Published: April 04, 2007
Until just a few years ago, laptop computers were still relatively rare in most
organizations. Laptops were typically issued only to workers who traveled extensively
and to executives. Today, laptops are more powerful than ever, but they are also
ubiquitous. They are no longer assigned to a select few—they even outnumber desktop
computers in some organizations. And as their storage capacity increases, they become
increasingly valuable repositories for all types of sensitive data.
The tremendous increase in the number of laptops has been accompanied by a corresponding
increase in the number of lost or stolen laptops. Laptop security is a serious problem
for most midsize to large organizations. A recent study by the Ponemon Institute,
"Confidential Data at Risk," states that "eighty-one percent of 484 survey respondents report
that their organizations have experienced one or more lost or missing laptop computers
containing sensitive or confidential business information in the past 12-month period."
Although the replacement costs are significant, the direct and indirect costs of
a security breach when a stolen laptop has important or sensitive data stored on
the hard disk drive can be significantly greater.
Some kinds of information are protected by federal or national laws, some by state,
provincial, or regional laws, and some by industry regulations. The number of laws,
jurisdictions, and sensitivity classifications is growing as the number of laptops
increases. Loss of a laptop computer could expose an organization to significant
fines and civil liability, depending on the amount of effort that was expended on
preemptive security measures. And the direct and indirect costs after a security
breach can include difficulty in retaining customers and the loss of credibility
and reputation.
Microsoft provides tools to address security concerns for laptop computers. Properly
encrypted data on a laptop can make it much harder for sensitive data to be retrieved
if the laptop is lost or stolen. By using Microsoft® BitLocker™ Drive Encryption
(BitLocker) and the Encrypting File System (EFS) appropriately, sensitive data can
be protected from a wide range of common attack vectors.
This guide, the Microsoft Data Encryption Toolkit for Mobile PCs Security Analysis,
provides specific details about the levels of security that can be achieved using
BitLocker and EFS. The Enterprise and Ultimate editions of Windows Vista™ support
the full range of security features described in this guide, and a significant and
useful subset is available in Microsoft Windows® XP. Several levels of protection
are available, depending on the features and configurations applied. In the most
secure configurations, a malevolent attacker would require an extraordinary amount
of resources to decrypt the data on a hard disk drive.
The Security Analysis will help you understand how features in Windows Vista
and Windows XP help mitigate or reduce specific security risks in your organization.
This guide will help you to:
- Identify common threat vectors and risks in your environment.
- Understand how to mitigate specific risks and threats by using BitLocker and EFS,
individually and in combination.
- Prepare to mitigate security threats that are not addressed by BitLocker or EFS.
- Understand selected security features and technology available in Windows Vista.
The security features discussed in this guide were developed using industry-accepted
technologies. For example, the Microsoft implementation of the cryptographic algorithms
used for BitLocker and EFS is certified according to the US Federal Government
Federal Information Processing Standard (FIPS) 140-1, and the implemented algorithms
are all mature. This adherence to industry-accepted technologies is important because
some state and national data privacy laws provide exemptions or mitigating factors
for organizations that can show they have made good-faith efforts to follow best
practices for data security.
Who Should Read This Guide?
This guide is intended for security specialists who are responsible for policy and
technology decisions or recommendations for dozens to thousands of client computers,
especially laptops. The technology and related threats are not generally applicable
to a home user or home network. You should read this guide if your responsibilities
include:
- Making decisions about or recommending security policy and technology.
- Implementing server or client security policy.
- Evaluating security technology.
- Integrating security policy with other computer management policies or technologies.
The information contained in this guide is advanced and detailed, and is not intended
as a primer on security, encryption, file systems, or other fundamental topics of
security and system administration.
Chapter Contents
This section provides overviews of the chapters in this guide.
Chapter 1: Risk Discussion
introduces the security threats that can be addressed by BitLocker and EFS. It also
includes a discussion of the scenarios used throughout the rest of the Security Analysis
to provide a more concrete framework for discussing risks and benefits.
Chapter 2: BitLocker Drive Encryption
focuses on the BitLocker Drive Encryption technology introduced in Windows Vista.
