What Do You Want to Protect with BitLocker?
Updated: October 30, 2009
Applies To: Windows 7, Windows Server 2008 R2
In most organizations, it is not feasible or necessary to protect all drives. A more targeted approach based on possible threats, as well as legal requirements, is recommended. To plan your enterprise deployment of BitLocker, you must first understand your current environment. Conduct an informal audit to define your current policies, procedures, and hardware environment. Focus on the following areas that BitLocker might affect:
Begin by reviewing your existing corporate security policies as they relate to disk encryption software. If your organization is not currently using disk encryption software, none of these policies will exist. If you are using disk encryption software, then you might need to modify your organization's policies to address the capabilities of BitLocker.
IT department structure
Before you can understand how BitLocker affects deployment of new computers and retirement of outdated computers, you should fully understand how your IT department currently manages desktop computers and servers. Additionally, it is important to understand how your organization handles the procurement of removable drives.
BitLocker on operating system drives requires a separate system partition. This configuration is created by default when the Windows 7 or Windows Server 2008 R2 operating system is installed, but organizations should ensure that standard computer images include the system partition.
Current and future hardware considerations
Documenting the existing hardware that is deployed in your environment helps you discover how your current environment will support BitLocker. BitLocker on operating system drives is recommended with the use of a Trusted Platform Module (TPM).
What data are you required by law to protect by encryption?
For some organizations, this can be sensitive records, legal documents, or human resources information. A review of all regulations imposed on your organization should be conducted to determine your legal obligation to encrypt data. When this is complete, an inventory should be conducted to determine where this data is stored.
Are your computers and drives physically secure?
Some computers, such as desktop computers and servers, are not likely to leave a physically secure location. This can mean that BitLocker protection is less important or that a lower level of protection is appropriate. In comparison, removable drives or portable computers that often leave the secure confines of your organization should be treated differently and with a higher level of protection. For more information about determining levels or protection, see How Strong Do You Want the BitLocker Protection?.
Do some divisions or departments have more sensitive data than others?
Some organizations may want to use BitLocker for specific departments that inherently handle more sensitive data. For instance, it might make sense to require all portable computers in the Legal and Human Resources departments to be BitLocker-protected, while for the rest of the organization it is optional.
Should all data drives be protected by BitLocker?
To help ensure that proprietary data is only stored on BitLocker-protected drives, Group Policy settings can be configured to only grant write access to data drives after they are protected by BitLocker. When these policy settings are enabled, users are notified that the drive will be read-only until they encrypt it with BitLocker. Drives will continue to be read-only until encryption of the drive is 100 percent complete.
Encryption times vary based on the read/write speeds of the drive and the drive size. During encryption, drive performance will be affected. However, after the initial encryption is completed, the performance impact of BitLocker is usually not noticeable. Consider recommending that users of larger drives start encryption so that it occurs during non-working hours so the usage of their computer will not be affected.
Additional considerations for removable data drives
In many organizations, the use of removable data drives is not strictly controlled and the drives are not centrally provisioned by the IT department. Individuals can bring in personally procured drives and write data to them and then remove the data from the organization. In addition, removable data drives, such as external hard drives and USB flash drives, can easily be lost or stolen due to their portability and size. In some instances, an employee can lose a USB flash drive and not even know it is lost. BitLocker can be used in conjunction with other methods of controlling removable devices; for example, the use and distribution of enhanced storage (IEEE 1667–compliant) USB flash drives. IEEE 1667 "Standard protocol for Authentication in Host Attachments of Transient Storage Devices" is the specification published by the Institute of Electrical and Electronics Engineers (IEEE) that describes various methods for authenticating transient storage devices such as USB flash drives when they are inserted into a computer. For more information about using enhanced storage policies, see Introducing Enhanced Storage Access (http://go.microsoft.com/fwlink/?LinkId=164235).
You can also use the Group Policy setting Deny write access to removable drives not protected by BitLocker to only grant write access to BitLocker-protected drives configured within your organization. When this setting is enabled, if an individual enables BitLocker on a drive by using a computer that is not a member of your domain and then unlocks it on a computer that is a member of your domain, the drive will be opened as read-only. BitLocker determines whether or not the removable drive is a member of your organization by using a unique identifier value that is written to the drive when it is first encrypted with BitLocker. If the value written on the drive does not match the value stored by Group Policy for your organization, the drive will be unlocked as read-only. If you have other organizations that you collaborate with or that you trust, you can configure the setting with a list of identifiers that are associated with allowed organizations so that removable drives configured by that organization will be allowed to be used with full rights on computers in your organization.
|If you require the use of BitLocker on removable drives, you cannot use a removable drive to store BitLocker keys. This means that a startup key cannot be used to unlock the operating system drive nor can a recovery key be used to recover access to a BitLocker-protected drive.|
For step-by-step instructions for configuring these settings, see Scenario 5: Requiring BitLocker Protection on Data Drives (Windows 7) (http://go.microsoft.com/fwlink/?LinkID=164237).