Published: April 04, 2007
Until just a few years ago, laptop computers were still relatively rare in most organizations. Laptops were typically issued only to workers who traveled extensively and to executives. Today, laptops are more powerful than ever, but they are also ubiquitous. They are no longer assigned to a select few—they even outnumber desktop computers in some organizations. And as their storage capacity increases, they become increasingly valuable repositories for all types of sensitive data.
The tremendous increase in the number of laptops has been accompanied by a corresponding increase in the number of lost or stolen laptops. Laptop security is a serious problem for most midsize to large organizations. A recent study by the Ponemon Institute, "Confidential Data at Risk," states that "eighty-one percent of 484 survey respondents report that their organizations have experienced one or more lost or missing laptop computers containing sensitive or confidential business information in the past 12-month period." Although the replacement costs are significant, the direct and indirect costs of a security breach when a stolen laptop has important or sensitive data stored on the hard disk drive can be significantly greater.
Some kinds of information are protected by federal or national laws, some by state, provincial, or regional laws, and some by industry regulations. The number of laws, jurisdictions, and sensitivity classifications is growing as the number of laptops increases. Loss of a laptop computer could expose an organization to significant fines and civil liability, depending on the amount of effort that was expended on preemptive security measures. And the direct and indirect costs after a security breach can include difficulty in retaining customers and the loss of credibility and reputation.
Microsoft provides tools to address security concerns for laptop computers. Properly encrypted data on a laptop can make it much harder for sensitive data to be retrieved if the laptop is lost or stolen. By using Microsoft® BitLocker™ Drive Encryption (BitLocker) and the Encrypting File System (EFS) appropriately, sensitive data can be protected from a wide range of common attack vectors.
This guide, the Microsoft Data Encryption Toolkit for Mobile PCs Security Analysis, provides specific details about the levels of security that can be achieved using BitLocker and EFS. The Enterprise and Ultimate editions of Windows Vista™ support the full range of security features described in this guide, and a significant and useful subset is available in Microsoft Windows® XP. Several levels of protection are available, depending on the features and configurations applied. In the most secure configurations, a malevolent attacker would require an extraordinary amount of resources to decrypt the data on a hard disk drive.
The Security Analysis will help you understand how features in Windows Vista and Windows XP help mitigate or reduce specific security risks in your organization. This guide will help you to:
The security features discussed in this guide were developed using industry-accepted technologies. For example, the Microsoft implementation of the cryptographic algorithms used for BitLocker and EFS are certified according to the US Federal Government Federal Information Processing Standard (FIPS) 140-1, and the implemented algorithms are all mature. This adherence to industry-accepted technologies is important because some state and national data privacy laws provide exemptions or mitigating factors for organizations that can show they have made good-faith efforts to follow best practices for data security.
Who Should Read This Guide?
This guide is intended for security specialists who are responsible for policy and technology decisions or recommendations for dozens to thousands of client computers, especially laptops. The technology and related threats are not generally applicable to a home user or home network. You should read this guide if your responsibilities include:
The information contained in this guide is advanced and detailed, and is not intended as a primer on security, encryption, file systems, or other fundamental topics of security and system administration.
This section provides overviews of the chapters in this guide.
Chapter 1: Risk Discussion introduces the security threats that can be addressed by BitLocker and EFS. It also includes a discussion of the scenarios used throughout the rest of the Security Analysis to provide a more concrete framework for discussing risks and benefits.
Chapter 2: BitLocker Drive Encryption focuses on the BitLocker Drive Encryption technology introduced in Windows Vista. It discusses how you can use BitLocker to help mitigate specific security threats described in Chapter 1, and includes configuration samples that you can use as starting points to develop a robust BitLocker implementation in your organization.
Chapter 3: Encrypting File System describes how EFS works and how you can use it to help mitigate specific threats in your environment.
Chapter 4: BitLocker and EFS Together shows you how to combine BitLocker and EFS to mitigate threats more effectively than either technology by itself.
Chapter 5: Choosing the Right Solution provides discussions and tools to help security specialists choose the appropriate combination of features and configuration items for their particular organizations.
This guidance uses the style conventions that are described in the following table.
In addition to this Security Analysis, the Data Encryption Toolkit for Mobile PCs includes other documents and tools that you may find useful:
Many valuable resources are available to help decision makers achieve a broader context or a deeper understanding of security issues in Microsoft Windows networks. A great starting place is the Security Guidance page on Microsoft TechNet.
Specific advice for addressing the security requirements of domain management can be found in the Best Practice Guide for Securing Windows Server Active Directory Installations.
Support and Feedback
The Solution Accelerators – Security and Compliance (SASC) team would appreciate your thoughts about this and other Solution Accelerators. Please contribute comments and feedback to email@example.com. We look forward to hearing from you.
Solution Accelerators provide prescriptive guidance and automation for cross-product integration. They present proven tools and content so you can plan, build, deploy, and operate information technology with confidence. To view the extensive range of Solution Accelerators and for additional information, visit the Solution Accelerators page on Microsoft TechNet.
The Solution Accelerators - Security and Compliance team (SA-SC) would like to acknowledge and thank the team that produced the Data Encryption Toolkit for Mobile PCs Security Analysis. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this solution.
Mike Smith-Lonergan - Microsoft
David Mowers - Securitay, Inc.
Bill Canning - Microsoft
Paul Flynn - 3Sharp, LLC
Tommy Phillips - Butternut Software
Paul Robichaux - 3Sharp, LLC
Steve Wacker - Wadeware LLC
Vijay Bharadwaj - Microsoft
Tom Daemen - Microsoft
Mike Danseglio - Microsoft
Kurt Dillard - Microsoft
Jeff Hatfield - Wireless Ink Inc.
Erik Holt - Microsoft
Russell Humphries - Microsoft
David Kennedy - Microsoft
Douglas MacIver - Microsoft
Greg Petersen - Avanade Inc.
Ben Wilson - ASG Group
Alain Meeus - Microsoft
Jim Stuart - Microsoft
Karina Larson - Microsoft
Gaurav Singh Bora - Microsoft
Sumit Ajitkumar Parikh - Infosys Technologies Ltd.
Swaminathan Viswanathan - Infosys Technologies Ltd.
Swapna Rangachari Jagannathan - Infosys Technologies Ltd.
Neethu Thomas - Infosys Technologies Ltd.