It discusses how you can use BitLocker to help mitigate specific security threats
described in Chapter 1, and includes configuration samples that you can use as starting
points to develop a robust BitLocker implementation in your organization.
Chapter 3: Encrypting File System
describes how EFS works and how you can use it to help mitigate specific threats
in your environment.
Chapter 4: BitLocker and EFS Together
shows you how to combine BitLocker and EFS to mitigate threats more effectively
than either technology by itself.
Chapter 5: Choosing the Right Solution
provides discussions and tools to help security specialists choose the appropriate
combination of features and configuration items for their particular organizations.
Style Conventions
This guidance uses the style conventions that are described in the following table.
| Element | Meaning |
|---|---|
| Bold font | Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold. |
| Italic font | Titles of books and other substantial publications appear in italics. |
| <Italic> | Placeholders set in italics and within angle brackets – <file name> – represent variables. |
| Monospace font | Depicts code and script samples. |
| Note | Alerts the reader to supplementary information. |
| Important | Alerts the reader to essential supplementary information. |
More Information
In addition to this Security Analysis, the
Data Encryption Toolkit for Mobile PCs includes other documents and tools
that you may find useful:
- The Planning and Implementation Guide describes how to plan for and implement
BitLocker and EFS to protect your mobile PCs.
- The Microsoft Encrypting File System Assistant tool (EFS Assistant) helps you automate
the process of finding and encrypting sensitive files on computers that run Windows
XP and Windows Vista.
- The EFS Assistant Administrator's Guide explains how administrators can deploy
and manage the EFS Assistant on domain-joined computers to provide consistent protection
across business units or an entire enterprise.
Many valuable resources are available to help decision makers achieve a broader
context or a deeper understanding of security issues in Microsoft Windows networks.
A great starting place is the
Security Guidance page on Microsoft TechNet.
Specific advice for addressing the security requirements of domain management can
be found in the
Best Practice Guide for Securing Windows Server Active Directory Installations.
Support and Feedback
The Solution Accelerators – Security and Compliance (SASC) team would appreciate
your thoughts about this and other Solution Accelerators. Please contribute comments
and feedback to
secwish@microsoft.com. We look forward to hearing from you.
Solution Accelerators provide prescriptive guidance and automation for cross-product
integration. They present proven tools and content so you can plan, build, deploy,
and operate information technology with confidence. To view the extensive range
of Solution Accelerators and for additional information, visit the
Solution Accelerators page on Microsoft TechNet.
Acknowledgments
The Solution Accelerators - Security and Compliance team (SA-SC) would like to acknowledge
and thank the team that produced the Data Encryption Toolkit for Mobile PCs Security
Analysis. The following people were either directly responsible for or made
a substantial contribution to the writing, development, and testing of this solution.
Development Leads
Mike Smith-Lonergan - Microsoft
David Mowers - Securitay, Inc.
Program Manager
Bill Canning - Microsoft
Content Developers
Paul Flynn - 3Sharp, LLC
Tommy Phillips - Butternut Software
Paul Robichaux - 3Sharp, LLC
Editor
Steve Wacker - Wadeware LLC
Reviewers
Vijay Bharadwaj - Microsoft
Tom Daemen - Microsoft
Mike Danseglio - Microsoft
Kurt Dillard - Microsoft
Jeff Hatfield - Wireless Ink Inc.
Erik Holt - Microsoft
Russell Humphries - Microsoft
David Kennedy - Microsoft
Douglas MacIver - Microsoft
Josh Phillips
Greg Petersen - Avanade Inc.
Ben Wilson - ASG Group
Product Managers
Alain Meeus - Microsoft
Jim Stuart - Microsoft
Release Manager
Karina Larson - Microsoft
Testers
Gaurav Singh Bora - Microsoft
Sumit Ajitkumar Parikh - Infosys Technologies Ltd.
Swaminathan Viswanathan - Infosys Technologies Ltd.
Swapna Rangachari Jagannathan - Infosys Technologies Ltd.
Neethu Thomas - Infosys Technologies Ltd.