- Managing shared mailboxes in Office 365 with PowerShell - Thu, May 5 2016
- Managing shared mailboxes in Office 365 with the GUI - Wed, May 4 2016
- Installing and configuring the Enhanced Mitigation Experience Toolkit (EMET) - Wed, Mar 16 2016
Protecting sensitive data is a requirement in today’s computing environments. BitLocker Drive Encryption gives organizations running Windows 7 Ultimate and Enterprise, Windows 8 Pro and Enterprise, and Windows Server 2008 (and later) the ability to easily encrypt OS volumes, fixed data drives, and removable disks. But, just because you’ve encrypted the drive doesn’t mean your security job is done.
Stealing recovery information
The most crucial part of BitLocker that needs to be protected is the BitLocker recovery key. The BitLocker recovery key is generated whenever any drive is encrypted regardless of whether it is an OS drive, a fixed data drive, or a removable data drive. Each encrypted drive has a unique recovery key, which means that one computer could have multiple recovery keys depending on how many drives on the system have been encrypted using BitLocker. This recovery key is the only “backdoor” way into the drive.
When a drive is encrypted, the end user can save the recovery key to a Microsoft account (in Windows 8 and up only), save it to a USB flash drive, save it to a file, or print it.
BitLocker Drive Encryption - How do you want to back up your recovery key?
Saving the recovery information to a file or a USB flash drive is a massive security risk (and a fairly easy attack vector) unless you properly protect the file. BitLocker creates a file called BitLocker Recovery Key $IdentifierofDrive.txt. This text file contains the recovery key you need to access all the data on the encrypted drive. If you’re storing these text files on a file server or USB thumb drive, all an attacker needs to do is search for the file name on your network. Store these in an offline encrypted volume, a password vault, or some other protected location that is also backed up if this is how you’re escrowing BitLocker recovery keys. (For the record, I don’t recommend backing up BitLocker recovery information this way.)
Whether you’re looking to recover a lost BitLocker recovery password, recover data from a BitLocker-encrypted drive, determine if BitLocker is secure enough for your organization, or possibly do something more nefarious such as hacking into a BitLocker-encrypted computer, you should know what data recovery options are available to you (and how to prevent bad guys from using them against you!).
BitLocker recovery key example
Saving to a Microsoft account is slightly better for a standalone system because it gives you an escrowed copy of your recovery key; however, I wouldn’t recommend this method for corporately-owned assets because it gives control of the recovery key to the end user. Should the user’s Microsoft account credentials be phished or stolen, an attacker just needs to go to https://onedrive.live.com/recoverykey to access the recovery keys for BitLocker-encrypted drives. If you’re going to use this, enable two-factor authentication on your Microsoft account.
BitLocker recovery keys in a Microsoft account
If these are domain-joined computers, make sure you’re backing up the recovery key in Active Directory so the recovery keys aren’t being printed on paper or stored as text files. (This is the way I would recommend escrowing your BitLocker recovery information.) In a Group Policy Object that applies to your computers, go to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption and set Choose how BitLocker-protected fixed drives can be recovered in each of the sections: Fixed Data Drives, Operating System Drives, and Removable Data Drives. Make sure you set the Omit recovery options from the BitLocker setup wizard and Do not enable BitLocker until recovery information is stored to AD DS for operating system/fixed data/removable data drives options. This ensures that end users or administrators who encrypt drives don’t accidentally put recovery keys somewhere they can be stolen.
Choose how BitLocker-protected operating system drives can be recovered
And, remember, users with Domain Admin or delegated rights to view BitLocker recovery information in Active Directory can easily go look at BitLocker recovery information in Active Directory Users and Computers. I’ve seen some organizations give their entire Help Desk the ability to view BitLocker recovery keys to assist end users. Does everyone really need access to this at the Help Desk?
BitLocker recovery passwords in Active Directory Users and Computers
Exploiting administrative rights
Users with Administrator rights on their computers have unfettered access to their systems. You can try to restrict them with Group Policy or third-party privilege management software; however, these users can work around these controls if they know what they’re doing.
If you have console access with Administrator rights to a BitLocker-encrypted system, you can run manage-bde -protectors -get C: (or whatever other drive is encrypted) to easily view the recovery key for later exploitation.
Using manage-bde to show the BitLocker recovery key
Or, you can just skip viewing the recovery information altogether and just remove BitLocker drive encryption completely by running manage-bde -off C:.
Exploiting physical access
Computers running Windows 7 can be attacked via Direct Memory Access (DMA) over Firewire and Thunderbolt ports by software such as Elcomsoft Forensic Disk Decryptor or Passware Kit Forensic. A few ways exist to protect against DMA attacks. First, disabling these ports will prevent this kind of access if the end user doesn’t need the DMA ports. If the user does need DMA-based ports, forcing a PIN of at least seven numeric digits prevents the system from booting to the point where the attacker in possession of the laptop can use the DMA attack.
And, if you need another justification to upgrade to Windows 8, the later OS releases from Microsoft don’t load drivers for DMA ports until after a user has logged in to the system. So, even if the system doesn’t have a PIN, an attacker can’t use DMA to access the drive.
What are your thoughts? Do you trust BitLocker for your Enterprise disk encryption? Are you doing something unique or different to encrypt data on your client or server systems?
