What is BitLocker?
BitLocker lets you encrypt the hard drive(s) on your Windows 7 and Vista Enterprise, Windows 7 and Vista Ultimate or Windows Server 2008 and R2. BitLocker will not encrypt hard drives for Windows XP, Windows 2000 or Windows 2003. Only Windows 7, Vista and Server 2008 include BitLocker. BitLocker drives can be encrypted with 128 bit or 256 bit encryption, this is plenty strong to protect your data in the event the computer is lost or stolen. BitLocker protects your hard drive from offline attack. This is the type of attack where a malicious user will take the hard drive from your mobile machine and connect it to another machine so they can harvest your data. BitLocker also protects your data if a malicious user boots from an alternate Operating System. With either attack method, BitLocker encrypts the hard drive so that when someone has physical access to the drive, the drive is unreadable. Now if you are a network admin and you need to harvest data from a hard drive when a machine fails, our tools include the functionality to prompt the admin for the recovery key so the hard drive can be accessed. We’ve done a good job at ensuring the data does not end up in the wrong hands, while making it easy for authorized users to access the data in the event of a failure.
What does BitLocker do?
Again, BitLocker encrypts the hard drive(s) to protect the Operating System from offline attacks. Server 2008, 2008 R2, Windows 7 Enterprise, Windows 7 Ultimate, Windows Vista Enterprise, and Windows Vista Ultimate all include BitLocker functionality. Windows 7 Professional and Windows Vista Business Edition and the Home Editions do not include BitLocker. The RTM versions of Vista only allow BitLocker encryption of the C: drive. SP1 for Vista, and Windows 7 include the ability to encrypt all of the hard drives belonging to the Vista and Windows 7 machine. Server 2008 (and R2) include the ability to encrypt all of its attached hard drives as well. BitLocker on a Server 2008 (and R2) server might not make sense for your servers in the Data Center, but using BitLocker on servers in remote offices makes a lot of sense. How many remote offices have their servers in secure Data Centers? They don’t! If you’re lucky, your server sits in a locked closet. If you’re unlucky, it sits under someone’s desk. Deploying BitLocker to these machines makes perfect sense because if those machines are stolen, their data is encrypted and protected from the types of attacks that they would be exposed to. Another piece to protect these remote servers is the Read Only Domain Controller functionality. I won’t go into it here, but it gives you the ability to provide fast logon experiences for your remote users while ensuring that all of the domain credentials are not stored on these remote office servers.
Windows 7 extends BitLocker functionality to removable drives, we call that functionality BitLocker to Go. BitLocker to Go gives you the ability to encrypt your thumb drives and even USB hard drives. You even have the ability to enforce BitLocker to Go via Group Policy, this Group Policy can ensure that users can only store corporate data on encrypted drives.
What does BitLocker not do?
BitLocker does not protect the computers contents while Windows is running. Again, BitLocker is built for offline attacks, once the operating system is up and running. Windows 7 and Vista will protect your data from unauthorized access. When 7 (and Vista) is up and running, unauthorized access can come in the form of:
- A malicious user trying to log onto the local computer. Windows 7 (and Vista) can protect itself by enforcing strict password policy and complexity. Please ensure that if your data is important enough to encrypt, that you also require complex passwords and/or two factor authentication. Two factor authentication takes the simple passwords or easy to guess passwords out of the equation so that they are no longer a risk.
- A malicious user connecting to the computer over the network to harvest data from the local computer. If the user has access to your physical network, the malicious user can try to connect to your machine over the network. Again, strict user permissions on the local machine and on your network as a whole, will prevent malicious users from accessing your network.
Other ways to protect your data:
RMS, EFS, IPSec. I’ll give you more detail in my next post.
Until next time!