentially cannot get into their systems. A system can go into recovery mode for many reasons: if it’s under attack, obviously, but even docking and undocking a laptop can cause it, as can hitting certain function keys during boot. If you accidentally touch the wrong function keys at boot time, that can send the system into recovery mode. It can be sensitive, and if you tinker with the way the TPM is set up it can become incredibly sensitive. Bottom line, you’ve got to think about recovery key management. Also, BitLocker by itself doesn’t provide much of the auditing, logging and reporting you would expect from an enterprise solution, and if you’re using multiple platforms and different types of users you’re not going to have that integration either. You’ll probably have to put something else in place for reporting and auditing.


It’s important to understand recovery keys. The question that comes up most is, “What’s a recovery key? My system won’t boot.” The user is already in a great deal of pain at that point. Recovery keys are what you create in order to be able to tell the TPM that everything is fine. You only need the recovery key occasionally, when the TPM asks for it, but when you need it, you really need it. It’s a 48-digit randomly generated key, and you have to type it in using the function keys. You can do a couple of different things with a recovery key, sometimes called a recovery password; they’re essentially the same thing, depending on how you store them. But you have to make sure they’re available, because if it’s 3:00 a.m. my time and someone on the other side of the world is booting a system that has gone into recovery mode, you want to be able to get them that recovery key so they can unlock their system and keep working.


You have a few choices for storing recovery keys as you create them. You can tell the user to write it down on a piece of paper, but I would not recommend that (if you wish to tell them to do that, you certainly can). You can print it out. You can store it on a USB device, which then becomes a sort of recovery key device you can plug in. Or you can store it natively in Active Directory. That is an attractive choice from a management perspective, but not necessarily a great choice from a security perspective, because it is still stored in plain text. Having the recovery keys in Active Directory, available to anyone with Active Directory administrative rights, is not necessarily a good thing, because it means they can get access to that system. You really have to think about what you can put in place to manage recovery keys and to help mitigate these challenges.


There are some other areas to be aware of with BitLocker. We talked about key management and reporting, but FIPS compliance is something else to consider as you roll it out. If FIPS compliance is important to you, it will affect how you configure BitLocker’s policies: you’d have to set it into FIPS compliance mode. Biometric authentication is not supported. There is support for removable media encryption, but it is not necessarily optimal from a performance and reliability perspective, so you might want to think about another solution. There are a number of choices for layering management on top of BitLocker, and Credant as an organization can help you with that. Microsoft provides a tool called Microsoft BitLocker Administration and Management, or MBAM, which is part of the Microsoft Desktop Optimization Pack. If you’re going to look at BitLocker, you’ll probably end up glancing at MBAM at some point. From an enterprise perspective it’s probably not going to meet all of your needs, and it certainly doesn’t cover all of the problems; for example, it won’t stop a privileged user or administrator from turning BitLocker off on a system if they don’t like it. But again, you’ll want something to help you manage BitLocker as you roll it out, because otherwise you will find significant holes, and it’s better to plan for those earlier rather than later.
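To turn the planning points above (which protector mode a machine is using, whether a recovery password exists and has been escrowed to Active Directory, and whether the FIPS policy flag is set) into something you can actually check, here is an added PowerShell example that is not from the original post or from Credant. It assumes the Win32_EncryptableVolume WMI provider that ships with Windows 7 and the FipsAlgorithmPolicy registry value; the function name and the -BackupToAD switch are the example's own.

```powershell
# Added example, not from the original post: audit BitLocker on a Windows 7 machine via
# the Win32_EncryptableVolume WMI provider and optionally escrow recovery passwords to AD.
$ns = "root\CIMV2\Security\MicrosoftVolumeEncryption"

# GetKeyProtectorType codes, mapped to the three modes described in the post
$protectorNames = @{ 1 = "TPM only (transparent operation mode)"
                     2 = "External key (USB startup key or recovery key file)"
                     3 = "Numerical password (48-digit recovery password)"
                     4 = "TPM + PIN (user authentication mode)"
                     5 = "TPM + startup key (USB key mode)" }
$methodNames = @{ 0 = "None"; 1 = "AES-128 + diffuser"; 2 = "AES-256 + diffuser"
                  3 = "AES-128"; 4 = "AES-256" }

function Get-BitLockerAudit {
    param([switch]$BackupToAD)   # switch name is this example's own
    # FIPS policy flag from the post: with it set, Windows 7 BitLocker will not create
    # recovery passwords, so recovery has to rely on external-key (USB) protectors
    $fipsKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"
    $fips = (Get-ItemProperty $fipsKey -ErrorAction SilentlyContinue).Enabled -eq 1

    foreach ($vol in Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume) {
        $status = $vol.GetProtectionStatus().ProtectionStatus    # 0 = off, 1 = on, 2 = unknown
        $labels = @(); $codes = @(); $recovery = @()
        foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {   # 0 = all types
            $t = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            $codes += $t
            $labels += $(if ($protectorNames.ContainsKey($t)) { $protectorNames[$t] } else { "type $t" })
            if ($t -eq 3) { $recovery += $id }
        }
        # The lockout the post warns about: protection on, but no recovery password or USB key
        $warning = ""; $backup = "not attempted"
        if ($status -eq 1 -and $recovery.Count -eq 0 -and -not ($codes -contains 2)) {
            $warning = "no recovery protector; a TPM recovery event will lock this user out"
        }
        if ($BackupToAD -and $recovery.Count -gt 0) {
            # Escrow to the computer object in AD. As the post notes, anyone who can read that
            # object can unlock the drive, so restrict read access on msFVE-RecoveryInformation.
            $rc = @($recovery | ForEach-Object { $vol.BackupRecoveryInformationToActiveDirectory($_).ReturnValue })
            $backup = if (@($rc | Where-Object { $_ -ne 0 }).Count -eq 0) { "ok" } else { "failed: $($rc -join ',')" }
        }
        New-Object PSObject -Property @{
            Drive = $vol.DriveLetter; Protection = @("Off", "On", "Unknown")[$status]
            Method = $methodNames[[int]$vol.GetEncryptionMethod().EncryptionMethod]
            Protectors = ($labels -join "; "); RecoveryPasswords = $recovery.Count
            FipsPolicy = $fips; ADBackup = $backup; Warning = $warning
        }
    }
}
Get-BitLockerAudit -BackupToAD | Format-List
```

Run it from an elevated prompt on a domain-joined machine; the Warning field is the row to hunt for before a 3:00 a.m. recovery call.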


Okay so that’s enough on BitLocker.  If you want more information, has a wealth of additional information, including whitepapers and datasheets on best practices for managing BitLocker. 

Stay tuned for part two, where we’ll dive into self-encrypting drives.
