SANS Session 2.1

The first session of the second day at the SANS Secure Storage and Encryption Summit was presented by Jason Fossen. Jason teaches the Securing Windows Track at many SANS conferences. Today he is speaking on Vista Bitlocker as well as EFS.
I missed the first 5 or 10 minutes thanks to DC area traffic. I’m kind of angry about that, but what are you going to do. It took me 15 minutes longer on Thursday than on Wednesday to get there.
With EFS you can encrypt anything that is not in the Windows folder and does not have the system attribute set.
The ultimate strength of the encryption is in the password complexity.
EFS is NTFS only.
The problem you get into is that you are relying on the users to select folders for encryption and to put sensitive data in those folders. Also, EFS is for folders only. You would need a separate solution for email and for all your electronic toys.
With Bitlocker and EFS in Vista you’d have to have a compelling case for purchasing the third-party whole disk encryption programs (assuming you’re a Windows shop that is upgrading to Vista anyway). The main argument for third party is the USB fobs and phones.
Doesn’t EFS have horrendous vulnerabilities?
– By default the local admin in Windows 2000 was the recovery agent. This was listed in the help file. There were ways to deal with that. After the uproar, that was no longer the default in XP, but in many minds the damage was done.
– You should always encrypt at the folder level to avoid an issue.
– The swapfile and hibernate file are issues that should be considered.
What about commercial EFS crackers?
They require the password to work.
Bitlocker – the system must be partitioned into 2 volumes, boot and OS. Only the OS volume can be encrypted in Vista. In Longhorn (server), any non-boot volume can be encrypted.
Bitlocker provides verification of the integrity of the boot-up files, which can help prevent rootkits and other malware. Note that you need a TPM for this feature.
Bitlocker provides sector level encryption of the entire hard drive.
Steps to enable TPM
1. Verify your BIOS supports TPM 1.2 (make sure you have the latest BIOS)
2. Enable TPM in BIOS
3. Turn on TPM in Windows (tpm.msc)
4. Initialize the TPM with an owner’s password.
There are options that involve still using a USB token containing a key in combination with the TPM to provide multi-factor authentication. It seems to me the USB is likely to be left in the laptop bag, so why bother. It’s nice to have that level of security available where necessary.
There is a script manage-bde.wsf to manage TPM and bitlocker from the command line.
It takes about 1 minute per GB when enabling bitlocker. You can reboot! You are able to work while it’s performing its initial encryption.
**Gotcha**: if you don’t disable bitlocker during a BIOS update it will freak out. So you can temporarily disable it while updating the BIOS or boot files.
So what if the TPM is pooched, how do you get your data? There is a 48-digit recovery password. This is stored in the computer account in Active Directory. You should require in Group Policy that this recovery password be stored before bitlocker can be enabled.
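Since the whole recovery story hinges on that 48-digit password being escrowed correctly, it is worth being able to sanity-check one before trusting it. The following is an added example, not code from the session or from Microsoft: it validates the documented format of a BitLocker recovery password (8 groups of 6 digits, each group a 16-bit word times 11, so divisible by 11 and below 720896) and unpacks it into the 16 bytes of key material it encodes. The sample password is constructed from the byte sequence 0x00..0x0F, not a real key.

```python
import re

GROUPS = 8
GROUP_DIGITS = 6
MAX_GROUP = 65536 * 11  # 720896: a 16-bit word times 11 must stay below this


def parse_recovery_password(text: str) -> bytes:
    """Validate a 48-digit BitLocker recovery password and return the
    128-bit (16-byte) key material it encodes.

    Each 6-digit group is a 16-bit word multiplied by 11, which is why a
    mistyped digit is caught by the mod-11 check. The words are packed
    little-endian. Raises ValueError on any malformed input.
    """
    digits = re.sub(r"[\s-]", "", text)  # tolerate dashes and whitespace
    if not (digits.isdigit() and len(digits) == GROUPS * GROUP_DIGITS):
        raise ValueError("expected 48 decimal digits in 8 groups of 6")
    key = bytearray()
    for i in range(GROUPS):
        group = int(digits[i * GROUP_DIGITS:(i + 1) * GROUP_DIGITS])
        if group % 11 != 0:
            raise ValueError(f"group {i + 1} fails the mod-11 check digit")
        if group >= MAX_GROUP:
            raise ValueError(f"group {i + 1} is out of range")
        key += (group // 11).to_bytes(2, "little")
    return bytes(key)


def is_valid_recovery_password(text: str) -> bool:
    """True if the text parses as a well-formed recovery password."""
    try:
        parse_recovery_password(text)
        return True
    except ValueError:
        return False


def format_recovery_password(key: bytes) -> str:
    """Inverse of parse_recovery_password: 16 bytes -> 48-digit password."""
    if len(key) != 16:
        raise ValueError("key must be 16 bytes")
    words = (int.from_bytes(key[2 * i:2 * i + 2], "little") for i in range(GROUPS))
    return "-".join(f"{word * 11:06d}" for word in words)


# Constructed sample: key bytes 0x00..0x0F, so the first group is 0x0100 * 11 = 2816
SAMPLE_KEY = bytes(range(16))
SAMPLE_PASSWORD = format_recovery_password(SAMPLE_KEY)
```

A single wrong digit breaks the mod-11 property of its group, so an escrowed password that fails this check was mistyped or corrupted and will not recover the volume.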
Best Practices:
– Make sure your new hardware supports TPM 1.2.
– It may save time to have the hardware vendor partition with two partitions.
– Enforce a strong passphrase policy.
– Use 128-bit AES. 512-bit is overkill for most.
Bitlocker doesn’t replace EFS; it enhances it.
Q – Can bitlocker use third party certs?
A – No, it doesn’t use certs per se.
Q – Is a schema mod required for bitlocker?
A – Yes, and not only that, you must be running Windows 2003 SP1 domain controllers with the schema mod.
Q – Forensics?
A – Well, if you left the door open for forensics, the bad guy could look at the files too. With all these whole-disk encryption products, you pretty much need to decrypt the disk to use EnCase.
Q – Can malware disable bitlocker? You mentioned a script to enable/disable it.
A – If you’re running as admin and malware gets installed, sure. But then you’ve got a bad enough problem already if malware is running as admin. Why are you running as admin?