Microsoft (Data Protection Solutions)


    1. A Critical Analysis of Microsoft Data Protection Solutions
    2. Agenda
       - Introduction
       - BitLocker Drive Encryption (BDE)
       - Encrypting File System (EFS)
       - Rights Management Services (RMS)
       - Conclusion
    4. Key Technologies (Windows Server 2008 feature map; the slide arranges these under the headings Security, Reliability, Performance, Application Platform, Operations Infrastructure and Investment in the Fundamentals)
       - Service Hardening, Windows Advanced Firewall, BitLocker Drive Encryption, Server Core, Dynamic Partitioning, Next Generation TCP/IP, 64x64-bit Cores, Centralized Role Management, Failover Clustering, Windows Virtualization, Network Access Protection, Terminal Services, AD Read Only Domain Controllers, Windows PowerShell, IIS 7, .NET Framework 3.0, Resource Management, Federated Identity
    6. BitLocker Drive Encryption
       - Designed specifically to help prevent a thief who boots another operating system or runs a hacking tool from breaking Windows file and system protections
       - Helps provide data protection on your Windows client systems, even when the system is in unauthorized hands or is running a different or exploiting operating system
       - Can use a v1.2 Trusted Platform Module (TPM) or a USB flash drive for key storage
       - HP provides TPM 1.2 in
         - Notebooks: 2400, 4400, 6400, 8400 Series
         - Desktops: dc7700, dx5xxx
       - In all Windows Server 2008 (Longhorn) versions
       - Only on Windows Vista Enterprise and Vista Ultimate editions
    7. BDE is an option
    8. BitLocker features overview
       - BitLocker Drive Encryption (BDE)
         - Prevents bypass of the Windows boot process
         - Ensures boot process integrity (Secure Startup)
           - Protects the system from offline software-based attacks
         - Protects data while the system is offline
           - Encrypts the entire Windows volume, including user data and system files, the hibernation file, the page file and temporary files
         - Eases equipment recycling
       - Pre-OS multi-factor authentication
         - Dongle, BIOS, and TPM-backed SW identity
       - TPM Base Services (TBS)
         - Windows and 3rd-party SW access to the TPM
    9. What is a Trusted Platform Module (TPM)?
       - Smartcard-like module on the motherboard that:
       - Helps protect secrets
       - Performs cryptographic functions
         - RSA, SHA-1, RNG
         - Meets encryption export requirements
       - Can create, store and manage keys
         - Provides a unique Endorsement Key (EK)
         - Provides a unique Storage Root Key (SRK)
       - Performs digital signature operations
       - Holds platform measurements (hashes)
       - Anchors the chain of trust for keys and credentials
       - Protects itself against attacks
       TPM 1.2 spec:
    10. BDE disk layout and key storage
       - System volume contains: MBR, loader, boot utilities (unencrypted, small)
       - OS volume contains:
         - Encrypted OS
         - Encrypted page file
         - Encrypted temp files
         - Encrypted data
         - Encrypted hibernation file
       - Where's the encryption key?
         - SRK (Storage Root Key) contained in the TPM
         - SRK encrypts the FVEK (Full Volume Encryption Key), protected by TPM / PIN / USB storage device
         - FVEK stored (encrypted by the SRK) on the hard drive in the system volume
       (Diagram: SRK in the TPM; PIN and USB-hosted key as additional protectors; FVEK unlocking the OS volume)
    11. BDE: available authenticators
       - Default: Trusted Platform Module (TPM)
       - TPM + USB startup key [1]
       - TPM + PIN
       - USB startup key [1] [2] [3]
       - USB recovery key [3] [4]
       - Numeric (text) recovery password [4]
       - Windows Server 2008: TPM + USB + PIN
       [1] A startup key with a TPM is different than one without a TPM
       [2] Used only on non-TPM computers
       [3] A non-TPM startup key and a recovery key are the exact same thing
       [4] Not used routinely, for recovery only
       (Diagram: TPM, TPM+USB, TPM+PIN, TPM+USB+PIN, USB key (recovery or non-TPM), and the 48-digit recovery password shown as 123456-789012-345678-...)
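Added example, not from the deck: a format check for the 48-digit numeric recovery password listed above. Each six-digit group is one 16-bit word of the 128-bit recovery key multiplied by 11, so a well-formed group is a multiple of 11 and below 720896; a mistyped digit almost always breaks that rule, which is what lets a recovery prompt or an AD escrow audit reject typos before any key is tried. The sample passwords are constructed.

```python
import re
from typing import List, Optional

# Added example, not from the deck.  A BitLocker numeric recovery password is
# 48 decimal digits in eight groups of six.  Each group is one 16-bit word of
# the 128-bit recovery key multiplied by 11, so a well-formed group is a
# multiple of 11 and below 65536 * 11 = 720896.

GROUP_MAX = 65536 * 11  # 720896
SIX_DIGITS = re.compile(r"^\d{6}$")


def parse_recovery_password(text: str) -> Optional[List[int]]:
    """Return the eight 16-bit words, or None if the text is not well-formed."""
    groups = re.split(r"[-\s]+", text.strip())
    if len(groups) != 8:
        return None
    words = []
    for group in groups:
        if not SIX_DIGITS.match(group):
            return None
        value = int(group)
        # Divisibility by 11 is the built-in typo check; the upper bound keeps
        # the word inside 16 bits.
        if value % 11 != 0 or value >= GROUP_MAX:
            return None
        words.append(value // 11)
    return words


def is_valid_recovery_password(text: str) -> bool:
    return parse_recovery_password(text) is not None


# Constructed samples.  GOOD encodes the words 12345, 54321, 4096, 65535, 1,
# 777, 30000 and 9999; TYPO swaps two digits in the first group.
GOOD = "135795-597531-045056-720885-000011-008547-330000-109989"
TYPO = "135759-597531-045056-720885-000011-008547-330000-109989"

if __name__ == "__main__":
    print(parse_recovery_password(GOOD), is_valid_recovery_password(TYPO))
```

The placeholder 123456-789012-345678-... on the slide fails the check as well, since 123456 is not a multiple of 11.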
    12. BDE architecture: static root of trust measurement of early boot components
    13. Enabling BitLocker
       - Create a 1.5GB active partition
         - This becomes your "system" partition, where the OS boots
           - The TPM boot manager uses only 50MB
         - Windows runs from your "boot" partition, where the system lives
       - Enable the TPM chip (via the system BIOS)
       - Enable BitLocker in Security Center
         - Update the hard disk MBR
         - Encrypt the Windows "boot" partition
           - Generate symmetric encryption key
           - Store key in TPM
           - Encryption begins after reboot
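Added example, not Microsoft's code: a simplified Python model of slides 10, 12 and 13. Early boot components are measured into a TPM-style PCR with SHA-1 extend, the volume key is sealed to that PCR value under a secret standing in for the SRK, and unsealing is refused when a boot component has changed, which is the situation in which BitLocker falls back to the recovery password. HMAC and XOR stand in for the TPM's sealing and the volume's AES; the SRK value and boot component strings are constructed.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Simplified model (added example, not Microsoft's code).  A TPM 1.2 PCR is
# extended with SHA-1 over each early-boot component; a secret sealed to the
# resulting PCR value can only be unsealed when the same components boot
# again.  Real BitLocker seals the key through the TPM's SRK and encrypts the
# volume with AES; HMAC and XOR stand in for both here.


def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || SHA-1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components: List[bytes]) -> bytes:
    """Measure MBR, boot sector, boot manager ... into one PCR, in order."""
    pcr = bytes(20)  # PCRs are zero at power-on
    for component in components:
        pcr = extend_pcr(pcr, component)
    return pcr


def seal(srk_secret: bytes, pcr: bytes, fvek: bytes) -> bytes:
    """Bind fvek to a PCR value under the (TPM-resident) SRK secret."""
    wrap = hmac.new(srk_secret, pcr, hashlib.sha256).digest()[:len(fvek)]
    blob = bytes(a ^ b for a, b in zip(fvek, wrap))
    tag = hmac.new(wrap, blob, hashlib.sha256).digest()
    return blob + tag


def unseal(srk_secret: bytes, pcr: bytes, sealed: bytes) -> Optional[bytes]:
    """Return fvek only if the current PCR matches the one sealed against."""
    blob, tag = sealed[:-32], sealed[-32:]
    wrap = hmac.new(srk_secret, pcr, hashlib.sha256).digest()[:len(blob)]
    expected = hmac.new(wrap, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # measurements differ: TPM refuses, BitLocker asks for recovery
    return bytes(a ^ b for a, b in zip(blob, wrap))


# Constructed stand-ins for the early boot components BitLocker measures.
GOOD_BOOT = [b"MBR", b"NTFS boot sector", b"bootmgr"]
TAMPERED_BOOT = [b"MBR (patched)", b"NTFS boot sector", b"bootmgr"]


def demo() -> tuple:
    """(unseal succeeds on the measured boot, unseal refused after tampering)."""
    srk = b"\x01" * 32      # constructed; the real SRK never leaves the TPM
    fvek = os.urandom(16)   # 128-bit full volume encryption key (AES 128)
    sealed = seal(srk, measure_boot(GOOD_BOOT), fvek)
    ok = unseal(srk, measure_boot(GOOD_BOOT), sealed) == fvek
    refused = unseal(srk, measure_boot(TAMPERED_BOOT), sealed) is None
    return ok, refused


if __name__ == "__main__":
    print(demo())
```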
    14. BDE passwords and PINs...
       - BIOS password
         - Required to enable the TPM in BIOS
       - Owner password
         - After TPM initialization
         - Required for disabling the TPM, clearing the TPM, recycling
         - In a domain: hash stored in the AD computer object
       - Administrator password
         - Required for enabling BDE
       - BDE PIN (optional)
         - Required for accessing the encrypted BDE volume
       - Recovery password
         - Can also be on a USB token
         - In a domain: can be stored in the AD computer object
         - Required for recovering BDE data after PIN loss, TPM errors, boot file modification
    15. BDE recovery options
       - Based on GPO:
         - BitLocker setup can automatically escrow recovery keys and owner passwords into AD
         - Setup may also try to back up keys and passwords onto a USB dongle or to a file location
           - Default for non-domain-joined users (e.g., Ultimate SKU)
           - Working with third parties for web service-based key escrow
       - Recovery password known by the user/administrator
         - Recovery can occur "in the field"
         - Windows operation can continue as normal
    16. How about Embedded Security for HP ProtectTools? Supported applications:
       - Secures cryptographic keys:
         - Microsoft Encrypting File System
         - Personal Secure Drive
         - S/MIME
         - Any CAPI or PKCS#11 based application
       - Two-factor authentication
         - 802.1x EAP-TLS based
       - Enhanced SecurID
         - Protects access to the SecurID seed
       - HP ProtectTools Credential Manager access
         - Client-side credential caching SSO
       - User pre-boot authentication
       - DriveLock
         - DriveLock password secured using the TPM
       - Available on TPM 1.1 and 1.2
    17. But... there's more than technology... (slide image captions: "54321 TO SILENCE ALARM", "REPEAT CODE TO RESET")
    19. EFS investments
       - Smartcards provide strong protection for laptop and shared workstation scenarios
       - Client-side encryption: protection against malicious server administrators
       - Investments in group policy controls on encryption
       - Re-key wizard
       - Key backup notification
    20. EFS with smartcards
       - Smartcards can be too slow to be used for every file access
       - Accelerated mode:
         - Derive a symmetric software key using the private key on the smartcard
         - Use this key to encrypt/decrypt files
         - The symmetric key can only be derived using the smartcard's private key
       (Diagram: in RSA mode the smartcard private key is used directly to encrypt the FEK; in accelerated mode a symmetric AES-256 key is derived from the smartcard private key, cached in the LSA, and used as the software private key to encrypt the FEK)
    21. EFS with remote files: client-side encryption
       - Local EFS encryption (keys and certificates live on the client)
       - Client connects to the remote server share over the SMB protocol
       - No need to enable Trust For Delegation
       - Encrypted file sent to the server file share
    22. EFS Group policy enhancements
    23. EFS Re-Key Wizard
       - Allows users to better manage their EFS certificates and encrypted files
       - Especially useful when switching to smartcard encryption
       - Provides a choice of EFS services
         - Choose a certificate
         - Create a new certificate
         - Back up the certificate
         - Re-encrypt old files with the new certificate
    24. EFS key backup improvements
       - TOP customer pain point (90% of issues reported on newsgroups): data lost due to keys not being backed up
       - Vista key and certificate backup notification
         - Major usability and reliability improvements
         - ON for workgroups, OFF for domains
    26. How does RMS work? (Participants: information author, recipient, RMS server, SQL Server, Active Directory)
       1. Author receives a client licensor certificate (CLC) the first time they rights-protect information
       2. Author defines a set of usage rights and rules for the file; the application creates a "Publishing License" and encrypts the file
       3. Author distributes the file
       4. Recipient clicks the file to open it; the application calls the RMS server, which validates the user and issues a "Use License"
       5. Application renders the file and enforces the rights
    27. AD RMS in Windows Server 2008
       - RMS component is included in the operating system
       - AD RMS is now a Server Role
         - Use Server Manager to install AD RMS
         - Easy server deployment
         - Componentized setup installs dependencies automatically
       - Native x64 support
       - Self-activation
         - No dependency on the external MSN RMS Activation Service to enroll the first RMS root server
    28. Challenges in external collaboration
       - Option 1: Use .NET Passports
         - .NET Passports are not suitable for enterprises
         - In Windows RMS, administrators need to trust the namespace
       - Option 2: Create accounts for partners
         - Adds complexity in the Windows infrastructure
         - Increases operational costs in maintaining external accounts in the internal AD
    29. Challenges in external collaboration (continued)
       - Option 3: Create RMS trusts
         - Partners do not implement RMS
         - Exchange of the RMS public key is a non-secure and manual process
       - Option 4: Use a 3rd-party product
         - Adds costs to the RMS implementation
         - Relies on an external party to host partners' accounts
    30. Solution: AD Federation Service
       - Uses Active Directory Federation Service (ADFS)
         - Requires AD RMS to work with ADFS
       - Establishes trust once
         - Can be re-used for other applications
       - Partners manage their AD accounts
         - No identity lifecycle management
    31. External RMS collaboration via ADFS (Diagram: Contoso and Fabrikam, each with its own AD; federation servers FS-A and FS-R; RMS server behind a WebSSO agent; artifacts RAC, CLC, PL and UL)
       1. Assume the author is already bootstrapped
       2. Author sends protected mail to the recipient at Fabrikam
       3. Recipient contacts the RMS server to get bootstrapped
       4. WebSSO agent intercepts the request
       5. RMS client is redirected to FS-R for home realm discovery
       6. RMS client is redirected to FS-A for authentication
       7. RMS client is redirected back to FS-R for authentication
       8. RMS client makes a request to the RMS server for bootstrapping
       9. WebSSO agent intercepts the request, checks authentication, and sends the request to the RMS server
       10. RMS server returns bootstrapping certificates to the recipient
       11. RMS server returns a use license to the recipient
       12. Recipient accesses the protected content
    32. Exchange 2007 and RMS (Participants: author using Office 2003 / 2007, the recipient, Exchange 2007 Server, SQL Server, Active Directory)
       1. Author sends e-mail through the Exchange 2007 Server
       2. Exchange 2007 Server examines the message properties and determines whether RMS policies should be applied
       3. Exchange 2007 Server makes a request to RMS to apply the policy to the e-mail and obtain a usage license
       4. RMS authenticates the user, creates the usage license, logs the transaction
       5. Recipient synchronizes e-mail with the Exchange 2007 Server; message and usage license delivered to the user
       6. Recipient opens the e-mail; policies enforced
    33. But... there's more than technology... (slide image captions: "All must enter through electronic mantrap", "Fence ends here", sign says "road is for cars only")
    35. Technology comparison

       Feature                          | BDE                                     | EFS                                         | RMS
       Encryption                       | AES 128 (RSA32.LIB)                     | AES 128 (Crypt32.DLL)                       | AES 128 (Crypt32.DLL)
       Data awareness                   | Blocks                                  | Files                                       | App defined; docs/email
       Master key                       | TPM + SW identity, dongle, file         | SW, smart-card                              | Obfuscated SW (lockbox)
       Content key                      | Same as root key                        | Same as root key                            | Server
       Protects what?                   | Windows and data                        | Directories and files                       | Documents (including use)
       Protects who?                    | Machine owner, user                     | Users                                       | Document owners
       Protection                       | Local, removable media                  | Local, removable media, remote              | Remote, removable media
       Who is god?                      | Local admin, net admin                  | Local admin, net admin                      | Document owner, RMS admin
       Supports other security systems? | Yes                                     | Yes (ISVs only)                             | No (RMS is a security platform for applications)
       Data recovery mechanism          | Dongle, file, network; manual key entry | Local or AD based policy                    | RMS server policy
       Killer client scenario           | Lost or stolen laptop                   | Multi-user PC                               | Protected document sharing
       Killer server scenario           | Branch-office server                    | Protect documents on file shares from admin | RMS support in SharePoint and Exchange
       Killer admin scenario            | Just switch it on (also force recovery) | My Documents encrypted by default           | Establish corporate information policy

    36. What feature should I use?
       - Who are you protecting against?
         - Other users or administrators on the machine?
         - Unauthorized users with physical access?
       Some cases can result in overlap (e.g. multi-user roaming laptops with untrusted network admins).

       Scenario                                    | BDE | EFS | RMS
       Laptops                                     |  X  |     |
       Branch office server                        |  X  |     |
       Local single-user file & folder protection  |     |  X  |
       Local multi-user file & folder protection   |     |  X  |
       Remote file & folder protection             |     |  X  |
       Untrusted network admin                     |     |  X  |
       Remote document policy enforcement          |     |     |  X
    37. Overview
       - Introduction
       - BitLocker Drive Encryption (BDE)
       - Encrypting File System (EFS)
       - Rights Management Services (RMS)
       - Conclusion
    38. Questions?
    39. Download the HP Security Handbook!
       - Go to:
    40. More information
       - "Windows Security Fundamentals"
       - Jan De Clercq, Guido Grillenmeier
       - ISBN 1555583407
    41. Thank You
       - Info collected by Vinayak Nandikal
       - Courtesy HP Technology