By Kyle Beckman
One of the most common questions I get about BitLocker Drive Encryption is the need for PINs on boot volumes (a.k.a. the C:\ drive). Do I really need to set a PIN that needs to be entered every time I start my BitLocker-encrypted device? Believe it or not, you may not need a boot PIN depending on what version of Windows you’re using.
One quick note: The discussion here assumes that you’re using a Trusted Platform Module (TPM) on the BitLocker-encrypted system. All of the major computer manufacturers make them available by default (or as an add-on) on most Enterprise- and Business-grade systems. You can use configurations without a TPM, but the most secure configurations require the TPM.
Windows 7
If you’ve read my article on the Group Policy settings to use for BitLocker in Windows 7, you may remember that I reference the Best Practices for BitLocker in Windows 7 from Microsoft. The recommended Best Practice from Microsoft is to set a PIN of at least seven numerals on Windows 7.
Depending on the type of system, this is fairly easy to implement. With a laptop or a single-user computer, assigning a PIN should, in theory, be a painless proposition. Every time the system boots, the assigned user can enter his/her PIN and access a login prompt. The biggest challenge I’ve seen (and heard from other IT pros) is dealing with PIN management.
First, many users forget their PIN, whereas others write it down and store it in close proximity to the encrypted system to keep from forgetting it. This compromises the integrity of the PIN and defeats the purpose of having it in the first place.
Second, Windows 7 doesn’t support standard users/non-Administrators changing their own PINs. And what about shared systems such as reception desks and other multi-user systems—especially those in public areas? Do you tell everyone the PIN or have a common PIN for everyone to use?
In shared computer environments and desktop/office environments, I would recommend evaluating why you’re encrypting the systems. If your main goal is to protect the systems from offline attack, such as compromising local security (adding local accounts, giving a domain account higher access, etc.) or preventing offline access to data, a PIN may not be necessary as long as you don’t have any Direct Memory Access (DMA) devices such as Firewire or Thunderbolt and can physically secure the system.
These DMA devices can be disabled in Windows 7 if they aren’t needed by the end user; if they are, you’ll still need a PIN. Removing the PIN still allows someone unfettered access to the logon screen, but machines that remain in facilities your organization controls can be monitored for these kinds of attacks, and user accounts can be locked out by repeated bad logins.
With laptops, things are a bit more complicated due to the mobility of the device. PINs may be a good Best Practice to prevent attacks on a booted system, but you still run the same risk of users writing down PINs and storing them in their laptop bags. If you do choose to go with PINs, I highly recommend regular user education beyond what you may already be doing for passwords. You may also want to look into Mobile Device Management (MDM) software for Internet-based management of not just your smartphones and tablets but also laptops, so you can attempt remote wipes of lost and stolen laptops.
Bottom line: BitLocker PINs in Windows 7 prevent DMA attacks and unfettered access to the logon screen. If you don’t have DMA ports or if you disable them, you may not need a boot PIN if the system can be physically secured and monitored. But, you still need to evaluate your organization’s security needs and balance that with ease of use for your end users.
Windows 8/8.1
If you’re looking for reasons to justify implementing Windows 8.x, make sure to add the improvements to BitLocker to your list. Windows 8.x supports more types of devices than Windows 7 does, many of which may not have keyboards attached regularly or at all. Some devices, such as the Microsoft Surface Pro 3, have built-in onscreen keyboards that can be used for BitLocker boot PIN entry, but not all vendors include this functionality in their devices. If they don’t, you’ll have to equip every Windows 8 tablet assigned to an end user with a keyboard and require the user to connect it every time he/she boots the device.
As in my previous post, we’re going to assume that you’re using a Trusted Platform Module (TPM) on BitLocker-encrypted systems. All of the major computer manufacturers make them available by default (or as an add-on) on most Enterprise- and Business-grade systems, and you’re going to need it if you don’t want to use a PIN on Windows 8 devices.
The first change in Windows 8/8.1 devices is a change in the hardware certification that Microsoft makes OEM manufacturers adhere to when producing devices. Devices that support InstantGo (formerly known as Connected Standby in Windows 8) can’t have Direct Memory Access (DMA) ports such as Firewire and must have memory that isn’t easily removable. The removal of ports that could be susceptible to DMA attacks, together with memory that is soldered to the motherboard, significantly reduces the attack surface of those logo’d devices. In addition, devices attached to DMA ports don’t load drivers until a user has logged in to the system. This prevents an attacker from attaching a device to one of those ports on a logged-out system to pull the BitLocker encryption keys.
The second change is the addition of a new Group Policy option that can be used in conjunction with BitLocker. From a Windows 8+ (or Server 2012+) system, edit a Group Policy Object (GPO) in the Group Policy Management Console (GPMC). Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options and find the policy Interactive logon: Machine account lockout threshold.
[Screenshot: Machine account lockout threshold policy in the Group Policy Management Console]
Setting this policy will cause a BitLocker-encrypted system to lock down after the configured number of invalid logon attempts. Here’s how it works: The BitLocker-encrypted system boots up into Windows. A person who doesn’t know the password to log in starts entering bad passwords. After several attempts, he receives the message: “That password isn’t correct. Be careful—if you keep entering the wrong password, you’ll be locked out to help protect your data. To sign in, you’ll need a BitLocker recovery key. Press Ctrl+Alt+Delete to sign in.”
[Screenshot: Machine account lockout threshold warning in Windows 8.1]
After the configured number of failed attempts, the system will forcefully reboot. When the system boots back up, the user will receive the message: “You’re locked out! Enter the recovery key to get going again.”
[Screenshot: Windows 8.1 BitLocker "You're locked out" screen]
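To check where a given machine stands against the reasoning in this post (OS version, TPM presence, which key protectors guard the OS volume, and whether the lockout threshold is configured), here is an added PowerShell audit script; it is not from the original post. It assumes the built-in BitLocker and TrustedPlatformModule modules (Windows 8/Server 2012 and later, run elevated), and it assumes the lockout policy is backed by the MaxDevicePasswordFailedAttempts registry value.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session.
function Get-BitLockerPinPosture {
    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $osVersion = [version]$os.Version
    # 6.1 = Windows 7 / Server 2008 R2; 6.2 and later = Windows 8 / Server 2012 and later
    $isWin8Plus = $osVersion -ge [version]'6.2'

    $tpm      = Get-Tpm
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectorTypes = @($osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $hasPin      = ($protectorTypes -contains 'TpmPin') -or ($protectorTypes -contains 'TpmPinStartupKey')
    $hasRecovery = $protectorTypes -contains 'RecoveryPassword'

    # "Interactive logon: Machine account lockout threshold" (assumed registry backing store)
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lockout    = Get-ItemProperty -Path $policyPath -Name 'MaxDevicePasswordFailedAttempts' -ErrorAction SilentlyContinue
    $threshold  = if ($lockout) { [int]$lockout.MaxDevicePasswordFailedAttempts } else { $null }

    # Apply the post's reasoning: Windows 7 -> PIN is the recommended practice;
    # Windows 8+ with a TPM and a lockout threshold -> a boot PIN is optional.
    $finding = if (-not $tpm.TpmPresent) {
        'No TPM: TPM-based protectors are unavailable; the most secure configurations need one'
    } elseif (-not $isWin8Plus) {
        if ($hasPin) { 'Windows 7 with TPM+PIN: matches the recommended practice' }
        else { 'Windows 7 without PIN: acceptable only if DMA ports are disabled and the system is physically secured' }
    } elseif ($null -eq $threshold -or $threshold -eq 0) {
        'Windows 8+ without a machine account lockout threshold: set the policy before relying on TPM-only protection'
    } else {
        "Windows 8+ with TPM and lockout threshold $threshold`: boot PIN is optional"
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OSVersion           = $os.Version
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        ProtectionStatus    = $osVolume.ProtectionStatus
        KeyProtectors       = ($protectorTypes -join ', ')
        HasBootPin          = $hasPin
        HasRecoveryPassword = $hasRecovery
        LockoutThreshold    = $threshold
        Finding             = $finding
    }
}

Get-BitLockerPinPosture | Format-List
```

A missing RecoveryPassword protector is worth flagging too, since the lockout described above can only be cleared with the recovery key.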
Bottom line: With Windows 8.1, PINs aren’t as necessary (if at all) due to enhancements in the OS.