
Course Transcript

Data Protection in Windows 10

Overview of Data Protection

Configure File System Permission

Configure File System Encryption

Configure BitLocker & Device Encryption

Practice: BitLocker without TPM

Course Introduction


All right. Imagine this situation, maybe you've experienced this. You have a laptop, you leave it in the taxi, and you are headed into the hotel. And then, oh no, my laptop is lost. Or imagine a situation where you accidentally forward an e-mail or a document, or left it on a USB stick and the USB stick gets lost. What will we do in those situations where we have lost corporate data? How do we protect it from being exposed to who knows whom? So what we want to do in this section is talk about enterprise data protection technologies, and there is a range of different ways in which we can secure this data. We can encrypt it, of course; we can apply permissions to it; or we can also use containerization, which is the new technology in Windows 10 that keeps corporate data separate from personal data, corporate applications separate from personal applications. So these are rich technologies built into Windows, and they help us avoid information leakage.


Data Protection in Windows 10


All right, let's talk about data protection in Windows 10. I'm excited about this topic. There are some really epic technologies here that can make a big difference in terms of keeping our corporate data safe. So let's have a look at it. Now, to get things started, we want to talk about danger – danger, danger, Will Robinson. What is a big danger? Well, organizations face many security challenges around protecting their data. This is actually quite alarming. If you look at some of the surveys and statistics, they did some studies where they surveyed senior business managers. And over 50% of them admitted that they've accidentally leaked information; over 80% said they use their personal e-mail for their work e-mail. I remember actually a particular case when I was living in a different state, in my other life. I remember the news one day where a school official leaked some scandalous information. It was one of the local colleges there. And it was a list of all the students who had been accused of sexual misconduct. And it was a big scandalous thing because some of the people on the list were...well, they were innocent, they were just accused of it. But others no doubt were guilty. But everyone on campus knew about it. And that was a scary information leakage scenario. And the thing is, those types of things show up in the news frequently. Another famous example was the G20 Summit, a few years back, where somebody in the organization of that event accidentally sent the itinerary of all the world leaders to some other third party, and that was the result of AutoComplete. So, for me, I use AutoComplete all the time. And it's funny because I've made this mistake, right. I've got a couple of friends named Dan and my boss is named Dan, and I've accidentally sent e-mail to the wrong Dan before. AutoComplete can't tell the difference. So I'm sure you are in the same boat, right. How about you? Do you have stories as well?

[Heading: Data Protection in Windows 10. Organizations face many security challenges around protecting data including offline attacks, system disposal, rising costs, and BYOD pressures.]

Now the bottom line is we need company data to be safe, no matter where it goes, no matter what device it's on. But we also need to still make it available, but only to authorized users. And we need to do this without a lot of contortions because – well – there are a lot of existing solutions out there to try to help with information protection. And they use kind of a mode-based model where a user has to switch between different modes. So they've got their work self on their device. And then, when they need to do something personal, then they have to kind of contort over here and then they can do the personal stuff. And then, when they have to do something work related, then they've got to – you know – come back over here into this mode over here. So we want something that doesn't require contortions and that's easy to use. And, from an IT administrator perspective – you know – you and I are responsible for the stewardship of our organization's data. So we need a solution that works well for the users, but we also need one that's strong and helps us manage the security – a flexible solution.


Overview of Windows Data Protections


Microsoft has been developing data protection technologies for a long time, starting way back with the development of NTFS, right here. NTFS is file system protection, right, and permissions. And with Windows 8 and Server 2012, they actually expanded NTFS: it now supports claims and conditional access. So not only can you control if a user has permission based on the groups they're a part of, you can also control whether or not they have access based on an attribute in Active Directory – like, for instance, what country they're part of or who their manager is. That's claims-based access, or what is also known as Dynamic Access Control, and it's integrated with NTFS. Now that's just one example. There are several others here. I don't want to talk about each of these. Then there is EFS over here. Now, I remember, when I was starting out actually, I was working with a customer that was a manufacturing firm. And they actually were looking specifically for a way to protect their laptops because they had one stolen by a competitor. So there was some corporate espionage going on. Well, EFS provides file-based encryption, so it can secure some of those devices. So users can encrypt files, basically. It's user-based, certificate-based, file-based encryption. And so that would be useful in many cases, but then that's per user. It's not device protection. So then we have BitLocker. Microsoft developed BitLocker to address some of the gaps that EFS had. And so BitLocker actually encrypts the entire volume. So we've got more device protection there.

So we're encrypting the entire operating system. We're encrypting the entire data volume. The other thing that's great about BitLocker is it actually takes a measurement of the system. So it's aware of the system that it's on. So, if you try to steal the hard drive and do an offline attack, BitLocker will prevent that. And then you can also configure BitLocker with a TPM. That's the preferred approach. And that provides additional protection against certain types of hardware attacks. So this is a great technology. Nevertheless, both BitLocker and EFS are encryption technologies. Well, these can be challenging in a couple of different ways. It can be challenging in terms of provisioning it and then supporting it. Well, that's total migraine territory there. So this is another area that Microsoft has been improving. So, with BitLocker, there have been enhancements with almost, like, every edition of Windows. So, for instance, there is a form of BitLocker called Device Encryption. And it's applied to a lot of devices. It's not limited to just the Enterprise edition any longer. In fact, on devices that are rated for or support what is called Connected Standby – which Microsoft renamed and calls InstantGo – well, they took the pain out of provisioning by just automatically encrypting those devices. If you have a Connected Standby or InstantGo device, basically it's going to be encrypted. And, when you actually turn it on and you go through the initial out-of-box experience, encryption is immediately applied to it. So it's just a few clicks. And so that's an example of where they're trying to take some of the pain out of that and just improve the provisioning and the usage of BitLocker. And then, in terms of recovery and support, Microsoft has MBAM, the Microsoft BitLocker Administration and Monitoring kit that comes from MDOP, the Microsoft Desktop Optimization Pack. So these other types of tools are what I'm getting at. These all come in and address some of the concerns in terms of administering and provisioning BitLocker.

Now I actually talk about BitLocker at length in a later video. So we'll explore some of these things I'm talking about again later on. Another important protection scheme, I should say, is RMS – right here. And RMS stands for Rights Management Services. Now the reason why we have Rights Management Services is because the protection that you see with BitLocker, EFS, and NTFS is all protecting data at rest. RMS will protect the data no matter where it goes. So now we're extending information protection. And we're embedding it in the actual file itself. So you may have actually experienced this before where you've received a document from somebody that has Information Rights Management – that's another name for it – and it's preventing you from forwarding the e-mail or preventing you from printing that document. That's like Digital Rights or Information Rights Management. And that's what RMS provides for us here. Now there are two types of RMS. There is an RMS that is still on-premises. There is an infrastructure that you can deploy in your organization. It's a challenging point there because that infrastructure can be expensive in some cases, but that allows you to actually build out internally an RMS template and some RMS rules. So your users can actually create documents, apply templates, and provide basically protections to the content that they are creating. So they can create a memo and restrict it to only internal employees, that sort of thing. But it's an on-premises solution. So that infrastructure is required. So Microsoft also has now cloud-based RMS. And this is something they developed in recent years. It's called Azure RMS. And the point of Azure RMS is to kind of extend RMS capability and to address some of the limitations with on-premises RMS. And that is business-to-business exchange of data and doing that with Information Rights Management protection guarding that information.

So you've got secure data exchange with Azure RMS without as much involvement or infrastructure as you might expect with on-premises. All right, so we've got several important data protection technologies. These are still in play. Some of them have been around since Windows 2000 – like EFS and NTFS – or earlier. Nevertheless, these are still part of our strategy in protecting our data, but there is more. So moving over here now, let's talk about some additional technologies and improvements that are targeting data protection or information protection in Windows 10. So Windows 10 can take advantage of these, but it also has a secure application environment, thanks to the Universal Windows application model. This is really a development of the WinRT APIs. And here you've got security implemented in applications as best practices. So you've got apps running in a secure, isolated container – so just out of the gate, these applications are more secure than standard Win32 applications in many cases. There are also technologies that these apps can adopt. So, for instance, if they get compiled in Visual Studio, they'll automatically have DEP – Data Execution Prevention. You could also apply things like address space layout randomization. So these are technologies that make this application model secure. There is also support for the latest Windows authentication methods, like Microsoft Passport and Windows Hello. Those are big parts of protecting our application data.

Now, EDP, Enterprise Data Protection – right here. Now EDP is an intelligent, and also meant to be convenient, kind of protection for work documents and applications. And it's really one of the next big areas of investment from Microsoft. I like to think of it this way. I like to think of EDP as having its head in RMS and its feet in the cloud. And that's because its job is to create enforced boundaries between work and play, right, without those contortions that we're talking about. And it's really meant to address the gaps with RMS. The problem with RMS is the user has to be, you know, aware that they need to apply the protections. Whereas with EDP – well, the user is simply, you know, accidentally maybe copying a file over, and EDP then alerts them, "Hey, you can't do that," because that's a personal application. That's not a work application. So Enterprise Data Protection is an important enhancement. And in addition, from an IT standpoint, a really useful addition to protecting my corporate data.


Overview of EDP


So now we're going to talk about EDP. What does EDP stand for? Well, it stands for Enterprise Data Protection. Or, because this is so cool, I like to call it epic data protection because it can containerize our data. So here is what I mean by that. EDP creates these policy containers. It has an awareness of the different types of applications and the different types of data in your organization and it can create these boundaries between them. And these boundaries between them are enforced by policies and they can be audited. EDP has a powerful set of features to make it convenient and easy for users to use. They don't actually have to switch between these two different modes. They don't have to go back and forth between these because the policy and EDP is able to automatically detect the sources of the data, the type of application, and enforce these policy-based boundaries.

So here is a look at the features of this epic data protection. We've got, of course, enforced policy boundaries, which are these containers I was referring to. And what this allows us to do is encrypt and designate applications and data that belong to the organization as opposed to data that belongs to the user. And this gives protection to that data, but it also allows us to target our management. So we can actually wipe this data out if we need to, if the device gets lost or stolen or the person is no longer in the position they were before. So we've got some insight into this. Another important thing is it supports multiple devices. And then this is a big point that Microsoft makes about this solution, and that is it's an integrated UI for users. And the reason this is important to Microsoft is because they surveyed the marketplace and found a lot of third-party solutions offer a similar type of approach but require mode switching. But the whole target for this protection is really specifically looking at the gap that exists for accidental data leakage.

So the situation or the scenario that we're really targeting is the fact that, with other protections, users have to be intentional. They have to say, "I want to apply this secure template," like in RMS. Or the device itself might be protected, but that's all. The entire device is encrypted or something like that. So there is a gap between device protection and user-applied protections, and that's accidental data leakage, right. Like a user using AutoComplete and addressing the wrong party, or they forget what is on the clipboard, so they paste something into Twitter, right, that's corporate sensitive and they accidentally send that – those types of scenarios. That's what this is intended to address. And it's intended to be something you can forget about: it's applied, the system is enforcing these boundaries, but the user doesn't have to think about it. In fact, it will remind the user if they try to cross this boundary; they will get an alert saying, "That is not a corporately approved application, so you can't move the data between them." And there are a couple of different ways in which this can actually be configured.

So you can set up kind of a hard boundary preventing any exceptions at all, moving from personal to business. Or you might set it up so that a user would be alerted and informed that they're moving across this boundary. And then they can simply say, "Yes, I know that this is corporate data. But I need to actually do this in the personal space." So, for instance, someone who might advertise a corporate campaign but use social media to do that. So there might be a way of allowing that user to obtain an override. And, of course, any of those types of activities – overriding the policy here – can be audited. So the IT organization has different ways in which they can enforce those policies so that users can be productive and, at the same time, have some safeguards around the information. So, in summary, this is what EDP does for corporate data. It isolates it, it allows for auditing, it keeps it encrypted both in transit and at rest, and it's highly manageable. The whole solution is driven by mobile device management. Now what do you need in order to enable this solution? Well, if it's driven by management, we're going to need MDM – so something like Intune or System Center Configuration Manager. There's support for this solution for other applications. But this is what we're going to use to actually enable it for our devices. Optionally, we can apply that encryption in transit and apply some other rules to our data when it's in transit, preventing, you know, attachments from being printed and that sort of thing, with the help of RMS. So that's integrated into this solution. And then enlightened apps. Well, what are enlightened apps? We'll also have a look at this.

So here is what enlightened applications mean. It means basically that these applications can recognize whether the data is personal or the data is enterprise and then it can have a response in regards to that designation. This also means it can protect the data whether it's at rest, it's in use, or that data is actually in motion – it's coming in or it's going out. And, for instance, if it designates that the data is personal in that application, then no policy is going to be applied to it. No policy for those personal apps and personal data. But, for those applications which it identifies as enterprise, well, then it can protect that data whether it's at rest or it's in flight or in transit and apply the policy. The policy will follow the data in the application. So there are also things here that might take place where if it is enterprise data, it's going to block it and prevent it from being sent to a nonenterprise application. Or it might secure it through VPN connections. So enlightened apps are applications that can integrate and take advantage of EDP policies.

[Heading: Enlightened Apps for Enterprise Data Protection. In Local (productivity apps), the Data Ingress checks for enterprise tag on data; the Data in Use is set to Enterprise or personal; the Data Egress protects the enterprise data; and the revoke option under event handling closes and cleans up the content, the screen lock option closes the content, and the screen unlock option reopens the content. In Network capable (channel apps), the Data Ingress checks for enterprise tag on data and unwraps files; the Data in Use turns VPN on or off; the Data Egress blocks data that is sent to non-enterprise hosts or wraps files for transport; and the revoke option under event handling stops the enterprise sync completely, the screen lock option stops the uploading of the content, and the screen unlock option resumes the uploading of the content.]


Standard Permissions


We're going to talk about standard NTFS permissions. Now NTFS has been around for a while. Some of you are probably pretty familiar with how NTFS works. But stay with me, I might share with you a secret or two that you didn't necessarily know about how NTFS works. All right, NTFS is file-system-based security, which means when you format your volumes, you apply – of course – a file system to it. And Windows 10 supports NTFS; that's the primary file system we use. There is a newer file system called ReFS, but that's for servers. It also has a very similar type of protection system. So many of the things we talk about here would apply to that context as well. Now NTFS is file system protection, which means it's providing protection for that file when it's sitting on that drive in that volume. And what that means is every file that's stored in that volume – that's an NTFS volume – well, there is some metadata, some additional information that's stored about that file that kind of guards it. And so we keep track of things like who owns it, who created the file. We keep track of a DACL. These are permissions. Discretionary access control list is what that stands for. Think about that for a minute, the DACL – discretionary access control list. So what we're doing is we're controlling access on a discretionary basis. And so it's a list of who has what kind of permissions, who can read it, who can write it, who can change it. And then we've got the SACL down here. And the SACL is referring to auditing.

So SACL stands for system access control list. And there, we're actually just tracking what is taking place. Now NTFS also supports EFS. EFS is an extended attribute in NTFS. So there is some encryption and some other features in NTFS. But, in terms of security, this is what NTFS offers. Now what I want to do is get into how NTFS permissions really work. Now NTFS has been around for some time. And a basic understanding I think is available to most of us, but there are some details. One of the things about NTFS that makes it challenging sometimes is the fact that, on the surface, it's not intuitive. So there are some rules about the way NTFS permissions work. But, if you don't understand them or haven't read or studied them, then it will elude you why it's behaving this way and not that way. So what I want to do is break down a little bit more of the details for you and share with you how NTFS permissions really work.

Now, for starters, we need to remember that we have a security descriptor. NTFS has this metadata that's associated with the file, folder, and even a disk. And inside the security descriptor are these key fields. There is an entry for who owns the file or folder. There is an entry for who has permissions. So there is this discretionary access control list. This is going to be the focus of our conversation going forward. So this is who has read/write permission. And what is actually in this list is a list of users and groups, and technically it's their SIDs. So we've got the SID, which is the security identifier. And that's because it's a security identifier that uniquely identifies that object, and it's tied to a security account in Active Directory or maybe the local machine. So we're listing which accounts, which group accounts as well, have what permissions. Now, if we have auditing enabled, we would have a list of who we're auditing and what we're looking for in here as well. Now you can actually see the security descriptor pretty easily. If you go to an NTFS volume, you right-click on a file and you go to the properties of it. In the advanced view, you'll actually see a section or a tab dedicated to who owns it. You'll see one dedicated to auditing and you'll see one dedicated to permissions. And what you're looking at is the security descriptor – pretty cool. So now let's dig into how permissions work. Let's start with a quick overview of NTFS permissions. They have several important features: these permissions are set to either Allow or Deny; these permissions are cumulative; these permissions can be inherited; and there are two kinds of permissions – standard or special permissions. And we're going to dig into each of these here in a moment.

[Heading: Security Descriptor. NTFS provides ACL-based protection for disk, file, and folder objects. ACLs are located in the Security Descriptor.]

The other thing I want to bring to your attention is that, technically, at least in the terminology Microsoft uses, these permissions are put inside the DACL as ACEs. Each time you add a user or a group and you indicate if they have an Allow or Deny permission, what you're doing is adding what is called an access control entry, or an ACE. And, simply speaking, what the system does is it looks to try to match ACEs to the user who is accessing it, processes these ACEs, and effectively it does a calculation to determine what their effective permission is. So that's what an ACE is if you see that in the documentation. All right, so more with NTFS permissions now. As we saw in the summary, NTFS permissions can be Allow or Deny. So we can add users or groups and grant them specific ACE entries. Let's say they have Allow Modify, or they have Allow Read, or they have Allow Full Control. We can also use this other column over here and say they are denied Full Control, or they are denied Read permission, if you want to. I should point something out: when you're actually editing this list right here and creating ACEs – and this is a screenshot from the properties of a file or folder; it might look really familiar to you – what you see here basically is that you're making explicit permission changes, right. Adding a user and granting them something in the Allow column or the Deny column. A quick word here about Deny: a Deny can either be explicitly selected, or you can be implicitly denied. If you're not in the list at all, then you don't have access. NTFS is not going to grant you access. So two types of permissions – Allow or Deny.

Now these permissions are also cumulative, which means if you have Allow Read and you also have Allow Write, you have Allow Read and Write. So those get added together; they are cumulative. A quick example of this: let's say, for instance, that you have a file and you need to grant me access to it. So you can add my username to your permissions, create an ACE for me, and indicate that I am allowed Read permission. Now, if another administrator comes in behind you and adds a group, and I happen to be a member of that group, and they grant that group Modify permission, well, then because these permissions are cumulative, I have Allow Read and I have Allow Modify – they are cumulative. And so, essentially, I've got Modify permission. So that's an important thing to take note of. Another important thing to take note of is that, oftentimes, Deny permissions will usually trump. That's a good general rule. It's also a good general rule to avoid using the Deny column because it just complicates your troubleshooting.

All right, the next thing we want to talk about is how to edit these permissions. And this has a lot to do with going into the Security tab. And, when you're greeted by the initial Security tab properties page, you can access what are called standard file permissions. It's only when you go into the advanced view that you're working with special permissions – so to speak – as well as standard permissions. You can also work with your NTFS permissions in the command line. There are some PowerShell tools, and then there is also an enhanced Cacls tool. It used to be called Cacls, but Microsoft added an "i" in front of it because of the enhancements for User Account Control, which are called integrity levels. So now we have icacls. Both of those allow me to work with permissions from the command line. Now let's talk about standard folder permissions which – in many ways – are not much different than file permissions, but there is a subtle difference because a folder object is different than a file object. And, like the file, you can access folder permissions from the Security tab, or you can access them through the command line as well.
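Here is an added example, not from the course, that walks through what this section describes from the PowerShell side: reading the security descriptor (owner, DACL, SACL), adding two explicit Allow ACEs the way two different administrators would, seeing that they accumulate, and doing the same grant with icacls. It assumes an elevated PowerShell 5.1 session on an NTFS volume and a hypothetical local user `jason` who is a member of a hypothetical local group `LogReaders`; both names are placeholders.

```powershell
# Added example (not course code). Assumes an elevated PowerShell 5.1 session on an
# NTFS volume, plus a hypothetical local user 'jason' and a hypothetical local group
# 'LogReaders' that jason belongs to. Replace those names before running.

$demoDir = Join-Path $env:TEMP 'ntfs-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$file = Join-Path $demoDir 'report.txt'
Set-Content -Path $file -Value 'constructed sample content'

# 1. The security descriptor: Owner, the DACL (.Access) and, with -Audit, the SACL
#    (.Audit). Reading the SACL is why the session must be elevated. Each row of
#    .Access is one ACE: identity, Allow/Deny, rights, and whether it was inherited.
$sd = Get-Acl -Path $file -Audit
"Owner: $($sd.Owner)"
$sd.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
$sd.Audit  | Format-Table IdentityReference, AuditFlags, FileSystemRights -AutoSize

# 2. First administrator adds an explicit ACE: "jason Allow Read".
$acl = Get-Acl -Path $file
$readAce = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'jason', 'Read', 'Allow'
$acl.AddAccessRule($readAce)
Set-Acl -Path $file -AclObject $acl

# 3. Second administrator adds "LogReaders Allow Modify" to the same file.
$acl = Get-Acl -Path $file
$modifyAce = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'LogReaders', 'Modify', 'Allow'
$acl.AddAccessRule($modifyAce)
Set-Acl -Path $file -AclObject $acl

# 4. Allow ACEs are cumulative: jason gets Read from his own ACE plus Modify through
#    the group, so his effective access is Modify. Note that an account which appears
#    in no ACE at all is implicitly denied; nothing has to be written to the Deny column.
(Get-Acl -Path $file).Access |
    Where-Object { $_.IdentityReference -like '*\jason' -or $_.IdentityReference -like '*\LogReaders' } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# 5. The same explicit grant with icacls: /grant adds an ACE (it does not replace the
#    list), and (R) is the Read standard permission. The second call prints the DACL.
icacls $file /grant 'jason:(R)'
icacls $file
```

When you are done, `Remove-Item -Recurse -Force $demoDir` cleans up. The `IsInherited` column in step 4 is the one to watch in the later section on precedence: both ACEs added here are explicit, so they appear with `IsInherited` equal to `False`.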


Advanced Permissions


Okay. So let's have a look now at the special or advanced NTFS permissions. Advanced or special NTFS permissions can also be found in the properties page. And what makes them different than your standard permissions is that they are granular and very specific. So let's take, for instance, the Read permission that's found on the properties of a file. That Read permission, if it's a standard permission, is actually multiple reads. It's read the data; it's read the attributes; it includes Read Permissions. So the Read standard permission is actually a combination of multiple reads. The way I think of it is kind of like soup. I know, strange. But I've always thought of it as kind of like chicken soup, in that there are multiple ingredients to chicken soup, not just chicken. But, if you were to break the ingredients down, that's where we get the advanced or specific permissions – the ingredient permissions.

Now here's a useful table that describes special permissions compared to standard permissions. So, like I was saying before, here is our Read standard permission. So think of that as read soup. Well, what are the ingredient permissions? Well, we've got List Folder/Read Data, Read Attributes, Read Extended Attributes. Then we've got Read Permissions down here. And so we've got multiple reads that make up the Read standard permission. These over here are my granular, specific permissions. Now the advantage of this is you can actually assign either standard permissions, or you can break into the advanced properties page and actually assign very specific permissions if you need to. Say, for instance, you've got a particular application that's writing to a transaction log. And there is a service account that needs to be able to write to the folder where that log is stored. But you want to follow best practices, and that is don't grant more privileges or permissions than what is required. So you can rely on special permissions to do just that. For instance, you can grant just Write Data permission to that account, and that's all you grant. You don't actually have to grant additional permissions, so it has least privilege, least access, and you're following best practices. And so this gives you the ability to address your permission needs and modify your permissions so you follow best practices, but you're also accomplishing what you need to accomplish.
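As an added example that is not part of the course, here is the transaction-log scenario from this section carried out with special permissions in PowerShell: a hypothetical service account `svc-app` gets only the write bits it needs on a log folder, and nothing from the Modify or Read standard permissions. The account name, folder path and the `GENERIC_WRITE` caveat at the end are mine, not the lecture's; the caveat reflects the rights Windows requests when a program opens a file for generic write access.

```powershell
# Added example (not course code). Assumes an elevated PowerShell session on NTFS and a
# hypothetical service account 'svc-app' that writes an application log into $logDir.

$logDir = Join-Path $env:TEMP 'app-logs'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

$acl = Get-Acl -Path $logDir

# ACE 1, "this folder only": CreateFiles is the WriteData bit as it applies to a folder.
# It lets the account create the log file in this folder and nothing else: no listing
# of the folder, no creating subfolders, no reading other files.
$createAce = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'svc-app', 'CreateFiles', 'None', 'None', 'Allow'

# ACE 2, "files only": WriteData and AppendData on the files inside the folder.
# ObjectInherit means files inherit it; InheritOnly means it is not effective on
# the folder itself. Together these are the "ingredient" permissions, not Modify.
$writeAce = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'svc-app', 'WriteData, AppendData', 'ObjectInherit', 'InheritOnly', 'Allow'

$acl.AddAccessRule($createAce)
$acl.AddAccessRule($writeAce)
Set-Acl -Path $logDir -AclObject $acl

# Verify: the special permissions are listed individually, with their scoping flags,
# rather than rolled up into a standard permission.
(Get-Acl -Path $logDir).Access |
    Where-Object { $_.IdentityReference -like '*\svc-app' } |
    Format-Table FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType -AutoSize

# icacls view of the same folder: expect (WD) on the folder-only entry and
# (OI)(IO)(WD,AD) on the files-only entry.
icacls $logDir

# Caveat (assumption about the application, not part of the course): a program that
# opens the log with GENERIC_WRITE is also asking for WriteAttributes,
# WriteExtendedAttributes, ReadControl and Synchronize. If the service gets
# "access denied", add those specific bits rather than falling back to Modify.
```

Test with the real application rather than guessing at the bits it opens the file with: the failure mode of least privilege is an access-denied error you can see and fix, while the failure mode of granting Modify is silent over-permission.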


Permission Precedence


Now, for my veterans out there who have been doing NTFS kinds of work for a while, here is one of those areas that is a little less known, one that is a bit more obscure and definitely not intuitive. And that is how it processes permissions. There is a characteristic of NTFS called permission precedence. And so what I want to do now is explore NTFS permission processing and how precedence plays a role in that. Now we need to start with this idea of inheritance in NTFS. How does NTFS permission inheritance work? Well, we know the basic idea of inheritance, right: you can set permissions on a folder object, and then the child objects, the other folders and files inside, will receive their permissions from that parent object. Now one of the great things about NTFS inheritance is that it's manageable. You can turn it off entirely if you want to, or you can also scope it. So you can actually set NTFS permissions here on this folder and say I want it to only target files, but not subfolders and their files, or I only want it to apply to this folder and not be inherited by files. So you can actually control or scope inheritance. Let me show you how that works.

Now here is an NTFS question, or kind of a principle, that we often think about, and that is Deny and Allow. You've probably heard this many times before: Deny trumps Allow. I don't know, maybe you haven't, but I've heard it a lot. And, when I first learned about NTFS permissions, this is what they taught us – Deny trumps Allow. But does Deny always trump Allow? Well, the short answer is no, it does not. Let me show you why, and this is interesting stuff right here. The reason Deny doesn't always trump Allow is that there is a precedence to the way NTFS permissions are applied. So you can see here we've got this precedence order, and the one at the top of the list is the one that trumps everything else. So an explicit Deny does trump all of the other types of permissions, all the other entries, or ACEs, inside your access control list. But an explicit Deny isn't the only type of Deny here. We've got another one right here, and that's an inherited Deny. And this is interesting: notice that an explicit Allow can trump an inherited Deny. So here's a quick example of this.

Let's say, for instance, I've got a folder up here, and I grant you permission to it, but I explicitly deny myself on that folder. Then we've got some files down below. And, of course, I know it's not real practical for me to be denying myself, but I'm denied at the folder. Down below is this file, and what you could do is grant me Allow permission on the file. Even though I'm denied at the folder level, and that Deny is inherited by the file, your explicit Allow for me grants me access to the file. So by explicitly adding me to that file's list – and you're not changing inheritance here – you're simply adding an additional ACE, or entry, to the permissions that says "Jason Allow Read." Then I am actually able to read it, even if in those same permissions there is an inherited Deny.


Combining NTFS and Share Permissions


Okay. So now we're going to look at an important principle, and that has to do with what happens when we mix NTFS permissions with other permission systems. Here we're using sharing as an example, but it could be other types of permissions as well; it could be application permissions. Now this is a typical type of scenario. What I want to do first is establish the scenario, what is happening, and then describe how permissions play a role in this. So let's begin with the idea that over here we've got this user who wants to access a resource that's stored on a server, on the D drive of the server. So the administrator creates a shared folder. This shared folder is providing access to this NTFS resource. The user then can use Microsoft file and print sharing, and the sharing client that's built into a Windows machine, to send requests to the share service over here. And the share service then will talk to NTFS and retrieve the files. So you see, that's what is happening. So here is the user using a network path. We call that a UNC path: \\the name of the server\the name of the shared folder. That sends a request over the network, which is received here through the networking stack of the server. And there we have this shared folder object over here called Resources. Now that share is mapped to a very specific location in the file system, so that gets translated. The share service says, "Hey NTFS, this user wants access to your web files folder." NTFS then supplies that to the share service, which sends the content back and provides the data the user is looking for.

All right, so that's the basic scenario. Now let's mix permissions into this. When a user goes to access these resources, they are crossing multiple permission systems. Multiple permission systems, meaning that there are permissions enforced by the NTFS file system, but there is also another set of permissions enforced by sharing. In fact, if you go to the properties of this folder right here, you'll see two tabs: a Sharing tab and an NTFS Security tab. And so the question becomes, well, what actual level of access does a user have? Do we grant them NTFS permissions and ignore the Share tab? Or do we grant them just share permissions and ignore what is on the NTFS tab? Well, the answer to both of those is no. Instead, both sets of permissions are applied, and the net result is that the user is granted the most restrictive set of permissions. That's because these are independent permission systems. The sharing service is doing its job and NTFS is doing its job, and they are not consulting with each other. They're not sharing permissions. Instead, each one is independently providing access to the user based on who the user is. And the net result is going to be whichever one is the most restrictive; that's the amount of access they have. So let me give you an example of this. This user tries to access this shared folder. Imagine for a moment that this shared folder has Read permission assigned for this user. NTFS, on the other hand, over here, let's say, is granting Full Control to that user. So, on the Share tab, this user is part of a group that has Read, and, on the NTFS Security tab over here, that user is being granted Full Control.

What is the net result for this user? Well, they have Read permission; that's what they have. They have Read permission because the share service says, "You only have Read permission." Now it doesn't matter if we switch this around. If we totally turn this around, and this here has Full Control and over here we're granting Read, the user still only has Read permission because – in this example – NTFS says, "Well, they only have Read permission." So sharing grants some access, but NTFS is restricting them to just Read permission. You see, it's whichever one is the most restrictive. Now you may have heard me share this before in other places, when I talk about how to combine NTFS and share permissions, and it is this: I actually had a dream about this once.

So, years ago, I was thinking about NTFS permissions and share permissions, and I saw two golden hoops in my dream. You know how dreams are; they were NTFS and share permissions. And I was trying to pass some things through them; I don't know if a cow was trying to jump through them or something. But I knew that one of those hoops was smaller than the other one. And so, effectively, whichever the smaller hoop is, that's the largest-size item I can pass through both hoops, or both pipes, or however you want to look at it. So here we've got two different hoops. Now the reason I think this is so valuable is because it plays into troubleshooting. If users are trying to gain access to something and they don't have access to it, then the first thing you should ask yourself is, what hoops are they passing through? That will help you determine where you should actually control or change their level of access. And it's not just NTFS permissions and share permissions; you could also have a firewall right here that's controlling or eliminating their access, or there could be application permissions that are also being applied to this as well. So, by considering how they're accessing it, what hoops they are passing through, and what is the smallest tube, you will be able to close in on why they are being granted limited access. So this is an important principle to understand when calculating and troubleshooting permissions.
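An added example, not from the course, that covers both the precedence order from the previous section and the smallest-hoop rule here: a PowerShell effective-access calculator that walks a file's ACEs in precedence order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and then ANDs the result with the share level. The scratch paths, the use of BUILTIN\Guests as the denied principal, and the share level passed in are assumptions; group membership is not expanded, so the identity must match the ACE exactly.

```powershell
# Added example, not from the course: effective access across NTFS precedence
# and share permissions. Paths/principals are constructed for the demo.
using namespace System.Security.AccessControl

function Get-NtfsAccessMask {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Identity)     # e.g. 'BUILTIN\Guests'
    # Canonical order = the precedence list: non-inherited ACEs before inherited,
    # and within each tier Deny before Allow.
    $aces = (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Sort-Object @{ Expression = { $_.IsInherited } },
                    @{ Expression = { $_.AccessControlType -eq [AccessControlType]::Allow } }
    $granted = 0; $denied = 0
    foreach ($ace in $aces) {
        $bits = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq [AccessControlType]::Deny) {
            # A Deny only blocks bits that no earlier (higher-precedence) ACE granted.
            $denied = $denied -bor ($bits -band -bnot $granted)
        } else {
            # An Allow only grants bits that no earlier ACE denied.
            $granted = $granted -bor ($bits -band -bnot $denied)
        }
    }
    return [FileSystemRights]$granted      # 0 means the ACEs grant nothing
}

# Share permission levels expressed as the NTFS mask they let through.
# (Read the real level with Get-SmbShareAccess -Name <share> on the server.)
$ShareMask = @{ Read   = [int][FileSystemRights]::ReadAndExecute
                Change = [int][FileSystemRights]::Modify
                Full   = [int][FileSystemRights]::FullControl }

function Get-EffectiveShareAccess {
    param([string]$Path, [string]$Identity,
          [ValidateSet('Read','Change','Full')][string]$ShareRight)
    $ntfs = [int](Get-NtfsAccessMask -Path $Path -Identity $Identity)
    return [FileSystemRights]($ntfs -band $ShareMask[$ShareRight])   # smallest hoop wins
}

# Constructed demo of the course's folder/file case, with the built-in Guests
# group as the principal: Deny Modify on the folder, explicit Allow Read on one file.
$who    = 'BUILTIN\Guests'
$folder = Join-Path $env:TEMP 'prec-demo'; $file = Join-Path $folder 'secret.txt'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

$facl = Get-Acl $folder
$facl.AddAccessRule([FileSystemAccessRule]::new($who, [FileSystemRights]::Modify,
    [InheritanceFlags]'ContainerInherit,ObjectInherit', [PropagationFlags]::None,
    [AccessControlType]::Deny))
Set-Acl -Path $folder -AclObject $facl            # the Deny is inherited by children

Set-Content -Path $file -Value 'constructed sample'   # created after the Deny exists
$iacl = Get-Acl $file
$iacl.AddAccessRule([FileSystemAccessRule]::new($who, [FileSystemRights]::Read,
    [AccessControlType]::Allow))
Set-Acl -Path $file -AclObject $iacl

"folder : $(Get-NtfsAccessMask $folder $who)"                      # explicit Deny: nothing
"file   : $(Get-NtfsAccessMask $file $who)"                        # explicit Allow beats inherited Deny: Read
"share  : $(Get-EffectiveShareAccess $file $who -ShareRight Read)" # Read AND Read = Read
```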


Conditional Access


All right, let's have a look now at NTFS conditional access. This is a newish type of technology, meaning it's been around for a couple of years. It's not new with 10, but 10 can certainly do it. This was introduced with Windows 8 and Server 2012. NTFS conditional access really extends NTFS's powers and capability. So what is conditional access in NTFS? Well, consider this with me for a moment. Consider the fact that, especially in larger organizations, we're providing access to resources based on groups. And that gets really challenging when we have a lot of complex situations where access to resources requires more and more groups. So let me give you an example. Let's say, for instance, we have some resources that we want to grant different levels of access to based on what region the users accessing them are part of. So we might be part of an international company with users from different regions, and so we create groups for each one of those regions.

On top of that, we might have another level of access we have to define based on what department the user belongs to or who the user's manager is. And so we start creating groups based on departments. We might start creating groups based on management. Maybe we're also concerned about levels of access based on the status of that user, whether it's a full-time employee or maybe some other type of status distinction we're making, so now we're creating other groups. So we have groups for this type of access, groups for that type of access, and we end up having thousands of groups, because we have to represent all the different combinations that we need in order to control access. Well, that becomes a big burden on several fronts. It becomes a burden on the IT front; it becomes a burden in terms of the Kerberos tickets, because there are limitations on how many groups a ticket can store; and then it just becomes a headache when it comes to troubleshooting access. So Microsoft introduced a way to control access based on conditions.

So, the answer to the question, what is conditional access? We're granting access not just on user groups; we're now also granting access based on what are called claims. That is, we're leveraging information in Active Directory – not just groups, but attribute information. So for the user account in Active Directory, not only do we list what groups they're part of, but we list things like their address, what region they're part of, who their manager might be, and other pieces of information. All of those attributes can now also be included in the Kerberos ticket, because Kerberos is claims-aware. And, with it being claims-aware, we can take that information and use it to control access to the resources. This actually translates into a reduction in the number of groups, because it opens up the ability to take a resource – a file or folder – go to the NTFS properties, and explicitly indicate what we want to control. We can say, for instance, we want to allow users Read access – unless they're from Canada – then we want to grant them Full Control, because maybe it's, you know, intellectual property, or we have some sort of compliance reason. Whatever the situation might be, we've got the ability not only to grant access based on groups but to grant access based on these things called claims. Now this is governed by Windows Server 2012's Dynamic Access Control. So there are several parts to the way conditional access works. You need to have Windows Server 2012, and, with the right components in place, you can set up and use conditional access.

Now here is a look at some of the components required for Dynamic Access Control. Remember, with Dynamic Access Control, what we're doing here is providing conditional access. And so we can leverage a central policy right here. This central policy can be distributed by Active Directory's Group Policy and Windows Server 2012 servers. And this can be combined with file classification, so that the content of the files can help drive what permissions are applied to them. And it can be done automatically. So it helps to have an example here. Let's say, for instance, we've got a document, and that document contains customer information and some credit card information. File classification in Windows Server 2012 can read that and detect that it is credit card information. And then it can take action. That action could be a couple of different things, one of which is applying a central policy to it, which immediately applies conditions that say, "Well, this needs to be read-only, and we're not going to allow this file to be printed" – so we can integrate it with RMS if we want to. And we can apply particular permissions against it and say, "Only users with certain claims can have access to this." We can say, "Users from the finance department have Full Control, but everyone else does not." That kind of automatic content detection is done with the help of file classification, Dynamic Access Control central policy, and claims-based conditional access.

Now the claims themselves... when a user goes to access the resource, they present to the system who they are in their access token. This includes their user identifier, or SID, and the groups they're part of. But what is new is that Kerberos also supports, in the access token, any claims that have been configured as part of the central policy. So that's how we can leverage conditional access based on user claims. Now the user is not the only one that can offer a claim; you can also turn on device claims. So the device can indicate that it's a laptop, or a smartphone, or a desktop of a certain sort, and so device claims can also be leveraged for conditional access. Now here's a look at another example of this. Here we see that we've got a user who is part of the finance department. We have a resource here that's also been tagged, or classified, as belonging to the finance department. So file classification can indicate that this file belongs to finance. And so you can have a central access rule – a conditional access rule – in NTFS on the properties of this file. It can specifically say, "We're going to allow access to this file if the user's department and the resource's department match." So you can write these conditional access statements using Boolean logic: this and this, then this equals this. Those types of scenarios are available to you, and it enriches the NTFS permission system.


Troubleshooting Permissions


Now things don't always go as planned. Users are able to access resources that they should not be accessing. And then we have those problems where users are trying to get to where they are supposed to get to, but they can't. So, pulling their hair out, they're calling the helpdesk. Let's talk about how we can help them get access to those resources. So let's talk about troubleshooting NTFS permissions. The first question we want to look at is, how do I test or troubleshoot NTFS permissions? So let's talk about some tricks, some tips, some things to watch for. The first thing I want to mention is that Microsoft makes this a little easier for us because they have this option on the properties of the file called Effective Permissions. It's really a way to specify a user, maybe the user in question who is having trouble, and it shows you what their actual permissions are. Now one thing to be aware of is that this is calculating only NTFS permissions. It's not taking into account the Share tab or a firewall or application permissions. So it's just looking at the effective NTFS permissions. But hey, it's very, very useful.

Now, if you also need to evaluate or monitor access to an object over a period of time, you can do that with the help of security auditing. So there's a two-step process to that. Number one: you have to enable what is called Object Access Auditing, which means turning on a policy on the machine where the resource is located. So, if it's a local Windows 10 machine, then you need to define the policy against that local machine. If it's on a server, then you're going to turn the policy on on the server. After the policy is turned on – and that's in policies – then you can come back to the object. You go to the Security tab, and there is an Auditing tab there. That's the SACL. It's not called SACL in the interface, but that's what it technically is in the security descriptor. And, there in the Auditing tab, you can indicate what and who you want to audit. So you can put the Everyone group in there and audit Full Control; that's just going to gather everything. Or you can be very specific, and audit a particular group or user if they're having trouble accessing it or there is some suspicion as to who is accessing this object. So you've got auditing available to you, which reports security events around that object – access events around that object – in the Security log in Event Viewer. You also have Effective Permissions, which is really handy.
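The two-step auditing procedure as an added PowerShell example (not the course's own): turn on the File System audit subcategory, add audit entries to a folder's SACL, and read back the resulting Security-log events. The folder path is an assumption, and the script must run elevated because writing a SACL needs the security privilege.

```powershell
# Added example, not from the course: object access auditing end to end.
using namespace System.Security.AccessControl

$Target = 'D:\Finance'   # assumed folder to watch

# Step 1: the policy. "File System" is the advanced-audit subcategory under
# Object Access; without it the SACL entries below never produce events.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: the SACL on the object. Audit every failed access by Everyone, plus
# successful writes and deletes. Successful reads are left out to limit noise.
$inherit = [InheritanceFlags]::ContainerInherit -bor [InheritanceFlags]::ObjectInherit
$failAll = [FileSystemAuditRule]::new('Everyone', [FileSystemRights]::FullControl,
               $inherit, [PropagationFlags]::None, [AuditFlags]::Failure)
$okWrite = [FileSystemAuditRule]::new('Everyone',
               ([FileSystemRights]::WriteData -bor [FileSystemRights]::Delete),
               $inherit, [PropagationFlags]::None, [AuditFlags]::Success)

$acl = Get-Acl -Path $Target -Audit       # -Audit is required to read/write the SACL
$acl.AddAuditRule($failAll)
$acl.AddAuditRule($okWrite)
Set-Acl -Path $Target -AclObject $acl

# Step 3: read what was recorded. 4656 = handle to an object was requested
# (this is where failures show up); 4663 = an attempt was made to access an object.
function Get-ObjectAccessEvents {
    param([string]$PathPrefix, [int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.ObjectName -like "$PathPrefix*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Id      = $_.Id
                    Outcome = ($_.KeywordsDisplayNames -join ',')   # Audit Success / Audit Failure
                    User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Object  = $d.ObjectName
                    Access  = $d.AccessMask                          # hex mask of the rights requested
                    Process = $d.ProcessName
                }
            }
        }
}

Get-ObjectAccessEvents -PathPrefix $Target | Format-Table -AutoSize
```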

Now one of the reasons why you might find yourself in a troubleshooting situation with NTFS is because the file or folder has moved. So the question I want to look at now is, do NTFS permissions change if we move objects around from NTFS volume to NTFS volume? Or what happens if we just move it to a different folder on the same volume? Good question. Well, there are different types of file operations, right. We have copy, and we have move. So let's talk about what happens if you copy it. Now, if you copy a file, you're creating a duplicate of it. So there is going to be more than one instance. And, in that case, that's no different than creating a new one. So you right-click, create new. What happens? Well, that file inherits permissions from its parent. The same is true of copy: if you copy a file, you're essentially creating a new one, and so it's going to inherit permissions from its parent. So the original permissions are not a factor. However, what happens to permissions if you move a file? Well, I'm glad you asked. And the short answer is, it depends. The reason it depends is because... well, let's look at this. If I move a file to a different NTFS volume, then it inherits permissions. The reason it inherits permissions is because a move between NTFS volumes is technically not a move. What it technically is, is a copy-and-delete operation. So it duplicates the original file, which then inherits from the parent, and then deletes the original over here. And so that's what a move is between volumes.

But there is a different story if you're doing a move within the same volume. If you're doing a move within the same volume, you get different behavior. And the reason you're getting different behavior is because the actual file isn't being copied, nor are the bits being picked up and put back down in a different place on the drive. Instead, when you move within the same volume, all that changes is the pointer – the reference. So this file is going to have a new parent, but the actual bits don't come off the disk and get written back down. And therefore it keeps, or retains, the original permissions. So that's something to watch out for. If you're expecting the permissions to change when you move this file to this folder, they are not going to by default. They're going to remember the old permissions, because all that's being edited is the pointer. Now a final comment I want to make about this: when you're moving or copying files to another volume that isn't NTFS – like a FAT drive here, like a USB stick – well, FAT doesn't support NTFS permissions, so the permissions are just dropped altogether. Now there is a way to override the default behavior of moving and copying, and that's to use Robocopy instead. Robocopy is a built-in tool. It's a fan favorite, and it allows you to copy files, folders, and subfolders. And there are a dozen or so switches that go along with it. They allow you to indicate how you want things to be copied. So this includes the ability to selectively copy just folders with content, or copy folders and subfolders even if they're empty. And there are also options and parameters to control whether or not you want to retain permissions, or whether you want to mirror a location. So Robocopy is a rich tool for moving and copying files. And it also supports NTFS permissions.
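An added example (not from the course) that lets you watch the copy and same-volume move cases on a scratch folder, then shows the Robocopy switches that carry the ACL across volumes. The paths, the Guests ACE used as a marker, and the second volume E:\ are assumptions.

```powershell
# Added example, not from the course: where an explicit ACE ends up after a
# copy, a same-volume move, and a Robocopy with security copied.
$Base = Join-Path $env:TEMP 'acl-demo'
$Src  = Join-Path $Base 'src'; $Dst = Join-Path $Base 'dst'
Remove-Item $Base -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $Src, $Dst | Out-Null

# Tag one file with an explicit (non-inherited) ACE so we can track it.
$file = Join-Path $Src 'report.txt'
Set-Content -Path $file -Value 'constructed sample'
$acl  = Get-Acl $file
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    'BUILTIN\Guests', 'Read', 'Allow'))            # identity, rights, type
Set-Acl -Path $file -AclObject $acl

function Get-ExplicitAces([string]$Path) {
    # Only ACEs set directly on the object; anything inherited comes from the parent.
    (Get-Acl $Path).Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { "$($_.IdentityReference) $($_.AccessControlType) $($_.FileSystemRights)" }
}

# 1. Copy = a new object: it inherits from $Dst and the marker ACE is gone.
$copied = Join-Path $Dst 'copied.txt'
Copy-Item $file $copied
"copy  -> explicit ACEs: $((Get-ExplicitAces $copied) -join '; ')"

# 2. Move within the volume = only the directory entry changes, so the
#    marker ACE travels with the file (MoveFile does not rewrite the ACL).
$moved = Join-Path $Dst 'moved.txt'
Move-Item $file $moved
"move  -> explicit ACEs: $((Get-ExplicitAces $moved) -join '; ')"

# 3. Move across volumes = copy + delete, i.e. case 1 again. Robocopy can
#    carry the ACL anyway: /COPY:DATS adds S (the DACL) to data/attrs/times,
#    /COPYALL also takes owner and auditing, /E keeps empty subfolders,
#    /MIR mirrors and deletes extras at the destination.
$Other = 'E:\Archive'   # assumed second volume
if (Test-Path 'E:\') {
    robocopy.exe $Dst $Other /E /COPY:DATS /R:1 /W:1 | Out-Null
    "robocopy -> explicit ACEs: $((Get-ExplicitAces (Join-Path $Other 'moved.txt')) -join '; ')"
}
```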


Explaining EFS


Have you ever wondered what EFS stands for? Have you ever wondered why EFS files are green? Have you ever wondered how to share an EFS file? We're going to talk about the encrypted file system here, a lot of great stuff. So what does EFS stand for? Well, this is the answer to your first question, isn't it? Encrypted file system. Now EFS is really not a file system by itself; it's actually an extended attribute and part of NTFS. It allows you to encrypt files on a per-user basis. Now EFS provides transparent cryptography. What that simply means is the user can easily go to the properties of the file, turn on encryption, and it's encrypted. Or they can create a folder, mark that for encryption, and anything they stick in the folder becomes secure, becomes encrypted.

Now it's transparent because the user is not actually opening up the file and trying to provide, you know, an encryption key. That's not needed, or any of that; it's transparent. The file is just encrypted by the file system, and they can open and close the file just like they normally would. That's because EFS is using user certificates. So, when the user goes to encrypt a file for the first time, the file system looks for a certificate that includes the user's name and private and public key. And, when it finds that certificate, it will use that certificate to enable EFS. Now, if it doesn't have a certificate, it will make one. In an enterprise – in an organization with a public key infrastructure – you can actually go and ask Active Directory Certificate Services and say, "Hey, I'm supposed to encrypt files here, can you give me a certificate to do so?" And you can have one automatically issued, where the user automatically enrolls for the certificate. But that means you have to set up your infrastructure to support that. All right, now this is NTFS, and one final comment here: because the file is encrypted, its name is shown in green. So there is a subtle but visual indicator that the file has been protected and encrypted.

All right, let's double-click into this topic here and explore how EFS works. Now, in order to understand how EFS works and how it ties to certificates, let me explain that we're not dealing just with certificates; we're also dealing with another set of keys as well. So, to explain this, every file that gets encrypted has this header. And, if I open up this header here, you can see that there are a couple of important fields. There is what is called the data decryption field, and then there might be some data recovery fields. Now the data decryption field is the one I want to bring your focus to. This field has in it what is called the file encryption key. Now the file encryption key is also called the FEK, but you want to be careful saying that too fast; slow your speech, because it might come out differently. So "F-E-K" might work much better. So we've got the file encryption key over here, and this is known as a symmetric key. This is not part of the certificate. This key is unique to this file, so that if the key is compromised – if it happens to be stolen somehow – then the only file it would be affecting is this particular file. There is no master key here which would allow them to access the other files. So this is the file encryption key for this particular file. It's symmetric, so it's not public/private; it's just one key. This one symmetric key encrypts the file and decrypts the file; it's used to encrypt the content and also to decrypt the content.

Now what happens is, after you indicate the file needs to be encrypted, this FEK gets created. It encrypts the data. Then the FEK gets stored up here in this data decryption field – kind of like locking your house and sticking your house key right underneath the mat. Now that doesn't seem all that secure, does it? Well, here is where the certificates come in. The user certificate comes in here: it takes the public key of the user certificate and encrypts this header right here. So the header gets protected. To be exact, it's going to protect this one particular part where the user's FEK is stored. It encrypts that one part, so that's like putting it in a box and putting a padlock on it. That's what the user certificate does. So, when the user wants to go and decrypt this file, what they do is take the private key from their user certificate. They take the private key, they open this up – right, the data decryption field – and that exposes the FEK, which they can then use to decrypt the file down here. So we're using two different kinds of keys: asymmetric keys to protect the file encryption key, and the file encryption key to protect the data inside the file. Now that might seem kind of strange. Why do that? Why not just skip the whole file encryption key and go straight with the user certificate keys?

Well, the reason they do that is because symmetric keys are faster. The file itself is going to vary in length; it could be a really long file, or it could be a short file. Symmetric keys are going to handle the various sizes of files and be able to apply cryptography, or encryption, to them in a better-performing way than the public/private key pair of a user certificate. So it makes sense to use the user certificate's public and private key to secure the file encryption key, and to rely on the symmetric file encryption key to protect the data inside the file. So it's a performance issue. Cryptography demands a lot from processors. This is an optimization.

Now this brings up another important point. What happens if something goes wrong with that user certificate? Remember, in order to decrypt this, we're using the user's private key. So let's say the user's profile gets corrupted, or the user removes the private key from the system, which you can do. You can export the user certificate along with the private key off the system. And then you can't decrypt the files anymore, and that would really secure these encrypted files. Well, if that happens and the user can't get back to the key, can't find it, or for whatever reason this file needs to be decrypted but we don't have the original user private key – well, then what we're going to do is resort to using a recovery agent. Also inside this file right here is what is known as the data recovery fields. So that same file encryption key might be listed in the header more than once. And, when it's listed in the header more than once, it might be protected by recovery agent certificates, so that, in the event we have to recover some files that belong to a user, the IT portion of our organization can rely on a data recovery agent to come and recover the files. Now this has some implications for you. If you decide to implement EFS, you have to account for this. You have to be prepared for data recovery. So that means you have to decide how you're going to recover encrypted files in the event that you need to do so.
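The key hierarchy described in the last few paragraphs (a per-file symmetric FEK, a DDF holding the FEK wrapped with the user's public key, and DRFs holding it wrapped with recovery agents' keys) as an added PowerShell model built on .NET crypto. It is not EFS's own code or on-disk format; AES and RSA-OAEP stand in for whatever algorithms EFS uses, and the key pairs and sample document are constructed.

```powershell
# Added example, not from the course: a model of the EFS key hierarchy.
using namespace System.Security.Cryptography

function Protect-EfsLikeFile {
    param([byte[]]$Plaintext, [RSA[]]$RecipientKeys)   # index 0 = user, the rest = recovery agents
    $aes = [Aes]::Create()                              # a fresh symmetric FEK + IV for this file only
    $aes.GenerateKey(); $aes.GenerateIV()
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # Header: the same FEK wrapped once per public key. Field 0 plays the DDF,
    # the others the DRFs. OAEP is randomized, so the wrappings look unrelated.
    $fields = [System.Collections.Generic.List[byte[]]]::new()
    foreach ($k in $RecipientKeys) {
        $fields.Add($k.Encrypt($aes.Key, [RSAEncryptionPadding]::OaepSHA256))
    }
    $iv = $aes.IV
    $aes.Dispose()                                      # drops our copy of the FEK
    return [pscustomobject]@{ IV = $iv; Fields = $fields; Body = $body }
}

function Unprotect-EfsLikeFile {
    param($Protected, [RSA]$PrivateKey)
    # Try each header field: the user's key opens the DDF, an agent's key a DRF.
    foreach ($wrapped in $Protected.Fields) {
        try   { $fek = $PrivateKey.Decrypt($wrapped, [RSAEncryptionPadding]::OaepSHA256) }
        catch { continue }                              # this field was not wrapped for our key
        $aes = [Aes]::Create(); $aes.Key = $fek; $aes.IV = $Protected.IV
        $plain = $aes.CreateDecryptor().TransformFinalBlock($Protected.Body, 0, $Protected.Body.Length)
        $aes.Dispose()
        return $plain
    }
    throw 'No header field opens with this key: the user key is gone and no recovery agent matches.'
}

# Constructed demo: a user key pair, a recovery agent key pair, an unrelated
# key pair, and a small document. RSA.Create() gives 2048-bit keys by default.
$user = [RSA]::Create(); $dra = [RSA]::Create(); $other = [RSA]::Create()
$doc  = [Text.Encoding]::UTF8.GetBytes('constructed sample: quarterly numbers')
$p    = Protect-EfsLikeFile -Plaintext $doc -RecipientKeys @($user, $dra)

'user  : ' + [Text.Encoding]::UTF8.GetString((Unprotect-EfsLikeFile $p $user))   # DDF path
'agent : ' + [Text.Encoding]::UTF8.GetString((Unprotect-EfsLikeFile $p $dra))    # DRF path
try { Unprotect-EfsLikeFile $p $other | Out-Null } catch { 'other : ' + $_.Exception.Message }
```

In real EFS only the certificate's public key is present on the encrypting side; here the same RSA object holds both halves for brevity.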


Configuring EFS


Well, I want to show you now how to configure EFS. There are a couple of different ways in which you can do this. For instance, one of the ways is by going to the properties of the file. You can also encrypt files and use EFS from the command line; there is a command-line tool called cipher that can help you do that. And then managing the user certificates can be done through the Certificates MMC. And a lot of the configuration for EFS, from a corporate standpoint, can be managed and juggled from Group Policy. Now, to have a look at how you actually encrypt a file on the local system, it's pretty straightforward. You just go to the properties of the file. There is an Advanced button right there, and you can turn on encryption. There is also the option to dig into the details to look at those headers. So you can actually see the data decryption field and the data recovery field. They're not presented that way in the details, but nevertheless you can see what users, or what certificates, have been used to protect that file. You can also share it with other users and add their certificates to it, so you can see what users you've shared the file with. Now, from the server standpoint, or Active Directory standpoint, you can use Group Policy to control EFS. This means turning it off altogether if you need to, as well as configuring other settings that relate to the certificates and how EFS is being implemented in your organization.

[Slide: EFS GPO Setting Configuration. EFS services can be centrally enabled, disabled, or set to require a smart card using Active Directory Group Policy. Like permissions, EFS must be defined at the actual file or folder where it should be enabled. Screenshots shown: the "EFS Doc01.txt Properties" dialog, whose General tab has an "Advanced" button that opens the "Advanced Attributes" page with the "Encrypt contents to secure data" checkbox; and the Group Policy Management Editor with the "Encryption File System" node selected, opening the "Encrypting File System Properties" dialog with its General (including the "Elliptic Curve Cryptography" section), Certificates, and Cache tabs.]

All right. Let's have a look now at EFS best practices and some tips around recovery. Starting with the fact that managing EFS is best done through Group Policy and through, you know, centralized configuration. One of the factors you have to be aware of is that users can start using EFS for their own files whether you enable it or have a policy for it or not. So that means you run the risk of them encrypting their own files without you knowing about it, and then the possibility of you not being able to get back into those files if it's, you know, intellectual property that belongs to the corporation. So, if you're not going to use EFS, it might be a good idea to disable it. And that can also be done centrally. If you are going to use it, well, there are some really important things that you want to enable centrally. You're going to want to back up your user certificates and keys, and you can have those backed up into Active Directory. Have a good recovery plan in place, right. Those are going to be some important things. And then take advantage of EFS: it supports things like folder redirection and being able to protect, you know, the user stores where the users are storing their data. So you can use it to encrypt the Documents folder, for example. So these are just some good recommendations around EFS.
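The command-line side of both the configuration and the best-practice sections above (encrypting with cipher, inspecting which certificates can open a file, backing up the user's EFS certificate with its private key, and generating a recovery agent key pair) as an added PowerShell example, not the course's own. The folder name and export location are assumptions.

```powershell
# Added example, not from the course: EFS from the command line plus key backup.
$Docs = Join-Path $env:USERPROFILE 'Documents\Confidential'   # assumed folder
New-Item -ItemType Directory -Path $Docs -Force | Out-Null

# Encrypt the folder and everything under it; files created later inherit it.
cipher.exe /E "/S:$Docs"

# The file system flags each encrypted file; this is what Explorer shows in green.
Get-ChildItem $Docs -File -Recurse |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
    Select-Object FullName

# Per-file view of the header: the users that can decrypt (DDF entries) and
# the recovery certificates (DRF entries) protecting each file's FEK.
cipher.exe /C $Docs

# Find the certificate EFS picked for this user (EFS EKU 1.3.6.1.4.1.311.10.3.4)
# and export it with the private key. If this key is lost and no recovery
# agent exists, the files are gone.
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($efsCert) {
    $pw   = Read-Host -AsSecureString -Prompt 'Password for the PFX backup'
    $path = Join-Path $env:USERPROFILE 'efs-backup.pfx'   # assumed; move it off the machine
    Export-PfxCertificate -Cert $efsCert -FilePath $path -Password $pw | Out-Null
    "Backed up $($efsCert.Thumbprint) to $path"
} else {
    'No EFS certificate with a private key found for this user.'
}

# Recovery agent: cipher /R writes <name>.cer (publish it through Group Policy
# under Public Key Policies > Encrypting File System > Add Data Recovery Agent)
# and <name>.pfx (the agent's private key; keep it offline). Uncomment to run.
# cipher.exe /R:EfsRecoveryAgent
```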

BitLocker Overview

The next data protection technology I want to look into is BitLocker. BitLocker isn't new. It was introduced back with Windows Vista, but it's really critical to protecting our devices. So let's explore the features and characteristics of BitLocker, and we'll start with an overview. First question we want to ask and answer is what exactly is this BitLocker thing? Well, BitLocker is disk encryption. And it's an important feature because it allows businesses to protect mobile devices, to protect machines that might be at risk physically from being stolen. So this could include desktops that are exposed in maybe public spaces, or servers even. Just think of the fact that there are thousands of laptops that go missing every week. And they have, of course, corporate data on there, sensitive information on there. In fact, one study I read said something like over half a million laptops are stolen or lost every year in US airports. That's a real danger to your corporation when it's a corporate-owned laptop. And it's got company information on there, intellectual property on there. So BitLocker comes to the rescue and helps us secure those devices.

Right. So here is how BitLocker actually provides that protection. One of its primary jobs is to encrypt the operating system drive and the data drive, the entire volume. And so you can select which volumes it protects. With the operating system drive protected, of course, you're protecting key critical parts of the device, the OS, and then keeping your data safe. Well, if you have a separate volume for that, well, BitLocker can encrypt that as well. And this means it's going to protect it from a range of different types of attacks, including attacks that are offline, where the drive is stolen and they try to attack it from a different operating system. One other final point I want to make is that unauthorized users can't get access. But, of course, BitLocker needs to provide authorized users access. And so there are a couple of different ways in which you can implement BitLocker. Users can basically put in a PIN number to access their systems, or maybe a smart card. Or you might rely strictly on TPM chips to make it even more convenient for them. Or you might have some sort of a network detection feature that unlocks the drive when the drive or the device is in the corporate network. So you've got several different ways in which you can implement BitLocker protections as well. So this is a quick summary of some of the things that BitLocker can do for us.

Now, in order for BitLocker to accomplish or provide those kinds of protections, let's talk about the different components that contribute, or that BitLocker requires. You need to have at least two hard disk partitions. You're going to have, of course, an operating system partition. But you also need to have this guy, right here, that's your system partition. This is the one that contains those boot files. Now there are several editions that actually support BitLocker. In previous Windows releases like Windows 7, it required Enterprise edition. Starting with Windows 8, we've got support for both Pro and Enterprise edition. But, if you don't have Pro or Enterprise, you still might have encryption available to you. And I'll talk to you about device encryption coming up. Now, for boot validation, you really need to have TPM. In fact, if you're going to do BitLocker, it's really recommended that you have a Trusted Platform Module chip, or TPM, because TPM is going to give you added protection. It's also going to give you boot validation. What that means is BitLocker is going to become aware of your system. It takes measurements, basically, of your BIOS and your firmware and of the motherboard and the key hardware components and software components. And so it recognizes when it's no longer attached to the original system. So, if someone does rip out that hard drive and tries to do an offline attack, BitLocker knows at that point that it's an offline attack, because it can no longer validate the boot environment. So that's another important protection in regards to certain types of attacks. And it mentions here that TPM does require a degree of compliance with Trusted Computing Group specifications. And it's recommended that you have UEFI firmware, but you can also have a TCG-compliant BIOS.

BitLocker and Device Encryption

Now, to help you understand BitLocker, the next thing I want to do is compare BitLocker to EFS. So, if you're familiar with the way EFS works, EFS is kind of a per-user encryption scheme and it's particularly targeting files. So you got file encryption. You have the ability to manage it centrally here with Group Policy. It doesn't require any special hardware. We're not doing disk encryption. We're not doing boot validation. EFS is per user. Now compare that to BitLocker Drive Encryption. With BitLocker Drive Encryption, it's not per user. Instead, what this says is it's disk encryption. So it's device protection. We still have some of the centralized controls and management controls that we have with EFS. So it supports Group Policy, and we have recovery agents or recovery keys we can implement.

Now this third and final column is another type of implementation of BitLocker. This here is called BitLocker To Go. And as you can see that it, basically, is using some of the features that BitLocker provides. And it's applying those to removable data or like a removable drive. So that's where the special hardware comes in for BitLocker To Go. Under BitLocker Drive Encryption is special hardware, well, that's referring to the TPM chip. BitLocker To Go is protecting a removable drive. So we're not relying on TPM there. So there is a difference there in that column or that row, I should say, in regards to special hardware. We're still doing full-disk encryption though with BitLocker To Go. So we're protecting the actual flash drive, encrypting it with a BitLocker algorithm. But we're not relying on TPM, and then there is centralized policy for that. So here are three different encryption technologies from Microsoft. And you can see that they are really designed for different case scenarios. EFS is user based and file specific. You can use this in combination with BitLocker Drive Encryption, which is device specific. And then, when it comes to removable drives, you can apply BitLocker protection with BitLocker To Go.

Now here is another comparison. But this time we're comparing it to another type of device protection called device encryption. So we've got BitLocker here – traditional BitLocker, which we can enable either by going into Control Panel or actually through imaging. There is also centralized management through Active Directory Group Policies. Or you can use the MDOP tool – MBAM, so Microsoft BitLocker Administration and Monitoring is what that stands for. BitLocker also supports a variety of different places to store or escrow your recovery keys. And then it's only allowed for Pro and Enterprise editions. And then there is the requirement for that separate system partition. Another mention here that a TPM chip is recommended. Now compare that to device encryption. Device encryption was introduced to support any edition of Windows and to also provide some level of protection, because we rely so much on these mobile devices. Well, we want to keep them protected. So device encryption comes along and says, "We will protect it out of the box automatically in a very similar fashion to what BitLocker does." BitLocker being something more designed for businesses, device encryption for personal devices. And what we've got here is automatic encryption for devices that support InstantGo or Connected Standby. This is a device that's a Windows 10-certified device. It's got special functions and hardware and software features that support what is called Connected Standby or InstantGo, and it also supports device encryption. Now this is something that doesn't have a dependency on the different editions of Windows, but it does have a dependency on the cloud. So you have to have a cloud account, a Microsoft account, or an Azure Active Directory account. And the benefit here is also using the cloud for your recovery. So your keys are escrowed and protected there in OneDrive.

So even if you don't have Pro or Enterprise edition, you might actually have a device that's already being encrypted because of this automatic device encryption. All right. Now I'm going to look at some of the features that are new in Windows 10, so, for instance, with automatic device encryption, which we were just talking about. What is new in Windows 10 is the fact that it supports Azure AD, not just the Microsoft account. Another new feature here is the fact that you can protect virtual machines with BitLocker. So you can see here the magic behind that is vTPM. And the v stands for, you guessed it, virtual. Right. So virtual TPM – Trusted Platform Module. And then here are a couple of features. There are several other features that Windows 10 BitLocker inherits from Windows 8 and 8.1; this is just a couple. You got improved protections from offline attacks. That's in reference to a certain known attack vector called Direct Memory Access attacks. And so there are some techniques in Windows 8.1 that avoid that. And there are some countermeasures, I should say, that can respond to that. Another thing here is if you have an InstantGo or certified Windows device, there are specific types of ports that are not permitted, like FireWire and Thunderbolt, because those are attack vectors that can be used to do an offline attack against a BitLocker-protected machine's memory. And so those are not even permitted on certain certified Windows 10 devices, as a countermeasure to these different types of offline attack, so some measures there. And then some self-service features here. The fact that users can change their own PIN code that they use when they want to unlock the device. So that's kind of a convenience measure but useful to kind of lower the total cost of ownership around supporting BitLocker. Now this isn't all of the features that come with BitLocker. But this is just a highlight of some that you can look forward to using.

Configuring BitLocker

All right. So we've talked a little bit about some of the new features in BitLocker, some of the what, some of the why. Now what I want to do is look more into the how – how it works and how to configure it. So let's get into configuring BitLocker. So now what I want to do is talk about how BitLocker works a little bit before we get into the configuration, and that's the key protectors. Now key protectors are important to understand because when you go to implement or configure BitLocker, you have to choose what kind of key protector you want to use. So let's start from the beginning here. The way this works is this drive gets protected with a full volume encryption key. The full volume encryption key is securely stored on that system boot volume right there, which is then protected by a set of key protectors. Now ideally, you're using a TPM chip to add additional protection to this. And then you can actually pair that TPM protection with one of these key protectors. And you can see that can include a PIN number, a USB stick, and then recovery keys in the event that you need to have a recovery agent access a drive. There are a couple of situations where that might be required. Now, to get a good idea of what the key protectors are, or the different implementation options are, look at this slide here – available key protectors.

So what we've got here is the operating system, fixed data and removable data drive, so different types of drives and the different key protector options. This includes TPM only, or you can combine that with a PIN number if you like. In many cases, TPM only is really all that you need, especially if the device is a Windows 10-certified device. So, just being certified with Secure Boot and with UEFI and a limited number of different serial port technologies combined with TPM and BitLocker, it's a pretty secure device. But, if you want added protection, then you might consider TPM and PIN. Or, if it's like not a certified device, then you might want to consider TPM and PIN. We've got kind of the less desirable key protectors like a USB stick. Then we've got options for convenience like automatic unlock or network unlock, so different kinds of key protector options. These are things you have to evaluate for your organization to decide how you best want to implement BitLocker, what is best for you when you go to implement BitLocker. And you can configure this either on the system or we can configure these key protectors with the help of Group Policy.

Now imagine this situation. Imagine you're doing some remote administration against a machine that has TPM and PIN BitLocker protection – could be a server, could be a desktop, could be a laptop, maybe in a docking station. Now what happens is you apply a patch to it. You need to reboot it so that you can then do the next part of your administration. But BitLocker gets in your way because it's prompting for a PIN number. And there is nobody in front of the machine to supply the PIN number because you're doing this administration from the other part of the building, right, from the convenience of your cubicle. So Microsoft introduced network unlock for those particular scenarios. The whole idea here is that a BitLocker-protected machine can be made aware of the corporate network, can look for a WDS and DHCP server – like, you know, it normally looks for DHCP, but also WDS – with the additional intention in mind of unlocking and retrieving the key to unlock the system and not requiring a PIN number. So, when it's on the network, it just relies on TPM and the network detection and the infrastructure server to unlock it. So nobody has to be in front of the box physically. However, you still have BitLocker protection. Like if it's a server and someone steals it and takes off with it, or it's a laptop and you're out and you're away from the corporate environment, it can't locate those servers, so then it can prompt for the PIN number. So network unlock eases some of the administration issues that, you know, come up when you BitLock machines that are in your corporate environment. But at the same time, it makes it kind of intelligent, right. So then, when you're not on that network, you have the additional protection of requiring the PIN to unlock the device.

Using BitLocker

Now there are a couple of different ways in which you can implement BitLocker. So let's talk about some key protector recommendations. If you've got Windows 8 devices or earlier, Microsoft recommends that you use the standard TPM and PIN number – the two-factor key protector combo – for your BitLocker implementation. You're not going to use a USB stick because those get lost, stolen, crushed, and they are a pain to keep track of. But TPM and PIN number – those are pretty solid, give you great protection against a variety of different types of attacks. Now here is some good news. If you move up in the world, right, in terms of edition – so you're using Windows 8.1 and Windows 10 – because of the enhancements they have made to BitLocker and to other parts of the operating system, you really only need TPM protection. You can get rid of that one additional layer of requiring a PIN number, and that's because of the additional countermeasures built into Windows-certified devices. You also have protection against rootkits with UEFI and Secure Boot. So, when you take into full account all the additional security features that are included in Windows 10, it makes the PIN number, according to Microsoft, less required, making using BitLocker more convenient. Then again, if you're paranoid, right, and you got a high-security system or you got some real important property on there, you want to ensure additional protection, you can take the extra step. And you can go back to two-factor TPM and PIN even if it's a Windows 10-certified device.
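
Here is an added PowerShell example (mine, not the course's) that puts the key protector table and the recommendation above into practice: TPM-only on a certified Windows 10 device, TPM and PIN where you want two-factor, and in every case a recovery password that is escrowed in Active Directory before any maintenance can ever trip recovery. It assumes an elevated session with the built-in BitLocker and TrustedPlatformModule modules, that C: is the operating system drive, and that the domain already accepts BitLocker recovery information.

```powershell
# Added example (not from the course): turn on BitLocker for the OS drive with the
# key protector chosen per the recommendation above, then add and escrow a recovery
# password. Assumes an elevated session, C: as the OS drive, and AD escrow allowed.
Import-Module BitLocker
Import-Module TrustedPlatformModule

function Test-TpmReady {
    # Get-Tpm reports whether a TPM is present and initialized for use
    $tpm = Get-Tpm
    return [bool]($tpm.TpmPresent -and $tpm.TpmReady)
}

function Enable-OsDriveBitLocker {
    param(
        [string]$MountPoint = 'C:',
        [switch]$RequirePin,   # two-factor TPM+PIN (older devices or high-value data)
        [switch]$NewDisk       # brand-new drive: used-space-only; recycled drive: full
    )
    if (-not (Test-TpmReady)) {
        throw 'No ready TPM on this machine; see the "BitLocker without TPM" exercise'
    }
    $common = @{
        MountPoint       = $MountPoint
        EncryptionMethod = 'XtsAes256'
        UsedSpaceOnly    = [bool]$NewDisk
        SkipHardwareTest = $true     # skip the reboot-and-test pass; keep it for first rollouts
    }
    if ($RequirePin) {
        $pin = Read-Host -AsSecureString 'Startup PIN'
        Enable-BitLocker @common -TpmAndPinProtector -Pin $pin | Out-Null
    } else {
        Enable-BitLocker @common -TpmProtector | Out-Null
    }
    # The 48-digit recovery password is what the recovery screen asks for; add it now
    # so a recovery path exists before any firmware or hardware change.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
           Select-Object -First 1
    # Escrow into the computer account's msFVE-RecoveryInformation object in AD
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
                      @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}

# Certified Windows 10 device, fresh disk: TPM only
# Enable-OsDriveBitLocker -NewDisk
# Older device or high-value data: TPM + PIN
# Enable-OsDriveBitLocker -RequirePin
```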

Now configuring BitLocker has improved with Windows 10. You have a few methods and some enhancements. Let's talk about these. You have automatic provisioning available to you that can be done especially with, like, an InstantGo device, or BitLocker can be streamlined as part of the imaging process. So you can have BitLocker applied. User enabled means after the fact – after you've issued BitLocker – a user could go in. And there is a BitLocker control, and they can turn on BitLocker and manage it, you know, on their personally-owned device. Or it's a specially used corporate-owned device, and the user is an administrator. So there is some user ability there. And so you can actually check it out for yourself, right. If you have your own laptop, you're an IT professional, and you're an admin on your local machine, you want to learn a little bit more about how BitLocker works, you can turn it on before you implement it for everybody else. And then we've got policy based, which is the way you do it for everybody else, right. This is how you're going to drive it centrally. So, with policy based, you're going to enable BitLocker, configure the different key protectors, your specific implementation, along with how you're going to protect it for recovery purposes, right, your recovery strategy that can be implemented through policy. Now Microsoft also has an additional set of tools that you can add to the mix called MBAM. I'll talk about that here. I've got another section dedicated to MBAM, but that can also be part of the toolset that you use for provisioning and managing BitLocker.

Now, in terms of enhancements around this configuration conversation, that includes used space only, which is kind of handy. What this means is BitLocker can be applied to just the portion of the hard disk where you've got data on it. So this is especially useful if you've got brand new hard drives. There is not much on them at all. You flip on used space only. Now the reason this is recommended for brand new hard drives and not recycled drives is because there are tools out there that can retrieve data even after you've deleted the data. So, if you are recycling hard drives, BitLocker with used space only is not recommended; you want to use BitLocker and encrypt the entire drive. Used space only is ideally an option you enable when you go to apply BitLocker to brand new systems.

You can have pre-provisioning set up – so these two, kind of, go hand in hand – TPM auto-provisioning as well, and then eDrive support. So, if you have a hard drive with cryptography built into it, it's got maybe a processor for eDrive or encryption offloading. So advanced encrypted drives are supported by BitLocker as well. In fact, there are actually a lot of third-party vendors who used to be in the business of creating their own encryption software. Some of them actually have gotten out of the business and have started providing tools and utilities to support BitLocker instead, because BitLocker is tried and true. Well, it's a well-received disk drive encryption technology. Now Windows 10 also supports BitLocker To Go. You can use this to protect removable drives. It uses the BitLocker algorithm, doesn't use TPM because this is BitLocker on the move, right. So you got a USB stick. It's encrypted. And then you're going to need to provide a password for it. So BitLocker To Go is available in those places where you want to lock down a removable drive.

[Heading: How BitLocker Protects Removable Drives? A screenshot of the "BitLocker TO GO Reader" dialog box is displayed. This dialog box includes a text field for password and the "Unlock" button.]

MBAM

Now, when BitLocker was first released, it was well received except in places which were not so simple. So those more complex environments, those more scalable, larger organizations, well, those locations required centralized monitoring and a management tool that complements the built-in BitLocker feature. And it was not out there. So Microsoft developed one called Microsoft BitLocker Administration and Monitoring. And so let's talk about MBAM as a way of providing additional centralized management of BitLocker-protected machines. Now our first question here is what is MBAM? Well, MBAM is part of desktop optimization, or MDOP – Microsoft Desktop Optimization Pack. And MDOP is actually a collection of products. So MBAM is one of several different products specially designed to target volume license customers, enterprise customers. And I think it's useful because MBAM is bundled, right, with these other features as well, so that increases the overall value of MDOP. So, if you have MDOP, you actually get Advanced Group Policy Management as well, not just centralized BitLocker management.

Now, if you don't want MBAM, right, then you can still use BitLocker, because BitLocker doesn't require a special agent. It's just built into the Windows 10 Pro or Windows 10 Enterprise edition. I mean it's in the OS. Now the key phrase behind MBAM is centralized management. So think about the challenges of applying BitLocker-protected encryption to 5,000 client devices. Think about the challenges of monitoring those devices and ensuring they are in compliance. Think about the challenges that would go with recovering those devices, ensuring that you have a recovery path, right, in case something goes wrong. So you want something like MBAM when you have problems of scale, scope, and complexity. So MBAM comes along and makes a difficult environment easier to manage. I think without MBAM, in those kinds of complex environments, managing BitLocker comes close to being a little bit impossible. Now, if you're an organization that needs to be sure you can report compliance when it comes to encrypted devices, MBAM is also important for you. So MBAM really sets out and seeks to make managing BitLocker easier and reduce the cost associated with device encryption.

So let's talk about some of the MBAM features and what it provides you. Remember, this is really useful where you have a lot of users and you need to provision BitLocker on multiple devices. So you have the ability to enable BitLocker and then manage other parts of BitLocker's life cycle, so things like exemptions and things like your recovery solution – in fact with recovery, there is a self-service portal, which can reduce cost, so users can log into a web portal and recover their own machines – managing your TPM centrally, and then detailed reporting. So MBAM has got an improved reporting feature over some of the other reporting options that are out there. And what this can do is give you kind of immediate compliance status and alert you to devices that are BitLocked or not. Then there is PowerShell support and integration with System Center. And then there is integration with other third-party products as well that's available. Another aspect of MBAM that I want to mention is in some of the latest releases of MBAM. You also have support for high availability. So you got a SQL database that drives a lot of your MBAM configuration. And so there is high availability in that, so load balancing with that. If you have a complex multi-forest environment, MBAM supports that. And another thing that MBAM supports is if you're a government agency and you require device encryption that supports FIPS – which is the federal standard for device encryption – well, BitLocker and MBAM also support that. So there are a host of features that make MBAM very useful, especially for enterprises.

Now here is a look at how MBAM works. This is the architecture or topology. So let's walk through this. I want to point out that this does not include System Center. So System Center might also be something we've integrated into this topology. So we can redirect, like, compliance information, reporting information to System Center, but that's not part of this particular topology. Let's start over here. We've got our database functions on our database server, where we're storing recovery data and compliance and where we can generate reporting. Then we've got our web-based administration portal here where we can interact with the MBAM features, the administrative features. We can also configure a self-service portal. So this allows users, if they lock themselves out of their own devices, to actually go here and recover their own devices, and that can reduce cost. So there is a component in MBAM that supports a self-service portal.

Then I want you to notice that there is a reliance here on Group Policy. So the IT administrator can configure and define MBAM Group Policy templates, deliver those, of course, through Active Directory. And then our clients here can receive those and then apply those, and that can include a variety of different types of configuration. So for instance, one of the things you can do is you can require that the users have their devices encrypted immediately. You can have the devices encrypted in the background for TPM only. So the user may not even be aware of the fact that they're being protected with BitLocker. You can also require TPM and PIN number. In that case, what would happen is a screen would pop up requiring them to enter a PIN number, to define the PIN number we want them to use to unlock the device. So we're using TPM and PIN as our key protectors in that case. And the user wouldn't be able to close the window down. They would be able to move it around in the event they're trying to read an important e-mail or something. But they would be prompted for that. You can also define a grace period where they have a certain period of time in which they can delay the encryption of the device. And you can set it to a zero-day grace period where BitLocker then gets deployed immediately. So you have multiple options. That's one of the benefits of MBAM: this centralized deployment.

Recovery and Maintenance

One of the challenges with good security is security is meant to keep bad people out. But, in the process of applying that security, you can also keep good people out. And so one of the things you have to plan for is what happens when the system needs to be serviced and you need to replace the motherboard? Or what happens when the firmware needs to be updated? So we need to talk now about recovery situations with BitLocker and how you can provide a path, and maybe even multiple paths, to restore those machines back to a functioning state and not keep yourself locked out, because BitLocker is great security. So it keeps the bad guys out. And you want to provide a recovery path so that the good guys can still get to the data if you need to. Now there are basically three ways to configure BitLocker recovery. The first way is to rely on a recovery password. Now these are 48-digit passwords. And so you can set those up, and you can store them online. You can save them somewhere. You can print them out. Then you can also support them or enable recovery keys. And recovery keys are nice because you can store them in the cloud or you can store them in Active Directory. And so what that does is it takes the computer account and attaches another object to it where it stores those recovery keys. That requires a schema extension in Active Directory, but that creates a central repository where you're going to store your BitLocker recovery information.

Now organizations can also designate a DRA. So DRA stands for data recovery agent, and I've also seen it called designated recovery agent. The whole idea here is this is an individual or individuals who have been configured with recovery certificates. And this enables the option to go and recover data for an organization, especially an enterprise. So these are well-trusted individuals with the necessary credentials to access these keys and recover users' machines for them. And then MBAM also has an option to escrow recovery keys and store them in its database, along with a self-service portal for the added convenience of users recovering their own machines from that database and, of course, they are going to have to provide legitimate credentials to do so. So there is a secure process you can enable with the help of MBAM so that users can recover their own machines. So you got several different options when it comes to BitLocker recovery.

So why is BitLocker recovery needed? Well, there are different situations which would throw the machine into a bad mood. And it will say to us, "Well, I will not go further until you supply me some recovery information." One of the key reasons it throws itself into a bad mood is if you come in there and you make a change to it. Now the change can be rather minor, like changing the boot order. Or it could be something far more significant, like failure of the disk or a hardware change, something along those lines. But the changes here tell BitLocker – especially if it's doing boot validation – that it suspects it's on a different system; it may not be. But, when it's suspecting it's on a different system – it experiences those changes, its world gets rocked, and it requires at that point a recovery path. So what if you have to do a maintenance task on your system and it's protected with BitLocker? Will it go into recovery mode? It will if you don't first suspend it. So there is a special mode called suspending. This is not the same thing as decrypting. Because, if you disable BitLocker, then it will go through this decryption process. And, if you got a lot of data on the disk, that could take a while, so what you do instead is you put it in suspend mode, which doesn't decrypt it. But it puts it in a position where it will receive changes, then recalculate its boot validations without throwing it into recovery mode. So things like modifying the TPM, changing the boot order, updating your firmware, even if you're moving it to, you know, a new motherboard, and so you're putting your hard drive in a new system because you know you have some sort of component failure. Well, then you can put it in suspend mode. You can make your maintenance changes, and that will save you the hassle of either decrypting it or going through recovery.
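
Here is an added PowerShell example (mine, not the course's) for the two halves of this section: suspending rather than decrypting before a firmware or motherboard change, refusing to do so unless a recovery password already exists, and pulling an escrowed recovery password back out of the computer account in Active Directory. It assumes an elevated session, C: as the operating system drive, the BitLocker module, recovery information escrowed in AD (schema extension in place), and the RSAT ActiveDirectory module wherever the lookup runs.

```powershell
# Added example, not part of the course. Assumptions: elevated session, C: is the
# OS drive, BitLocker recovery passwords are escrowed in AD, and the ActiveDirectory
# module (RSAT) is present on the machine doing the lookup.
Import-Module BitLocker

function Start-BitLockerMaintenance {
    # Suspend (do not decrypt) before firmware, boot-order or motherboard work, so the
    # next boot reseals the TPM measurements instead of dropping into recovery.
    param([string]$MountPoint = 'C:', [int]$RebootCount = 1)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint protection is already $($vol.ProtectionStatus)"
        return $vol
    }
    # Hardware work can still go wrong, so insist on a recovery path before suspending
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        throw "No recovery password protector on $MountPoint; add and escrow one first"
    }
    # RebootCount 1: protection resumes by itself after the next restart
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount
}

function Complete-BitLockerMaintenance {
    # Explicit resume in case the job needed fewer reboots than planned
    param([string]$MountPoint = 'C:')
    Resume-BitLocker -MountPoint $MountPoint
}

function Get-AdBitLockerRecoveryPassword {
    # Each escrowed recovery password is an msFVE-RecoveryInformation child object of
    # the computer account; its name contains the password ID shown on the recovery
    # screen, so the helpdesk can match the first characters the user reads out.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$PasswordIdPrefix
    )
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $ComputerName
    $objs = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated'
    if ($PasswordIdPrefix) {
        $objs = $objs | Where-Object { $_.Name -like "*{$PasswordIdPrefix*" }
    }
    foreach ($o in $objs) {
        [pscustomobject]@{
            Computer         = $ComputerName
            Created          = $o.whenCreated
            PasswordId       = $o.Name
            RecoveryPassword = $o.'msFVE-RecoveryPassword'
        }
    }
}

# Typical flow around a firmware update:
# Start-BitLockerMaintenance            # suspend, one reboot
# ...flash firmware, reboot...
# Complete-BitLockerMaintenance         # make sure protection is back on
# If a machine still lands on the recovery screen (hypothetical name and ID prefix):
# Get-AdBitLockerRecoveryPassword -ComputerName 'LAPTOP-042' -PasswordIdPrefix 'A1B2C3D4'
```

Reading the recovery password out of AD is a privileged operation; who can read the msFVE-RecoveryPassword attribute is exactly the "well-trusted individuals" question the DRA discussion above raises.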

Exercise: BitLocker without TPM

I have another challenge here for you. Let's say you're in front of a workstation like I am here and you decided to configure BitLocker. So you go to BitLocker; you bring it up here in the Control Panel settings; you attempt to turn it on; and you get this error message. So the challenge for us is how do I configure BitLocker for a device that doesn't have a TPM? Think about that for a moment. Where would you go? How would you do that? Feel free to pause the video while you're thinking about it, and once you're ready, go ahead and resume it.

So the challenge in front of us is configuring this device to support BitLocker when it doesn't have a TPM. And actually, the answer is right here in this message. It gives us at least a few clues. So where do we go? Well, this is a local machine. We could do this through Active Directory in our domain and configure this, but just for this individual machine I'm going to configure the local policy. Now the easiest way of doing that is to actually just bring up the local policy editor by typing gpedit.msc – like so – Edit group policy. And then we're going to configure the computer configuration. So again, see, it says Local Computer Policy - Computer Configuration. For BitLocker, we're going into Administrative Templates - Windows Components right here. And here's BitLocker Drive Encryption. And, if you remember that message, it tells me actually what category I need to step into next. So, if we go back into this message, it tells me that the policy is for OS volumes and it's Require additional authentication at startup. So that's really helpful here. I'm going to go to Operating System Drives right here, and then the next thing I need to do is find the one that says Require additional authentication at startup.

So there are actually a couple of these. This one here which is the newer one and then this one here which is legacy, we're going to go to this one here, click on this. There we go. I'm going to choose Enabled and right here Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive). So this is what we want to make sure we have turned on. Checkmark right there, hit OK. And that's it. That's what completes our challenge in response to turning on BitLocker for a machine that doesn't have a TPM. So, as you can see now, it's validating the PC's configuration. Well done.
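
For the same exercise, here is an added PowerShell example (mine, not the course's) that sets the registry values behind the Require additional authentication at startup policy, including the Allow BitLocker without a compatible TPM checkbox, and then turns BitLocker on with a password protector, the no-TPM option the checkbox text names. It assumes an elevated session on a standalone machine, C: as the operating system drive, and the BitLocker module; the value names are the ones the BitLocker ADMX policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example, not part of the course: the local-policy change from the exercise
# expressed as the registry values the ADMX policy writes, followed by enabling
# BitLocker with a password protector. Assumes an elevated session, standalone
# machine (no domain policy overriding these values), and C: as the OS drive.
Import-Module BitLocker

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Enable-BitLockerWithoutTpmPolicy {
    # Same values "Require additional authentication at startup" = Enabled writes,
    # with the "Allow BitLocker without a compatible TPM" checkbox ticked.
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    $values = @{
        UseAdvancedStartup = 1   # policy Enabled
        EnableBDEWithNoTPM = 1   # the checkbox from the exercise
        UseTPM             = 2   # 2 = allow, 1 = require, 0 = do not allow
        UseTPMPIN          = 2
        UseTPMKey          = 2
        UseTPMKeyPIN       = 2
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $FvePolicy -Name $name -Value $values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
    Get-ItemProperty -Path $FvePolicy |
        Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN
}

function Enable-OsDriveBitLockerWithPassword {
    param([string]$MountPoint = 'C:')
    $policy = Get-ItemProperty -Path $FvePolicy -ErrorAction SilentlyContinue
    if ($policy.EnableBDEWithNoTPM -ne 1) {
        # Without the policy, Enable-BitLocker fails for the same reason Control Panel did
        throw 'Policy not set: run Enable-BitLockerWithoutTpmPolicy first'
    }
    $pw = Read-Host -AsSecureString 'Startup password for the OS drive'
    # Password protector is the no-TPM choice; a startup key on USB is the alternative
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $pw `
        -SkipHardwareTest | Out-Null
    # Still add a recovery password: a forgotten startup password has no other way back in
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus,
                      @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}

Enable-BitLockerWithoutTpmPolicy
Enable-OsDriveBitLockerWithPassword
```

On a domain-joined machine the equivalent setting should come from a domain GPO as the presenter notes, since policy values written locally are overwritten at the next policy refresh.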