Overview

Published: April 04, 2007

Until just a few years ago, laptop computers were still relatively rare in most organizations. Laptops were typically issued only to workers who traveled extensively and to executives. Today, laptops are more powerful than ever, but they are also ubiquitous. They are no longer assigned to a select few—they even outnumber desktop computers in some organizations. And as their storage capacity increases, they become increasingly valuable repositories for all types of sensitive data.

The tremendous increase in the number of laptops has been accompanied by a corresponding increase in the number of lost or stolen laptops. Laptop security is a serious problem for most midsize to large organizations. A recent study by the Ponemon Institute, "Confidential Data at Risk," states that "eighty-one percent of 484 survey respondents report that their organizations have experienced one or more lost or missing laptop computers containing sensitive or confidential business information in the past 12-month period." Although the replacement costs are significant, the direct and indirect costs of a security breach when a stolen laptop has important or sensitive data stored on the hard disk drive can be significantly greater.

Some kinds of information are protected by federal or national laws, some by state, provincial, or regional laws, and some by industry regulations. The number of laws, jurisdictions, and sensitivity classifications is growing as the number of laptops increases. Loss of a laptop computer could expose an organization to significant fines and civil liability, depending on the amount of effort that was expended on preemptive security measures. And the direct and indirect costs after a security breach can include difficulty in retaining customers and the loss of credibility and reputation.

Microsoft provides tools to address security concerns for laptop computers. Properly encrypted data on a laptop can make it much harder for sensitive data to be retrieved if the laptop is lost or stolen. By using Microsoft® BitLocker™ Drive Encryption (BitLocker) and the Encrypting File System (EFS) appropriately, sensitive data can be protected from a wide range of common attack vectors.

This guide, the Microsoft Data Encryption Toolkit for Mobile PCs Security Analysis, provides specific details about the levels of security that can be achieved using BitLocker and EFS. The Enterprise and Ultimate editions of Windows Vista™ support the full range of security features described in this guide, and a significant and useful subset is available in Microsoft Windows® XP. Several levels of protection are available, depending on the features and configurations applied. In the most secure configurations, a malevolent attacker would require an extraordinary amount of resources to decrypt the data on a hard disk drive.

The Security Analysis will help you understand how features in Windows Vista and Windows XP help mitigate or reduce specific security risks in your organization. This guide will help you to:

  • Identify common threat vectors and risks in your environment.
  • Understand how to mitigate specific risks and threats by using BitLocker and EFS, individually and in combination.
  • Prepare to mitigate security threats that are not addressed by BitLocker or EFS.
  • Understand selected security features and technology available in Windows Vista.

The security features discussed in this guide were developed using industry-accepted technologies. For example, the Microsoft implementation of the cryptographic algorithms used for BitLocker and EFS is certified according to the US Federal Government's Federal Information Processing Standard (FIPS) 140-1, and the implemented algorithms are all mature. This adherence to industry-accepted technologies is important because some state and national data privacy laws provide exemptions or mitigating factors for organizations that can show they have made good-faith efforts to follow best practices for data security.

Who Should Read This Guide?

This guide is intended for security specialists who are responsible for policy and technology decisions or recommendations for dozens to thousands of client computers, especially laptops. The technology and related threats are not generally applicable to a home user or home network. You should read this guide if your responsibilities include:

  • Making decisions about or recommending security policy and technology.
  • Implementing server or client security policy.
  • Evaluating security technology.
  • Integrating security policy with other computer management policies or technologies.

The information contained in this guide is advanced and detailed, and is not intended as a primer on security, encryption, file systems, or other fundamental topics of security and system administration.

Chapter Contents

This section provides overviews of the chapters in this guide.

Chapter 1: Risk Discussion introduces the security threats that can be addressed by BitLocker and EFS. It also includes a discussion of the scenarios used throughout the rest of the Security Analysis to provide a more concrete framework for discussing risks and benefits.

