This article, the fifth of seven in a series covering the Microsoft Desktop Optimization Pack (MDOP), will detail the Microsoft BitLocker Administration and Monitoring tool (MBAM).

BitLocker, introduced in Windows Vista/Server 2008, addressed the lack of hardware level encryption desired by many organizations. BitLocker initially proved valuable on laptops and tablets. As more devices became equipped with a TPM module, a chip required for BitLocker implementation, organizations began to enable BitLocker on a larger scale through the encryption of desktops. Hardware level encryption protects user created data, secures against boot sector viruses, and allows for machines to be decommissioned without formatting the hard drive first.

With the release of Windows 7/Server 2008 R2, Microsoft made strides in BitLocker implementation and administration. The deployment, management, and reporting features still lacked though. While BitLocker could easily be setup on a case by case basis, wide scale distribution was difficult. Microsoft’s BitLocker Administration and Monitoring tool (MBAM) addresses the three biggest pitfalls with a wide scale BitLocker implementation. These are: Deployment/Management, Reporting, and Cost of Support.

(more…)

This tutorial in seven parts describes in detail how to configure Active Directory for BitLocker and gives valuable best practice tips.

You don’t have to go very far to hear a story about a laptop computer being stolen that contained the names and personal information of hundreds, thousands, or even tens of thousands of people. Whether they realize it or not, many organizations have employees that are carrying around company trade secrets or the personal information of employees, contractors, customers, patients, and/or students. In most cases, loss of these devices could have regulatory, legal, monetary, or reputation implications for not only the organization who lost the data, but for those whose personal information was lost.

What about your company’s sensitive data? What would happen if your closest competitor had the laptop of someone from your marketing or sales department and all of the data that resided on it? What if a missing laptop from a doctor at your hospital landed on the desk of a local news reporter? What if a faculty member at your university left a laptop in a coffee shop never to be seen again? These are all very real situations that could happen to your organization if you’re not taking precautions to ensure that data stored on these devices is protected from unauthorized access.

(more…)

In this article, you will learn how to create a Windows PE 3.0 installation that you can use to unlock BitLocker encrypted drives with the manage-bde command.

A while back, I claimed that hard drives in business PCs should always be encrypted for various reasons. Even though many third-party encryption solutions are available, BitLocker would always be my first choice because it is perfectly integrated into Windows. Unfortunately, by default this is not the case for Windows PE.

A disadvantage of hard drive encryption is that you can’t easily access the system drive for troubleshooting if Windows is unable to boot up properly. Imagine a high-ranking manager coming to your office one morning, telling you that her laptop doesn’t boot up and that she has important data on the encrypted system disk that she desperately needs later today. Ah, and by the way, her flight leaves in an hour. What will you do?

(more…)

Perhaps you believe your office is your well-protected castle. You think nobody can access your disks and, because you don’t have laptop users, you don’t need BitLocker disk encryption in your organization. This post provides seven reasons why you are wrong. In my view, hard disk encryption is a must for all PCs in your organization. BitLocker alone justifies the deployment of Windows 7 Enterprise or Ultimate instead of Windows 7 Professional.

1. Confidential data

It is true that the most common use of BitLocker is to protect the data on stolen laptops. Since you are probably an IT pro, you know that anybody can access the data on an unencrypted disk without requiring any passwords by booting up from a second drive. Thus, hard disk encryption is the only way to protect the data on a stolen laptop. However, who says that the disks in your PCs or servers can’t be stolen? Did you ever wonder what a disgruntled employee could do with the easy-to-remove hot-plug hard disks in your servers? If you use RAID, you might not even notice the theft for a while. I suppose, your organization protects all your valuable printed documents in a safe. Do you have the same security precautions for your valuable digital data?

(more…)

I’ve been using TrueCrypt drive encryption for some time for my external hard drives. Some days ago, I moved to BitLocker and I am quite happy with it. In this post I explain why. Please note that this comparison is about device-hosted encryption and not about system drive encryption.

No system image backups

The one thing I disliked most about TrueCrypt is that I couldn’t use my external drive for system image backups because the Windows 7 Backup and Restore applet no longer recognized this drive. You might say that this is not TrueCrypt’s fault. However, for me, it didn’t matter whose fault it was as I was just robbed from an important function of my external hard drive.

(more…)

Last year, Intel introduced a new system platform called Atom^TM, which consumes less power compared to standard CPUs and is highly integrated. A new type of PC developed around this platform: the netbook. Although the Atom offers very little CPU power, certain advantages of the netbooks make them attractive to mobile home and business users alike: compact size, long-lasting battery charge, and low price.

