Windows Security: Part 6
In my last blog posting I discussed the Encrypting File System (EFS) that is built into every Windows operating system since Windows 2000 and how EFS works. Although EFS is effective as a security control against data security breach-related risks, a major limitation is that it does not provide whole disk encryption, making it susceptible to certain kinds of attacks. A perpetrator who has local access to the same hard drive on which Windows resides can, for example, boot a non-Windows operating system to access EFS-encrypted files and directories or copy the entire encrypted contents of a lost or stolen PC’s hard drive to a completely different computer to view the information in clear text. Windows BitLocker encryption, which is available in Vista (see footnote below) and Windows Server 2008, addresses this limitation nicely by encrypting the entire contents of a Windows volume, thereby protecting all the data therein from a wider variety of attacks.
BitLocker’s functionality does not stop there, however. It works with version 1.2 of the Trusted Platform Module (TPM 1.2) to protect the integrity of a Windows system from being compromised while that system is offline, by performing integrity checks on the initial boot components. Consequently, decryption of information can occur only if: 1) critical system components have ostensibly not been tampered with, and 2) the encrypted drive has stayed within the original system. If BitLocker detects tampering with any system files or information, the system halts the startup process.
Predictably, how BitLocker actually works is a little more complicated. For BitLocker to function to its fullest potential, the following must hold:
- The system must have TPM version 1.2. System integrity checks can nevertheless be performed if this requirement is not met, but the Administrator must save a special startup key, which must be stored on removable media, e.g., a flash drive.
- A system with a TPM must also have a BIOS that is Trusted Computing Group (TCG)-compliant. The BIOS sets up a chain of trust during startup, prior to the operating system boot process; it must support the TCG-specified Static Root of Trust Measurement. If a system does not have a TPM, a TCG-compliant BIOS is unnecessary.
- The system BIOS must support the USB mass storage device class. This includes the ability to read small files stored on a USB flash drive before the operating system boots, regardless of whether the system has a TPM.
- The hard disk must have a minimum of two partitions, with the system (boot) partition holding both the operating system and the files that are needed to load the operating system after the BIOS has initialized the system hardware. BitLocker must not be enabled on this partition, nor can this partition be encrypted through any other means.
- The file system must be NTFS.
- The system drive should have a minimum of 1.5 GB.
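As an added example (not part of the original post), the following PowerShell script checks the prerequisites listed above and reports the BitLocker protection state of the OS volume, using the Win32_Tpm and Win32_EncryptableVolume WMI providers that ship with Vista and Windows Server 2008. It assumes an elevated PowerShell session on a machine where the BitLocker feature is installed.

```powershell
# Added example, not from the original post: BitLocker readiness check via WMI.
# Run from an elevated PowerShell prompt.
$results = New-Object System.Collections.Generic.List[object]
function Add-Check($Name, $Ok, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Ok; Detail = $Detail })
}

# 1. TPM present, spec version 1.2, enabled and activated in the BIOS
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    $spec = ($tpm.SpecVersion -split ',')[0].Trim()   # SpecVersion looks like "1.2, 2, 3"
    Add-Check 'TPM 1.2 present' ($spec -eq '1.2') "SpecVersion=$($tpm.SpecVersion)"
    Add-Check 'TPM enabled'     $tpm.IsEnabled_InitialValue   ''
    Add-Check 'TPM activated'   $tpm.IsActivated_InitialValue ''
} else {
    # BitLocker still works without a TPM, but only with a startup key on USB media
    Add-Check 'TPM 1.2 present' $false 'No TPM found: a USB startup key will be required'
}

# 2. At least two partitions, so the boot files can live on an unencrypted system partition
$parts = @(Get-WmiObject Win32_DiskPartition)
Add-Check 'Two or more partitions' ($parts.Count -ge 2) "$($parts.Count) partition(s) found"

# 3. OS volume is NTFS and has at least 1.5 GB free
$os = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
Add-Check 'OS volume is NTFS' ($os.FileSystem -eq 'NTFS') "FileSystem=$($os.FileSystem)"
$freeGB = [math]::Round($os.FreeSpace / 1GB, 2)
Add-Check 'OS volume has >= 1.5 GB free' ($freeGB -ge 1.5) "$freeGB GB free"

# 4. Current BitLocker state of the OS volume (ProtectionStatus: 0 = off, 1 = on, 2 = unknown)
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
       -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'" -ErrorAction SilentlyContinue
if ($vol) {
    $conv = $vol.GetConversionStatus()   # returns ConversionStatus and EncryptionPercentage
    Add-Check 'OS volume BitLocker-protected' ($vol.ProtectionStatus -eq 1) `
        "ProtectionStatus=$($vol.ProtectionStatus), $($conv.EncryptionPercentage)% encrypted"
} else {
    Add-Check 'OS volume BitLocker-protected' $false 'BitLocker WMI provider not available (feature missing or edition lacks BitLocker)'
}

$results | Format-Table -AutoSize
```

A failing "TPM 1.2 present" row with a TPM that reports another SpecVersion, or a failing partition-count row, tells you which item of the list above blocks a TPM-backed deployment before you turn BitLocker on.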
Like anything else, BitLocker is not perfect. One widely advertised attack against it is to launch a “Cold DRAM” attack in which the temperature of the hard drive is reduced to the freezing point. In reality, however, what this kind of attack shows is that if someone has physical access to a hard drive, that person can ultimately defeat any security control.
Although EFS is not bad, BitLocker is much better for several reasons. First, it keeps users out of the loop altogether. With BitLocker the decision to encrypt files is made by a system administrator, not any user. Second, BitLocker simplifies encryption and key management. There are no individual keys to store and manage. Furthermore, as stated earlier, whole disk encryption greatly reduces the risk that an unauthorized person will be able to decrypt the contents of a BitLocker-encrypted hard drive. And finally, BitLocker even protects EFS encryption keys.
Footnote: In Vista, BitLocker is actually available only on the Vista Business Enterprise and Ultimate Editions.