From f0ae34d710c4b7172cc34c2354ff678384f1a867 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 2 Sep 2020 15:56:22 +0530 Subject: [PATCH 1/4] Update bitlocker-countermeasures.md --- .../bitlocker/bitlocker-countermeasures.md | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 981252ffbf..4bef840b55 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md @@ -23,12 +23,12 @@ ms.custom: bitlocker **Applies to** - Windows 10 -Windows uses technologies including Trusted Platform Module (TPM), Secure Boot, and Measured Boot to help protect BitLocker encryption keys against attacks. +Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable. -For example, there could be unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. +For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer’s hard disk to a different computer. -BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started by: +BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by: - **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed. - **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer’s BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability. @@ -39,7 +39,7 @@ For more information about how to enable the best overall security configuration ## Protection before startup -Before Windows starts, you must rely on security features implemented as part of the device hardware and firmware, including TPM and Secure Boot. Fortunately, many modern computers feature a TPM and Secure Boot. +Before Windows starts, you must rely on security features implemented as part of the device hardware and firmware, including TPM and secure boot. Fortunately, many modern computers feature a TPM and secure boot. ### Trusted Platform Module @@ -48,14 +48,14 @@ On some platforms, TPM can alternatively be implemented as a part of secure firm BitLocker binds encryption keys with the TPM to ensure that a computer has not been tampered with while the system was offline. For more info about TPM, see [Trusted Platform Module](https://docs.microsoft.com/windows/device-security/tpm/trusted-platform-module-overview). -### UEFI and Secure Boot +### UEFI and secure boot Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system’s bootloader. The UEFI specification defines a firmware execution authentication process called [Secure Boot](https://docs.microsoft.com/windows/security/information-protection/secure-the-windows-10-boot-process). -Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. +Secure boot blocks untrusted firmware and bootloaders (signed or unsigned) from being started on the system. -By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. +By default, BitLocker provides integrity protection for secure boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader cannot run and acquire the BitLocker key. ### BitLocker and reset attacks @@ -71,8 +71,8 @@ The next sections cover pre-boot authentication and DMA policies that can provid ### Pre-boot authentication -Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. -The Group Policy setting is [Require additional authentication at startup](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol1arequire-additional-authentication-at-startup) and the corresponding setting in the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication. +Pre-boot authentication with BitLocker is a policy setting that requires the use of either of the user input, such as a PIN, or a startup key, or both to authenticate prior to making the contents of the system drive accessible. +The group policy setting is [Require additional authentication at startup](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol1arequire-additional-authentication-at-startup) and the corresponding setting in the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication. BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. If Windows can’t access the encryption keys, the device can’t read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key. @@ -82,19 +82,19 @@ This helps mitigate DMA and memory remanence attacks. On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways: -- **TPM-only.** Using TPM-only validation does not require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign in experience is the same as a standard logon. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor. +- **TPM-only.** Using TPM-only validation does not require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard logon. If the TPM is missing, changed, or if BitLocker detects changes to the BIOS, UEFI code or configuration, the critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options which require an additional authentication factor. - **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key. - **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN. TPMs also have [anti-hammering protection](https://docs.microsoft.com/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN. - **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required. -In the following Group Policy example, TPM + PIN is required to unlock an operating system drive: +In the following group policy example, TPM + PIN is required to unlock an operating system drive: ![Pre-boot authentication setting in Group Policy](images/pre-boot-authentication-group-policy.png) Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. -On the other hand, Pre-boot authentication prompts can be inconvenient to users. +On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization’s support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation. @@ -112,9 +112,9 @@ You can use the System Information desktop app (MSINFO32) to check if a device h ![Kernel DMA protection](images/kernel-dma-protection.png) -If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: +If kernel DMA protection is *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: -1. Require a password for BIOS changes +1. Require a password for BIOS changes. 2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Please refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) 3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607): @@ -130,12 +130,12 @@ This section covers countermeasures for specific types of attacks. ### Bootkits and rootkits -A physically-present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. +A physically present attacker might attempt to install a bootkit- or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. The TPM should observe this installation via PCR measurements, and the BitLocker key will not be released. This is the default configuration. A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise. -Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. +Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of secure boot that provides additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure). ### Brute force attacks against a PIN @@ -151,7 +151,7 @@ It also blocks automatic or manual attempts to move the paging file. ### Memory remanence -Enable Secure Boot and require a password to change BIOS settings. +Enable secure boot and mandatorily prompt a password to change BIOS settings. For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user. ## Attacker countermeasures @@ -190,7 +190,7 @@ Computer Configuration|Administrative Templates|Windows Components|BitLocker Dri This setting is **Not configured** by default. -For secure administrative workstations, Microsoft recommends TPM with PIN protector and disable Standby power management and shut down or hibernate the device. +For secure administrative workstations, Microsoft recommends a TPM with PIN protector and to disable Standby power management and shut down or hibernate the device. ## See also From 49a0e659efff649a31d0b7e686a4454f68adb1cd Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 7 Sep 2020 18:21:37 +0530 Subject: [PATCH 2/4] Update bitlocker-countermeasures.md --- .../bitlocker/bitlocker-countermeasures.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 4bef840b55..c11eb7f811 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md @@ -71,7 +71,7 @@ The next sections cover pre-boot authentication and DMA policies that can provid ### Pre-boot authentication -Pre-boot authentication with BitLocker is a policy setting that requires the use of either of the user input, such as a PIN, or a startup key, or both to authenticate prior to making the contents of the system drive accessible. +Pre-boot authentication with BitLocker is a policy setting that requires the use of user input, such as a PIN, or a startup key, or both to authenticate prior to making the contents of the system drive accessible. The group policy setting is [Require additional authentication at startup](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol1arequire-additional-authentication-at-startup) and the corresponding setting in the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication. BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. @@ -112,9 +112,10 @@ You can use the System Information desktop app (MSINFO32) to check if a device h ![Kernel DMA protection](images/kernel-dma-protection.png) -If kernel DMA protection is *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: +If kernel DMA protection is *not* enabled, follow these steps to protect Thunderbolt™ 3-enabled ports: 1. Require a password for BIOS changes. +**Question: What is the source from which the user can get this password?** 2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Please refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) 3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607): From 049479f485a0197496983274ab181e04a168eaa9 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 22 Oct 2020 13:56:49 +0530 Subject: [PATCH 3/4] Update bitlocker-countermeasures.md --- .../bitlocker/bitlocker-countermeasures.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index c11eb7f811..208613647c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md @@ -115,7 +115,6 @@ You can use the System Information desktop app (MSINFO32) to check if a device h If kernel DMA protection is *not* enabled, follow these steps to protect Thunderbolt™ 3-enabled ports: 1. Require a password for BIOS changes. -**Question: What is the source from which the user can get this password?** 2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Please refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) 3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607): From b53f8146eaa9849a304f507fd4bf8fcc528eefcf Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 14:48:46 +0530 Subject: [PATCH 4/4] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|