Tactical Advice

Put Your Drives on Lockdown

By using BitLocker Drive Encryption, you can protect your data on systems running Windows Vista.
This story appears in the March 2007 issue of BizTech Magazine.

No doubt you’ve seen the headlines about lost and stolen notebook computers compromising the personal and confidential information of millions of people. Some of these breaches resulted from poor network security and business policies, but unencrypted data often was also to blame.

If a disk drive is encrypted, the damage from a lost or stolen portable computer is limited to the cost of replacing the system. Without encryption, businesses often spend millions recovering from these incidents and suffer damage to their reputations from the exposure of sensitive data.

BitLocker, a feature of the new Microsoft Windows Vista, provides full-disk encryption. It works with the Trusted Platform Module (TPM), a chip permanently attached to a system’s motherboard that provides additional security functionality. Tying the encryption key to the hardware and to the TPM’s validation process means hackers cannot modify or bypass the encryption — a problem with other encryption tools Microsoft has offered.

Less Exposed

Previous Windows versions have included data encryption features, such as the Encrypting File System (EFS), but those tools protected only files and folders. An attacker could boot another OS, such as the Knoppix Linux distribution, to access and crack a system’s password store. Once the system authenticates a hacker, EFS cannot provide protection.

Other Windows encryption tools have relied on the user to decide what should or should not be encrypted. Even if a systems administrator creates a special encrypted folder on a drive specifically to hold confidential or sensitive data, there’s no way to be sure that users put all appropriate data in the folder. In the event of a notebook theft, the company would still be unable to guarantee that private or personally identifiable information was not exposed. But encrypting the entire drive removes the guesswork.

65%: the rise last year in average financial losses from notebook computer thefts.

— 2006 CSI/FBI Computer Crime & Security Survey

BitLocker has four main components: Microsoft TPM driver, Windows Management Instrumentation (WMI) provider, TPM Base Services Application Programming Interface (TBS API) and BitLocker Drive Encryption. The TPM driver lets Windows interact with the TPM chip on a system, and the WMI provider supports BitLocker management and scripting. The TBS API provides a means for applications to use the TPM, while BitLocker encrypts and decrypts the data.

BitLocker doesn’t rely on proprietary encryption; instead it uses the 128-bit Advanced Encryption Standard algorithm. Microsoft chose AES because the speed of encryption and decryption makes the process fairly transparent to users, its ability to scale will allow use with future hard-drive sizes, and the methods for creating and maintaining keys are user-friendly. Plus, hackers cannot boot another OS to get at data because the drive is encrypted. According to Microsoft, TPM protects a drive from running on anything but the original OS.
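The WMI provider listed among BitLocker’s components is the piece an administrator scripts against. The following PowerShell script is an added example, not code from the article or from Microsoft: it uses the documented Win32_Tpm and Win32_EncryptableVolume WMI classes to report whether the TPM is usable, which encryption method each volume uses, and which key protectors are present, and it warns when a volume is encrypted without a TPM-based protector (so the key is not bound to the hardware as the article describes). It assumes an elevated prompt on a host that has both WMI providers; the numeric-to-name tables are the enumerations Microsoft publishes for those classes.

```powershell
# Added example (not from the article): audit BitLocker and TPM state through the WMI provider.
# Assumes an elevated PowerShell prompt on a host with the BitLocker and TPM WMI providers.

# Name tables for the documented Win32_EncryptableVolume enumerations.
$ProtectionNames = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
$MethodNames     = @{ 0 = 'None'; 1 = 'AES-128 with diffuser'; 2 = 'AES-256 with diffuser'; 3 = 'AES-128'; 4 = 'AES-256' }
$ProtectorNames  = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password (recovery)';
                      4 = 'TPM and PIN'; 5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key';
                      7 = 'Public key'; 8 = 'Passphrase' }
$TpmBoundTypes   = @(1, 4, 5, 6)   # protector types that tie the volume key to the TPM

# 1. Is the TPM that BitLocker binds the key to enabled, activated and owned?
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm -eq $null) {
    Write-Warning 'No TPM visible to Windows: BitLocker cannot bind the volume key to hardware on this machine.'
} else {
    $state = 'enabled={0} activated={1} owned={2}' -f $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned
    Write-Host "TPM: $state"
}

# 2. Walk every volume BitLocker knows about and report its state.
$volumes = @(Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue)
if ($volumes.Count -eq 0) { Write-Warning 'BitLocker WMI provider returned no volumes.'; return }

foreach ($vol in $volumes) {
    # Each WMI method returns an object whose properties are the method's [out] parameters.
    $prot   = [int]$vol.GetProtectionStatus().ProtectionStatus
    $method = [int]$vol.GetEncryptionMethod().EncryptionMethod
    $conv   = $vol.GetConversionStatus()
    Write-Host ('{0} protection={1} method={2} encrypted={3}%' -f $vol.DriveLetter, $ProtectionNames[$prot], $MethodNames[$method], $conv.EncryptionPercentage)

    # Key protector type 0 asks for every protector on the volume; drop the null a bare volume returns.
    $ids   = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
    $types = @()
    foreach ($id in $ids) {
        $t = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        $types += $t
        Write-Host ('    protector {0}: {1}' -f $id, $ProtectorNames[$t])
    }

    # Defender check: a protected volume with no TPM-based protector has its key outside the hardware root.
    $hasTpm = @($types | Where-Object { $TpmBoundTypes -contains $_ }).Count -gt 0
    if ($prot -eq 1 -and -not $hasTpm) {
        Write-Warning ('{0} is protected but has no TPM key protector; the key is not bound to this hardware.' -f $vol.DriveLetter)
    } elseif ($prot -ne 1) {
        Write-Warning ('{0} is not protected by BitLocker (status: {1}).' -f $vol.DriveLetter, $ProtectionNames[$prot])
    }
}
```

Run it from an elevated prompt; the volume loop uses only array-safe constructs (`@(...)`, `-contains`) so it behaves the same on a volume with zero, one or several key protectors.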

Before you can encrypt your drive using BitLocker, you need two separate volumes. One is a small active (system) partition that remains unencrypted and contains the files necessary to start the computer. Ideally, it should be configured so that no data can be written to it. The larger volume will contain the Windows OS files and data; except for the boot sector and volume metadata, BitLocker encrypts this volume completely.
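A quick way to confirm that layout before enabling BitLocker is to check that the active partition, the one that will hold the unencrypted boot files, is not the same volume that holds Windows. The script below is an added example, not from the article or from Microsoft; it uses the standard Win32_OperatingSystem, Win32_DiskPartition and Win32_LogicalDiskToPartition WMI classes and assumes the BIOS/MBR layout of a Vista-era machine, where the bootable partition is marked active (the BootPartition flag).

```powershell
# Added example (not from the article): verify the two-volume layout BitLocker requires.
# Assumes an elevated prompt and a BIOS/MBR disk where the active partition carries BootPartition=True.

# The volume that holds Windows (for example "C:"); this is the volume BitLocker will encrypt.
$osDrive = (Get-WmiObject -Class Win32_OperatingSystem).SystemDrive

# The active (bootable) partition holds the boot files that must stay in the clear.
$activeParts = @(Get-WmiObject -Class Win32_DiskPartition | Where-Object { $_.BootPartition })
if ($activeParts.Count -eq 0) { Write-Warning 'WMI reports no active partition; cannot verify the layout.'; return }

$layoutOk = $true
foreach ($part in $activeParts) {
    # Map the partition to any drive letter it carries; a dedicated system partition may have none.
    # Braces are doubled because the string goes through the -f formatter.
    $query   = "ASSOCIATORS OF {{Win32_DiskPartition.DeviceID='{0}'}} WHERE AssocClass=Win32_LogicalDiskToPartition" -f $part.DeviceID
    $letters = @(Get-WmiObject -Query $query | ForEach-Object { $_.DeviceID })
    $sizeMB  = [math]::Round($part.Size / 1MB)
    $shown   = if ($letters.Count -gt 0) { [string]::Join(', ', $letters) } else { '(no drive letter)' }
    Write-Host ('{0}: {1} MB, {2}' -f $part.DeviceID, $sizeMB, $shown)

    # The active partition must not be the Windows volume itself.
    if ($letters -contains $osDrive) {
        Write-Warning ('The active partition is the Windows volume ({0}); BitLocker needs a separate unencrypted system partition.' -f $osDrive)
        $layoutOk = $false
    }
}
if ($layoutOk) { Write-Host ('Layout OK: Windows on {0}, boot files on a separate active partition.' -f $osDrive) }
```

On a machine that still has Windows and the boot files on one partition, the script emits the warning instead of the OK line; that is the case where the partition must be split before BitLocker can be turned on.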

CEO Takeaway
There are third-party products for full-disk encryption, such as Pointsec and the open-source TrueCrypt. But if you are deploying Microsoft Windows Vista, you can use BitLocker, its built-in disk encryption feature, to:

• prevent hackers from getting into data stored on hard drives;
• manage encryption settings via Active Directory and Group Policy Objects;
• use command-line scripting, which makes it an ideal choice for protecting data on Windows networks.
Tony Bradley, a Microsoft MVP (Most Valuable Professional) in Windows Security, is a computer security consultant with BT INS in Houston, Texas, and author of Essential Computer Security.