Virtual TechDays INDIA │ 9-11 February 2011
Desktop Security with Windows 7 AppLocker & BitLocker to Go
Aviraj Ajgekar │ Technology Evangelist │ Microsoft Corporation
Blog: http://blogs.technet.com/aviraj │ [email protected]


Page 1: Title slide

Page 2:

Agenda

• BitLocker enhancements and capabilities
• Trusted Platform Module management and PINs
• Encrypt data volumes and removable storage devices
• Recover encrypted data
• AppLocker: Enforce Rules & Audit Only mode
• AppLocker management using PowerShell
• AppLocker architecture
• AppLocker deployment best practices
• AppLocker vs. Software Restriction Policies

Page 3:

BitLocker & BitLocker to Go

Page 4:

Overview of BitLocker

• Extend BitLocker drive encryption to removable devices
• Create group policies to mandate the use of encryption and block unencrypted drives
• Simplify BitLocker setup and configuration of the primary hard drive

Page 5:

New Features of BitLocker

BitLocker
• Improved Setup Wizard
• Automatic 200 MB hidden boot partition
• New key protectors

BitLocker To Go
• Support for FAT
• Protectors: DRA, passphrase, smart card and/or auto-unlock
• New GPOs to improve enterprise management
• Edition availability
• BitLocker To Go Reader

Page 6:

Trusted Platform Module (TPM) and other hardware requirements

TPM
• Version 1.2 or later
• www.trustedcomputinggroup.org/specs/TPM
• www.trustedcomputinggroup.org/specs/PCClient

USB
• System boot from USB 1.x and 2.x
• USB read/write in the pre-operating-system environment

BIOS
• Trusted Computing Group BIOS
• Physical presence interface
• Memory overwrite on reset
• Immutable CRTM or secure update

Hard Disk
• Requires at least two partitions
• Separate partitions for System and OS

Page 7:

Configuring the Trusted Platform Module

DEMO

• Set ownership of the TPM
• Block or allow TPM commands
• Turn off and clear the TPM

Page 8:

Configuring BitLocker Group Policy Settings

DEMO

• Enable BitLocker Encryption Without a TPM

• Configure BitLocker Group Policy Settings
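The two demos above (TPM configuration and the BitLocker Group Policy settings) are interactive. As an added example, not part of the original deck, the following PowerShell script reports the same state from the command line: TPM presence, enabled/activated/owned status via the Win32_Tpm WMI class that ships with Windows 7, and the registry values the BitLocker policies write under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup, EnableBDEWithNoTPM, UseTPMPIN and RDVDenyWriteAccess). It assumes PowerShell 3.0 or later and an elevated prompt; the readiness verdict logic is the author's own.

```powershell
# Added example, not part of the original deck: check the BitLocker prerequisites the
# TPM and Group Policy demos cover. Reads TPM state through the Win32_Tpm WMI class
# (shipped with Windows 7) and the registry values written by the BitLocker policies
# under HKLM\SOFTWARE\Policies\Microsoft\FVE. Run elevated; PowerShell 3+.

function Get-TpmReadiness {
    # Win32_Tpm lives in its own namespace; no instance means no TPM device/driver.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{ Present = $false; SpecVersion = $null; Enabled = $false; Activated = $false; Owned = $false }
    }
    # Each Is* method returns an object whose same-named property carries the boolean.
    [pscustomobject]@{
        Present     = $true
        SpecVersion = $tpm.SpecVersion                      # "1.2, ..." or "2.0, ..."; BitLocker needs 1.2 or later
        Enabled     = [bool]$tpm.IsEnabled().IsEnabled      # enabled in BIOS/UEFI
        Activated   = [bool]$tpm.IsActivated().IsActivated  # activated (TPM 1.2 state)
        Owned       = [bool]$tpm.IsOwned().IsOwned          # ownership taken (tpm.msc "Initialize TPM")
    }
}

function Get-BitLockerPolicy {
    # Values set by "Require additional authentication at startup" (operating system drives)
    # and "Deny write access to removable drives not protected by BitLocker".
    $fve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $read = { param($name) (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name }
    [pscustomobject]@{
        AdvancedStartupConfigured = (& $read 'UseAdvancedStartup') -eq 1
        AllowBitLockerWithoutTpm  = (& $read 'EnableBDEWithNoTPM') -eq 1   # permits a USB startup key instead of a TPM
        UseTPMPIN                 = & $read 'UseTPMPIN'                    # 0 = do not allow, 1 = require, 2 = allow
        DenyWriteToUnencryptedRDV = (& $read 'RDVDenyWriteAccess') -eq 1
    }
}

function Test-BitLockerReady {
    # Author's verdict logic: a usable TPM wins; otherwise the "no TPM" policy must be set.
    $tpm = Get-TpmReadiness
    $pol = Get-BitLockerPolicy
    $reasons = @()
    if ($tpm.Present -and $tpm.Enabled -and $tpm.Activated -and $tpm.Owned) {
        $mode = 'TPM'
    } elseif ($pol.AllowBitLockerWithoutTpm) {
        $mode = 'StartupKeyOnly'   # works, but gives no boot-integrity measurement
    } else {
        $mode = 'NotReady'
        if (-not $tpm.Present) { $reasons += 'No TPM found and EnableBDEWithNoTPM is not set' }
        elseif (-not ($tpm.Enabled -and $tpm.Activated)) { $reasons += 'TPM present but not enabled/activated in BIOS' }
        elseif (-not $tpm.Owned) { $reasons += 'TPM ownership not taken (tpm.msc)' }
    }
    [pscustomobject]@{ Mode = $mode; Reasons = $reasons; Tpm = $tpm; Policy = $pol }
}

Test-BitLockerReady | Format-List
```

A `StartupKeyOnly` verdict is worth flagging in a fleet report: the drive is encrypted, but without a TPM nothing verifies the boot path, so an attacker who can modify the boot manager is not detected. Confirm the policy values with `gpresult /h` if a GPO was expected but the registry shows nothing.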

Page 9:

Disk Layout and Key Storage

Operating System Volume contains:
• Encrypted OS
• Encrypted page file
• Encrypted temp files
• Encrypted data
• Encrypted hibernation file

System Volume contains:
• MBR
• Boot Manager
• Boot utilities

Where's the encryption key?
1. SRK (Storage Root Key) contained in the TPM
2. SRK encrypts the VMK (Volume Master Key)
3. VMK encrypts the FVEK (Full Volume Encryption Key), the key used for the actual data encryption
4. FVEK and VMK are stored encrypted on the Operating System Volume

The SRK never leaves the TPM, and the TPM only unseals the VMK when the boot components measured into its PCRs match the values recorded when protection was turned on; a changed boot path therefore drops the machine into recovery rather than releasing the key.
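Neither the FVEK nor the VMK is exposed to administrators, but the protectors that wrap the VMK (TPM, PIN, startup key, recovery password, certificate, passphrase) are enumerable. As an added example, not part of the original deck, this PowerShell script lists them per volume through the Win32_EncryptableVolume WMI class available on Windows 7 and flags volumes that have no recovery protector besides the TPM. The type-code table is the class's documented KeyProtectorType mapping; the coverage rule is the author's own. Assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example, not part of the original deck: list the protectors that currently wrap
# the VMK of each BitLocker volume via Win32_EncryptableVolume (Windows 7 WMI class).
# The FVEK itself is never exposed; only protector metadata is. Run elevated; PowerShell 3+.

# KeyProtectorType values as documented for GetKeyProtectorType.
$script:ProtectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (startup/recovery key)';
    3 = 'Numerical password (recovery password)'; 4 = 'TPM + PIN'; 5 = 'TPM + startup key';
    6 = 'TPM + PIN + startup key'; 7 = 'Certificate (DRA / smart card)'; 8 = 'Passphrase'
}
$script:ProtectionStatus = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }

function Get-BitLockerVolumeInfo {
    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    foreach ($vol in Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume) {
        $status = $vol.GetProtectionStatus().ProtectionStatus
        $conv   = $vol.GetConversionStatus()
        # GetKeyProtectors(0) returns the IDs of every protector on the volume.
        $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
        $protectors = foreach ($id in $ids) {
            $type = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            [pscustomobject]@{ Id = $id; Type = $type; Name = $script:ProtectorNames[$type] }
        }
        [pscustomobject]@{
            Drive        = $vol.DriveLetter
            Protection   = $script:ProtectionStatus[[int]$status]
            EncryptedPct = $conv.EncryptionPercentage
            Protectors   = @($protectors)
        }
    }
}

function Test-RecoveryCoverage {
    # Author's rule: every protected volume needs a recovery path independent of the TPM,
    # i.e. a numerical password (ideally escrowed to AD) or a DRA certificate.
    foreach ($v in Get-BitLockerVolumeInfo) {
        $recovery = @($v.Protectors | Where-Object { 3, 7 -contains $_.Type })
        [pscustomobject]@{
            Drive                = $v.Drive
            Protection           = $v.Protection
            HasRecoveryProtector = ($recovery.Count -gt 0)
            Protectors           = (($v.Protectors | ForEach-Object { $_.Name }) -join ', ')
        }
    }
}

Test-RecoveryCoverage | Format-Table -AutoSize
```

A volume whose only protector is `TPM` will be unrecoverable after a motherboard swap or a firmware update that changes the PCR values; that is the case the recovery slides later in the deck exist for.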

Page 10:

BitLocker on Removable Drives

Drive Type
• Removable data drives
• USB flash drives
• External hard drives

Unlock Methods
• Passphrase
• Smart card
• Automatic unlocking

Recovery Methods
• Recovery password
• Recovery key
• Active Directory backup of recovery password
• Data Recovery Agent

Management
• Robust and consistent group policy controls
• Ability to mandate encryption prior to granting write access

File Systems
• NTFS
• FAT
• FAT32
• exFAT

Page 11:

Encrypting Drives Using BitLocker and BitLocker To Go

DEMO

• Add a Data Recovery Agent
• Encrypt a FAT-formatted disk drive
• Configure BitLocker To Go

Page 12:

Using the Manage-BDE Command-Line Tool

DEMO

• Encrypt and Decrypt a Drive Using Manage-BDE
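The manage-bde demo is interactive. As an added example, not part of the original deck, the following PowerShell wrapper scripts the "encrypt" half for a removable (BitLocker To Go) drive: it adds a numerical recovery password first, turns on encryption with an interactively prompted passphrase, and optionally escrows the recovery password to Active Directory with `-adbackup`. The function names, the regexes that pull the protector ID and password out of manage-bde's output, and the drive letter `E:` in the usage line are the author's; it assumes PowerShell 3.0 or later, an elevated prompt, a removable volume at the given letter and, for the AD step, the "Store BitLocker recovery information in Active Directory Domain Services" policy.

```powershell
# Added example, not the deck's demo script: protect a removable data drive with
# BitLocker To Go using manage-bde, record the recovery password, and back it up to AD.
# Assumptions: PowerShell 3+, elevated, the letter is a removable data volume, and the
# AD backup policy is in place for the -adbackup step.

function Invoke-ManageBde {
    # Small helper: run manage-bde, capture its text, fail loudly on a non-zero exit code.
    param([string[]]$Arguments)
    $out = & manage-bde.exe @Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($Arguments -join ' ') failed ($LASTEXITCODE):`n$out" }
    $out
}

function Enable-BitLockerToGo {
    param(
        [Parameter(Mandatory=$true)][ValidatePattern('^[D-Z]:$')][string]$Drive,
        [switch]$BackupToAD
    )
    # 1. Add a 48-digit numerical recovery password before turning BitLocker on, so the
    #    volume is never protected by the passphrase alone. manage-bde prints the new
    #    protector's ID {GUID} and the password; both are parsed from its output.
    $rp  = Invoke-ManageBde -Arguments @('-protectors', '-add', $Drive, '-RecoveryPassword')
    $id  = [regex]::Match($rp, '\{[0-9A-Fa-f-]{36}\}').Value
    $pwd = [regex]::Match($rp, '(\d{6}-){7}\d{6}').Value

    # 2. Turn on encryption with a passphrase protector. -pw makes manage-bde prompt
    #    interactively, so the passphrase never lands in a script, log or command line.
    Invoke-ManageBde -Arguments @('-on', $Drive, '-pw') | Out-Null

    # 3. Optionally escrow the recovery password to the computer object in AD.
    if ($BackupToAD -and $id) {
        Invoke-ManageBde -Arguments @('-protectors', '-adbackup', $Drive, '-id', $id) | Out-Null
    }

    [pscustomobject]@{
        Drive               = $Drive
        RecoveryProtectorId = $id
        RecoveryPassword    = $pwd   # hand to the password vault, then clear the variable
        Status              = (Invoke-ManageBde -Arguments @('-status', $Drive))
    }
}

# Usage (hypothetical drive letter):
# $result = Enable-BitLockerToGo -Drive 'E:' -BackupToAD
# $result | Format-List
```

Encryption continues in the background after `-on` returns; `manage-bde -status E:` shows the percentage. Windows 8 and later add the `Enable-BitLocker` and `Add-BitLockerKeyProtector` cmdlets, but manage-bde still works the same way there.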

Page 13:

Data Recovery Scenarios

• Lost or forgotten authentication methods
• Upgrades to core boot files (changes to the components measured into the TPM at boot)
• Broken hardware
• Deliberate attack

Page 14:

Data Recovery Methods

• Develop a strategy
• Active Directory
• Data Recovery Agents
• Windows Recovery Environment

Page 15:

Managing and Recovering Data

DEMO

• Unlock a FAT-formatted drive
• Manage and decrypt a BitLocker-protected disk drive
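As an added example, not part of the original deck, the script below covers the recovery side of this demo and of the Active Directory recovery method on the previous slide: it finds the escrowed recovery password for a given key-protector ID under the computer object (msFVE-RecoveryInformation objects, queried with System.DirectoryServices), unlocks the drive with it, rotates the recovery password because it has now been typed on a command line, and optionally decrypts the drive with `manage-bde -off`. Function names, the distinguished name in the usage comment and the rotation step are the author's; it assumes PowerShell 3.0 or later, an elevated prompt and an account allowed to read the msFVE-RecoveryInformation objects (by default only Domain Admins, unless delegated).

```powershell
# Added example, not part of the original deck: recover and decrypt a BitLocker drive.
# Assumptions: PowerShell 3+, elevated, read access to msFVE-RecoveryInformation objects,
# and the DN of the computer object under which the recovery password was escrowed.

function Invoke-ManageBde {
    param([string[]]$Arguments)
    $out = & manage-bde.exe @Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($Arguments -join ' ') failed ($LASTEXITCODE):`n$out" }
    $out
}

function Find-ADRecoveryPassword {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerDN,   # e.g. 'CN=WKS01,OU=Laptops,DC=contoso,DC=com' (hypothetical)
        [Parameter(Mandatory=$true)][string]$ProtectorId   # '{GUID}' shown by the recovery prompt or manage-bde -protectors -get
    )
    # Recovery objects are children of the computer object, one per recovery password.
    $root = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://$ComputerDN")
    $ds   = New-Object System.DirectoryServices.DirectorySearcher ($root, '(objectClass=msFVE-RecoveryInformation)')
    $ds.SearchScope = 'OneLevel'
    [void]$ds.PropertiesToLoad.AddRange(@('msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated'))
    $wanted = [guid]$ProtectorId
    foreach ($r in $ds.FindAll()) {
        # msFVE-RecoveryGuid is stored as the 16 raw GUID bytes, not as text.
        $g = New-Object System.Guid -ArgumentList (,[byte[]]$r.Properties['msfve-recoveryguid'][0])
        if ($g -eq $wanted) {
            return [pscustomobject]@{
                ProtectorId      = $g
                RecoveryPassword = [string]$r.Properties['msfve-recoverypassword'][0]
                Created          = $r.Properties['whencreated'][0]
            }
        }
    }
    throw "No msFVE-RecoveryInformation object for $ProtectorId under $ComputerDN"
}

function Unlock-BitLockerDrive {
    param(
        [Parameter(Mandatory=$true)][ValidatePattern('^[D-Z]:$')][string]$Drive,
        [string]$RecoveryPassword,
        [switch]$Decrypt
    )
    if ($RecoveryPassword) {
        # Recovery path. The password has now appeared on a command line and in a ticket,
        # so add a fresh recovery password and delete the one just used (author's practice).
        Invoke-ManageBde @('-unlock', $Drive, '-RecoveryPassword', $RecoveryPassword) | Out-Null
        $old = [regex]::Match((Invoke-ManageBde @('-protectors', '-get', $Drive, '-Type', 'RecoveryPassword')), '\{[0-9A-Fa-f-]{36}\}').Value
        Invoke-ManageBde @('-protectors', '-add', $Drive, '-RecoveryPassword') | Out-Null
        if ($old) { Invoke-ManageBde @('-protectors', '-delete', $Drive, '-id', $old) | Out-Null }
    } else {
        # Normal path: interactive passphrase prompt.
        Invoke-ManageBde @('-unlock', $Drive, '-pw') | Out-Null
    }
    if ($Decrypt) {
        # -off starts background decryption; poll -status until the conversion finishes.
        Invoke-ManageBde @('-off', $Drive) | Out-Null
        do { Start-Sleep -Seconds 5; $s = Invoke-ManageBde @('-status', $Drive) } while ($s -match 'Decryption in Progress')
    }
    Invoke-ManageBde @('-status', $Drive)
}

# Usage (hypothetical values):
# $rp = Find-ADRecoveryPassword -ComputerDN 'CN=WKS01,OU=Laptops,DC=contoso,DC=com' -ProtectorId '{...}'
# Unlock-BitLockerDrive -Drive 'E:' -RecoveryPassword $rp.RecoveryPassword -Decrypt
```

The recovery prompt only shows the first eight characters of the protector ID; compare them against the full GUIDs returned by the AD search if several recovery objects exist for one computer.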

Page 16:

AppLocker

Page 17:

Application Control - Situation Today

• Users can install and run non-standard applications
• Even standard users can install some types of software
• Unauthorized applications may:
  • Introduce malware
  • Increase helpdesk calls
  • Reduce user productivity
  • Undermine compliance efforts

Page 18:

Windows 7 AppLocker™

• Eliminate unwanted/unknown applications in your network

• Enforce application standardization within your organization

• Easily create and manage flexible rules using Group Policy

Page 19:

DEMO

• Application Identity service (AppIDSvc), which AppLocker depends on
• AppLocker Audit Only mode
• AppLocker Enforce Rules & policies
• AppLocker custom error messages

Page 20:

PowerShell Cmdlets

• Core needs scriptable through PowerShell
• Building blocks for a more streamlined end-to-end experience
• Inbox cmdlets: Get-AppLockerFileInformation, Get-AppLockerPolicy, Set-AppLockerPolicy, New-AppLockerPolicy, Test-AppLockerPolicy

Page 21:

DEMO

• AppLocker Management using PowerShell
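As an added example, not the deck's demo, the following script strings the five inbox cmdlets listed on the previous slide together into the workflow the demo walks through: start the Application Identity service, inventory the files on a reference computer, generate publisher rules (hash rules for unsigned files), switch every rule collection to AuditOnly, test a few paths against the XML without touching the live policy, and apply it locally. The function names, the choice of `$env:ProgramFiles` as the reference directory and the sample test paths are the author's; it assumes PowerShell 3.0 or later, an elevated prompt and a Windows edition that supports AppLocker (Windows 7 Enterprise/Ultimate). Domain deployment would pass `-Ldap` to Set-AppLockerPolicy instead.

```powershell
# Added example, not the deck's demo: build an AppLocker policy from a reference install,
# switch it to audit-only, test it, and apply it locally.
# Assumptions: PowerShell 3+, elevated, Windows 7 Enterprise/Ultimate (or later).
Import-Module AppLocker

function New-AuditOnlyPolicy {
    param(
        [string[]]$ReferenceDirs = @("$env:ProgramFiles"),    # reference software location (author's default)
        [string]$OutFile = "$env:TEMP\applocker-audit.xml"
    )
    # AppLocker evaluates nothing unless the Application Identity service is running.
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc

    # Inventory every EXE, DLL, script and MSI under the reference directories.
    $files = foreach ($d in $ReferenceDirs) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Dll, Script, WindowsInstaller
    }
    # Prefer publisher rules (survive version updates); fall back to hash for unsigned files.
    # -Optimize collapses files from the same publisher/product into one rule.
    [xml]$xml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Ref' -Optimize -IgnoreMissingFileInformation -Xml

    # New-AppLockerPolicy emits collections with EnforcementMode="NotConfigured"; set each
    # to AuditOnly so launches outside the rules are only logged (event ID 8003) for now.
    foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
    $xml.Save($OutFile)
    $OutFile
}

function Test-PolicyAgainstPaths {
    param(
        [Parameter(Mandatory=$true)][string]$PolicyXml,
        [Parameter(Mandatory=$true)][string[]]$Paths,
        [string]$User = "$env:USERDOMAIN\$env:USERNAME"
    )
    # Evaluates the XML offline; PolicyDecision is Allowed, Denied, AllowedByDefault or
    # DeniedByDefault, and MatchingRule names the rule that decided.
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Paths -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

$policy = New-AuditOnlyPolicy
# Sample paths (the second is hypothetical): one that should be allowed, one that should not.
Test-PolicyAgainstPaths -PolicyXml $policy -Paths @("$env:ProgramFiles\Internet Explorer\iexplore.exe", "$env:USERPROFILE\Downloads\tool.exe") |
    Format-Table -AutoSize
# Replace the local policy with the audit-only one (-Merge would add to an existing policy).
Set-AppLockerPolicy -XmlPolicy $policy
```

The generated policy contains only allow rules for the reference software; the default rules that permit everything under the Windows folder are created in the Group Policy editor (or copied from an exported policy), so add them before enforcing or the OS itself will show up in the audit log.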

Page 22:

Architectural Overview (diagram; component labels recovered from the slide)

• Kernel (ntoskrnl): appid.sys, the AppID driver, receives a CreateProcessNotification for every CreateProcess and queries the policy (QueryPolicy) before the new process is allowed to run
• User mode: the AppID/SRP service together with the SRP user-mode component (SRP UM) holds the policy; ntdll in each process (Process 1, 2, 3) calls SaferIdentifyLevel on LoadLibrary, so DLL rules are evaluated at load time

Page 23:

Deployment Best Practices

• Create a desktop lockdown strategy
• Inventory your applications
• Select and test rule types (allow / deny) in a lab
• Define GPO strategy and structure
• Build a process for managing rules
• Document your AppLocker design
• Build reference computers
• Test and update the policy using audit-only
• Enable rule enforcement
• Maintain the policy
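The last three steps of that list (test with audit-only, enable enforcement, maintain) are where most AppLocker rollouts stall. As an added example, not part of the original deck, the script below does that loop: it summarises what audit-only mode logged (Get-AppLockerFileInformation -EventLog, backed by event ID 8003 in the Microsoft-Windows-AppLocker/EXE and DLL log), creates rules for the files a reviewer approved, merges them into the local policy and flips every collection to Enforce. The function names and the hypothetical approved path in the usage comment are the author's; it assumes PowerShell 3.0 or later, an elevated prompt and an audit-only policy that has already been running long enough to collect events.

```powershell
# Added example, not part of the original deck: audit-only review, then enforcement.
# Assumptions: PowerShell 3+, elevated, an audit-only AppLocker policy already in place.
Import-Module AppLocker

function Get-AuditSummary {
    # Audit-only mode writes event ID 8003 ("would have been blocked"); enforcement writes
    # 8004. -EventLog reads those logs and -Statistics adds a Counter per distinct file.
    Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics |
        Sort-Object -Property Counter -Descending
}

function Get-RawAuditEvents {
    # Same data as raw events, the form a SIEM or detection rule would consume.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

function Add-ApprovedRulesAndEnforce {
    param(
        [Parameter(Mandatory=$true)][string[]]$Approved,          # paths a human reviewer cleared
        [string]$OutFile = "$env:TEMP\applocker-enforce.xml"
    )
    # Publisher rules where signed, hash rules otherwise, for the approved files only.
    $info = Get-AppLockerFileInformation -Path $Approved
    $new  = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Audit' -Optimize -IgnoreMissingFileInformation
    # -Merge adds the new rules to the existing local policy instead of replacing it.
    Set-AppLockerPolicy -PolicyObject $new -Merge

    # Re-read the merged local policy and move every collection from AuditOnly to Enforce.
    [xml]$xml = Get-AppLockerPolicy -Local -Xml
    foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'Enabled' }
    $xml.Save($OutFile)
    Set-AppLockerPolicy -XmlPolicy $OutFile
    $OutFile
}

Get-AuditSummary | Format-Table -AutoSize
# After reviewing the summary (hypothetical path):
# Add-ApprovedRulesAndEnforce -Approved @('C:\Tools\Approved\app.exe')
```

Keep `Get-RawAuditEvents` (or its 8004 counterpart) wired into log collection after enforcement starts; a spike in 8004 events from one user or one publisher is the earliest sign of either a packaging change or someone trying to run what the policy was built to stop.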

Page 24:

AppLocker Vs. Software Restriction Policies

Page 25:

Session Summary

• BitLocker enhancements and capabilities
• BitLocker To Go for removable storage devices
• BitLocker recovery agents and tools
• AppLocker protects digital assets by preventing unwanted software from running
• AppLocker provides an improved management experience, making it easier to maintain a list of approved applications

Page 26:

Page 27:

EVENT OVERVIEW

Microsoft® Tech·Ed India 2011 │ March 23-25 │ Bangalore

- Event Dates: 23 - 25 March, 2011
- Event Venue: Lalit Ashok │ Bangalore (India)
- 2010 Attendee Profile: CXOs: 3% │ CXO -1/-2: 13% │ Architects: 8% │ Developers: 54% │ IT Pros: 22% │ Students │ Media/Press
- Event Theme: Learn │ Connect │ Explore │ Evolve
- What's in it for the Audience: Strategic direction in Keynotes │ Deep-Dive Technical Training │ Free Certification │ Software Access │ Networking │ Hands-on Labs │ Demo X
- Expected Attendance: 3,500 Tech Audience (onsite) │ 100,000 Tech Audience (satellite locations) │ 300 CXO & CXO-1 (onsite)

Page 28:

Participate & "Stay Ahead of the Game"

www.microsoftteched.in

Page 29:

Email: [email protected] Blog: http://blogs.technet.com/aviraj

Thank You