Export (0) Print
Expand All
39 out of 47 rated this helpful - Rate this topic

Best Practices for BitLocker in Windows 7

Updated: May 3, 2010

Applies To: Windows 7, Windows Server 2008 R2

We recommend that you familiarize yourself with the best practices in the following areas so that you can implement them appropriately in your deployment plan:

BitLocker Group Policy settings

There are four categories of Group Policy settings available for BitLocker Drive Encryption:

  • Global settings that affect all BitLocker-protected drives

  • Operating system drive settings

  • Fixed data drive settings

  • Removable data drive settings

The following table identifies the policy settings that we recommend for use with your BitLocker deployment. Policies should be applied to computers based on the level of protection needed, the unlock methods desired, and the recovery methods desired.

noteNote
This table does not include all available BitLocker Group Policy settings. See the BitLocker Group Policy Reference for a complete list of BitLocker Group Policy settings. Some settings cannot be applied to computers running Windows Vista.

 

Category Setting name Recommended setting

Global

Choose drive encryption method and cipher strength

Set to not configured.

Global

Prevent memory overwrite on restart

Set to not configured.

Global

Provide the unique identifiers for your organization

Set to enabled, and enter an identifier in the BitLocker identification field.

Operating system drives

Choose how BitLocker-protected operating system drives can be recovered

Set to enabled, save BitLocker recovery information to Active Directory Domain Services (AD DS) for operating system drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for operating system drives, and omit recovery options from the BitLocker setup wizard.

For more information about storing BitLocker recovery information in AD DS, see Backing Up BitLocker and TPM Recovery Information to AD DS.

Operating system drives

Configure minimum PIN length for startup

Set to enabled, and require a personal identification number (PIN) of at least seven numerals.

Operating system drives

Require additional authentication at startup

Set to enabled, and require the use of a startup PIN with a Trusted Platform Module (TPM).

Fixed data drives

Choose how BitLocker-protected fixed drives can be recovered

Set to enabled, save BitLocker recovery information to AD DS for fixed data drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for fixed data drives, and omit recovery options from the BitLocker setup wizard.

Fixed data drives

Configure use of passwords for fixed data drives

If your organization does not have a public key infrastructure (PKI), set to enabled, require password complexity, and set a minimum password length of at least 12 characters.

Fixed data drives

Configure use of smart cards on fixed data drives

If your organization has a PKI, set to enabled, and require the use of smart cards with fixed data drives.

Removable data drives

Choose how BitLocker-protected removable drives can be recovered

Set to enabled, save BitLocker recovery information to AD DS for removable data drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for fixed data drives, and omit recovery options from the BitLocker setup wizard.

Removable data drives

Configure use of passwords for removable data drives

Set to enabled, set a minimum password length of at least 12 characters, and require password complexity if your organization does not have a PKI or if there is a need to access BitLocker-protected drives from computers running Windows XP or Windows Vista.

Removable data drives

Configure use of smart cards on removable data drives

Set to enabled, and require the use of smart cards with removable data drives if your organization has a PKI.

Removable data drives

Control use of BitLocker on removable drives

Set to enabled, and allow users to apply BitLocker protection on removable drives.

Removable data drives

Deny write access to removable data drives not protected by BitLocker

Set to enabled, and disallow write access to devices configured in another organization.

noteNote
This policy cannot be enabled if your organization uses recovery keys or startup keys. Recovery keys and startup keys must be stored on unencrypted USB drives.

securitySecurity Note
The computer name and drive label are stored unencrypted in the BitLocker metadata. If the computer name or drive labels contain personal or other identifying information, it will be exposed in plaintext on the drive. Additionally, if a smart card certificate is used with BitLocker, the public key and certificate thumbprint are stored unencrypted in the BitLocker metadata. A malicious user could use this information to locate the certification authority (CA) that was originally used to generate the certificate and could then attempt to extract personal information from the CA.

BitLocker operations

These are general operational recommendations for organizations that are planning to use BitLocker in their environment.

 

Recommended practice Reason

Provide end-user training before requiring BitLocker use on desktop and mobile computers.

Using BitLocker to protect drives will require users to change how they interact with their computers. For example, if you decide to require a startup PIN and USB key to unlock the operating system drive, instruct users not to record the PIN that they use for BitLocker authentication in an easily accessed location, such as a note under the keyboard or inside a laptop case, and not to leave a USB flash drive containing the startup key connected to the computer or stored in the same location as the computer. Create policies for the use of recovery keys and inform users of the recovery process decided upon for your organization. If you plan to use password protection for BitLocker on removable drives, inform users of the password requirements in advance so that they can prepare a strategy for remembering their passwords before they configure BitLocker.

Use multifactor authentication on operating system drives.

Using multifactor authentication increases drive security. Operating system drives can be authenticated by using any of the following key protector combinations:

  • TPM (version 1.2) and PIN

  • TPM and startup key stored on a USB flash drive

  • TPM, startup key, and PIN

Store recovery information in AD DS.

If you choose to store recovery information on an NTFS hard drive, the recovery information might be obtained by untrusted individuals who were able to gain access to the hard drive and then used to unlock the BitLocker-protected drive. By storing recovery information in AD DS, the user must be able to be authenticated by the domain as a data recovery agent to obtain the recovery information for the drive.

Suspend and resume BitLocker protection immediately following recovery of an operating system drive.

When access to an operating system drive is recovered, the recovery key is stored unencrypted on the hard disk, and the drive will be unprotected until you suspend and resume BitLocker.

Disable the use of standby mode for portable computers if you are using BitLocker on operating system drives. To do this, open the Local Group Policy Editor. Under Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings, set Allow Standby States (S1-S3) When Sleeping (Plugged In) to Disabled, and then set Allow Standby States (S1-S3) When Sleeping (On Battery) to Disabled.

BitLocker protection is in effect only when the computer is turned off or in hibernation.

If there is any concern that BitLocker keys have been compromised, it is recommended that you either format the drive to remove all instances of the BitLocker metadata from the drive or that you decrypt and encrypt the entire drive again.

noteNote
Deleting the partition by using the Virtual Disk service does not invalidate the BitLocker metadata.

The BitLocker metadata must be removed before new BitLocker keys will be created.

Encrypt drives prior to writing sensitive data to them when possible.

Some wear-leveling algorithms used by flash-based memory drives could expose data stored in plaintext. Encrypting the drive prior to writing sensitive data to it ensures the data is never stored in plaintext.

Suspend BitLocker before making any major computer configuration changes (such as changing locales, installing a language pack, modifying the boot order, or updating the BIOS), and then resume BitLocker protection after the changes are complete.

Configuration changes that apply to the entire computer often change the boot configuration data (BCD) settings. If you are using a TPM with BitLocker, this is interpreted as a boot attack on reboot and the computer will require that the user enter the recovery password or recovery key to start the computer. Suspending and then resuming BitLocker protection resets the BCD measurement for the computer so BitLocker recovery mode is not initiated when the computer is restarted.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.