Because netbooks are designed to be taken with you everywhere, their small size makes it easier for you to forget them and for criminals to steal. A lost netbook containing sensitive data could  be a real threat, particularly to enterprises whose very survival can depend on the security of their data.

(more…)

In my last article I discussed the BitLocker to Go features from a user’s perspective. Today I will take a closer look at the features that are of interest from a system administrator’s point of view.

I think it is important to have just one USB stick encryption solution in a corporate environment because it simplifies the work for help desk personnel. If an end user calls because he or she is unable to access the data on an encrypted memory stick, and you don’t even know what encryption software has been used, things can get difficult.

(more…)

BitLocker to Go is a new feature in Windows 7 that allows you to encrypt data on removable drives such as USB sticks. I believe that BitLocker to Go will be more popular than BitLocker for fixed-drive encryption, which I reviewed in my last article. Portable drives get lost much easier simply because they are smaller than laptops. Because they often contain important business data, unencrypted memory sticks pose a considerable security risk for any organization.

Of course, flash drive encryption isn’t anything new. Many portable storage devices come with their own encryption software and there are also free tools such as TrueCrypt that support USB stick encryption. However, in corporate environments, BitLocker to Go has some important advantages over these free solutions. In this article, I will discuss BitLocker to Go from the end user’s perspective. In my next post, I will cover the management features.

(more…)

This article reviews Windows 7 BitLocker and BitLocker to Go in detail and gives tips how to install and configure BitLocker.

BitLocker was introduced with Windows Vista and, as far as I know, it was not very popular. This might be because it is available only for Windows Vista Ultimate and Windows Vista Enterprise. But the main reason probably is that it is complicated to set up. I compared BitLocker to TrueCrypt a year ago and concluded that the Open Source tool is the better drive encryption solution. BitLocker in Windows 7, however, has significantly improved. In this article I discuss BitLocker’s system drive encryption, and in my next post I will review BitLocker-to-Go, the new encryption solution for removable storage devices.

BitLocker for Vista was too complicated to set up once the operating system is installed. Users had to shrink the system partition to make space for the BitLocker partition. Microsoft acknowledged that this was too difficult for end users, and too time consuming for administrators, and released the BitLocker Drive Preparation Tool, which is part of the Ultimate Extras and is also available for Windows Vista Enterprise.

(more…)

Josh from the InfiniteAdmin blog has an interesting post about solid state disk (SSD) encryption. He raised doubts that drive encryption tools such as TrueCrypt are secure enough if applied to SSDs. Like memory sticks SSDs are flash drives that usually work with NAND technology. Therefore, these concerns also apply to USB sticks.

(more…)

TrueCrypt 5 is available for some days now. Today, I found time to have a look at the new version of my favorite free encryption tool. The most noteworthy new feature certainly is its ability to encrypt system drives/partitions. Until now TrueCrypt was only an alternative to the Encrypting Files System (EFS) under Windows. Now, Truecrypt 5 also competes with Vista’s Bitlocker. In this post, I explore the pros and cons of both crypto tools.

(more…)

There has been a lot of media coverage about Bitlocker recently. It is supposed to be a solution for laptop users who want to encrypt their whole hard disks under Vista. You can’t encrypt your whole system partition with Truecrypt, but, in my view, is a much better solution if you want to secure confidential data.

Update: Please, also check out my review about TrueCrypt 5.

(more…)

How many passwords do you use? I’ve already given up counting mine. The list just keeps getting longer and longer, since i use a new password for every application or web site. (I hope you do this too.) Of course, it’s hard to remember all of them. So I save them in an encrypted file using Locknote. Infinite Password Generator offers another solution for this password problem. Instead of saving your passwords with a password manager, you generate the password each time you need it. Sounds strange, but it works.

(more…)

The major problem with any password-saving software is that passwords have to be loaded into the computer’s memory when you want to access them. This is a security risk. Passwordsaver (PWS) is a USB stick that solves this problem. It doesn’t show the passwords on the computer screen, but on its own tiny display.

(more…)

I just had a quick look at Folder Lock for Windows. It has more or less the same functionality as TrueCrypt which I discussed recently. It can make folders invisible and encrypt them as well. The advantage of Folder Lock is that you don’t have to reserve space on your hard disk for your encrypted folders. It can encrypt an existing folder. However, it is not free. It costs $30.

Update: Please, also check out my review about TrueCrypt 5.