Solved

BitLocker or other product?

Posted on 2014-02-14
Last Modified: 2014-02-24
We have about 800 laptops which must be encrypted. I'm not sure which product should be used in future.
BitLocker is one option since it's free, but I'm not sure how easy it is to manage all of them.

Can somebody give me the pros and contras for that product, or name me something that fulfills our needs?

The idea is to encrypt the whole drive and, if problems occur, to decrypt again.

We are considering McAfee ePO; one thing I'm worrying about is also that SafeBoot feature. From there, it's not possible to boot the OS through F8.

Any other thoughts and suggestions?
Question by:DukewillNukem
40 Comments
 
LVL 7

Expert Comment

by:Sivaraj E
ID: 39858490
Dear User

You can try this on one laptop and, if you feel it is okay for you, then do it on all the others.

http://www.truecrypt.org/

Free open source software.

Regards, Shiva
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39858563
TrueCrypt? That is not very comfortable for management of 800 machines.
Managed solutions that I know of are BitLocker and "Symantec Encryption Desktop 10".

About BitLocker: do all editions you have feature BL? Win7 Pro does not.
0
 
LVL 7

Expert Comment

by:Sivaraj E
ID: 39858585
Hi McKnife,

It was my suggestion; taking this solution is up to him to decide. I just gave him the alternate encryption method, maybe for his information.

Regards, Shiva
0
 

Author Comment

by:DukewillNukem
ID: 39858590
I'd rather go for BL itself than any other freeware.
My question is still: how easy can I manage hundreds of devices? We all have Win 7 Enterprise.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39858602
@Shiva: true, no problem, but consider the number of machines. With TrueCrypt it will be a horror. Password change management? Not possible. SSO? Not possible. Manageability is low.

@Duke: What would you like to do? Encrypting them automatically is possible. Creating backup keys and uploading them to AD is possible, too. Another question: do they feature TPM chips?
0
 
LVL 7

Assisted Solution

by:Sivaraj E
Sivaraj E earned 72 total points
ID: 39858625
@McKnife: I agree with you.

@Duke: If you decide to go with BL, the following link will be useful to you.

http://www.concurrency.com/blog/enable-bitlocker-automatically-save-keys-to-active-directory/

Regards, Shiva
0
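The automated enable-and-escrow flow discussed above (turn BitLocker on, create a recovery password, store it in AD), as an added example that was not posted by anyone in this thread and is not taken from the linked article. It drives manage-bde.exe, which is present on Windows 7 Enterprise as well as later versions, and assumes: it runs elevated on the laptop; the AD schema is already extended and the "Store BitLocker recovery information in Active Directory Domain Services" policy is enabled; and a domain controller is reachable, because the -adbackup step fails otherwise. The volume letter and the TPM-only choice are assumptions for the example.

```powershell
# Added example: enable BitLocker on the OS volume with a TPM protector plus a numerical
# recovery password, escrow the recovery password to Active Directory, and verify it.
# Assumptions: elevated session on the laptop, extended AD schema, AD backup policy on,
# and a reachable domain controller (manage-bde -adbackup fails without one).
$Volume = 'C:'

function Get-BdeStatusField {
    # Returns one field of "manage-bde -status" output, e.g. 'Protection Status'.
    param([string]$Volume, [string]$Field)
    foreach ($line in (manage-bde -status $Volume)) {
        if ($line -match "^\s*$([regex]::Escape($Field)):\s*(.+)$") { return $Matches[1].Trim() }
    }
    return $null
}

function Get-ProtectorIds {
    # IDs of the key protectors of one type (TPM, RecoveryPassword, ...) on the volume;
    # returns nothing when manage-bde reports no protector of that type.
    param([string]$Volume, [string]$Type)
    $ids = @()
    foreach ($line in (manage-bde -protectors -get $Volume -Type $Type 2>$null)) {
        if ($line -match 'ID:\s*(\{[0-9A-Fa-f-]{36}\})') { $ids += $Matches[1] }
    }
    return $ids
}

# 1. Make sure both protectors exist before turning encryption on.
if (@(Get-ProtectorIds -Volume $Volume -Type TPM).Count -eq 0) {
    # A TPM-only protector unlocks the drive transparently at boot; use -TPMAndPIN
    # (interactive) instead where a pre-boot PIN is required.
    manage-bde -protectors -add $Volume -TPM | Out-Null
}
if (@(Get-ProtectorIds -Volume $Volume -Type RecoveryPassword).Count -eq 0) {
    manage-bde -protectors -add $Volume -RecoveryPassword | Out-Null
}

# 2. Start encryption unless protection is already on.
if ((Get-BdeStatusField -Volume $Volume -Field 'Protection Status') -ne 'Protection On') {
    # -SkipHardwareTest starts encrypting without the reboot-and-test cycle.
    manage-bde -on $Volume -SkipHardwareTest | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $Volume failed (exit code $LASTEXITCODE)" }
}

# 3. Escrow every recovery password to AD and count the successes. A laptop whose
#    escrow failed (typically: no domain controller reachable) is not compliant yet.
$escrowed = 0
foreach ($id in @(Get-ProtectorIds -Volume $Volume -Type RecoveryPassword)) {
    manage-bde -protectors -adbackup $Volume -id $id | Out-Null
    if ($LASTEXITCODE -eq 0) { $escrowed++ }
    else { Write-Warning "AD backup of protector $id failed (exit code $LASTEXITCODE)" }
}
if ($escrowed -eq 0) { throw "No recovery password was escrowed to AD for $Volume" }
"$Volume : $(Get-BdeStatusField -Volume $Volume -Field 'Conversion Status'); $escrowed recovery password(s) escrowed to AD"
```

The explicit -adbackup plus exit-code check is the point of the script: the policy alone does not tell you whether the escrow happened on a given laptop, and a machine that encrypted but never reached a domain controller has no recoverable key anywhere but on the device itself.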
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 286 total points
ID: 39859143
Remember to remind OP's that Full Disk Encryption is only protecting the drive in the case of theft, and the OS has to be completely off for that protection to apply, not hibernating or sleeping. Please read my article for more info: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html

BL is very easy to manage, it is harder to recover from. TPM binds the HDD to the hardware; if the mobo goes, then you had better have had backups of the data on the HDD. TPM is a mixed bag, it offers protection that isn't much of a factor for most of us. Cold-boot and evil-maid attacks are not something you have to worry too much about in most businesses. Gov't and banking, then maybe, but most of us, not so much.
I'm all for security, but I'd forgo the TPM in favor of recoverability if you do not have your users' data backed up, and most people don't. If you don't back up, then use PIN-only.
-rich
0
 
LVL 6

Assisted Solution

by:Biniek
Biniek earned 71 total points
ID: 39860579
I suggest you use BitLocker + MBAM for 800 laptops.

Microsoft BitLocker Administration and Monitoring (MBAM):
http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/mbam.aspx

MBAM will help you to install, deploy and manage BitLocker.

You have to remember that BitLocker keys are not protected if you save them in AD; a better solution is using MBAM (all keys are saved in an encrypted SQL database), and you will get very good support for managing recovery keys, resetting a TPM lockout, etc. All recovery operations will be monitored and audited.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39860656
The keys are protected in AD if you run the provided VBS file that sets the ACEs on the schema so that only the designated groups or users can read them from AD:
http://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx#BKMK_1
You do not HAVE to use TPM, btw; it can be PIN only, and recovery data can still reside in AD.
I've not used MBAM, but it could probably be of use to such a large deployment.
-rich
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39861202
I'd like to comment on RichRumble's "BL is very easy to manage, it is harder to recover from. TPM binds the HDD to the hardware; if the mobo goes, then you had better have had backups of the data on the HDD".
- No, we can recover the drive on any computer using the recovery key. Reference: FAQ http://technet.microsoft.com/en-us/library/hh831507.aspx#BKMK_AltPC
On keys in AD: those are protected by default. No script needed. The scripts mentioned are not for this purpose.
0
 
LVL 6

Expert Comment

by:Biniek
ID: 39861264
I'd like to update my information about the protection of BitLocker keys. My intention was the situation that in MBAM we can separate access to the recovery key from Administrator roles.
0
 

Author Comment

by:DukewillNukem
ID: 39864274
Thank you for the replies. Are there any contras regarding BL then? I saw: "BL is very easy to manage, it is harder to recover from". What does that mean? I have to deliver our management a proof of concept and I want to make sure nothing is missing there. Any other concerns?
I understand that for recovery a device must be logged in to the domain, otherwise the recovery key is not available. Correct?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39864486
That is correct, the recovery keys are only available to certain accounts on the domain. By harder to recover from I was speaking about the process in relation to another product like TrueCrypt, where all you need is the passphrase, failing that the recovery key.
-rich
0
 

Author Comment

by:DukewillNukem
ID: 39864586
Rich: what do you mean with "only available to certain accounts on the domain"?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39864600
The keys are protected in AD (when you use AD as the backup location for the keys) and can only be accessed by certain groups and users. Schema Admins specifically, by default, have permission to read those keys in AD; you can grant others too.
Be sure to read all you can about the process before presenting:
http://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx
-rich
0
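A help-desk lookup of the escrowed keys that Rich describes, plus a check of who can actually read them, as an added example that is not from any poster in this thread. It uses the RSAT ActiveDirectory module and the msFVE-RecoveryInformation objects that the extended schema stores under each computer account; the computer name and key ID prefix in the usage lines are constructed, and the account running it is assumed to be one that has been granted read access to the recovery attributes.

```powershell
# Added example: retrieve BitLocker recovery passwords escrowed in AD for one computer,
# optionally narrowed to the 8-character key ID shown on the pre-boot recovery screen,
# and list the identities allowed to read a recovery object.
# Assumptions: RSAT ActiveDirectory module installed; schema extended; the caller
# holds read rights on msFVE-RecoveryPassword.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryFromAD {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # First 8 hex characters of the recovery key ID displayed by the recovery screen.
        [string]$KeyIdPrefix
    )
    $computer = Get-ADComputer -Identity $ComputerName
    # One msFVE-RecoveryInformation child object per recovery password on the computer.
    $objects = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated'
    foreach ($o in $objects) {
        # msFVE-RecoveryGuid is stored as 16 raw bytes; convert to a GUID to compare IDs.
        $guid    = New-Object System.Guid -ArgumentList (,[byte[]]$o.'msFVE-RecoveryGuid')
        $shortId = $guid.ToString().Substring(0, 8).ToUpper()
        if ($KeyIdPrefix -and $shortId -ne $KeyIdPrefix.ToUpper()) { continue }
        New-Object PSObject -Property @{
            Computer          = $ComputerName
            KeyId             = $shortId
            Created           = $o.whenCreated
            RecoveryPassword  = $o.'msFVE-RecoveryPassword'
            DistinguishedName = $o.DistinguishedName
        }
    }
}

function Get-RecoveryObjectReaders {
    # Lists identities with read rights on a recovery object, so you can confirm that
    # only the intended groups (and not every authenticated user) can pull recovery
    # passwords out of the directory.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match 'ReadProperty|GenericRead|GenericAll' } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# Usage with constructed values: the user reads the key ID off the recovery screen and
# the help desk returns the matching 48-digit password.
$hits = @(Get-BitLockerRecoveryFromAD -ComputerName 'LAPTOP-0042' -KeyIdPrefix '1A2B3C4D')
$hits | Format-Table KeyId, Created, RecoveryPassword -AutoSize
if ($hits.Count -gt 0) {
    Get-RecoveryObjectReaders -DistinguishedName $hits[0].DistinguishedName | Format-Table -AutoSize
}
```

The second function is the audit half of the thread's disagreement about who can read the keys: rather than trusting a default, run it against a real recovery object and read the resulting ACE list.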
 
LVL 53

Expert Comment

by:McKnife
ID: 39864635
I oppose "BL is harder to recover". Let's look at some scenarios:
- Mainboard (and eventually with it the TPM) dies
  -> mount the drive on another machine and use the recovery key.
- User forgot the BL password (if passwords are used) or forgot his USB key (if USB keys are used)
  -> use the recovery key or, if present (recommended), a "master USB key" that holds a second key to the drive. This is possible.
  We can give the users password and key, so that in case they forget one, there's still the other.

Getting the recovery key can be made possible to anyone (each to his own machine) or just to domain admins (/schema admins), which is the default.
0
 

Author Comment

by:DukewillNukem
ID: 39867062
What about the TPM chips? How can their keys be stored?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39867067
What do you think you can do with those keys? In what situation would that be useful? I don't see it.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39867164
You have to read the previously linked article, it's really all there, you can backup the TPM keys in AD as well. The Schema has to be modified (the article tells you how) and then the keys can be stored there.
-rich
0
 

Author Comment

by:DukewillNukem
ID: 39867173
How do I reset a TPM lockout, for instance, on 500 laptops? That's something that must be possible from a central point of administration...
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 286 total points
ID: 39867220
500 should not lock out at the same time, so one at a time is very reasonable. The default failed-attempt count is 32, so I've never actually done one! http://technet.microsoft.com/en-us/library/jj571536.aspx
http://technet.microsoft.com/en-us/library/jj889441.aspx
After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.
-rich
0
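The central lockout handling Duke asks for, as an added example that was not posted by anyone in this thread: from an admin workstation, query a list of laptops for TPM lockout state and reset only the ones that report it. It assumes PowerShell remoting is enabled on the targets and that they run Windows 8 or later, where the Get-Tpm and Unblock-Tpm cmdlets exist (Windows 7 exposes the same operations only through the Win32_Tpm WMI class, not shown here); it also assumes Windows holds the TPM owner authorization, otherwise Unblock-Tpm needs -OwnerAuthorization or -File pointing at the saved owner-password file. Host names are constructed.

```powershell
# Added example: report (and optionally reset) TPM lockout across many laptops from one
# console. Assumptions: PowerShell remoting enabled; targets on Windows 8+ (Get-Tpm,
# Unblock-Tpm); TPM owner authorization available to the OS on each target.
function Get-TpmLockoutReport {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$Reset   # without -Reset the function only reports
    )
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -ArgumentList $Reset.IsPresent -ScriptBlock {
        param([bool]$DoReset)
        $tpm    = Get-Tpm
        $action = 'none'
        if ($tpm.LockedOut -and $DoReset) {
            try   { Unblock-Tpm -ErrorAction Stop; $action = 'lockout reset' }
            catch { $action = "reset failed: $($_.Exception.Message)" }
        }
        New-Object PSObject -Property @{
            Computer   = $env:COMPUTERNAME
            TpmPresent = $tpm.TpmPresent
            TpmReady   = $tpm.TpmReady
            LockedOut  = $tpm.LockedOut
            Action     = $action
        }
    }
}

# Usage with constructed host names; locked-out machines are listed first.
$laptops = 'LAPTOP-0001', 'LAPTOP-0002', 'LAPTOP-0003'
$report  = @(Get-TpmLockoutReport -ComputerName $laptops -Reset)
$report | Sort-Object LockedOut -Descending |
    Format-Table Computer, TpmPresent, TpmReady, LockedOut, Action -AutoSize

# Laptops that did not answer (powered off, off-site, remoting blocked) are absent from
# the report and need a follow-up; name them instead of silently dropping them.
$answered  = @($report | ForEach-Object { $_.Computer })
$unreached = @($laptops | Where-Object { $answered -notcontains $_ })
if ($unreached.Count -gt 0) { Write-Warning ("No response from: " + ($unreached -join ', ')) }
```

Run it without -Reset first to see how many machines are actually locked out; as Rich notes, with the 32-attempt default the answer is normally none, and the TPM clears itself over time anyway.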
 

Author Comment

by:DukewillNukem
ID: 39867382
Of course it wouldn't happen. But I'm just saying, in case the worst scenario happened, I want to be able to restore those devices back to business in usable time.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39868098
Duke, I participated in your other thread where you describe your disaster with McAfee Encryption. To be honest, I would not blame McAfee, but the guys who did not have a tested recovery concept in the first place.
In order to get a recovery concept for BitLocker, please look at realistic disaster scenarios. Multiple devices facing TPM lockouts is nowhere near realistic.

Consider what could go (terribly) wrong on multiple devices at the same time: nothing. At least not if you are not relying on the BL feature Network Unlock, which you don't have to.
What else? Single devices could fail to start because users forgot their PIN/password/USB key; there, as I mentioned, the recovery key will be handy, so think about how it could be provided. But you don't need to fear lockouts if you give them two keys (again, as mentioned before): password and startup key.
What else: hard drive corruption. Always possible, does not need to be looked at if you already have a backup concept.
Anything else? I don't think so.
0
 

Author Comment

by:DukewillNukem
ID: 39870802
McKnife: well, right now it's not clear what caused that issue with McAfee: a software bug or human error. Still investigating.

One more thing: from what I've seen, to enable BitLocker the AD schema must be extended/upgraded, correct?

We're still running on 2003 domain and forest functional level; do I have to upgrade to 2008 R2 to make BitLocker run?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39870818
You have to extend the schema to put the keys in AD. You can use BL without extending the schema, but to back up the keys into an easily accessible location you have to extend the schema. BL and BL-To-Go work without having to extend, but the ease of backing up the keys to AD cannot be achieved without extending the AD schema.
-rich
0
 

Author Comment

by:DukewillNukem
ID: 39872680
One more thing: if the recovery key needs to be "written back into AD", this seems not to be possible without being logged on to the domain. Tests have proved that it doesn't work through VPN either... I see that as a big drawback.

Does anyone have info about that or can confirm it?
0
 

Author Comment

by:DukewillNukem
ID: 39872686
We're still running on 2003 domain and forest functional level; do I have to upgrade to 2008 R2 to make BitLocker run?
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 71 total points
ID: 39872705
Has been answered before: works with 2003 SP1 at least after a schema upgrade. See it confirmed here: http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx
You can save recovery information in AD DS if your domain controllers are running Windows Server 2003 with Service Pack 1 (SP1) or Service Pack 2 (SP2), Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2. You cannot save recovery information in AD DS if the domain controller is running a version of Windows Server earlier than Windows Server 2003 with SP1.

Should work over a VPN, I don't see why not, but cannot reproduce it for you. Is the schema already upgraded?
0
 

Author Comment

by:DukewillNukem
ID: 39872759
No, not yet. We will upgrade in about two weeks.
Here are some drawbacks regarding BL:

- There are commercially available tools that claim to be able to crack BL
- Anyone with an ADM account can suspend BL or decrypt a drive
  (BL allows anyone with local machine administrative rights on the workstation to suspend or disable BL)
- No support for non-TPM enabled machines
- Pre-boot environment: BL has no single sign-on, right?
- Weaker security
- TPM password doesn't change
- BL requires TPM version 1.2 or higher, correct?
- Lockouts: If a user forgets their PIN in BL, after a certain number of tries there is a small timeout between repeated attempts. If the TPM believes it is being hammered, it will enter lockout mode. During this time a user can still enter the correct PIN and get in, but the Service Desk will need to be contacted to reset the TPM so it is no longer in lockout mode. Forgotten Windows passwords are handled no differently than if BL was not installed, right?

- In testing, the TPM password did not change after repeated uses to reset the TPM. (This may be a security concern)
- Non-English keyboards are not directly supported

- Recovery: The BL recovery solution requires a call to the Service Desk for a challenge/response recovery, or a self-help website. If the recovery is due to a hardware change, the Service Desk will need to remotely connect to the machine to suspend and resume BL so that the user isn't prompted for a recovery key each time the machine boots

Authorized users / administrators: BL does not assign a specific set of users to a device and does not require the synchronizing of passwords between the local machine and a backend database.

If you have time, I'd be extremely grateful if you could review my concerns and give a statement about them.

Thank you so much for your help.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39872781
Duke, after a few lines, I stopped reading. Where does this originate from?
0
 

Author Comment

by:DukewillNukem
ID: 39872906
McKnife: I'm sorry, I know it's a lot. I picked this up from forums like McAfee's and put them together, but these are the pros/contras which need to be given a look at.

Before we deploy BL, a proof of concept must be delivered which shows those points listed above and convinces our management.
Being in the business for some time, I know that not everything MS promises is accurate. Therefore I have to list all of it and make a comparison which "justifies" a product, regardless of whether it's MS, McAfee or anything else.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39872965
Ok, we can discuss certain points, but crap like "-Weaker security" should not be discussed. Meaningless, because very generalized. OK, I'll do a quick and dirty commenting which can be refined later:
--
- There are commercially available tools that claim to be able to crack BL - sure, everybody can crack anything in minutes ;-). Too generalized. Please name those tools and circumstances.
- Anyone with an ADM account can suspend BL or decrypt a drive
  (BL allows anyone with local machine administrative rights on the workstation to suspend or disable BL) - correct. Admins are admins.
- No support for non-TPM enabled machines - what should that mean? We CAN use BL without.
- Pre-boot environment: BL has no single sign-on, right? - Right.
- Weaker security - ???
- TPM password doesn't change - so what? How would anyone break that?
- BL requires TPM version 1.2 or higher, correct? - read the MS TechNet documentation.
- Lockouts: If a user forgets their PIN in BL, after a certain number of tries there is a small timeout between repeated attempts. If the TPM believes it is being hammered, it will enter lockout mode. During this time a user can still enter the correct PIN and get in, but the Service Desk will need to be contacted to reset the TPM so it is no longer in lockout mode. Forgotten Windows passwords are handled no differently than if BL was not installed, right? - the last one is right. But what about hammering? Why would users try and try and try?

- In testing, the TPM password did not change after repeated uses to reset the TPM. (This may be a security concern) - please explain in detail.
- Non-English keyboards are not directly supported - the physical keyboard does not matter, but you need to switch the input keyboard to en-US when entering a password in Windows, because the pre-boot screen uses en-US!

- Recovery: The BL recovery solution requires a call to the Service Desk for a challenge/response recovery, or a self-help website. If the recovery is due to a hardware change, the Service Desk will need to remotely connect to the machine to suspend and resume BL so that the user isn't prompted for a recovery key each time the machine boots - we talked about recovery earlier; everything has been said: give the user a USB key and a password (password only for Win8+); if still on Vista/Win7, consider providing the recovery key to the end user.

Authorized users / administrators: BL does not assign a specific set of users to a device and does not require the synchronizing of passwords between the local machine and a backend database. - correct.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39873047
BL + TPM is security OVERKILL actually. The way to decrypt BL is the same as for EVERY product: wait until the user boots it up, get the decryption key from memory, or issue decryption commands at that time. No product can claim that is not possible, because that is the function of the product; it is to give you access to the content, and to get access to the content it has to be decrypted. If you read my article, which I believe I linked earlier, you can see that Elcomsoft and Passware have BL decryption capabilities, but they rely on the product being booted, taken out of hibernation or suspension, or simply at the lock screen. Using FireWire (physical access) the products can get access to DMA RAM and get the decryption key for PGP, TC, BL and probably others. This is not an attack that drive encryption aims to solve, and it's in fact not an attack you have to worry about. If you can get to RAM you can get to ANYTHING in the machine already with no need to decrypt, just inject a trojan there; the drive is already decrypted because the key is in RAM. It's nice and James Bond to get the key for use later, but not needed since FireWire gets you direct access to RAM.

Try the product out, then come back with problems you have with it, not what others say is a problem. Again, like I said in my opening post, BL protects from OFFLINE physical theft of the data when the OS is OFF. It does not protect anything when it is running, suspended or hibernating.
-rich
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39873073
Small addition:
> It does not protect anything when it is running, suspended or hibernating.
It does protect hibernated OSes. BL does, Symantec Encryption Desktop does, maybe most or all do. Before resuming, you need to re-enter the PW/PIN or re-insert your USB drive.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39873187
I suppose I over-generalized hibernation... BL can ask for those depending on how you have it set up; other FDE products do not ask or have the option and are able to be decrypted by the two aforementioned products. If BL is set to transparent mode, the hibernation file is decryptable; also sleeping or suspended modes are still vulnerable even with PIN or USB boot.
-rich
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39873202
Transparent mode, yes. Whoever uses that one without a PIN deserves no better.
0
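A fleet check for the "transparent mode" configuration Rich and McKnife discuss above, as an added example not written by anyone in this thread: it asks each laptop which key protectors its OS volume carries and flags machines where the TPM alone releases the key (no PIN, no startup key) as well as machines with no recovery password at all. It parses manage-bde output, so it works on Windows 7 as well as later versions; PowerShell remoting to the listed machines is assumed, and the host names are constructed.

```powershell
# Added example: audit BitLocker key protectors on many laptops and flag TPM-only
# ("transparent") volumes and volumes without a recovery password.
# Assumptions: PowerShell remoting enabled on the targets; OS volume is C: unless given.
function Get-BitLockerProtectorAudit {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$Volume = 'C:'
    )
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -ArgumentList $Volume -ScriptBlock {
        param([string]$Volume)
        $types = @()
        foreach ($line in (manage-bde -protectors -get $Volume 2>$null)) {
            # Protector type headers are indented exactly four spaces and end with a colon
            # ("    TPM And PIN:"); sub-fields such as "      Password:" sit deeper and
            # must not be mistaken for a protector type.
            if ($line -match '^ {4}([A-Za-z][A-Za-z ]*):\s*$') { $types += $Matches[1].Trim() }
        }
        # Anything that requires a user-held secret or token before the OS boots.
        $preBoot = @($types | Where-Object {
            $_ -like 'TPM And*' -or $_ -eq 'Password' -or $_ -eq 'External Key' })
        New-Object PSObject -Property @{
            Computer            = $env:COMPUTERNAME
            Volume              = $Volume
            Encrypted           = ($types.Count -gt 0)
            Protectors          = ($types -join ', ')
            # TPM-only: the drive unlocks with no user secret, so a stolen laptop that
            # is sleeping or reaches the logon screen is protected only by the logon.
            TransparentTpmOnly  = ($types -contains 'TPM') -and ($preBoot.Count -eq 0)
            HasRecoveryPassword = ($types -contains 'Numerical Password')
        }
    }
}

# Usage with constructed host names: show only the machines that need attention.
$audit = @(Get-BitLockerProtectorAudit -ComputerName 'LAPTOP-0001', 'LAPTOP-0002', 'LAPTOP-0003')
$audit | Where-Object { -not $_.Encrypted -or $_.TransparentTpmOnly -or -not $_.HasRecoveryPassword } |
    Format-Table Computer, Encrypted, Protectors, TransparentTpmOnly, HasRecoveryPassword -AutoSize
```

The same three columns make a reasonable compliance definition for the proof of concept: encrypted, a pre-boot secret present, and a recovery password that (per the earlier posts) has been escrowed somewhere other than the laptop itself.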
 

Author Comment

by:DukewillNukem
ID: 39873386
Boot order:
"It may not be obvious, but the way the TPM secures the encryption keys is by ensuring that the way your system boots up or starts is always the same as it was at the time you enabled BitLocker. This means if you are encrypting your system drive (C:) it is important that you set the boot order so that the hard drive is always first."

Is this true?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 286 total points
ID: 39873407
I thought that might be a UEFI only thing, but it's not:
http://technet.microsoft.com/en-us/library/ee449438%28v=ws.10%29.aspx
Even the keyboard can have an effect, but I've never seen those happen yet; we've used BL for about 2 years.
The search that led me there:
https://www.google.com/webhp?#q=site:microsoft.com+bitlocker+bios+boot+order
Our users are not administrators of their machines and don't have the bios password, we do allow CD/USB boot first however.
-rich
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39873418
Duke, the way you lead the question gets somewhat exhausting, at least for me. You collected a heap of questions, you got quick'n'dirty answers, and now, without any further comment, the next question comes in.
I suggest reading and trying for yourself. BL judges the BIOS state, yes. Some changes in the BIOS will lead to BL asking for the recovery key, others won't, and you can even configure that using GPOs. But that won't be your main concern for deployment, will it? Do your users change the BIOS settings all day? ;-)

Please ask new, separate questions instead of reviving this thread again and again.
0
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 286 total points
ID: 39873435
Agreed, your questions I believe are answered. Most were obvious if you read what we linked, and or searched for some simple terms.
-rich
0