Re: Have you used bitlocker?
- From: "phasmid123" <phasmid123@xxxxxxxxx>
- Date: 28 Dec 2006 16:56:11 -0800
Alun,
Thanks for your insight. For bitlocker's PIN option, can you only use
numbers, or can you use characters as well?
JK
Alun Jones [MS-MVP - Windows Security] wrote:
> "phasmid123" <phasmid123@xxxxxxxxx> wrote in message
> news:1165607781.485899.204480@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> Is it true that bitlocker only protects the hard drive when it's
>> OFFLINE? Consider the scenarios:
>
> That is the point of full-drive encryption schemes. When the drive is
> offline, it cannot be brought back online without a key, or set of keys.
> Until it is brought back online with the right keys, the data on the drive
> is essentially random.
>
>> 1) I have a TPM capable laptop running bitlocker. The laptop is NOT
>> joined to a domain and boots automatically to my default account
>> without asking for user logon and password. Let's say this laptop is
>> stolen, the thief can boot it up normally (just like what I do) and
>> transfer the file to another location, correct?
>
> It depends. If you configure the laptop in the default manner - TPM being
> the only protection of the Bitlocker key - then, yes, you are right, the
> thief has everything that he needs to boot your system and copy data out.
>
>> 2) I have a TPM capable laptop running bitlocker. It is not joined to
>> the domain but Windows prompts me to enter a local account name and
>> password before completing the boot process. If I lose this laptop, the
>> thief cannot obtain any data unless the logon and password are known,
>> correct?
>
> Not correct. He does not need your logon and password. He needs to run
> code on your laptop. He can run code either by using your logon and
> password, or by exploiting any flaws that might exist in your operating
> system, attacking it through any of the external ports - network, serial,
> parallel, USB, CD-ROM, Infra-Red, WiFi driver, etc, etc. Are you certain
> that your OS has no such flaws? I'm not, even for Vista.
>
>> What I'm trying to say is, are you only protected by your Windows
>> password with bitlocker? If your Windows passwd is compromised,
>> then is the encryption useless?
>
> You are protected by whatever you use to secure your keys - so set BitLocker
> up to use TPM + PIN or TPM + USB, and don't write the PIN down on a sticky
> note on the laptop case, and don't leave the USB key in the laptop.
>
> You are protected by your Windows password - but since your laptop is
> offline and can't contact the domain controller, the account is not locked,
> and the password can be guessed as many times as the thief cares to try.
>
> You are protected by the security of the code in the Windows Operating
> System - but as soon as a wormable exploit arrives, that protection is void.
>
> You are protected by the strength of the encryption algorithm, and the lack
> of any flaws in it. Mathematics always gets better, though.
>
> By not strongly recommending (and ideally, choosing as default) the options
> in BitLocker that require external keying material (PIN or USB token), I
> think Microsoft have done their users a significant disservice. By
> insisting that BitLocker + TPM prevents offline attacks, they are
> comfortably ignoring the point that once a machine is stolen, it can be
> brought back online, and the thief can attack the system at his leisure
> through every hole on the outside of your machine (and perhaps a few on the
> inside).
>
> Alun.
~~~~
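The thread's practical point is that a TPM-only protector unlocks the OS volume for anyone who powers the machine on, so the fix is to require a PIN (or startup key) in addition to the TPM. The following PowerShell is an added example, not part of the thread or of Microsoft's documentation: it uses the BitLocker module cmdlets (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`, `Remove-BitLockerKeyProtector`) that ship with Windows 8 / Server 2012 and later to audit the OS volume's key protectors, flag the TPM-only default, and convert it to TPM + PIN. The function name `Get-BitLockerProtectorAudit` and its output fields are this example's own; the session must be elevated, and the machine's Group Policy must not prohibit a startup PIN.

```powershell
# Added example (not from the thread): audit BitLocker key protectors on the
# OS volume and flag the TPM-only configuration the thread warns about.
# Requires the BitLocker PowerShell module and an elevated session.

function Get-BitLockerProtectorAudit {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # TPM-only means a bare 'Tpm' protector with no PIN- or startup-key-bound
    # variant (TpmPin, TpmStartupKey, TpmPinStartupKey) alongside it.
    $bound   = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
    $tpmOnly = ($types -contains 'Tpm') -and ($bound.Count -eq 0)

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus   # On / Off
        VolumeStatus     = $vol.VolumeStatus       # e.g. FullyEncrypted
        Protectors       = ($types -join ', ')
        TpmOnly          = [bool]$tpmOnly
        HasRecoveryKey   = ($types -contains 'RecoveryPassword')
    }
}

$audit = Get-BitLockerProtectorAudit
$audit | Format-List

if ($audit.TpmOnly) {
    Write-Warning 'OS volume relies on the TPM alone; the boot path is unlocked for anyone who powers the machine on.'

    # 1. Make sure a recovery password exists before touching protectors, so a
    #    forgotten PIN cannot lock the owner out. Escrow it (AD, Azure AD,
    #    or printed copy) before continuing; this example only adds it.
    if (-not $audit.HasRecoveryKey) {
        Add-BitLockerKeyProtector -MountPoint $audit.MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # 2. Remove the bare TPM protector. Only one TPM-based protector may exist
    #    on a volume, and removing it first keeps the ordering unambiguous; the
    #    recovery password still protects the volume meanwhile.
    Get-BitLockerVolume -MountPoint $audit.MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $audit.MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    # 3. Add TPM + PIN. The PIN is read interactively as a SecureString and
    #    never stored in the script. BitLocker will require it at every boot,
    #    and it is rate-limited by the TPM's own anti-hammering logic rather
    #    than by the Windows logon, which addresses the "guess as many times
    #    as the thief cares" problem the thread raises for the logon password.
    $pin = Read-Host -AsSecureString -Prompt 'Enter a new BitLocker startup PIN'
    Add-BitLockerKeyProtector -MountPoint $audit.MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    Get-BitLockerProtectorAudit -MountPoint $audit.MountPoint | Format-List
}
```

Run it once to see the protector list; a healthy result shows `TpmPin` (or `TpmStartupKey`) plus `RecoveryPassword`, and `TpmOnly` is `False`. On the question of what a PIN may contain: BitLocker's startup PIN is numeric by default, and the Group Policy setting "Allow enhanced PINs for startup" (under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives) must be enabled before letters and symbols are accepted; the pre-boot environment uses a US keyboard layout, which matters for non-alphanumeric characters.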