AD RMS: Encryption – EFS and BitLocker
Last time we reviewed file access controls to data and resources by leveraging permissions via NTFS and share restrictions.
In today’s article we will take a look at some of the other ways outside of AD RMS that administrators can limit intentional and unintentional data leakage.
As I mentioned in my overview post on Active Directory Rights Management Services, AD RMS allows administrators additional ways to protect proprietary information and sensitive data through access and usage restrictions that follow the data wherever it is accessed.
By leveraging AD RMS administrators can dramatically reduce the probability and the possibility that the data is intentionally or accidentally received by users who should not have access to the data in the first place.
As I noted before, the information in this article is subject to change with the RTM, so please keep this in mind and if you do notice any changes feel free to post them in the comments.
One of the ways to restrict access to data is to encrypt the data (lock it up) so that only the people or groups that have the permissions to access it can — everyone else is denied access.
Much in the same way that very few people have access to your home (only people with the keys to the doors of the house have allowed access) EFS offers administrators a way to set up strict access controls.
What’s different to this method over NTFS permission that we discussed in the last article is that the encryption permissions follow the file around … to an extent.
EFS adds on to the NTFS security layer by effectively scrambling the contents of that data so that it can be read only by someone who has the encryption key to decipher it. Just being an administrator of a system is not necessarily going to allow you to gain ownership of the data and the control to access it because now you’d need the key to unlock / decipher the data as well.
When a user attempts to access an encrypted file and that user does not have the key to unlock it they will receive an access denied message and they will be unable to read the file.
Because encryption is set on the object (and can be inherited) the effect of copying and moving files around can impact their encryption state.
The overall rules for encryption are as follows:
Rule # 1
When moving or copying a file within the same NTFS volume an encrypted file will not inherit the encryption state of the target folder when that folder is unencrypted. When you copy or move an encrypted file to an unencrypted folder, the file is still encrypted. If you have enabled a folder to encrypt files and you move or copy an unencrypted file to it, it will become encrypted at that point.
Rule # 2
When copying or moving a file or folder from one NTFS volume to another, an encrypted file will not inherit the encryption state of the target folder when that folder is unencrypted. When you copy or move an encrypted file to an unencrypted folder, the file is still encrypted. If you have enabled a folder to encrypt files and you move or copy an unencrypted file to it, across partitions, it will become encrypted at that point.
Rule # 3
Moving or copying a file or folder to a FAT16 or FAT32 volume – EFS supports attribute driven encryption only on the NTFS file system, so when you move or copy an encrypted NTFS file or folder to a FAT volume, (16 or 32) the encryption attribute will be lost. Because most forms of removable media do not support the NTFS file system, the same is also true.
What You Need to Know about EFS
Some key thoughts with respect to encrypting data by way of EFS:
When you need to access encrypted data and you are on a system where the key to the data is present, you can access the encrypted data by simply double clicking on it; there is no other interaction for you. The operating system decrypts the file to access it and then when it is closed it automatically encrypts it again.
You need to back up your encryption certificate and encryption key in case you need to recover these if the system crashes or there is some other error and the system needs to be rebuilt and so on. If you neglect to do this and there is an issue and no other recovery agent is available then these encrypted files are forever locked. This is especially important on standalone systems that are not attached to a domain.
When there are other users that are going to need access to files or folders that you encrypt they will need to have their own EFS certificate added to the files in order to gain access to them. Think of this like having their own key just to this file. They are not leveraging your key – your key unlocks ALL of your encrypted files; their key when added to a file that you lock with your key allows them to access that data and only that data.
Last Thoughts on EFS
EFS does not offer a complete solution for securing files that are sent across the network. EFS secured files are decrypted when they need to be sent over the wire, which can expose the file to possible interception and attacks if someone is monitoring (sniffing) the wire. In order to secure the transmission of sensitive data on an internal or external network another form of encryption would be needed such as IPSec or SSL depending on the need.
As you can see from this high level overview, there are ways to better secure the data but there are still some pretty big loop holes when it comes to storing the data, moving it around on portable drives and transmitting it over the wire.
[NOTES FROM THE FIELD] – Because this was an introductory overview of EFS there are a lot of details I glossed over. I would recommend reviewing the details of the Encrypting File System information on the Microsoft website to get more details.
Of special interest would be the Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008 section.
BitLocker / BitLocker to Go
So with our review of EFS done I’ll turn our attention to BitLocker and Bitlocker To Go.
BitLocker Drive Encryption is available on some versions of Windows Vista, Windows Server 2008 R2 and in some editions of Windows 7. When leveraged BitLocker Drive Encryption is one of the best ways to protect portable systems such as laptops from loss of data and information when the laptops themselves are lost or stolen.
Additionally, the use of Bitlocker on desktop systems is also a good consideration when you consider how much information can be lost from recycled desktop systems that have not undergone a proper hard drive wipe routine before being sold off.
[NOTES FROM THE FIELD] – Bitlocker leverages the Trusted Platform Module (TPM) version 1.2 to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
The main focus of this topic for the article is to talk about securing files and access control, so this part of what it offers is a little beyond the scope of the conversation.
For additional details on this there is the “What is a TPM” section of the BitLocker Drive Encryption Overview; it is a Vista based article but it is still applicable.
The Windows BitLocker Drive Encryption Step-by-Step Guide is another good detailed document to review.
For our conversation regarding securing files, BitLocker works well on a local drive on a laptop or a desktop as it completely prevents someone from accessing a system in its entirety unless they have a password to start up the system.
Without that password (or the recovery key if the password is lost) the entire system is unavailable.
Fairly skilled people understand that there are ways to get around regular file based security that the operating system offers by installing another version of the operating system locally or booting from a DVD or USB key to work from a lower level of disk access to get to the stored data.
When BitLocker is correctly enabled, the whole area of disk data that is locked out under the encryption is inaccessible to that person even at that low level.
With respect to BitLocker To Go this security of the data is expanded further as it can be leveraged on portable devices to lock all the data even when it is stored on FAT formatted drives keeping the data completely secured from unauthorized access.
The User – the Single Point of Failure
The problem with EFS and BitLocker to Go (most specifically) is that the single point of failure is the end user.
If the end user un-encrypts their EFS locked data or transfers it to a FAT or FAT32 drive it ends up being accessible to anyone that can get to it. If the user sends that data off to themselves in an email it can be left behind in the SENT folder and so forth allowing people that should not have access to it the possibility of getting access to it.
If the end user with the BitLocker to Go device like a USB stick needs to make edits and changes to data and temporarily copies it off the protected device to work on it (as would be the situation under a legacy operating system like Windows XP) and then forgets to delete the local copy, it is left behind unprotected and potentially available to others that should not have access to it.
Active Directory Rights Management Services (AD RMS) takes that point of failure and removes it by taking the control of the data away from the user.
But we’ll cover this in more detail in my next AD RMS article. Stay tuned!