Apr 20 2010

5 Tips for Securing Your Users When Adopting BitLocker

While BitLocker To Go can help protect data in transit, make sure to establish security rules of the road specifically for your agency's users.

Privacy and security come front and center for IT every time an agency’s workers have to take confidential information offsite to work from home or while on the road.

For Windows Vista, Microsoft introduced BitLocker Drive Encryption, which reduces the risk that sensitive information will be compromised should a user’s notebook be lost or stolen. In Windows 7, Microsoft extends this feature with BitLocker To Go, which lets users encrypt USB flash drives and other USB removable storage devices to safeguard confidential information stored on the devices during transit.

Here are five best practices IT departments may want to consider before allowing the use of BitLocker To Go by users.

One: Educate Your Users.

Granted, agencies already have security policies, including ones written to meet the federal mandate to encrypt data in transit. But it is also wise to have a written security policy that explains what BitLocker To Go does and how to use it properly.

Be specific. Make sure users understand that BitLocker protects the data only while the drive is locked, so they should unlock BitLocker-protected flash drives only on computers they trust. If a user unlocks a protected drive on a compromised computer, malware on that computer can read every file on the drive and capture the password as it is typed, so any file opened there must be treated as compromised.

Two: Encrypt Before Use.

Ensure that users encrypt their flash drives before they copy any sensitive information onto these devices. Better yet, preconfigure the drives before enterprise distribution.

Flash drives are built from erasable memory cells that survive only a limited number of rewrite cycles. To extend their usable life, device makers use a process called wear-leveling, which spreads rewrites across the whole drive. A side effect is that a block the operating system believes it has overwritten may still exist in a spare cell the operating system cannot address, so encrypting a drive that already holds plain-text data does not reliably remove the old copies. If you encrypt drives before use, there is no plain text to leak in the first place.

Three: Use Group Policy.

Windows 7 provides half a dozen Group Policy settings for managing different aspects of BitLocker on removable storage devices, under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives. Administrators should familiarize themselves with these and then configure them appropriately for the specific user environment.

For example, if the agency does not want users to access data stored on encrypted drives from earlier versions of Windows, such as Vista or XP, disable the "Allow access to BitLocker-protected removable data drives from earlier versions of Windows" policy. With it disabled, a BitLocker-protected FAT-formatted drive cannot be unlocked on those older systems and the BitLocker To Go Reader is not installed on the drive. Leave the policy enabled only where there is a real business need to read the drives on older computers.

Four: Create a Recovery Policy.

An administrator needs to be able to recover data stored on a protected drive if the user forgets the password or loses his or her smart card. To do this, the administrator needs a recovery policy.

Some best practices, all of them options of the "Choose how BitLocker-protected removable drives can be recovered" policy, include: requiring BitLocker to generate both a recovery password and a recovery key; preventing users from specifying recovery options themselves when they enable BitLocker; storing recovery information in Active Directory Domain Services; and preventing users from encrypting drives until the recovery information has been saved there. Test the recovery path before rollout: confirm that an administrator can retrieve a drive's recovery password from Active Directory and unlock the drive with it.
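
As an added example (not code from this article, and not Microsoft's), the PowerShell script below applies the removable-drive settings that Tips Three and Four describe to a Windows 7 lab machine, then provisions a blank flash drive the way Tip Two recommends and checks its recovery protectors before the drive is issued. It makes several assumptions: the registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are quoted from the BitLocker policy template (VolumeEncryption.admx) as recalled, not from the article, and should be checked against the ADMX on your system; the drive letter and the recovery-key folder are placeholders; and the manage-bde output is parsed in its English form.

```powershell
# Added example; not code from the original article or from Microsoft.
# Applies, on a Windows 7 lab machine, the removable-drive policies that
# Tips Three and Four describe, then provisions a blank flash drive as
# Tip Two recommends and verifies its recovery protectors.
# Run from an elevated PowerShell prompt.
#
# ASSUMPTIONS (verify before use):
#  - Registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are
#    quoted from VolumeEncryption.admx as recalled, not from the article;
#    check them against the ADMX on your system. A domain GPO that sets the
#    same policies writes the same values and overrides these local ones.
#  - $Drive and $KeyStore are placeholders for your drive letter and the
#    folder where the .BEK recovery key file should be written.
#  - manage-bde output is parsed in its English form.

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Drive     = 'E:'
$KeyStore  = '\\fileserver\bitlocker-keys$'

function Set-FvePolicyValue {
    param([string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    New-ItemProperty -Path $FvePolicy -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Tip Three: "Allow access to BitLocker-protected removable data drives from
# earlier versions of Windows" set to Disabled, so drives encrypted here
# cannot be unlocked on XP or Vista.
Set-FvePolicyValue -Name 'RDVDiscoveryVolumeType' -Value '<none>' -Type String

# Tip Four: "Choose how BitLocker-protected removable drives can be recovered".
Set-FvePolicyValue -Name 'RDVRecovery'                     -Value 1 -Type DWord  # policy Enabled
Set-FvePolicyValue -Name 'RDVRecoveryPassword'             -Value 2 -Type DWord  # 2 = require 48-digit recovery password
Set-FvePolicyValue -Name 'RDVRecoveryKey'                  -Value 2 -Type DWord  # 2 = require 256-bit recovery key
Set-FvePolicyValue -Name 'RDVHideRecoveryPage'             -Value 1 -Type DWord  # users cannot pick recovery options
Set-FvePolicyValue -Name 'RDVActiveDirectoryBackup'        -Value 1 -Type DWord  # back up recovery info to AD DS
Set-FvePolicyValue -Name 'RDVActiveDirectoryInfoToStore'   -Value 1 -Type DWord  # 1 = passwords and key packages
Set-FvePolicyValue -Name 'RDVRequireActiveDirectoryBackup' -Value 1 -Type DWord  # no encryption until AD backup succeeds

# Tip Two: encrypt the blank drive before any data is copied to it.
manage-bde -on $Drive -RecoveryPassword -RecoveryKey $KeyStore

function Get-RecoveryProtectorIds {
    # Returns a hashtable of protector-type label -> protector GUID for the
    # two recovery protectors, parsed from "manage-bde -protectors -get".
    param([string]$Volume)
    $text = manage-bde -protectors -get $Volume | Out-String
    $ids  = @{}
    foreach ($label in 'Numerical Password', 'External Key') {
        if ($text -match "${label}:\s*ID:\s*(\{[0-9A-Fa-f-]+\})") { $ids[$label] = $Matches[1] }
    }
    return $ids
}

# Verification before the drive is issued: both protectors must exist, and
# the recovery password must be in AD (explicit backup, in case the policy
# above was not yet in force when the drive was encrypted).
$ids = Get-RecoveryProtectorIds $Drive
if ($ids.Count -ne 2) { throw "$Drive lacks a recovery password or recovery key protector; do not issue it." }
manage-bde -protectors -adbackup $Drive -id $ids['Numerical Password']
manage-bde -status $Drive
```

In production, set these policies in a domain GPO rather than writing the registry on each client; the local values above are for reproducing the encryption wizard's behaviour in a lab, and a GPO that sets the same policies overrides them. Store the .BEK file somewhere only administrators can read, and keep the recovery password itself in Active Directory, not on the drive or beside it.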

Five: Take Care with Smart Cards.

Smart cards are a strong way to authenticate, but the IT team must think through enabling their use for encrypting removable drives. The reason is that the certificate's public key and thumbprint are stored in unencrypted form within the BitLocker metadata on the drive, and this metadata lives on a FAT32 volume that BitLocker To Go creates. The metadata has to be readable before the drive can be unlocked, so anyone holding the drive can read it.

This volume is hidden on Windows 7 but visible on earlier Windows versions. Someone who steals the device could use the exposed certificate data to work out which certificate, and therefore which certificate authority, the agency uses. By itself this may not mean much, but it is a step toward a breach. Whichever protector is used, treat the drive's metadata as public and keep anything sensitive inside the encrypted volume.