Simplified Bitlocker for Admins and Policy makers

An easy to understand summary of possible bitlocker FVE options and their applications.

RobertKet

This is some executive-level / low-level technical information on Microsoft's FVE/Bitlocker and what the various options gain in terms of the security of the encryption. Originally this was just an email I sent out to one of our executives that I thought may be useful for others to quickly share some ideas on proper utilization of Bitlocker in their organization. Technet was used for references. For drives that are not boot drives you have limited configuration options, but they should always require manual entry of the password keys, and those keys should not be stored on volumes that are not also encrypted via Bitlocker. This also only applies if the devices are running a Microsoft operating system.


Alternatives for other OSes: Linux – dm-crypt/LUKS, macOS – FileVault, Android – FDE, ChromeOS – eCryptfs.


The basics… most to least secure Bitlocker options:

  1. Bitlocker with SecureBoot + TPM + USB/PIN Combo + Network unlock (Max)
  2. Bitlocker with TPM enabled and USB key/Pin combo for boot. (Higher)
  3. Bitlocker using network unlock and TPM plus Key/Pin combo. (Higher)
  4. Bitlocker using TPM and USB key only. (High, with proper USB key usage)
  5. Bitlocker using TPM and Pin only. (High, when using proper requirements on pins)
  6. Bitlocker using Network unlock and USB key only. (High, with proper USB key usage)
  7. Bitlocker using TPM and Pin only. (High, when using proper requirements on pins)
  8. Bitlocker using USB key only. (Normal. More vulnerable to password cracking methodologies.)
  9. Bitlocker using Pin only (Normal. More vulnerable to password cracking methodologies.)
  10. Bitlocker using network unlock only (Lower. Can potentially be tricked by a knowledgeable attacker even when not on the true WSU network)
  11. Bitlocker without pre-boot settings (Lowest. Does not really provide true volume security, but may prevent a malicious attacker from manipulating files without booting it first)
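To make the tiers above checkable on a real machine, here is an added PowerShell example (not part of the original email) that maps the key protectors present on a Bitlocker volume onto the list. It assumes the built-in BitLocker module (Get-BitLockerVolume) and Confirm-SecureBootUEFI, and uses the KeyProtectorType names those cmdlets report (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, TpmNetworkKey, ExternalKey, Password, RecoveryPassword). The tier numbers and ratings are the author's; the one rule the code adds is "weakest unlock path wins", because a plain TPM protector lets the machine boot unattended even when a TPM+PIN protector also exists.

```powershell
# Added example, not from the original post: classify a volume's Bitlocker
# protectors against the most-to-least-secure tiers in the list above.
# Protector type names are those reported by Get-BitLockerVolume; the
# tier numbers/ratings are the author's.

function Get-BitlockerTier {
    param(
        [Parameter(Mandatory)] [string[]] $ProtectorTypes,
        [bool] $SecureBoot = $false
    )

    function New-Tier($Tier, $Rating, $Reason) {
        [pscustomobject]@{ Tier = $Tier; Rating = $Rating; Reason = $Reason }
    }

    $network = $ProtectorTypes -contains 'TpmNetworkKey'
    $tpmAuth = @($ProtectorTypes | Where-Object {
        @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey') -contains $_ })

    # A plain TPM protector boots the machine unattended no matter what else
    # is configured, so it decides the tier on its own (item 11 in the list).
    if ($ProtectorTypes -contains 'Tpm') {
        return New-Tier 11 'Lowest' 'TPM-only protector present: no pre-boot authentication'
    }

    if ($tpmAuth.Count -eq 0) {
        if ($ProtectorTypes -contains 'ExternalKey') { return New-Tier 8 'Normal' 'USB startup key only, no TPM' }
        if ($ProtectorTypes -contains 'Password')    { return New-Tier 9 'Normal' 'Password/PIN only, no TPM' }
        # Recovery protectors alone do not unlock the drive at boot.
        return New-Tier 11 'Lowest' 'No pre-boot protector found'
    }

    # With TPM-bound protectors, the weakest one present sets the tier.
    if ($tpmAuth -contains 'TpmPin')        { return New-Tier 5 'High' 'TPM + PIN' }
    if ($tpmAuth -contains 'TpmStartupKey') { return New-Tier 4 'High' 'TPM + USB startup key' }

    # Only TpmPinStartupKey remains: items 1-3 depending on Network Unlock and Secure Boot.
    if ($network -and $SecureBoot) { return New-Tier 1 'Max'    'Secure Boot + TPM + key/PIN combo + Network Unlock' }
    if ($network)                  { return New-Tier 3 'Higher' 'TPM + key/PIN combo + Network Unlock' }
    return New-Tier 2 'Higher' 'TPM + key/PIN combo'
}

# Live check of the OS drive; run elevated on the device being assessed.
function Test-LocalBitlockerTier {
    param([string] $MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI machines.
    try { $sb = [bool](Confirm-SecureBootUEFI) } catch { $sb = $false }
    Get-BitlockerTier -ProtectorTypes $types -SecureBoot $sb |
        Add-Member -NotePropertyName Protectors -NotePropertyValue ($types -join ', ') -PassThru
}

# Constructed sample input (no hardware needed): a laptop with TPM+PIN plus an
# escrowed recovery password; this lands in the "TPM and Pin only" tier.
Get-BitlockerTier -ProtectorTypes @('TpmPin', 'RecoveryPassword') -SecureBoot $true
```

Run Test-LocalBitlockerTier across a fleet (for example through a remoting session) and anything reporting tier 8 or lower is a device whose drive can be attacked offline with nothing more than the removable key or a guessable password, which is exactly the weakness the ranking is meant to surface.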


Here is some more detailed information that you could provide to other people as general recommendations, or if they want more information on what they're able to set. If a setting is not listed here it is either fine to leave at its default or should only be changed by very technical admins.


Options, each given with its description, its security implications, and the recommended setting:

Option: Allow Network Unlock
Description: When connected to a network within the trusted zone (applied through network DNS configuration) a device will automatically unlock at startup without the user being required to do anything, unless other features are enabled on top of this. Network Unlock requires a certificate to be installed locally.
Security implications: Slightly weakened and can be tricked via local network settings. So long as it can validate the certificate and the DNS settings are correct, the computer will always start. Not considered secure without a TPM/PIN/key according to Microsoft.
Recommended setting: Enabled, combined with a TPM module and preferably a PIN/key where possible.

Option: Require Additional Authentication
Description: Enables the use of PINs, passwords, USB keys, a PIN and USB combo, or only the TPM. Can also be utilized without a TPM by having a USB key, PIN, or combo.
Security implications: When using this feature the most secure combination is requiring both a TPM/UEFI and a secondary auth such as a drive or PIN.
Recommended setting: Enabled, requiring both a TPM and key/PIN where possible: Allow TPM startup key with PIN (OR) Allow startup PIN with TPM (OR) No TPM with PIN/key combo.

Option: Allow Enhanced PINs
Description: Allows the usage of complex characters in Bitlocker PINs.
Security implications: This basically changes the numerical PIN into an actual password, allowing all character types and case.
Recommended setting: Enabled when not utilizing a TPM or when greater data security is desired. Without a TPM this should always be enabled with an appropriate PIN length setting.

Option: Minimum PIN length
Description: Changes the allowed length of Bitlocker startup PINs: 4-20 digits.
Security implications: This should be set longer and combined with enhanced PINs on devices that do not have other protections.
Recommended setting: With a TPM and additional security layers: optional. With only a TPM and no additional layers: 8 characters, enhanced PIN optional. Without a TPM or additional layers: 14-character enhanced PIN.

Option: Users can change PIN
Description: Allows a regular user to change and manage their PIN directly from the computer.
Security implications: Could allow users to accidentally brick their drives if they don't understand the implications of what they're doing, or if they forget their PINs and have no recovery options.
Recommended setting: Up to the department; may introduce additional complexity in management.

Option: Configure use of password for operating system drives
Description: Only applies when not using a TPM, and matches up with the enhanced PIN portion. Defaults to an 8-character minimum, and can utilize domain-based password complexity.
Security implications: Without the TPM it's much easier to break into a device by removing the drive and utilizing password cracking techniques.
Recommended setting: Required for all Bitlockered devices that do not have a TPM or use a USB key, preferably combined with a key. Password complexity enabled is preferred if domain joined and on site.

Option: Require use of smart cards on fixed data drives/removable data drives
Description: Does not apply at boot, only to external drives or non-OS drives. Adds the usage of a smart card when changing Bitlocker options. Prevents even those with admin elevation from making changes without having a specific smart card.
Security implications: Protects the actual Bitlocker options for non-boot devices. Enables or disables the use of a PKI-enabled smart card before making Bitlocker changes.
Recommended setting: Optional, and may not be possible in our environment.

Option: Require password on fixed data drives/removable data drives
Description: Does not apply at boot, only to external drives or non-OS drives. Requires a password when changing Bitlocker options. Prevents even those with admin elevation from making changes without knowing the specific device's Bitlocker option password.
Security implications: Protects the actual Bitlocker options for non-boot devices. Important if wanting to prevent more complex attack scenarios or accidental bricking.
Recommended setting: Optional, but preferably enabled with required complexity where possible to prevent accidental bricking.

Option: Write access requires Bitlocker on fixed data drives/removable data drives
Description: All connected devices are required to be Bitlockered before they can be written to.
Security implications: Enforces that all writeable and executable devices are Bitlockered prior to usage.
Recommended setting: Optional; hard to enforce if users BYOD their own removable media or have media that is not owned by WSU.

Option: Hardware based encryption for OS / Fixed Data / Removable
Description: Enables the usage of a TPM where available.
Security implications: Should always be enforced if the hardware in use has a TPM module, due to the additional layer of security; basically defends against drive-removal attack scenarios.
Recommended setting: Enabled when possible.

Option: Bitlocker drive recovery options
Description: Determines what can be utilized in the event that a user loses a piece of their Bitlocker access information, like a PIN or key.
Security implications: Very dependent on the relative security of the platform. For highest security only the admins should store Bitlocker recovery information, either in AD or as recovery passwords stored securely in a password vault or domain.
Recommended setting: Allow data recovery agent; recovery password or AD DS storage. If backing up recovery information to AD, ensure "do not enable Bitlocker until recovery information is stored in AD DS" is set.

Option: Memory overwrite
Description: Determines if memory will be overwritten on boot.
Security implications: TPM and Bitlocker keys are stored in memory to aid in decryption. Normally cleared during a restart.
Recommended setting: Disabled. Do not allow memory to hold this information during a restart, as it can be used as an attack vector by unplugging the computer after the restart command is sent.
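The recommended settings above are applied through group policy, which lands in the registry under HKLM\SOFTWARE\Policies\Microsoft\FVE. As an added example (not part of the original email), the following PowerShell reads those policy values, reports where they diverge from the recommendations for the startup authentication, PIN, recovery and memory overwrite entries, and escrows the OS drive's recovery password in AD DS. The value names (UseAdvancedStartup, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN, EnableBDEWithNoTPM, UseEnhancedPin, MinimumPIN, OSActiveDirectoryBackup, OSRequireActiveDirectoryBackup, MorBehavior) are the ones written by the BitLocker ADMX template as I know it; verify them against the template version you deploy, and treat MorBehavior in particular as an assumption. Backup-BitLockerKeyProtector and Get-Tpm are the built-in cmdlets.

```powershell
# Added example, not from the original post: audit the local Bitlocker policy
# against the table's recommended settings and escrow the recovery password.
# Registry value names are taken from the BitLocker ADMX template (assumption:
# check them against your template version). Run elevated.

$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicy {
    # Returns the applied FVE policy values as a hashtable (empty if none applied)
    $h = @{}
    if (Test-Path $FvePolicyPath) {
        $item = Get-ItemProperty -Path $FvePolicyPath
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $h[$p.Name] = $p.Value }
        }
    }
    return $h
}

function Test-FvePolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        [bool] $HasTpm = $true
    )
    $findings = New-Object System.Collections.Generic.List[string]
    function Get-Val([string] $Name) {
        if ($Policy.ContainsKey($Name)) { return [int] $Policy[$Name] }
        return $null
    }

    # "Require additional authentication at startup" must be enabled.
    if ((Get-Val 'UseAdvancedStartup') -ne 1) {
        $findings.Add('Require Additional Authentication is not enabled')
    }
    # UseTPM*: 0 = Do not allow, 1 = Require, 2 = Allow. The table wants a
    # TPM plus key/PIN, so TPM-only startup must be "Do not allow".
    if ((Get-Val 'UseTPM') -ne 0) {
        $findings.Add('TPM-only startup (no PIN/key) is still allowed')
    }
    if ($HasTpm) {
        $combo = @('UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN' | Where-Object { @(1, 2) -contains (Get-Val $_) })
        if ($combo.Count -eq 0) { $findings.Add('No TPM + PIN/key combination is allowed or required') }
    } else {
        # Without a TPM the table calls for an enhanced, 14-character PIN.
        if ((Get-Val 'EnableBDEWithNoTPM') -ne 1) { $findings.Add('No TPM present and Bitlocker without a TPM is not allowed') }
        if ((Get-Val 'UseEnhancedPin') -ne 1) { $findings.Add('Enhanced PINs are not enabled') }
        $min = Get-Val 'MinimumPIN'
        if (-not $min -or $min -lt 14) { $findings.Add('Minimum PIN length is unset or below 14') }
    }
    # Recovery information: back up to AD DS and refuse to enable until it is stored.
    if ((Get-Val 'OSActiveDirectoryBackup') -ne 1 -or (Get-Val 'OSRequireActiveDirectoryBackup') -ne 1) {
        $findings.Add('Recovery information is not required to be stored in AD DS before enabling Bitlocker')
    }
    # MorBehavior 1 = "Prevent memory overwrite on restart" enabled (assumed
    # value name); the table recommends leaving the overwrite in place.
    if ((Get-Val 'MorBehavior') -eq 1) {
        $findings.Add('Memory overwrite on restart is prevented')
    }
    return $findings
}

function Backup-OsRecoveryPassword {
    # Escrows every recovery password protector on the OS drive in the
    # computer object in AD DS (the device must be domain joined).
    param([string] $MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        throw "No recovery password protector on $MountPoint; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector"
    }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

# Constructed sample policy (not read from a machine): additional auth is on
# but TPM-only is still allowed and AD DS backup is not required, so two findings appear.
Test-FvePolicy -Policy @{ UseAdvancedStartup = 1; UseTPM = 2; UseTPMPIN = 1 } -HasTpm $true

# Live audit of this device (Get-Tpm needs elevation):
# Test-FvePolicy -Policy (Get-FvePolicy) -HasTpm ((Get-Tpm).TpmPresent)
# Backup-OsRecoveryPassword
```

The audit is split into a pure Test-FvePolicy that takes a hashtable and a Get-FvePolicy loader so the rules can be exercised offline or unit tested before they are run fleet-wide; an empty findings list means the device matches the table's recommendations for the settings it covers.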
