Submitted By xxscorpius73
BitLocker Drive Encryption Overview

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Vista
BitLocker Drive Encryption is a data protection feature available in Windows Server 2008 R2 and in some editions of Windows 7. Integrating BitLocker with the operating system addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the pre-startup system integrity verification offered by BitLocker with a TPM.
In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.
System integrity verification
BitLocker can use a TPM to verify the integrity of early boot components and boot configuration data. This helps ensure that BitLocker makes the encrypted drive accessible only if those components have not been tampered with and the encrypted drive is located in the original computer.
BitLocker helps ensure the integrity of the startup process by taking the following actions:
Provide a method to check that early boot file integrity has been maintained, and help ensure that there has been no adversarial modification of those files, such as with boot sector viruses or rootkits.

Enhance protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system drive.

Lock the system when it is tampered with. If any monitored files have been tampered with, the system does not start. This alerts the user to the tampering, because the system fails to start as usual. In the event that system lockout occurs, BitLocker offers a simple recovery process.

Hardware, firmware, and software requirements
To use BitLocker, a computer must satisfy certain requirements:
For BitLocker to use the system integrity check provided by a TPM, the computer must have a TPM version 1.2. If your computer does not have a TPM, enabling BitLocker will require you to save a startup key on a removable device such as a USB flash drive.

A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS. The BIOS establishes a chain of trust for pre-operating system startup and must include support for the TCG-specified Static Root of Trust for Measurement (SRTM). A computer without a TPM does not require a TCG-compliant BIOS.

The system BIOS (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. For more information about USB, see the USB Mass Storage Bulk-Only and the Mass Storage UFI Command specifications on the USB Web site.

The hard disk must be partitioned with at least two drives:

The operating system drive (or boot drive) contains the operating system and its support files; it must be formatted with the NTFS file system.

The system drive contains the files that are needed to load Windows after the BIOS has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the NTFS file system. The system drive should be at least 1.5 gigabytes (GB).

Installation and initialization
BitLocker is installed automatically as part of the operating system installation. However, BitLocker is not enabled until it is turned on by using the BitLocker setup wizard, which can be accessed from either the Control Panel or by right-clicking the drive in Windows Explorer.
At any time after installation and initial operating system setup, the system administrator can use the BitLocker setup wizard to initialize BitLocker. There are two steps in the initialization process:
On computers that have a TPM, initialize the TPM by using the TPM Initialization Wizard, the BitLocker Drive Encryption item in Control Panel, or by running a script designed to initialize it.

Set up BitLocker. Access the BitLocker setup wizard from the Control Panel, which guides you through setup and presents advanced authentication options.

When a local administrator initializes BitLocker, the administrator should also create a recovery password or a recovery key. Without a recovery key or recovery password, all data on the encrypted drive may be inaccessible and unrecoverable if there is a problem with the BitLocker-protected drive.
Note: BitLocker and TPM initialization must be performed by a member of the local Administrators group on the computer.
For detailed information about configuring and deploying BitLocker, see the Windows BitLocker Drive Encryption Step-by-Step Guide.
Enterprise implementation
BitLocker can use an enterprise's existing Active Directory Domain Services (AD DS) infrastructure to remotely store recovery keys. BitLocker provides a wizard for setup and management, as well as extensibility and manageability through a Windows Management Instrumentation (WMI) interface with scripting support. BitLocker also has a recovery console integrated into the early boot process to enable the user or helpdesk personnel to regain access to a locked computer.
For more information about writing scripts for BitLocker, see the Win32_EncryptableVolume WMI class.
Computer decommissioning and recycling
Many personal computers today are reused by people other than the computer's initial owner or user. In enterprise scenarios, computers may be redeployed to other departments, or they might be recycled as part of a standard computer hardware refresh cycle.
On unencrypted drives, data may remain readable even after the drive has been formatted. Enterprises often make use of multiple overwrites or physical destruction to reduce the risk of exposing data on decommissioned drives.
BitLocker can help create a simple, cost-effective decommissioning process. By leaving data encrypted by BitLocker and then removing the keys, an enterprise can permanently reduce the risk of exposing this data. It becomes nearly impossible to access BitLocker-encrypted data after removing all BitLocker keys because this would require cracking 128-bit or 256-bit AES encryption.
BitLocker security considerations
BitLocker cannot protect a computer against all possible attacks. For example, if malicious users, or programs such as viruses or rootkits, have access to the computer before it is lost or stolen, they might be able to introduce weaknesses through which they can later access encrypted data. BitLocker protection can also be compromised if the USB startup key is left in the computer, or if the PIN or Windows logon password is not kept secret.
The TPM-only authentication mode is easiest to deploy, manage, and use. It might also be more appropriate for computers that are unattended or must restart while unattended. However, the TPM-only mode offers the least amount of data protection. If parts of your organization have data that is considered highly sensitive on mobile computers, consider deploying BitLocker with multifactor authentication on those computers.
For more information about BitLocker security considerations, see the Data Encryption Toolkit for Mobile PCs.
Implementing BitLocker on servers
For servers in a shared or potentially non-secure environment, such as a branch office location, BitLocker can be used to encrypt the operating system drive and additional data drives on the same server.
By default, BitLocker is not installed with Windows Server 2008 R2. Add BitLocker from the Windows Server 2008 R2 Server Manager page. You must restart after installing BitLocker on a server. Using WMI, you can enable BitLocker remotely.
BitLocker is supported on Extensible Firmware Interface (EFI) servers that use a 64-bit processor architecture.
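The WMI interface mentioned above (Win32_EncryptableVolume), the TPM 1.2 requirement, the recovery-password advice, and the warning that TPM-only mode offers the least protection can all be checked from one script. The following read-only posture check is an added example written for this page; it is not part of the TechNet article and not Microsoft's own tooling. It assumes Windows 7 or Windows Server 2008 R2 or later, membership in the local Administrators group, and, for the optional remote form used on servers, that WMI is reachable over DCOM. The function name Get-BitLockerPosture and the server name in the commented usage line are placeholders; the WMI classes, methods, and the numeric KeyProtectorType and ProtectionStatus values are the documented ones.

```powershell
# Added example, not from the original article or from Microsoft's own tooling.
# Read-only BitLocker posture check built on the Win32_EncryptableVolume and
# Win32_Tpm WMI classes. Assumes Windows 7 / Server 2008 R2 or later, local
# Administrators rights and (for a remote target) WMI reachable over DCOM.

function Get-BitLockerPosture {
    param(
        # Assumption: defaults to the local machine; pass a server name to audit it remotely.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # KeyProtectorType values returned by Win32_EncryptableVolume.GetKeyProtectorType()
    $protectorNames = @{
        0 = 'Unknown'
        1 = 'TPM'
        2 = 'External key (USB startup key)'
        3 = 'Numerical password (recovery password)'
        4 = 'TPM and PIN'
        5 = 'TPM and startup key'
        6 = 'TPM, PIN and startup key'
        7 = 'Public key'
        8 = 'Passphrase'
    }
    # ProtectionStatus values returned by GetProtectionStatus()
    $statusNames = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }

    # TPM state: the pre-startup integrity check needs a TPM 1.2 that is enabled, activated and owned.
    $tpm = Get-WmiObject -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class 'Win32_Tpm'
    if ($tpm) {
        $tpmReady = ($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated -and $tpm.IsOwned().IsOwned)
        $tpmSummary = "TPM spec $($tpm.SpecVersion), ready=$tpmReady"
    } else {
        $tpmSummary = 'No TPM found: BitLocker needs a USB startup key and gives no boot integrity check'
    }

    $volumes = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume'

    foreach ($vol in $volumes) {
        # 0 = unprotected, 1 = protected, 2 = unknown
        $status = [int]$vol.GetProtectionStatus().ProtectionStatus

        # GetKeyProtectors(0) lists every protector on the volume; resolve each one's type
        $types = @()
        $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
        if ($ids) {
            foreach ($id in $ids) {
                $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            }
        }

        $findings = @()
        if ($status -ne 1) {
            $findings += 'Volume is not protected by BitLocker'
        }
        # TPM alone (type 1) with no multifactor protector (types 4-6) is the weakest mode
        if (($types -contains 1) -and -not ($types | Where-Object { $_ -ge 4 -and $_ -le 6 })) {
            $findings += 'TPM-only authentication: consider TPM with PIN or startup key for highly sensitive data'
        }
        # Without a recovery password (type 3), a lockout or drive problem leaves the data unrecoverable
        if (($status -eq 1) -and -not ($types -contains 3)) {
            $findings += 'No recovery password protector; recovery after lockout is not possible'
        }

        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            Drive        = $vol.DriveLetter
            Protection   = $statusNames[$status]
            Protectors   = (($types | ForEach-Object { $protectorNames[$_] }) -join ', ')
            TpmState     = $tpmSummary
            Findings     = ($findings -join '; ')
        }
    }
}

# Usage: audit the local machine, or a branch-office server by name (placeholder name)
Get-BitLockerPosture | Format-List
# Get-BitLockerPosture -ComputerName 'branch-srv01' | Format-List
```

The script only reads state: it never creates, deletes or backs up key protectors, so it is safe to run across a fleet before deciding which computers need a PIN or startup key added or a recovery password created. Because Get-WmiObject accepts a remote computer name, the same check works for the unattended servers described above without logging on to them interactively.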
