It was about time: I needed to reinstall Vista on my Toshiba M7 now that all the drivers and applets were RTM. In fact they have been for a while now, but I never got around to it until today. In rebuilding this install I decided to go all out on the security front. Part of the reason was to test out the security settings I'll be showing you in an upcoming webcast series in a production setting, and the other part was so I can sleep easier on the plane knowing my data is safe. So what did I do?
- BitLocker with 256-bit AES encryption with Diffuser
- TPM + PIN for BitLocker key security
- Overwrite memory on shutdown
- Prevent installation of devices but allow for admin override
- Run as a standard user account
I decided to go overboard on the BitLocker encryption type just because I can, but if you want to find out more about the BitLocker drive encryption algorithm, check out the whitepaper. TPM + Key is the most secure of the four options, but with my tendency to forget or lose USB keys I figured TPM + PIN would suit me better. I'd either leave the USB key in the notebook bag, which would defeat the purpose, or I'd forget it and end up on the road for a week with an unusable notebook. Overwrite memory on shutdown is a default setting, but I left it in place. The information to decrypt your BitLockered drive is stored in memory during system operation, and it is possible to snatch that if the attacker can reboot into an alternate OS and dump the memory contents. By leaving this enabled, the memory is overwritten and this is no longer possible.
Finally, I decided to keep running as a standard user, as I have had very few UAC prompts once the system is set up. The last step I took was to prevent installation of devices, but because we often get new hardware and beg/borrow when we are in a bind, I did allow admin override, which gives me a UAC prompt when I install a device (i.e., insert a USB device the first time).
All things said, it is pretty locked down, but there are some caveats to be aware of! First off, 256-bit AES encryption does add about 2-3% CPU overhead, but I haven't really noticed. We will see as time goes by and I become impatient. Also, overwriting memory on shutdown does cause the PC to take longer to shut down/reboot. It took me about an extra 15 minutes to configure, not including the time to encrypt the volume; however, encryption takes place in the background and you can even reboot during the process without issue.
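
One way to check that a machine still matches the settings listed above is to audit the policy registry values behind them. The following is an added example, not part of the original post: it parses text in the style of `reg query` output and compares it with a baseline. The registry value names and data used here (`EncryptionMethod`, `UseAdvancedStartup`, `UsePIN`, `MorBehavior`, `DenyUnspecified`, `AllowAdminInstall`) are assumptions about what the Vista-era policies write and should be confirmed against the Group Policy reference for your OS version; the sample input is constructed.

```python
import re

# Constructed sample in the style of `reg query <key>` output (not from a real machine).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
    EncryptionMethod    REG_DWORD    0x2
    UseAdvancedStartup    REG_DWORD    0x1
    UsePIN    REG_DWORD    0x1
    MorBehavior    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions
    DenyUnspecified    REG_DWORD    0x1
    AllowAdminInstall    REG_DWORD    0x1
"""

FVE = r"SOFTWARE\Policies\Microsoft\FVE"
DEV = r"SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions"

# Assumed value names/data; verify against your OS's policy reference.
# (key, value name, expected DWORD, OK if absent, meaning)
BASELINE = [
    (FVE, "EncryptionMethod", 2, False, "AES 256-bit with Diffuser"),
    (FVE, "UseAdvancedStartup", 1, False, "advanced startup options enabled"),
    (FVE, "UsePIN", 1, False, "startup PIN required with TPM"),
    (FVE, "MorBehavior", 0, True, "memory overwritten on restart (default)"),
    (DEV, "DenyUnspecified", 1, False, "device installation blocked by default"),
    (DEV, "AllowAdminInstall", 1, False, "administrators may override the block"),
]

def parse_reg_query(text):
    """Return {key path without hive: {value name: int}} for REG_DWORD values."""
    policy, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = policy.setdefault(line.strip().split("\\", 1)[1].lower(), {})
        elif current is not None:
            m = re.match(r"\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return policy

def audit(text):
    """Return [(value name, meaning)] for every baseline setting that is not met."""
    policy, failures = parse_reg_query(text), []
    for key, name, want, absent_ok, meaning in BASELINE:
        got = policy.get(key.lower(), {}).get(name.lower())
        if got != want and not (got is None and absent_ok):
            failures.append((name, meaning))
    return failures
```

`audit(SAMPLE)` returns an empty list; a missing `MorBehavior` value is accepted because overwrite is the default, while a value of 1 (overwrite prevented) is reported.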