Chapter 2: BitLocker Drive Encryption focuses on the BitLocker Drive Encryption technology introduced in Windows Vista. It discusses how you can use BitLocker to help mitigate specific security threats described in Chapter 1, and includes configuration samples that you can use as starting points to develop a robust BitLocker implementation in your organization.

Chapter 3: Encrypting File System describes how EFS works and how you can use it to help mitigate specific threats in your environment.

Chapter 4: BitLocker and EFS Together shows you how to combine BitLocker and EFS to mitigate threats more effectively than either technology by itself.

Chapter 5: Choosing the Right Solution provides discussions and tools to help security specialists choose the appropriate combination of features and configuration items for their particular organizations.

Style Conventions

This guidance uses the style conventions that are described in the following table.

Element            Meaning

Bold font          Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold.

Italic font        Titles of books and other substantial publications appear in italics.

<Italic>           Placeholders set in italics and within angle brackets – <file name> – represent variables.

Monospace font     Depicts code and script samples.

Note               Alerts the reader to supplementary information.

Important          Alerts the reader to essential supplementary information.

More Information

In addition to this Security Analysis, the Data Encryption Toolkit for Mobile PCs includes other documents and tools that you may find useful:

  • The Planning and Implementation Guide describes how to plan for and implement BitLocker and EFS to protect your mobile PCs.
  • The Microsoft Encrypting File System Assistant tool (EFS Assistant) helps you automate the process of finding and encrypting sensitive files on computers that run Windows XP and Windows Vista.
  • The EFS Assistant Administrator's Guide explains how administrators can deploy and manage the EFS Assistant on domain-joined computers to provide consistent protection across business units or an entire enterprise.

Many valuable resources are available to help decision makers achieve a broader context or a deeper understanding of security issues in Microsoft Windows networks. A great starting place is the Security Guidance page on Microsoft TechNet.

Specific advice for addressing the security requirements of domain management can be found in the Best Practice Guide for Securing Windows Server Active Directory Installations.

Support and Feedback

The Solution Accelerators – Security and Compliance (SASC) team would appreciate your thoughts about this and other Solution Accelerators. Please contribute comments and feedback to secwish@microsoft.com. We look forward to hearing from you.

Solution Accelerators provide prescriptive guidance and automation for cross-product integration. They present proven tools and content so you can plan, build, deploy, and operate information technology with confidence. To view the extensive range of Solution Accelerators and for additional information, visit the Solution Accelerators page on Microsoft TechNet.

Acknowledgments

The Solution Accelerators - Security and Compliance team (SA-SC) would like to acknowledge and thank the team that produced the Data Encryption Toolkit for Mobile PCs Security Analysis. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this solution.

Development Leads

Mike Smith-Lonergan - Microsoft

David Mowers - Securitay, Inc.

Program Manager

Bill Canning - Microsoft

Content Developers

Paul Flynn - 3Sharp, LLC

Tommy Phillips - Butternut Software

Paul Robichaux - 3Sharp, LLC

Editor

Steve Wacker - Wadeware LLC

Reviewers

Vijay Bharadwaj - Microsoft

Tom Daemen - Microsoft

Mike Danseglio - Microsoft

Kurt Dillard - Microsoft

Jeff Hatfield - Wireless Ink Inc.

Erik Holt - Microsoft

Russell Humphries - Microsoft

David Kennedy - Microsoft

Douglas MacIver - Microsoft

Josh Phillips

Greg Petersen - Avanade Inc.

Ben Wilson - ASG Group

Product Managers

Alain Meeus - Microsoft

Jim Stuart - Microsoft

Release Manager

Karina Larson - Microsoft

Testers

Gaurav Singh Bora - Microsoft

Sumit Ajitkumar Parikh - Infosys Technologies Ltd.

Swaminathan Viswanathan - Infosys Technologies Ltd.

Swapna Rangachari Jagannathan - Infosys Technologies Ltd.

Neethu Thomas - Infosys Technologies Ltd.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
