June 2007

Vista's BitLocker Drive Encryption

Lock down your data when you shut down your laptop

One of the key themes of Windows Vista is security. An important Vista security feature is the enhanced protection against malware through the new Microsoft Internet Explorer (IE) phishing filter, the newly built-in spyware scanner Windows Defender, and the Malicious Software Removal Tool (MSRT). Equally important is the brand new architecture for better honoring the principle of least privilege: the Vista feature referred to as User Account Control (UAC).

Another key Vista security feature is BitLocker Drive Encryption (BDE). Before I explain how BDE works, let me tell you how your organization can benefit from BDE. Be aware that BDE is available only in the Vista Enterprise and Vista Ultimate editions.

What BDE Can Do
BDE can better isolate the data on your Windows client computers and protect it from theft when the clients are offline (i.e., when the OS is shut down). Despite the "Drive Encryption" in its name, BDE works on a volume: it ensures that all the data on the volume is in an encrypted state when the Vista system is powered off. As such, BDE offers protection against the theft of the confidential corporate data that employees often carry around on their laptop computers.

It's important to stress that BDE offers only offline protection: when someone gains online (local or network) access to a BDE-protected volume and the OS authorizes that person or process to access the data, the data is transparently decrypted and unprotected as needed by the user or process. BDE nicely complements the other data protection and encryption technologies Microsoft offers: Encrypting File System (EFS) and Rights Management Services (RMS). Enterprises that want encrypted file sharing should look at EFS, which is bundled with Windows 2000 and later OS versions and has been significantly enhanced in Vista. Enterprises that want permanent protection and encryption of data, even when the data is removed from a protected volume (BDE) or folder (EFS) and attached to, for example, a Microsoft Outlook email message, must look at RMS; the RMS client is also bundled with Vista.

Because BDE uses a filter driver for encrypting and decrypting data (after the initial encryption), BDE has a minimal impact on system performance. During my lab tests, I noticed a 10 to 15 percent performance hit on my BDE-enabled Vista system. Initial BDE encryption takes about 1 minute per gigabyte on an average Vista computer system (Intel Pentium 4 with 1GB of memory).

BDE protection for a Windows volume is never enabled by default and must always be turned on manually. Also, BDE protects not only a volume's user data and Windows system files but also the hibernation file, the page file, and the temporary files. In the initial Vista release, only the system boot volume can be BDE-protected. At the time of writing, Microsoft planned to support BDE protection of other volumes in the upcoming Vista Service Pack 1 (SP1) and Windows Longhorn Server.

BDE also makes the OS itself more resilient in the face of attacks. BDE includes a file integrity checking feature that automatically assesses the status of boot files such as the BIOS, Master Boot Records (MBRs), and the NTFS boot sector when the system boots and before the OS starts. If a hacker has inserted malicious code in one of the boot files or has modified one of them, BDE will detect it and block the OS from starting. Microsoft refers to this feature as the static root of trust measurement for early boot components. This feature is available only on computer systems that have a Trusted Platform Module (TPM) 1.2 chip, a special security chip that I explain in more detail below. BDE also provides a recovery mechanism that allows selected administrators to regain access to the encrypted BDE volume when the OS can't start due to a boot file integrity error.

BDE can also offer pre-OS multifactor authentication. Before Vista starts, BDE can prompt users to authenticate by providing a secret that’s stored on a USB token and/or by entering a PIN. Preboot authentication protects Windows from attacks that attempt to bypass OS-level access checks and get to the data on a Windows-protected volume by booting from a Linux CD-ROM or floppy disk.

Finally, though this isn't the most compelling reason for using BDE, BDE can speed up the process of decommissioning computers. Enterprises often invest considerable time and effort in erasing old computers' hard disks. But you need only erase the BDE decryption keys on a BDE-protected volume to make the data completely useless.

Before we go further, I want to remind you that BDE isn't available in all Vista versions. It's only included in the Vista Enterprise and Vista Ultimate editions, the two versions that target high-end home and business users. For a good overview of the different Vista editions and their features, have a look at http://www.microsoft.com/windowsvista/getready/editions/default.mspx. To write this article, I used the release to manufacturing (RTM) version of Vista Ultimate.

How BDE Works
BDE is a hybrid cryptographic application that combines the functions and features of several cryptographic primitives. BDE uses a symmetric encryption scheme for encrypting BDE-protected volumes and digital signature technology to check the integrity of the boot files.

Figure 1 shows the BDE architecture and operation. The encrypted symmetric encryption key (also referred to as the Full Volume Encryption Key, or FVEK) and the boot files are stored on a special system volume. BDE can access the symmetric encryption key and thus decrypt the BDE-protected volume only if the user can provide, at system startup, a valid PIN or another secret that's stored on a USB token or TPM chip. (Remember the pre-OS authentication I mentioned above.)
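The three mechanisms described above (boot-file measurement into the TPM, the pre-OS PIN and USB factors, and the recovery path that unlocks the encrypted FVEK) fit together into one key-protection chain. The following Python model is an added illustration written for this article's readers; it is not Microsoft's code, and its hash sizes, its toy sealing and key-wrapping schemes, the way the factors are combined, and the boot-file stand-ins are all assumptions chosen to make the control flow visible. It shows why a modified boot file lands the machine in recovery rather than in Windows, why a wrong PIN yields no key at all rather than a garbage key, and why an escrowed recovery key can bypass every pre-OS factor.

```python
"""Simplified model of how BDE guards its volume key: early-boot components are
measured into a TPM PCR, a secret is sealed to that measurement, PIN and USB
startup key are folded in as extra factors, and a recovery key gives admins a
way back in. Constructed illustration (hash sizes, sealing scheme and factor
combination are assumptions), not Microsoft's implementation."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

PCR_SIZE = 20  # TPM 1.2 PCRs hold a SHA-1 digest


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || SHA-1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components: List[bytes]) -> bytes:
    """Replay the measurement chain (BIOS, MBR, boot sector) from a zeroed PCR."""
    pcr = b"\x00" * PCR_SIZE
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr


class SimTPM:
    """Stand-in for the TPM chip: seals a secret to an expected PCR value."""

    def __init__(self) -> None:
        self._srk = os.urandom(32)  # root key that never leaves the "chip"

    def _wrap(self, pcr: bytes) -> bytes:
        return hmac.new(self._srk, b"seal" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, expected_pcr: bytes) -> Dict[str, bytes]:
        blob = bytes(a ^ b for a, b in zip(secret, self._wrap(expected_pcr)))
        tag = hmac.new(self._srk, blob + expected_pcr, hashlib.sha256).digest()
        return {"blob": blob, "tag": tag}

    def unseal(self, sealed: Dict[str, bytes], pcr: bytes) -> Optional[bytes]:
        tag = hmac.new(self._srk, sealed["blob"] + pcr, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, sealed["tag"]):
            return None  # boot measurement differs from sealing time: refuse
        return bytes(a ^ b for a, b in zip(sealed["blob"], self._wrap(pcr)))


def derive_kek(tpm_secret: bytes, pin: Optional[str], usb_key: Optional[bytes]) -> bytes:
    """Every configured pre-OS factor contributes to the key-encryption key."""
    h = hashlib.sha256(tpm_secret)
    if pin is not None:
        h.update(hashlib.sha256(pin.encode()).digest())
    if usb_key is not None:
        h.update(usb_key)
    return h.digest()


def wrap_key(kek: bytes, key: bytes) -> Dict[str, bytes]:
    """Encrypt-and-MAC a 32-byte key under kek (toy scheme, not AES key wrap)."""
    stream = hashlib.sha256(b"wrap" + kek).digest()
    ct = bytes(a ^ b for a, b in zip(key, stream))
    return {"ct": ct, "tag": hmac.new(kek, ct, hashlib.sha256).digest()}


def unwrap_key(kek: bytes, wrapped: Dict[str, bytes]) -> Optional[bytes]:
    tag = hmac.new(kek, wrapped["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, wrapped["tag"]):
        return None  # wrong factor: no usable key, not silently garbage
    stream = hashlib.sha256(b"wrap" + kek).digest()
    return bytes(a ^ b for a, b in zip(wrapped["ct"], stream))


# Constructed stand-ins for the boot files BDE measures.
GOOD_BOOT = [b"BIOS image v1", b"MBR code", b"NTFS boot sector"]


def enable_bde(tpm: SimTPM, pin: str, usb_key: bytes) -> Tuple[dict, bytes]:
    """Provision the volume; returns on-disk metadata and the escrowed recovery key."""
    fvek = os.urandom(32)
    tpm_secret = os.urandom(32)
    recovery_key = os.urandom(32)
    meta = {
        "sealed": tpm.seal(tpm_secret, measure_boot(GOOD_BOOT)),
        "fvek_by_kek": wrap_key(derive_kek(tpm_secret, pin, usb_key), fvek),
        "fvek_by_recovery": wrap_key(recovery_key, fvek),
    }
    return meta, recovery_key


def boot(tpm: SimTPM, meta: dict, components: List[bytes],
         pin: Optional[str], usb_key: Optional[bytes]) -> Tuple[str, Optional[bytes]]:
    """Pre-OS path: unseal against the live measurement, then apply PIN/USB."""
    tpm_secret = tpm.unseal(meta["sealed"], measure_boot(components))
    if tpm_secret is None:
        return "recovery", None  # a boot file changed: OS start is blocked
    fvek = unwrap_key(derive_kek(tpm_secret, pin, usb_key), meta["fvek_by_kek"])
    if fvek is None:
        return "denied", None  # wrong PIN or missing USB startup key
    return "ok", fvek


def recover(meta: dict, recovery_key: bytes) -> Optional[bytes]:
    """Admin recovery path that bypasses the TPM, PIN and USB factors entirely."""
    return unwrap_key(recovery_key, meta["fvek_by_recovery"])


if __name__ == "__main__":
    tpm = SimTPM()
    meta, rk = enable_bde(tpm, "1234", b"startup-key-on-usb")
    print(boot(tpm, meta, GOOD_BOOT, "1234", b"startup-key-on-usb")[0])
    modified = [b"BIOS image v1", b"MBR code (modified)", b"NTFS boot sector"]
    print(boot(tpm, meta, modified, "1234", b"startup-key-on-usb")[0])
    print(boot(tpm, meta, GOOD_BOOT, "0000", b"startup-key-on-usb")[0])
```

Two design points carry over to the real product. First, the FVEK is never stored in the clear on the volume; only wrapped copies are, one per protector (TPM-plus-factors and recovery), which is what makes the decommissioning shortcut described above work: destroy the wrapped copies and the recovery key, and the ciphertext on disk is unusable. Second, the TPM refuses to release its secret when the live measurement differs from the sealing-time measurement, so a modified BIOS, MBR or boot sector is caught before any OS code runs, and the only way forward is the administrator's recovery key.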

Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.