Educause Security Discussion mailing list archives

Re: BitLocker


From: "Camacaro Latouche, Jose David" <jcamacar () IU EDU>
Date: Mon, 8 Jul 2019 16:25:53 +0000

I was wondering if your institution is using BitLocker?

Yes, it is.



How was your rollout process? And how are the general operations of BitLocker
going?

Keeping in mind a decentralized IT community within my institution, I will
speak about the two I know:



* The predominant method:

The majority of Windows workstations are built via System Center
Configuration Manager before handing them to end-users. During the build
process, IT professionals go through the set of prompts, which includes
encryption options. Encrypting the OS volume with BitLocker is set to "Yes"
by default, so if IT professionals would like to NOT encrypt the OS volume,
it would have to be a deliberate decision. If all conditions are met during
OSD, the recovery key is escrowed in Active Directory Domain Services.

* The decentralized method:

A few IT shops create and manage their own BitLocker GPOs.

Are you using TPM? (+ PIN)? (or did you consider using +PIN and didn't
implement in the end? Why?)

Since I am heavily involved in the predominant method described above, I
will speak to that one only:

TPM only. No PIN, because our SCCM's OSD process caters for a large
diversity of IT professionals, who in turn serve an even higher diversity
of end-users (e.g. academia, research, administration, healthcare, etc.)
with their own set of IT policies and standards.

Do users lose their PIN all the time?

See previous answer.

Is the PIN useless because users put their laptop into sleep mode?

See previous answer.

We are also looking for Best Practices. Is there a "best practice"? Or does it
really depend on our risk appetite?

A few personal notes and observations from my own experience (and by no
means do I treat them as "absolute truths"):

* Managing power/sleep configurations is much easier than managing
end-users' PINs. And frankly, safer and greener.

* Escrowing the recovery key in AD and using TPM is clean, easy and
secure.

* Can you control who the end-users share the PIN with (even if they
have been instructed not to)? Most likely not.

* Can you control management of recovery keys in AD? Most likely yes.

* Will end-users perceive a pre-boot PIN prompt as a 2nd
authentication layer of inconvenience, more than an additional security
control for defense in depth? Perception is reality, and if it is academia
we are talking about, I'd say most likely yes.

* Our default encryption choice encrypts used space only [1], which is
sufficient for new, out-of-the-box devices. But in the encryption settings
of our OSD process, we provide an additional option for "full encryption",
which makes the OSD process take much longer, since the volume is fully
encrypted before carrying on with the next steps of the OSD. We recommend this
option for IT professionals who are re-building re-purposed endpoints, where
there is knowledge or uncertainty that the previous end-user had sensitive data
stored on it. Whether this constitutes an alternative to other disk wiping
methods (e.g. DBAN) or not depends on the flexibility of your own IT
policies and guidelines.

* Over the past few years, hardware has evolved with a focus on
security: newer versions of TPM, UEFI, firmware, etc., which in turn allows
us, IT security professionals, to rely less on how safe end-users keep their
PINs, and to rely more on the layers we can actually control. I do not mean
to diminish end-users' ability to be digitally safe, but statistically
speaking, it's about risk mitigation: exploiting vulnerabilities in TPM is
way less likely than stealing a misplaced (or neglectfully shared) PIN.

I hope this helps.

Sincerely,

Jose Camacaro Latouche
UITS Leveraged Services
Endpoint Management
INDIANA UNIVERSITY

Further reading:

[1]: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#used-disk-space-only-encryption
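As an added example (not code from this thread or from either institution), a read-only PowerShell check for the model the reply describes: TPM-only protector, protection on, and a recovery password escrowed in AD DS. The function name, output fields and the optional -CheckAdEscrow switch are my own; the AD lookup assumes a domain-joined machine with the ActiveDirectory RSAT module installed.

```powershell
# Added example, not code from the thread. Assumes an elevated session with the
# BitLocker module; -CheckAdEscrow additionally needs the ActiveDirectory RSAT
# module. Property names on the returned object are my own choice.
function Test-BitLockerBaseline {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$CheckAdEscrow
    )

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
    $tpm   = Get-Tpm

    $result = [ordered]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
        ProtectionOn     = ($vol.ProtectionStatus -eq 'On')
        EncryptionMethod = $vol.EncryptionMethod   # e.g. XtsAes128 / XtsAes256
        TpmReady         = $tpm.TpmReady
        TpmOnlyProtector = ($types -contains 'Tpm')
        TpmPinProtector  = ($types -contains 'TpmPin')
        RecoveryPassword = ($types -contains 'RecoveryPassword')
        EscrowedInAd     = $null                   # unknown unless -CheckAdEscrow
        Compliant        = $false
    }

    if ($CheckAdEscrow) {
        # Escrowed keys are msFVE-RecoveryInformation child objects of the computer
        # account; each object's CN ends with the recovery protector's GUID.
        $computerDn    = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
        $escrowedNames = @(Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
            -Filter 'objectClass -eq "msFVE-RecoveryInformation"' | ForEach-Object Name)
        $rpIds = $vol.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            ForEach-Object KeyProtectorId
        # At least one local recovery password protector must have a matching AD object.
        $result.EscrowedInAd = [bool]($rpIds | Where-Object { $id = $_; $escrowedNames -like "*$id*" })
    }

    # TPM-only is the baseline here; a TPM+PIN protector is reported but not required.
    $result.Compliant = $result.ProtectionOn -and $result.TpmOnlyProtector -and
                        $result.RecoveryPassword -and ($result.EscrowedInAd -ne $false)
    [pscustomobject]$result
}

Test-BitLockerBaseline -CheckAdEscrow | Format-List
```

If EscrowedInAd comes back false for a volume that has a RecoveryPassword protector, Backup-BitLockerKeyProtector with that protector's KeyProtectorId re-escrows it to AD DS without re-encrypting.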

 

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of St-Jean, Daniel
Sent: Friday, June 28, 2019 5:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] [SECURITY] BitLocker

I was wondering if your institution is using BitLocker?

How was your rollout process? And how are the general operations of BitLocker
going?

Are you using TPM? (+ PIN)? (or did you consider using +PIN and didn't
implement in the end? Why?)

Do users lose their PIN all the time?

Is the PIN useless because users put their laptop into sleep mode?

We are also looking for Best Practices. Is there a "best practice"? Or does it
really depend on our risk appetite?

Thank you in advance,



Daniel St-Jean
Senior Systems Analyst

Banff Centre for Arts and Creativity
107 Tunnel Mountain Drive
Box 1020, Banff, Alberta 
Canada T1L 1H5
Tel: 403.762.6263

banffcentre.ca <http://www.banffcentre.ca/>
Facebook <https://www.facebook.com/BanffCentre> |
Twitter <https://twitter.com/BanffCentre> |
Instagram <https://www.instagram.com/banffcentre/> |
LinkedIn <https://www.linkedin.com/school/banff-centre/>

Banff Centre for Arts and Creativity is located on the lands of Treaty 7
territory. We acknowledge the past, present, and future generations of
Stoney Nakoda, Blackfoot, and Tsuut'ina Nations who help us steward this
land, as well as honour and celebrate this place.

This message has been sent by an employee of Banff Centre. If you have
received this communication in error or do not wish to receive electronic
communications from this individual in the future please respond by simply
typing 'unsubscribe' in the subject line and returning to the sender.
Subsequently you will not be contacted without reason.

 
