There’s a story behind the title of this blog
Recently, I had a discussion regarding Microsoft’s BitLocker with a client. One of the issues I call out in my research on BitLocker is that (unlike competing third-party products), Microsoft doesn’t have an option to synchronize the pre-boot PIN with the Windows login credential. In a securely deployed system leveraging the TPM, the end-user enters a PIN to unlock the drive, Windows boots and then they are prompted for their Windows credential.
Net/Net the user is prompted twice and must enter two different credentials. Competitors’ solutions for full drive encryption enable the Windows password to be synched to the preboot environment so that the credential entered to unlock the drive also logs them into Windows – a “single sign on” so to speak, where one credential is entered.
Clearly, there are many enterprises that prefer the latter scenario. However, Microsoft considers the synch of the Windows credential a potential security risk, so it doesn’t support this option.
At the same time, many organizations licensed under Software Assurance on the Windows OS get rights to BitLocker with the Enterprise version of Windows 7 (in other words, it appears to be “free”).
Hmmmm. What to do? End user acceptance versus security versus free.
The client had decided to implement BitLocker with no preboot authentication, thus the end-user would only be presented with the Windows login prompt.
Essentially, while the drive is technically encrypted, there are no controls on the retrieval of the encryption key: the TPM releases it to any boot that passes its integrity measurements, with no credential required. As soon as you boot, the drive is unlocked.
So I asked them “If an encrypted drive automatically unlocks on boot with no checking of credentials, is it really encrypted?” (kinda like “if a tree falls in the forest and no one is there to hear it, does it make a sound?”)
I explained to them that this was a grey area, and that I could not endorse the deployment of BitLocker in this way. I’m not a lawyer, but it sure seemed to me that the drive can’t be considered to be encrypted if anyone (including the bad guys, including if the device is lost or stolen) can boot it and have the drive unlock itself.
So I asked them if they had consulted with their legal counsel.
Good news — they had.
Bad news — their legal counsel took the same position I had taken. Deploying BitLocker in this way didn’t enable them to claim compliance with a requirement they had to encrypt their laptop drives.
By the way, does Windows 8 change this?
No and Yes – see this research note for clients
No – Microsoft doesn’t support the synching of Windows credentials to the preboot environment. So the same problem remains for laptop users.
Yes – For fixed device scenarios, Microsoft now supports a form of automatic network-based authentication that can be used as a form of authentication credential instead of a user-entered PIN. This works well for fixed desktops and servers encrypted with BitLocker, but requires Windows 8 and Windows Server 8.
If you’ve deployed BitLocker on Windows 7 with no preboot authentication, you might want to check with your legal counsel to get their position on whether or not this meets internal and/or regulatory requirements to encrypt hard drives.
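One way to find out which posture a machine is actually in (added example, not code from the original post or from Microsoft): classify each BitLocker OS volume by its key protectors, separating TPM-only auto-unlock from configurations that demand a pre-boot credential. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and an elevated session; the function name and posture labels are my own.

```powershell
# Added example, not from the original post: report whether each BitLocker
# OS volume requires a pre-boot credential or unlocks automatically on boot.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later)
# and an elevated session. On Windows 7 the same protector list comes from
# "manage-bde -protectors -get <drive>:".

function Get-BitLockerPreBootPosture {
    [CmdletBinding()]
    param()

    # Protector types that require something beyond the TPM measurements
    # (a PIN, a startup key, a passphrase, or Network Unlock on Windows 8)
    # before the volume key is released.
    $preBootTypes = 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'TpmNetworkKey', 'Password'

    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $posture = if ($vol.ProtectionStatus -ne 'On') {
            'Unprotected'        # encrypted or not, the key is not guarded (protection off or suspended)
        } elseif ($types | Where-Object { $preBootTypes -contains $_ }) {
            'PreBootAuth'        # a credential (or the network) must be presented before boot
        } elseif ($types -contains 'Tpm') {
            'TpmOnlyAutoUnlock'  # the scenario in the post: unlocks on every boot, no credential
        } else {
            'RecoveryOnly'       # only recovery protectors; the volume cannot unlock itself
        }

        [PSCustomObject]@{
            Volume     = $vol.MountPoint
            Encryption = $vol.VolumeStatus
            Protection = $vol.ProtectionStatus
            Protectors = ($types -join ',')
            Posture    = $posture
        }
    }
}

Get-BitLockerPreBootPosture | Format-Table -AutoSize
```

A fleet-wide run that returns 'TpmOnlyAutoUnlock' for laptops is the configuration the post argues cannot be claimed as encryption for compliance purposes; 'PreBootAuth' with TpmNetworkKey is the Windows 8 fixed-device case from the "Yes" answer above.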