Microsoft (Data Protection Solutions)

Page 1: Microsoft (Data Protection Solutions)

© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Produced in cooperation with: HP Technology Forum & Expo 2008

A Critical Analysis of Microsoft Data Protection Solutions

Page 2: Microsoft (Data Protection Solutions)

Agenda
• Introduction
• BitLocker Drive Encryption (BDE)
• Encrypting File System (EFS)
• Rights Management Services (RMS)
• Conclusion

Page 3: Microsoft (Data Protection Solutions)

Agenda: Introduction, BitLocker Drive Encryption (BDE), Encrypting File System (EFS), Rights Management Services (RMS), Conclusion

Page 4: Microsoft (Data Protection Solutions)

Investment in the Fundamentals: Windows Server 2008 key technologies
• Operations Infrastructure: Centralized Role Management, Failover Clustering, Windows Virtualization, Network Access Protection, Terminal Services, AD Read Only Domain Controllers, Windows PowerShell
• Security: Service Hardening, Windows Advanced Firewall, BitLocker Drive Encryption
• Reliability: Server Core, Dynamic Partitioning
• Performance: Next Generation TCP/IP, 64 x 64-bit Cores
• Application Platform: IIS 7, .NET Framework 3.0, Resource Management, Federated Identity

Page 5: Microsoft (Data Protection Solutions)

Agenda: Introduction, BitLocker Drive Encryption (BDE), Encrypting File System (EFS), Rights Management Services (RMS), Conclusion

Page 6: Microsoft (Data Protection Solutions)

BitLocker™ Drive Encryption
• Designed specifically to help prevent a thief who boots another operating system or runs a hacking tool from breaking Windows file and system protections
• Helps provide data protection on your Windows client systems, even when the system is in unauthorized hands or is running a different or exploiting operating system
• Can use a v1.2 Trusted Platform Module (TPM) or USB flash drive for key storage
• HP provides TPM 1.2 in:
− Notebooks: 2400, 4400, 6400, 8400 Series
− Desktops: dc7700, dx5xxx
• In all Windows Server 2008 (Longhorn) versions
• Only on Windows Vista Enterprise and Vista Ultimate Editions

Page 7: Microsoft (Data Protection Solutions)

BDE is an option

Page 8: Microsoft (Data Protection Solutions)

BitLocker™ features overview
BitLocker Drive Encryption (BDE)
• Protects the system from offline software-based attacks
− Prevents bypass of the Windows boot process
− Ensures boot process integrity (Secure Startup)
• Encrypts the entire Windows volume, including both user data and system files, the hibernation file, the page file and temporary files
− Protects data while the system is offline
− Eases equipment recycling
Pre-OS multi-factor authentication
− Dongle, BIOS, and TPM-backed SW identity
TPM Base Services (TBS)
− Windows and 3rd party SW access to TPM

Page 9: Microsoft (Data Protection Solutions)

What is a Trusted Platform Module (TPM)?
Smartcard-like module on the motherboard that:
• Helps protect secrets
• Performs cryptographic functions
− RSA, SHA-1, RNG
− Meets encryption export requirements
• Can create, store and manage keys
− Provides a unique Endorsement Key (EK)
− Provides a unique Storage Root Key (SRK)
• Performs digital signature operations
• Holds platform measurements (hashes)
• Anchors chain of trust for keys and credentials
• Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org

Page 10: Microsoft (Data Protection Solutions)

BDE disk layout and key storage
System volume contains: MBR, loader, boot utilities (unencrypted, small)
OS volume contains:
• Encrypted OS
• Encrypted page file
• Encrypted temp files
• Encrypted data
• Encrypted hibernation file
Where's the encryption key?
1. SRK (Storage Root Key) contained in TPM
2. SRK encrypts FVEK (Full Volume Encryption Key), protected by TPM / PIN / USB storage device
3. FVEK stored (encrypted by SRK) on hard drive in system volume
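The three numbered steps on this slide (SRK held in the TPM, SRK wrapping the FVEK, the wrapped FVEK stored on the small unencrypted system volume) as a runnable Go model. This is an added example, not code from the deck or from Microsoft, and its formats are illustrative only: the TPM is a struct holding an RSA key whose unwrap is modelled as RSA-OAEP (a real TPM also gates the unwrap on PCR measurements), the USB startup-key protector is AES-GCM under a random key on the stick, and per-sector volume encryption is AES-CTR keyed by sector number, where BitLocker's real on-disk mode differs. All names (NewTPM, EnableBDE, UnlockWithUSB, SectorXor) are this example's own, and the sector content is a constructed sample. The point it demonstrates is that the disk never carries the FVEK in the clear, so the disk alone (no TPM, no startup key) yields nothing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	_, err := rand.Read(b)
	check(err)
	return b
}

// TPM models the chip: the SRK private half never leaves it, and the OS only
// gets an unwrap operation (RSA-OAEP here; a real TPM also gates it on PCR values).
type TPM struct{ srk *rsa.PrivateKey }

func NewTPM() *TPM {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	return &TPM{srk: k}
}

// Unseal is the normal boot path: the loader hands the wrapped FVEK to the TPM.
func (t *TPM) Unseal(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, t.srk, wrapped, []byte("FVEK"))
}

// SystemVolume is the small unencrypted partition: the FVEK is stored here only in wrapped form.
type SystemVolume struct {
	FVEKByTPM []byte // protector: TPM (the default)
	FVEKByUSB []byte // protector: startup key kept on a USB stick
}

// aead is the AES-GCM instance used by the USB startup-key protector.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	check(err)
	a, err := cipher.NewGCM(block)
	check(err)
	return a
}

// EnableBDE generates the FVEK (AES-128, as the deck's comparison table states) and
// stores it on the system volume wrapped by each protector. Returns the FVEK and USB key.
func EnableBDE(tpm *TPM) (sys *SystemVolume, fvek, usbKey []byte) {
	fvek, usbKey = randomBytes(16), randomBytes(32)
	byTPM, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &tpm.srk.PublicKey, fvek, []byte("FVEK"))
	check(err)
	nonce := randomBytes(12)
	byUSB := aead(usbKey).Seal(nonce, nonce, fvek, nil) // nonce || ciphertext || tag
	return &SystemVolume{FVEKByTPM: byTPM, FVEKByUSB: byUSB}, fvek, usbKey
}

// UnlockWithUSB is the non-TPM or recovery path; a wrong key fails the GCM tag check.
func UnlockWithUSB(sys *SystemVolume, usbKey []byte) ([]byte, error) {
	a := aead(usbKey)
	n := a.NonceSize()
	if len(sys.FVEKByUSB) < n {
		return nil, fmt.Errorf("wrapped FVEK too short")
	}
	return a.Open(nil, sys.FVEKByUSB[:n], sys.FVEKByUSB[n:], nil)
}

// SectorXor encrypts or decrypts one sector with AES-CTR under the FVEK, using
// the sector number as the IV so each sector gets its own keystream. This only
// models "encryption by blocks"; BitLocker's real block mode is different.
func SectorXor(fvek []byte, sector uint64, data []byte) []byte {
	block, err := aes.NewCipher(fvek)
	check(err)
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], sector)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

func main() {
	tpm := NewTPM()
	sys, fvek, usb := EnableBDE(tpm)
	ct := SectorXor(fvek, 7, []byte("hiberfil.sys bytes (constructed sample)"))
	k, err := UnlockWithUSB(sys, usb) // or tpm.Unseal(sys.FVEKByTPM) on the normal boot path
	check(err)
	fmt.Printf("sector 7 decrypts to %q\n", SectorXor(k, 7, ct))
}
```

Both protectors unwrap the same FVEK, which is why the slide's recovery options (USB key, recovery password, AD escrow) all work without re-encrypting the volume: they add another wrapped copy of the FVEK, not another volume key.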

Page 11: Microsoft (Data Protection Solutions)

BDE: Available Authenticators
• Default: Trusted Platform Module (TPM)
• TPM + USB Startup Key (1)
• TPM + PIN
• USB Startup Key (1, 2, 3)
• USB Recovery Key (3, 4)
• Numeric (Text) Recovery Password, 48 digits, shown on the slide as 123456-789012-345678- (4)
• Windows Server 2008: TPM + USB + PIN
Notes:
1. A startup key with a TPM is different than one without a TPM
2. Used only on non-TPM computers
3. A non-TPM startup key and a recovery key are the exact same thing
4. Not used routinely, for recovery only

Page 12: Microsoft (Data Protection Solutions)

BDE architecture: static root of trust measurement of early boot components
Pre-OS boot chain (measured early boot components): BIOS → TPM Init → MBR → Boot Sector → Boot Block → Boot Manager → OS Loader → Start OS (static OS)
• All boot blobs unlocked
• Volume blob of target OS unlocked

Page 13: Microsoft (Data Protection Solutions)

Enabling BitLocker
• Create a 1.5GB active partition
− This becomes your “system” partition, where the OS boots
− The TPM boot manager uses only 50MB
− Windows runs from your “boot” partition, where the system lives
• Enable TPM chip (via system BIOS)
• Enable BitLocker in Security Center
− Update hard disk MBR
− Encrypt Windows “boot” partition
• Generate symmetric encryption key
• Store key in TPM
• Encryption begins after reboot

Page 14: Microsoft (Data Protection Solutions)

BDE passwords and PINs...
BIOS password
− Required to enable TPM in BIOS
Owner password
− After TPM initialization
− Required for disabling TPM, clearing TPM, recycling
− In domain: hash stored in AD computer object
Administrator password
− Required for enabling BDE
BDE PIN (optional)
− Required for accessing encrypted BDE volume
Recovery password
− Can also be on USB token
− In domain: can be stored in AD computer object
− Required for recovering BDE data after PIN loss, TPM errors, boot file modification

Page 15: Microsoft (Data Protection Solutions)

BDE recovery options
Based on GPO:
− BitLocker setup can automatically escrow recovery keys and owner passwords into AD
− Setup may also try to back up keys and passwords onto a USB dongle or to a file location
• Default for non-domain-joined users (e.g., Ultimate SKU)
• Working with third parties for web service-based key escrow
Recovery password known by the user/administrator
• Recovery can occur “in the field”
• Windows operation can continue as normal

Page 16: Microsoft (Data Protection Solutions)

How about Embedded Security for HP ProtectTools?
Supported applications:
Secures cryptographic keys:
− Microsoft Encrypting File System
− Personal Secure Drive
− S/MIME
− Any CAPI or PKCS#11 based application
Two-factor authentication
− 802.1x EAP-TLS based
Enhanced SecurID
− Protects access to SecurID seed
HP ProtectTools Credential Manager access
− Client-side credential caching SSO
User pre-boot authentication: DriveLock
− DriveLock password secured using TPM
Available on TPM 1.1 and 1.2

Page 17: Microsoft (Data Protection Solutions)

“54321 TO SILENCE ALARM”

“REPEAT CODE TO RESET”

But...there’s more than Technology...

Page 18: Microsoft (Data Protection Solutions)

Agenda: Introduction, BitLocker Drive Encryption (BDE), Encrypting File System (EFS), Rights Management Services (RMS), Conclusion

Page 19: Microsoft (Data Protection Solutions)

EFS investments
• Smartcards provide strong protection for laptop and shared workstation scenarios
• Client-side encryption: protection against malicious server administrators
• Investments in group policy controls on encryption
• Re-key wizard
• Key backup notification

Page 20: Microsoft (Data Protection Solutions)

EFS with smartcards
Smartcards can be too slow to be used for every file access.
Accelerated mode:
− Derive a symmetric software key using the private key on the smartcard
− Use this key to encrypt/decrypt files
− The symmetric key can only be derived using the smartcard’s private key
RSA mode: smartcard private key → use to encrypt FEK
Accelerated mode: smartcard private key → derive a symmetric key → AES-256 key → use as software private key (accelerated), cached in LSA → use to encrypt FEK
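The two modes on this slide as a runnable Go model, added here as an example; it is not code from the deck or from Windows, and the derivation it uses is an assumption chosen to have the property the slide states (the key can only be derived with the card's private key): a random seed is stored wrapped to the card with RSA-OAEP, and the AES-256 software key is SHA-256 of that seed under a fixed label. The card is a struct that counts its private-key operations, which is the cost accelerated mode is designed to remove from the per-file path. Names (NewSmartcard, WrapToCard, NewAcceleratedSeed, DeriveSoftwareKey, AccelProtectFEK, AccelOpenFEK) and labels are this example's own; the FEKs are constructed random values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	_, err := rand.Read(b)
	check(err)
	return b
}

// Smartcard models the card. Ops counts private-key operations, the slow step.
type Smartcard struct {
	priv *rsa.PrivateKey
	Ops  int
}

func NewSmartcard() *Smartcard {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	return &Smartcard{priv: k}
}

func (c *Smartcard) Public() *rsa.PublicKey { return &c.priv.PublicKey }

// Decrypt is the only private-key operation the card exposes (RSA-OAEP).
func (c *Smartcard) Decrypt(ct []byte, label string) ([]byte, error) {
	c.Ops++
	return rsa.DecryptOAEP(sha256.New(), nil, c.priv, ct, []byte(label))
}

// WrapToCard encrypts a secret so that only the card can open it. In RSA mode
// the per-file FEK is wrapped this way, so every file open costs a card operation.
func WrapToCard(pub *rsa.PublicKey, secret []byte, label string) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, []byte(label))
	check(err)
	return ct
}

// Accelerated mode: a random seed is stored wrapped to the card and the AES-256
// software key is derived from it; once derived it is cached (LSA on Windows).
func NewAcceleratedSeed(pub *rsa.PublicKey) []byte {
	return WrapToCard(pub, randomBytes(32), "EFS-accel-seed")
}

// DeriveSoftwareKey costs one card operation, typically once per logon.
func DeriveSoftwareKey(card *Smartcard, wrappedSeed []byte) ([]byte, error) {
	seed, err := card.Decrypt(wrappedSeed, "EFS-accel-seed")
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(append([]byte("EFS accelerated software key\x00"), seed...))
	return k[:], nil
}

// aead is AES-256-GCM under the derived software key.
func aead(swKey []byte) cipher.AEAD {
	block, err := aes.NewCipher(swKey)
	check(err)
	a, err := cipher.NewGCM(block)
	check(err)
	return a
}

// AccelProtectFEK and AccelOpenFEK wrap the per-file FEK under the cached
// software key: pure software, the card is not involved.
func AccelProtectFEK(swKey, fek []byte) []byte {
	nonce := randomBytes(12)
	return aead(swKey).Seal(nonce, nonce, fek, nil)
}

func AccelOpenFEK(swKey, wrapped []byte) ([]byte, error) {
	a := aead(swKey)
	if len(wrapped) < a.NonceSize() {
		return nil, fmt.Errorf("wrapped FEK too short")
	}
	return a.Open(nil, wrapped[:a.NonceSize()], wrapped[a.NonceSize():], nil)
}

func main() {
	card := NewSmartcard()
	swKey, err := DeriveSoftwareKey(card, NewAcceleratedSeed(card.Public()))
	check(err)
	_, err = AccelOpenFEK(swKey, AccelProtectFEK(swKey, randomBytes(32)))
	check(err)
	fmt.Println("file opened with", card.Ops, "card operation(s)")
}
```

The trade-off the slide is making is visible in the counter: in RSA mode the card is touched once per file, in accelerated mode once per derivation, after which the cached AES-256 key does the work. The cached key is only as protected as the LSA process that holds it, which is why the derivation, not the cache, is what ties the key to the card.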

Page 21: Microsoft (Data Protection Solutions)

EFS with remote files: client-side encryption
• Local EFS encryption (keys and certificates live on the client)
• Client connects to remote server share over the SMB protocol
• No need to enable Trust For Delegation
• Encrypted file sent to server file share

Page 22: Microsoft (Data Protection Solutions)

EFS Group policy enhancements

Page 23: Microsoft (Data Protection Solutions)

EFS Re-Key Wizard
• Allows users to better manage their EFS certificates and encrypted files
• Especially useful when switching to smartcard encryption
• Provides a choice of EFS services
− Choose a certificate
− Create a new certificate
− Back up the certificate
− Re-encrypt old files with new certificate

Page 24: Microsoft (Data Protection Solutions)

EFS key backup improvements
• TOP customer pain point (90% of issues reported on newsgroups): data lost due to keys not being backed up
• Vista key and certificate backup notification
− Major usability and reliability improvements
− ON for workgroups, OFF for domains

Page 25: Microsoft (Data Protection Solutions)

Agenda: Introduction, BitLocker Drive Encryption (BDE), Encrypting File System (EFS), Rights Management Services (RMS), Conclusion

Page 26: Microsoft (Data Protection Solutions)

How does RMS work?
Parties: the information author, the recipient, and the RMS server (backed by SQL Server and Active Directory).
1. Author receives a client licensor certificate (CLC) the first time they rights-protect information
2. Author defines a set of usage rights and rules for the file; the application creates a “Publishing License” and encrypts the file
3. Author distributes file
4. Recipient clicks file to open; the application calls the RMS server, which validates the user and issues a “Use License”
5. Application renders file and enforces rights

Page 27: Microsoft (Data Protection Solutions)

[Rev. # or date] – HP Restricted

AD RMS in Windows Server 2008
• RMS component is included in the operating system; AD RMS is now a Server Role
• Use Server Manager to install AD RMS
• Easy server deployment: componentized setup installs dependencies automatically
• Native x64 support
• Self-activation: no dependency on external MSN RMS Activation Service to enroll the first RMS root server

Page 28: Microsoft (Data Protection Solutions)


Challenges in External Collaboration
Option 1: Use .NET Passports
− .NET Passports are not suitable for enterprises
− In Windows RMS, administrators need to trust the hotmail.com namespace
Option 2: Create accounts for partners
− Adds complexity in the Windows infrastructure
− Increases operational costs in maintaining external accounts in internal AD

Page 29: Microsoft (Data Protection Solutions)


Challenges in External Collaboration
Option 3: Create RMS trusts
− Partners do not implement RMS
− Exchange of RMS public key is a non-secure and manual process
Option 4: Use 3rd party product
− Adds costs to the RMS implementation
− Relies on external party to host partners’ accounts

Page 30: Microsoft (Data Protection Solutions)


Solution: AD Federation Service
• Uses Active Directory Federation Service (ADFS)
• Requires AD RMS to work with ADFS
• Establishes trust once; can be re-used for other applications
• Partners manage their AD accounts: no identity lifecycle management

Page 31: Microsoft (Data Protection Solutions)

External RMS collaboration via ADFS
Parties: Contoso (its AD and the RMS server, fronted by a WebSSO agent) and Fabrikam (the recipient’s AD), with federation servers FS-R and FS-A. Certificates and licenses in play: RAC and CLC (bootstrapping), PL (publishing license), UL (use license).
1. Assume author is already bootstrapped
2. Author sends protected mail to recipient at Fabrikam
3. Recipient contacts RMS server to get bootstrapped
4. WebSSO agent intercepts request
5. RMS client is redirected to FS-R for home realm discovery
6. RMS client is redirected to FS-A for authentication
7. RMS client is redirected back to FS-R for authentication
8. RMS client makes request to RMS server for bootstrapping
9. WebSSO agent intercepts request, checks authentication, and sends request to RMS server
10. RMS server returns bootstrapping certificates to recipient
11. RMS server returns use license to recipient
12. Recipient accesses protected content

Page 32: Microsoft (Data Protection Solutions)

Exchange 2007 and RMS
Parties: author using Office 2003 / 2007, the recipient, Exchange 2007 Server, and the RMS server (backed by SQL Server and Active Directory).
1. Author sends e-mail through Exchange 2007 Server
2. Exchange 2007 Server examines the message properties, determines if RMS policies should be applied
3. Exchange 2007 Server makes request to RMS to apply policy to email and obtain a usage license
4. RMS authenticates user, creates usage license, logs transaction
5. Recipient synchronizes email with Exchange 2007 Server; message and usage license delivered to user
6. Recipient opens email; policies enforced

Page 33: Microsoft (Data Protection Solutions)

All must enter through electronic mantrap

Fence ends here

Sign says, “road is for cars only”

But...there’s more than Technology...

Page 34: Microsoft (Data Protection Solutions)

Agenda: Introduction, BitLocker Drive Encryption (BDE), Encrypting File System (EFS), Rights Management Services (RMS), Conclusion

Page 35: Microsoft (Data Protection Solutions)

Technology comparison

| | BDE | EFS | RMS |
| Encryption | AES 128 (RSA32.LIB) | AES 128 (Crypt32.DLL) | AES 128 (Crypt32.DLL) |
| Data Awareness | Blocks | Files | App defined; docs/email |
| Master Key | TPM + SW Identity, Dongle, File | SW, Smart-card | Obfuscated SW (lockbox) |
| Content Key | Same as root key | Same as root key | Server |
| Protects What? | Windows and Data | Directories and Files | Documents (including use) |
| Protects Who? | Machine Owner, User | Users | Document Owners |
| Protection | Local, removable media | Local, removable media, remote | Remote, removable media |
| Who is god? | Local admin, net admin | Local admin, net admin | Document owner, RMS admin |
| Supports other security systems? | Yes | Yes (ISV’s only) | No (RMS is a security platform for applications) |
| Data Recovery Mechanism | Dongle, File, Network; Manual Key Entry | Local or AD based policy | RMS server policy |
| Killer Client Scenario | Lost or Stolen laptop | Multi-user PC | Protected Document Sharing |
| Killer Server Scenario | Branch-Office Server | Protect Documents on File Shares from Admin | RMS support in Sharepoint and Exchange |
| Killer Admin Scenario | Just switch it on (also Force Recovery) | My Documents encrypted by default | Establish corporate information policy |

Page 36: Microsoft (Data Protection Solutions)

What feature should I use?
Who are you protecting against?
− Other users or administrators on the machine?
− Unauthorized users with physical access?

| Scenarios | BDE | EFS | RMS |
| Laptops | X | | |
| Branch office server | X | | |
| Local single-user file & folder protection | | X | |
| Local multi-user file & folder protection | | X | |
| Remote file & folder protection | | X | |
| Untrusted network admin | | X | |
| Remote document policy enforcement | | | X |

Some cases can result in overlap (e.g. multi-user roaming laptops with untrusted network admins).

Page 37: Microsoft (Data Protection Solutions)

Overview: Introduction, BitLocker Drive Encryption (BDE), Encrypting File System (EFS), Rights Management Services (RMS), Conclusion

Page 38: Microsoft (Data Protection Solutions)


Questions?

Page 39: Microsoft (Data Protection Solutions)

Download the HP Security Handbook! Go to: http://www.hp.com/go/security

Page 40: Microsoft (Data Protection Solutions)


More information

“Windows Security Fundamentals”

Jan De Clercq – Guido Grillenmeier

ISBN 1555583407

Page 41: Microsoft (Data Protection Solutions)

Thank You

Info Collected By Vinayak Nandikal

Courtesy HP Technology