Educause Security Discussion mailing list archives
Re: Vista
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Fri, 2 Feb 2007 12:41:52 -0500
Reading the information about the secure Microsoft website service provided to store keys for retrieval of BitLocker and EFS files, it is apparent that (possibly because the crypto mechanisms for both are shared or linked to both) this 'digital locker' (key escrow) also appears related to Microsoft DRM (Digital Rights Management) in Vista (keys and codes for the activation/authorization of various software programs and feature enhancements can be kept online for a user or PC at this site as well).

http://windowsmarketplace.com/content.aspx?ctId=302

- H. Morrow Long, CISSP, CISM, CEH
  University Information Security Officer
  Director -- Information Security Office
  Yale University, ITS

On Feb 2, 2007, at 11:18 AM, Bob Doyle wrote:

It looks like MS is going to be providing a key escrow service for users of Vista Ultimate. If most of your clients are off domain, running Ultimate, and you're willing to trust MS to hold your keys (that's a big if), this may be an option for you. More info on this feature is on the Vista Ultimate site:

http://windowsultimate.com/blogs/extras/archive/2007/01/07/bitlocker-and-efs-enhancements.aspx

Cheers,
Bob
____________________________________________________________
Bob Doyle
bobdoyle () kellogg northwestern edu
Kellogg Information Systems
Northwestern University

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Thursday, February 01, 2007 8:58 AM
Subject: Re: Vista

Mclaughlin, Kevin L (mclaugkl) wrote:
> I was wondering what your approach or thoughts are surrounding:

We're still in the planning stages, but...

> 1.) key management of Vista's built-in encryption capability - are you going to try and centralize key management via Active Directory or just let each individual hold their own keys?

EFS - Join computers wanting to use EFS to a domain so a domain recovery agent account is available. We're also looking into Microsoft CA to automate key generation and backup, but at this point the domain recovery agent is the primary strategy. We'll also have documentation on handling the keys manually with lots of warnings and caveats.

BitLocker - We're talking about joining all incoming Vista computers to a domain with the necessary schema changes to support AD key storage. That schema change needs to be done and the Vista computer joined to a domain before BitLocker is enabled.

http://www.microsoft.com/downloads/details.aspx?FamilyID=3a207915-dfc3-4579-90cd-86ac666f61d4&DisplayLang=en

The majority of our computers are not in a Microsoft domain, so we have some challenges ahead not faced by many other organizations... political, logistical, and technical.

> a. My concerns with individuals holding their own keys are: what if they get hit by a bus? What if we are asked by their Dean, the FBI or local law enforcement to do a forensic exam on their system?

That is why we're looking into centralized key backup/recovery options. But encryption is not the only situation that raises those issues. What if they lose their laptop? What if their disk drive malfunctions, making the data irretrievable? What if they install PGP, TrueCrypt, or any number of other encryption packages on their own? What if they securely delete their data? What if they refuse to turn over a laptop?

Backups are necessary to solve encryption and other data recovery issues, and backups raise their own security issues. Policy surrounding encryption use is necessary, but unless desktop configuration is managed and enforced, it is still left up to individual discretion. Education and awareness are probably key to preventing problems caused by general ignorance of the issues.

> 2.) Are you going to establish a policy or guidelines that talk about Faculty and Staff encryption key management responsibilities? If so, would you mind sharing such a policy with us?

I don't know about policy, but we'll certainly have a whole lot of warnings, caveats, and recommendations included with the documentation for using the features.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
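An added example, not part of any message in the thread: a script that enforces the ordering Gary Flynn describes for BitLocker (domain joined with the schema extended before BitLocker is enabled) and then verifies that a recovery password actually reached the computer's AD object, so the "hit by a bus" and forensic-exam cases have a key to fall back on. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later; Vista itself shipped only manage-bde.wsf) and, for the read-back check, the RSAT ActiveDirectory module on the client.

```powershell
# Added example (not from the thread). Assumes: BitLocker module
# (Windows 8 / Server 2012+), RSAT ActiveDirectory module, AD schema already
# extended for msFVE-RecoveryInformation, run elevated on the client.
[CmdletBinding()]
param([string]$MountPoint = 'C:')

# 1. Domain membership first: "backing up to AD" on a workgroup machine has
#    nowhere to write, which is exactly the case the thread worries about.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "$($cs.Name) is not domain joined; join the domain before enabling BitLocker."
}

# 2. Find a numerical recovery password protector. A TPM-only protector
#    unlocks the disk but leaves nothing for a recovery agent to use.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# 3. Escrow every recovery protector to this computer's AD object.
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
}

# 4. Read back from AD instead of trusting the return code: the child
#    msFVE-RecoveryInformation objects exist only if the schema extension is
#    in place and the write succeeded. msFVE-RecoveryGuid is an octet string
#    holding the protector GUID, so compare it to the KeyProtectorId.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$escrowed = @(Get-ADObject -SearchBase $computer.DistinguishedName `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryGuid')
$escrowedIds = $escrowed | ForEach-Object { ([guid]$_.'msFVE-RecoveryGuid').ToString() }
$missing = @($recovery | Where-Object { $escrowedIds -notcontains $_.KeyProtectorId.Trim('{}') })
if ($missing.Count -gt 0) {
    throw "Recovery protector(s) not found in AD for ${MountPoint}: $($missing.KeyProtectorId -join ', ')"
}
Write-Output ("{0} recovery password(s) for {1} verified in AD domain {2}" -f $escrowed.Count, $MountPoint, $cs.Domain)
```

Run it as the last step of a build, after the domain join and before the machine is handed to the user; a thrown error means the machine should not be shipped encrypted until escrow is fixed.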