
- Number of slides: 45
30th and 31st May 2007, Chateau Laurier, Ottawa
Protecting Data Using Microsoft Technologies
Kurt Dillard, kurt.dillard@microsoft.com, US Federal District, Microsoft
Agenda
Why Encrypt?
Encrypting File System
Rights Management Services
BitLocker Drive Encryption
Scenarios: Stolen PCs, Data Leaks, etc.
Wrap-up & Questions
Why Are We Talking About This?
“When should I use ______?” EFS, RMS, S/MIME, BitLocker, CAPICOM
“What is the right encryption to use?”
“Give me a strategic direction!”
Where is your Data Stored? SQL
What Technologies Can Be Used?
Access Control Lists (ACLs)
Encrypting File System (EFS)
Rights Management Services (RMS)
Role-based Access
BitLocker Drive Encryption
Application encryption
ACLs
Classic approach
Configured using: Windows Explorer, cacls.exe, xcacls.exe, Group Policy/Secedit
Good: protect against online/remote attackers
Bad: protecting against local Admins
Ugly: protecting against offline attacks
Roles-based access (RBAC)
Idealized approach
Must combine with other tech: ACLs, Encryption, Rights Management, App-specific authorization (e.g. SQL, Exchange)
Issues: Every Windows app has a different approach; still no better against offline attacks
Microsoft Windows Encrypting File System
The Encrypting File System (EFS) provides encryption for all of a user’s files and folders and is offered in both the Windows XP Professional desktop operating system and the Windows Server 2003 operating system
Microsoft Windows Encrypting File System
Ideal for protecting sensitive data and documents from unauthorized access
Can be managed with existing tools, such as Active Directory Group Policies
Features for recovering data due to lost encryption keys are built-in
Uses the FIPS 140 compliant algorithms included with Windows 2000 & later
Microsoft Windows Encrypting File System
Bad: Doesn’t protect against user error
Ugly: Doesn’t protect across multiple systems
Whitepaper: Encrypting File System in Windows XP and Windows Server 2003, http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
EFS: How it Works
Keys to EFS Bliss…
EFS – it’s all about secure recovery
Only three things you have to do:
1. All users logon to an AD domain
2. Define EFS DRA keys & certs via Group Policy
3. Backup the user’s private key from their certificate store
NOTE: none of this requires a PKI
PKI is one of the biggest blockers of EFS deployment
EFS myths
“Reboot into local Admin, you get full access” – Change the Windows 2000 default configuration via group policy
“EFS only uses NT passwords, so LM hash = instant hack” – EFS is only as strong as the user’s password, but there’s no ‘instant hack’ if deployed properly
“Users can turn it off, so no data is guaranteed encrypted” – Require encryption via group policy; don’t give users admin
“EFS kills performance” – On modern systems the impact is negligible once the initial encryption is complete
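Step 3 above (back up the user’s private key) is the one that most often gets skipped. The following PowerShell script is an added example, not from the deck: it locates the current user’s EFS certificates by their Encrypting File System EKU, exports each one with its private key to a password-protected PFX, and reports which files the key currently protects. It assumes Windows 8 / Server 2012 or later for Export-PfxCertificate; the backup folder and scan path are placeholders.

```powershell
# Added example: back up the current user's EFS private key and list the files it protects.
# Assumes PowerShell 5.1+ with the PKI module (Export-PfxCertificate); folder paths are placeholders.
param(
    [string]$BackupDir = "$env:USERPROFILE\EfsKeyBackup",  # placeholder; move the PFX off the machine afterwards
    [string]$ScanPath  = "$env:USERPROFILE\Documents"
)

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

# Only certificates that carry the EFS EKU and a usable private key can decrypt the user's files
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid)
}
if (-not $efsCerts) {
    throw 'No EFS certificate with a private key found; encrypt a file first, then back the key up.'
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the exported PFX'

foreach ($cert in $efsCerts) {
    # One PFX per certificate; the thumbprint ties the backup to the key it contains
    $pfx = Join-Path $BackupDir ("efs-{0}.pfx" -f $cert.Thumbprint)
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pfxPassword | Out-Null
    Write-Host ("Backed up {0} ({1}) to {2}" -f $cert.Subject, $cert.Thumbprint, $pfx)
}

# Files with the Encrypted attribute are unreadable without this key (or a DRA key)
$encrypted = Get-ChildItem -Path $ScanPath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
Write-Host ("{0} EFS-encrypted file(s) under {1}" -f @($encrypted).Count, $ScanPath)
```

Run it as the user whose files are encrypted; a DRA certificate defined in Group Policy is the second line of recovery and is not exported by this script.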
Microsoft Windows Rights Management Services (RMS) for Windows Server 2003 is information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use - both online & offline, inside and outside of the firewall
Microsoft Windows Rights Management Service (RMS) is ideal for protecting shared data and helps enforce organizational policies on content by encrypting individual files and emails
Data is protected regardless of where it goes: users can email files, copy them onto thumb drives or smartphones, or write them to CD-ROM and the data will continue to be encrypted
Data is even protected while in transit on the network
Can be managed with existing tools, such as Active Directory Group Policies
Features for recovering data due to lost encryption keys are built-in
Uses the FIPS 140 compliant algorithms included with Windows
Microsoft Windows Rights Management Services
Bad: Protecting against brilliant users
Ugly: Protecting against traitorous admins
RMS expiration
In the laptop scenario, RMS’s unique contribution = Expiration
“On every access” – not usable for laptops
“Every
Add users with Read and Change permissions Add advanced permissions Verify aliases & DLs via AD
Add/remove additional users Set expiration date Enable print, copy permissions Contact for permission requests Enable viewing via RMA
RMS at Microsoft: Example of RMS Templates
Corporate RMS templates available from the Permission menu of Outlook, Word, PowerPoint, and Excel:
Do Not Reply All – Recipients can View, Reply, Save, Edit, and Forward but can not Reply All
Microsoft Confidential – Only Microsoft employees can access the message. Allows for View, Reply All, Save, Edit, and Forward
Microsoft Confidential Read Only – Microsoft employees can access the message. Allows for View, Reply All
Microsoft FTE Confidential – Only Microsoft full-time employees can access the message. Allows for View, Reply All, Save, Edit, and Forward
Microsoft FTE Confidential Read Only – Microsoft full-time employees can access the message. Allows for View, Reply, and Reply All.
RMS Technology Partners
Liquid Machines – www.liquidmachines.com: Enables RMS for Office XP & 2000; adds support for PDF, Visio and many other file formats; enables RMS for Blackberries
GigaTrust – www.gigatrust.com: Enables RMS for Office XP & 2000; adds support for many more file types (PDF, WPD, JPG, TXT, HTML, etc); enables RMS for Blackberries
Titus – www.titus.com: Provide RMS consulting and training services
Windows Vista BitLocker
Windows Vista Enterprise features a number of enhancements that help protect sensitive data, including Windows BitLocker™ Drive Encryption to better protect data on lost, stolen or decommissioned PCs, expanded Windows Rights Management Services that help organizations control who has access to sensitive data, and improvements to the Encrypting File System
Windows Vista BitLocker
Windows BitLocker™ Drive Encryption is hardware-enabled data protection that helps protect data on a PC when the machine is in unauthorized hands. By encrypting the entire Windows volume, it prevents unauthorized users from accessing data by breaking Windows file and system protections or attempting the offline viewing of information on the secured drive
BitLocker configuration policies can be managed through Active Directory Group Policies, and it is designed to leverage the Trusted Platform Module (TPM)
Windows Vista BitLocker Caveats
Computers protected with BitLocker could become inaccessible if users lose their USB storage device or if they forget their BitLocker password
Whitepaper: Microsoft Windows Vista Security Advancements, http://download.microsoft.com/download/c/2/9/c2935f83-1a10-4e4a-a137-c1db829637f5/WindowsVistaSecurityWP.doc
BitLocker Drive Encryption
OEMs having challenges (BIOS)
Customers don’t have wide deployment (TPM)
USB, PIN aren’t magic bullets
A little bit like SYSKEY; however, centrally recoverable
Only protects system volume; EFS needed for additional partitions
BitLocker™ Drive Encryption
Designed specifically to prevent malicious users from breaking Windows file and system protections
Provides data protection on Windows systems, even when the system is in unauthorized hands or is running a different or exploiting Operating System
A Trusted Platform Module (TPM) or USB flash drive is used for key storage
Trusted Platform Module
Smartcard-like module on system motherboard
Helps protect secrets
Performs cryptographic functions: can create, store and manage keys; performs digital signature operations
Holds Platform Measurements (hashes)
Anchors chain of trust for keys and credentials
Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org
BitLocker™
Only protects until Winlogon
Weakest password lets you in: Admin, Service accounts, Backup accounts
Bottom Line: DON'T wait for BitLocker before encrypting laptops
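Two of the caveats above (only the system volume is protected, and recovery must be central) can be checked from the operating system once BitLocker is deployed. This PowerShell script is an added example, not from the deck: it audits every BitLocker volume, flags an OS volume that is not bound to the TPM, flags data volumes that are still unencrypted (candidates for EFS or BitLocker), and escrows each recovery password in Active Directory. It assumes Windows 8 / Server 2012 or later (BitLocker PowerShell module), an elevated session, and a domain GPO that permits AD DS backup of recovery information.

```powershell
# Added example: BitLocker posture audit with AD escrow of recovery passwords.
# Assumes the BitLocker module (Windows 8 / Server 2012+), elevation, and a GPO allowing AD DS backup.
#Requires -RunAsAdministrator
Import-Module BitLocker

$findings = foreach ($vol in Get-BitLockerVolume) {
    $types    = @($vol.KeyProtector.KeyProtectorType)
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    $issues   = @()

    if ($vol.ProtectionStatus -ne 'On') {
        $issues += 'protection off'
    }
    if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($types -match '^Tpm')) {
        # Without a TPM-based protector there is nothing to measure the boot chain against
        $issues += 'OS volume not bound to the TPM'
    }
    if ($vol.VolumeType -eq 'Data' -and $vol.ProtectionStatus -ne 'On') {
        # BitLocker on the system volume leaves other partitions in the clear
        $issues += 'unencrypted data volume: protect it with BitLocker or EFS'
    }
    if ($recovery.Count -eq 0) {
        $issues += 'no recovery password protector (not centrally recoverable)'
    }
    foreach ($rp in $recovery) {
        try {
            # Escrow the recovery password so the help desk can unlock the machine, not just the user
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
        } catch {
            $issues += "AD backup failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Volume     = $vol.MountPoint
        Type       = $vol.VolumeType
        Protection = $vol.ProtectionStatus
        Protectors = ($types -join ',')
        Issues     = ($issues -join '; ')
    }
}

$findings | Format-Table -AutoSize
```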
Comparing Technologies
Columns: Feature | EFS | RMS | BitLocker | S/MIME | ACLs
Differentiates permissions by consumer | No | Yes | No | No | Yes
Prevents unauthorized access: Yes Yes Yes (extracted cells incomplete)
Encrypts protected content: Yes Yes No (extracted cells incomplete)
Offers content expiration | No | Yes | No | No | No
Offers use license expiration | No | Yes | No | No | No
Controls content access to reading, forwarding, saving, modifying, or printing by consumer | No | Yes | No | No | Yes **
Extends protection beyond initial publication location *: Yes No (extracted cells incomplete)
* Since Windows XP it has been possible to manually grant other users the ability to decrypt individual files protected with EFS, but it’s not an intuitive procedure
** Only protects against online attacks
Scenarios
Essential: Loss or theft of mobile PC, aka “left in taxi”
Important: Reduced data leaks, aka “Oops, I sent it to The Register (and /., MSNBC, CNN…)”
Removable media, aka USB/thumb/jump/flash drives, CDs
Loss or Theft of a PC: Where’s the Data?
Clients – Documents: Where do your users keep their documents? User Profile: Outlook, Sharepoint, Desktop, Temp; per-machine data: Search index, file cache
Servers – File Shares; Collaboration store (e.g. Sharepoint); RDBMS (e.g. SQL); Mail (e.g. Exchange); SAN; Enterprise backup
Where ISN’T Data stored?
Loss or Theft of PC
Threat: Attackers with time, tools, well-documented attack techniques
Goal: reduce (NOT eliminate) the risk of data exposure
Good: EFS
Better: Minimize the stored data; combine EFS + RMS
Best: BitLocker + EFS + RMS
Don't bother with ACLs, RBAC
Loss or Theft of PC
EFS: Mitigates offline attacks except against user account; prevents online attacks (on encrypted files); threats focus on user’s password
BitLocker with TPM or USB (Vista): Prevents offline attacks (replace passwords, copy hashes, change system files); threats focus on user logons
Ideal: BitLocker with TPM + EFS with Smart Card (Vista): Attacker with notebook + Smart Card needs PIN (not password); after “x” bad tries, Smart Card locked FOREVER
RMS (XP, Vista): Similar offline protection as EFS, except only supported file formats (Office, HTML)
What about stolen Desktops, Servers?
First things first: laptops. Laptops are usually less physically secure; get that part of the house in order
Next: PCs not behind locked doors – PCs in front office, branch servers in the break room
Similar mitigations apply, plus: could disable cached logons; could enforce “on every access” with RMS
Loss or Theft of PC
Reality check: Windows XP today
Attack focus: user passwords, cleartext data
Tactics: Better passphrases; encrypt significant sets of data (EFS for Documents, email, desktop, TIF, server caches); Smartcard logon
Residual risk: pagefile fragments, hiberfile, cached logon verifiers
Reduced data leaks
Threat: Authorized users with legit access giving data to others
Goal: Mitigate the risk of leaks
Good: ACLs, Role-based Access
Better: DRM, Application encryption
Don't bother with system encryption
Reduced data leaks
1. ACL shared files on servers with RBAC groups – prevents users from granting each other permissions
2. Leverage RMS – reduces the amount of unprotected files
3. Ideal: Enforce RMS protection according to business rules (RMS partners)
Bonus: encryption on physical media
Bonus: removable media policy (Vista)
Removable media
Threat: Authorized users with legit access copying “secure” data to removable media, then losing it
Goal: mitigate the loss of unprotected data
Good: Block access to removable devices; RMS
Better: Block writes to removable devices; encrypt removable devices
Removable media XP removable media policy Vista removable media policy EFS on flash media
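Step 1 of the data-leak mitigations (ACL shared files with RBAC groups so users cannot grant each other permissions) only holds if no ordinary principal is granted rights that include Change Permissions or Take Ownership. The following PowerShell script is an added example, not from the deck: it walks a share’s folder tree and reports every explicitly set Allow ACE that carries those rights for a principal outside a trusted list. The share path and trusted principals are placeholders to adjust per environment.

```powershell
# Added example: find ACEs on a file share that let users re-grant permissions (defeating RBAC-group ACLs).
# Assumes read access to the folder tree; $ShareRoot and $TrustedPrincipals are placeholders.
param(
    [string]$ShareRoot = 'D:\Shares\Finance',
    [string[]]$TrustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# FullControl includes both of these bits, so it is caught as well.
# CREATOR OWNER is deliberately not trusted: its default FullControl lets file creators re-share their files.
$riskyRights = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'

$report = Get-ChildItem -Path $ShareRoot -Recurse -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $folder = $_.FullName
        $acl = Get-Acl -LiteralPath $folder
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IsInherited) { continue }   # report the folder where the ACE is actually defined
            if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $riskyRights) -ne 0) {
                [pscustomobject]@{
                    Folder    = $folder
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }

$report | Format-Table -AutoSize
```

A clean run produces no rows; each row is a place where a user could hand data to someone outside the RBAC group, so the fix is to grant the group Modify rather than Full Control there.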
Prepare for Tomorrow
Prepare and assess
All of these encryption technologies take advantage of Microsoft’s directory service because they can be managed through Group Policy
There’s no need to deploy additional management infrastructure
As with other features that can be controlled through group policies, organizations can decide to either centralize or decentralize policy management based on their IT landscape and resources
What Can You Do Today
Implement EFS or RMS through the use of Windows XP Professional with Service Pack 2 on the desktop or Windows 2003 Server
Implement a multi-layer approach to significantly decrease risk and potential exposure
Today – Utilize both EFS and RMS simultaneously
Tomorrow – The most powerful combination will combine EFS, RMS, and BitLocker to protect the data across a wide range of attack scenarios
Utilize other features built into our platform such as S/MIME; IPSec for both on-the-wire encryption and isolation of systems; and TLS/SSL
Windows Mobile uses FIPS 140 compliant algorithms (http://csrc.nist.gov/cryptval/140-1/1401val2005.htm#560)
Windows Mobile policies can be managed using SMS 2003; 3rd parties have developed additional technologies to help secure and manage Windows-based mobile devices
Third party solutions for encrypting data or for RMS integration are available, see: http://www.microsoft.com/windowsmobile/resources/providers/search.asp
A detailed whitepaper on securing Windows Mobile is available internally
Security is Not Just Technology
Technology is only a part of the solution
Poor end-user behavior and ambiguous policies are a dangerous combination
User education is a critical part of the solution
© 2006 - 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.