Implementing encryption
There are two types of encryption technologies available for Windows 10 devices: BitLocker and Encrypting File System (EFS). Both tools are available for use on all Windows 10 editions, except for Windows 10 Home. While both technologies offer robust methods of encryption, you need to understand how to implement each technique.
EFS has been available since Windows 2000, but very few organizations implement this type of encryption. Most organizations that require encryption choose to use BitLocker Drive Encryption. The difference between EFS and BitLocker is that EFS encrypts at the folder and file level, while BitLocker encrypts complete hard disks and removable drives.
First, we will look at BitLocker.
Implementing BitLocker
BitLocker allows you to encrypt an entire hard disk, which can be the Windows 10 OS drive, a data drive, or a removable drive. During the encryption process, BitLocker configures the drive that contains the OS so that you have a system partition and an OS partition. BitLocker helps to ensure that data stored on a computer remains encrypted, even if someone tampers with the machine while the OS is not running.
BitLocker offers a tightly integrated Windows 10 solution to help tackle the problem of data theft or data leakage from devices that have been lost, compromised, or improperly decommissioned. Data on these types of computers may become vulnerable to unauthorized access when a hacker either runs a software attack tool against it or transfers the hard disk of the computer to a different computer.
By enhancing Windows file and system protection, BitLocker helps to prevent unauthorized access to data. BitLocker also helps make data unavailable as you decommission or recycle computers that are secured by BitLocker.
Windows 10 now offers a newer encryption algorithm, XTS-AES, for BitLocker. Organizations concerned about brute-force attacks on their devices, where physical access is possible, may want to consider migrating their BitLocker default encryption to XTS-AES. This option can be configured using Group Policy. Microsoft recommends that customers enable this level of encryption on newly provisioned devices.
BitLocker performs two functions that provide both offline data protection and system integrity verification:
- It encrypts all data that is stored on the Windows OS volume (and configured data volumes). BitLocker provides security for Microsoft and non-Microsoft applications alike, which benefit from the protection automatically when they are installed on the encrypted volume.
- It is configured, by default, to use a Trusted Platform Module (TPM) chip to help ensure the integrity of early startup components. It does this by verifying that no modifications have been made to the early boot files. Once the TPM has verified that there are no changes, it releases the decryption key to the Windows OS Loader.
When TPM detects changes, it locks any volumes that are secured by BitLocker. They remain protected, even if somebody tampers with the machine when the OS is not running.
Important Note
The Windows 10 installation process partitions the computer's hard disk to enable the use of BitLocker.
As we mentioned earlier, BitLocker uses the TPM chip to verify the integrity of the startup process by doing the following:
- It provides us with a way to check that the first boot file's integrity has been maintained and helps ensure that no adverse changes have been made to those files, such as viruses in the boot sector or rootkits.
- It improves protection against offline, software-based attacks. It makes sure that any alternative software that could start the system does not have access to the decryption keys for the Windows OS volume.
- When the machine is tampered with, it locks the user out. If anyone has tampered with the monitored files, the system does not start. Because the system fails to start as it usually does, the user is alerted that tampering has occurred. BitLocker offers a simple recovery process when a system lockout occurs.
In conjunction with the TPM chip, BitLocker verifies the integrity of early startup components. This helps to prevent additional offline attacks, such as attempts to insert malicious code into these components. This functionality is necessary because the components from the earliest part of the startup process must be available in an unencrypted format so that the computer can start.
Important Note
You might need to enable the TPM functionality in your computer's basic input/output system (BIOS).
If an attacker can gain access to the components of the initialization process, they can modify the code in those components and gain access to the computer, even if the data on the disk is encrypted. Once the intruder has access to confidential information such as BitLocker keys or user passwords, they can bypass BitLocker and other security measures on Windows.
BitLocker does not require a TPM chip. However, only a computer with a TPM chip can provide the additional security of pre-startup system integrity verification. To check whether a computer has a TPM v1.2 chip, perform the following steps:
- Open the Control Panel.
- Click System and Security.
- Click BitLocker Drive Encryption.
- In the lower-left corner, click TPM Administration:
- The Trusted Platform Module Management on the Local Computer console will open:
In the previous screenshot, we can see the TPM Management console. In this console, you will see that the machine has a TPM chip installed and ready for use. On the right-hand side of the console, you can choose some actions, such as clearing the TPM chip.
If the computer does not have the Trusted Platform Module v1.2 chip, a message stating Compatible TPM cannot be found will be displayed.
Important Note
If the computer does not have a TPM v1.2 chip, you can still use BitLocker to encrypt the Windows OS volume. However, this implementation does not include a TPM and requires the user to insert a USB startup key to start the computer or resume it from hibernation. It also does not provide the pre-startup system integrity verification that BitLocker offers when working with a TPM.
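The TPM check and the XTS-AES migration described above can also be done from an elevated PowerShell session instead of the Control Panel. The following script is an added example, not code from the book: it reports TPM presence, the current BitLocker state and cipher of the OS drive, and the Group Policy value that selects XTS-AES, and it can enable BitLocker with XTS-AES 256 using a TPM protector (or a USB startup key when no usable TPM exists, as in the note above). The registry value name `EncryptionMethodWithXtsOs` and its meaning (7 = XTS-AES 256) are taken from Microsoft's BitLocker policy settings rather than from this chapter; `E:\` as the startup-key drive is a constructed placeholder.

```powershell
# Added example (not from the book): check TPM/BitLocker readiness and enable
# BitLocker on the OS drive with XTS-AES 256. Needs the built-in BitLocker and
# TrustedPlatformModule modules and an elevated session.
#Requires -RunAsAdministrator

function Get-BitLockerReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)   # usually "C:"

    # TPM presence/readiness; treat any failure to query the TPM as "no TPM".
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $tpmPresent = [bool]$tpm.TpmPresent
        $tpmReady   = [bool]$tpm.TpmReady
    } catch {
        $tpmPresent = $false
        $tpmReady   = $false
    }

    # Current BitLocker state of the volume.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Group Policy value written by "Choose drive encryption method and cipher strength"
    # for OS drives (assumed from Microsoft's BitLocker policy documentation):
    # 6 = XTS-AES 128, 7 = XTS-AES 256. $null means the policy is not configured.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $osMethod = (Get-ItemProperty -Path $policyPath -Name EncryptionMethodWithXtsOs `
                    -ErrorAction SilentlyContinue).EncryptionMethodWithXtsOs

    [pscustomobject]@{
        MountPoint       = $MountPoint
        TpmPresent       = $tpmPresent
        TpmReady         = $tpmReady
        VolumeStatus     = $vol.VolumeStatus       # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        ProtectionStatus = $vol.ProtectionStatus   # Off / On
        EncryptionMethod = $vol.EncryptionMethod   # None, AesCbc128, XtsAes256, ...
        KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        PolicyOsMethod   = $osMethod
        UsesXtsAes       = ($vol.EncryptionMethod -like 'XtsAes*')
    }
}

function Enable-OsDriveBitLocker {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$MountPoint = $env:SystemDrive)

    $state = Get-BitLockerReadiness -MountPoint $MountPoint
    if ($state.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is already $($state.VolumeStatus); nothing to do."
        return $state
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Enable BitLocker (XTS-AES 256)')) {
        # Add the recovery password first so the "simple recovery process" exists
        # before the volume can ever lock.
        $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector

        if ($state.TpmReady) {
            # TPM-backed: the key is released only if the early boot files verify.
            Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
                -TpmProtector -UsedSpaceOnly -SkipHardwareTest
        } else {
            # No usable TPM: USB startup key, as in the note above. 'E:\' is a
            # constructed placeholder for the removable drive that holds the key.
            Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
                -StartupKeyProtector -StartupKeyPath 'E:\' -UsedSpaceOnly -SkipHardwareTest
        }

        # Escrow the recovery password in AD DS when domain-joined; otherwise it is
        # returned so it can be stored off the machine.
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
        $state = Get-BitLockerReadiness -MountPoint $MountPoint
        $state | Add-Member -NotePropertyName RecoveryPassword -NotePropertyValue $rp.RecoveryPassword
    }
    return $state
}

# Usage:
# Get-BitLockerReadiness | Format-List
# Enable-OsDriveBitLocker -WhatIf    # show what would be done
# Enable-OsDriveBitLocker            # enable and return the new state
```

`Get-BitLockerReadiness` is safe to run on any machine and is the quickest way to confirm whether an existing volume still uses AES-CBC (`EncryptionMethod` of `AesCbc128`/`AesCbc256`) and therefore needs the migration the chapter mentions; the Group Policy setting only affects volumes encrypted after it is applied, so existing volumes must be decrypted and re-encrypted to change cipher.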
Besides BitLocker, you can also use the Encrypting File System. BitLocker and EFS are built into Windows 10. Most organizations use BitLocker, but you also need to know how EFS works. You'll learn how to use it in the next section.
Implementing Encrypting File System
The built-in Encrypting File System is a powerful method that's used to restrict access to files within an NTFS environment. As we mentioned earlier, very few organizations implement file and folder encryption. In the organizations where EFS is applied, it's necessary to ensure that users and members of the IT departments acknowledge that EFS is a secure method of protecting files.
Only the account that originally encrypted the file (apart from the Administrator account) has the option of decrypting it.
Users can encrypt the files and folders they have created on an NTFS hard disk by right-clicking the file and selecting Properties from the context menu that appears.
In the Advanced Attributes dialog box, as shown in the following screenshot, select the option to Encrypt contents to secure data:
Encryption should not be used without prior planning and establishing some precautions to secure the encryption keys that are used. EFS protects data from unauthorized access, and it is advantageous as a last line of defense from attacks.
EFS uses the Windows Public Key Infrastructure (PKI) and a fast encryption algorithm to protect files. The private and public keys generated during encryption ensure that only the user that encrypted the file can decrypt the file. Encrypted data can only be decrypted if the user's certificate, which is used for encryption, is available on the computer.
Some key points that you need to know about EFS are as follows:
- Encryption and decryption of files and folders happens behind the scenes and is not visible to users.
- When you close files, encryption occurs; when you open files, decryption occurs.
- EFS is only available on NTFS formatted volumes.
- EFS keys are assigned to a specific user and not to a computer.
- An EFS protected file can be moved or copied by the file owner.
- If you move the file to a volume that doesn't support EFS, such as FAT32, the file will be decrypted.
- Encrypted files and folders show a padlock icon over each file or folder.
- EFS uses the Advanced Encryption Standard (AES).
- EFS is only available on Windows 10 Pro, Enterprise, and Education.
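The same encrypt/decrypt operation that the Advanced Attributes checkbox performs, together with the checks the key points above imply (NTFS only, per-user certificate), is shown below as an added example that is not part of the book. It uses the .NET `System.IO.File` `Encrypt`/`Decrypt` methods and the `Cert:` drive; the sample file name and the PFX path are constructed for the demonstration, and the EFS EKU OID `1.3.6.1.4.1.311.10.3.4` is the standard Microsoft identifier for "Encrypting File System" certificates, not something stated in this chapter.

```powershell
# Added example (not from the book): encrypt a file with EFS, verify the Encrypted
# attribute, and back up the user's EFS certificate (the only way to decrypt later).

function Test-EfsSupported {
    param([Parameter(Mandatory)][string]$Path)
    # EFS is NTFS-only; on FAT32/exFAT the file would simply be stored in clear.
    $root = [System.IO.Path]::GetPathRoot((Resolve-Path $Path).Path)
    $fs = (Get-Volume -DriveLetter $root.Substring(0, 1)).FileSystem
    return ($fs -eq 'NTFS')
}

function Protect-FileWithEfs {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-EfsSupported -Path $Path)) {
        throw "$Path is not on an NTFS volume; EFS is unavailable there."
    }
    # Equivalent to ticking "Encrypt contents to secure data" in Advanced Attributes.
    [System.IO.File]::Encrypt($Path)
    # The Encrypted attribute is what Explorer renders as the padlock icon.
    return ((Get-Item $Path).Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
}

function Unprotect-FileWithEfs {
    param([Parameter(Mandatory)][string]$Path)
    [System.IO.File]::Decrypt($Path)
    return ((Get-Item $Path).Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0
}

function Get-EfsCertificate {
    # Windows creates an EFS certificate in the user's personal store on first use.
    # It carries the "Encrypting File System" EKU, OID 1.3.6.1.4.1.311.10.3.4.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' }
}

function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Keys belong to the user, not the computer: without this PFX a rebuilt
    # profile or another machine cannot read the user's encrypted files.
    $cert = Get-EfsCertificate | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate found; encrypt a file first.' }
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    return (Test-Path $PfxPath)
}

# Usage with a constructed sample file in the user's temp directory:
$sample = Join-Path $env:TEMP 'efs-demo.txt'
Set-Content -Path $sample -Value 'constructed sample content'
Protect-FileWithEfs -Path $sample                        # True on an NTFS volume
Get-EfsCertificate | Format-Table Subject, NotAfter, Thumbprint
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Backup-EfsCertificate -PfxPath (Join-Path $env:TEMP 'efs-backup.pfx') -Password $pfxPassword
Unprotect-FileWithEfs -Path $sample                      # True once decrypted again
```

Run the usage lines as the user who should own the file: the certificate that `Get-EfsCertificate` returns is created for that account, and the `-band Encrypted` check is the scriptable equivalent of looking for the padlock overlay. Keep the exported PFX off the machine, since the same attribute test says nothing about whether the matching private key is still recoverable.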
In this section, you learned how to implement BitLocker and Encrypting File System. As we've mentioned several times, BitLocker is used in more organizations than EFS.
BitLocker will encrypt the whole hard disk or only the data on the hard disk. EFS is used to encrypt single files and folders. Both encryption methods use the most robust encryption that is available nowadays.
In the next section, you will learn how to use AppLocker to lock down applications and prevent users from running unauthorized software.