BitLocker

bluegrass

Well-Known Member
My boss just bought 2 Surface 3's for use here in a domain environment. They did not have BitLocker turned on. I need to read up on how to use BitLocker. I assume that I can assign a password for BitLocker. If BitLocker is on, are files that are copied to an external source unencrypted? What if someone else breaks into the Surface with a logon or uses a utility to find the user's password? If they find the user's password and log in, can they see the files, or is there a second level of protection to prevent them from reading files?
 

bluegrass

Well-Known Member
OK. I just enabled BitLocker on one of the new Surfaces and after rebooting, I now see the lock on drive C. So how is this secure? I copied a file off to a thumb drive. It didn't ask me for a key. I could open the file on another computer, so obviously copying the file decrypts the file. When will my client ever need the BitLocker key?
 

jnjroach

Administrator
Staff member
BitLocker is full drive encryption used to protect the boot sequence. If you are logged in, the drive is accessible; if the system is in the S0iX, S4 or S5 power state and someone attempts to use some form of tool to access the drive (removed or through another means), it will appear to have no data and/or be encrypted.

Immutable laws of Security:

If the bad guy has the user's password, it is no longer your machine...

BitLocker Recovery is for rescuing the drive (such as repairing or re-imaging).

Since you are using these in an AD environment, you can configure ADMX-based GPOs to require a pre-boot PIN or even a USB key to successfully boot into a machine.
 

bluegrass

Well-Known Member
I'm a desktop support guy and don't do very much in AD. I would think creating both a pre-boot PIN and a USB key would be good. I'll do some research on how to do these. Thanks.
 

jnjroach

Administrator
Staff member
> I'm a desktop support guy and don't do very much in AD. I would think creating both a pre-boot PIN and a USB key would be good. I'll do some research on how to do these. Thanks.

One or the other, but not both, and verify that if you create images for the devices, the keyboard and/or USB port is accessible in pre-boot....
 

bluegrass

Well-Known Member
I've decided to remove BitLocker. I'm sure I don't understand very much about BitLocker, but it doesn't make sense to me on a Surface computer where you can't remove the SSD or memory and move them to another computer. Like you said, the real defense is the login password. If someone breaches the login password, BitLocker isn't going to protect your data from being stolen. Having all your data in Thai or some other language might slow them down a bit.

Here is a clip from Microsoft TechNet.
"TPM + PIN technically doesn’t really add security value on tablets like the Surface Pro 3 but if your security team insists that it should be used we definitely have that option for you!"

The option they talk about is being able to get to an on-screen keyboard during pre-boot to enter the PIN. I believe they said this wasn't possible prior to the SP3 and they only made it work for the security people that insisted on it.
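Added example, written for this thread and not code from any poster or from Microsoft: a PowerShell audit for the two points raised above, the GPO-enforced pre-boot PIN and the on-screen keyboard policy the TechNet clip refers to. It reports whether the OS volume unlocks by TPM alone or requires TPM+PIN, reads the FVE policy values the GPO writes, and escrows the recovery password to AD DS. Cmdlet, registry and value names are Microsoft's; it assumes an elevated session on a domain-joined Windows 8.1/10 device with the BitLocker module.

```powershell
# Added example, not from the thread. Audit BitLocker on the OS volume:
# does it unlock by TPM alone, or does it require a pre-boot PIN as the
# GPO discussed above would enforce? Run elevated; needs the BitLocker module.

$osDrive = $env:SystemDrive
$vol = Get-BitLockerVolume -MountPoint $osDrive

"{0}: VolumeStatus={1} ProtectionStatus={2} Method={3}" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

# Each key protector is one way to unlock the volume at boot or in recovery.
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
"Key protectors: " + ($types -join ', ')

if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
    "Pre-boot PIN in use: a lost device will not reach the Windows logon without it."
} elseif ($types -contains 'Tpm') {
    "TPM-only: the OS volume unlocks automatically, so only the Windows logon guards the data."
} else {
    "No TPM protector: the volume is not unlocked by the platform at boot."
}

# The 'Require additional authentication at startup' GPO writes these values
# under the FVE policy key: 0 = do not allow, 1 = require, 2 = allow.
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve -and $fve.UseAdvancedStartup -eq 1) {
    "Policy: UseTPMPIN={0} UseTPMKey={1}" -f $fve.UseTPMPIN, $fve.UseTPMKey
    # Tablets without a hardware keyboard also need the 'preboot keyboard input
    # on slates' policy (the TechNet point about an on-screen keyboard at pre-boot).
    if ($fve.OSEnablePrebootInputProtectorsOnSlates -ne 1) {
        "Warning: PIN/startup-key policy is set, but pre-boot input on slates is not enabled."
    }
} else {
    "Policy: no startup authentication policy applied (TPM-only default)."
}

# 'BitLocker Recovery' in the thread is the 48-digit recovery password protector.
# Escrow it in AD DS so a firmware or TPM change does not lock the user out.
$rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($rp.Count -gt 0) {
    # Needs the 'Store BitLocker recovery information in AD DS' policy on the domain.
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp[0].KeyProtectorId
    "Recovery password escrowed to AD for protector {0}" -f $rp[0].KeyProtectorId
}
```

The escrow step only succeeds when the AD DS backup policy is applied; otherwise the cmdlet errors and the rest of the report still stands.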
 

jnjroach

Administrator
Staff member
> I enabled BitLocker on mine; it's working well. No real slowdown issue.
> I think it does add value in case someone smashes your SP3 open, removes the mSATA (I am assuming this is what is inside) and hooks it up to a reader (http://www.amazon.com/ZTC-Enclosure-Adapter-Support-ZTC-EN002/dp/B00I4701O6/ref=pd_sxp_grid_pt_0_1); data can be copied off without your password. So I think it is very beneficial to enable it.

Agreed.... the lost tablet/laptop is one of the scariest things for anyone with sensitive data on their devices....
 

bluegrass

Well-Known Member
> I enabled BitLocker on mine; it's working well. No real slowdown issue.
> I think it does add value in case someone smashes your SP3 open, removes the mSATA (I am assuming this is what is inside) and hooks it up to a reader (http://www.amazon.com/ZTC-Enclosure-Adapter-Support-ZTC-EN002/dp/B00I4701O6/ref=pd_sxp_grid_pt_0_1); data can be copied off without your password. So I think it is very beneficial to enable it.

If I'm correct though, it doesn't provide any protection if someone is able to hack your password and get into the computer. I guess I could put it on for protection in your scenario, since it really doesn't impact my client, who will never really even know that his Surface is BitLockered. I had been installing TrueCrypt on all of our laptops until a few weeks ago, when that company went belly up and they said that TrueCrypt would no longer work.
 

jnjroach

Administrator
Staff member
> If I'm correct though, it doesn't provide any protection if someone is able to hack your password and get into the computer. I guess I could put it on for protection in your scenario, since it really doesn't impact my client, who will never really even know that his Surface is BitLockered. I had been installing TrueCrypt on all of our laptops until a few weeks ago, when that company went belly up and they said that TrueCrypt would no longer work.

If you were using TrueCrypt, it is just an alternative to BitLocker. As someone who has worked in computer forensics and security, under the lost laptop/tablet scenario what typically happens is: can I log into it? No. Can I scratch it and sell it? No. Can I rip the drive out and find some data? No...

Very few thieves will attempt a brute force attack...
 
puma

Member
> If I'm correct though, it doesn't provide any protection if someone is able to hack your password and get into the computer. I guess I could put it on for protection in your scenario, since it really doesn't impact my client, who will never really even know that his Surface is BitLockered. I had been installing TrueCrypt on all of our laptops until a few weeks ago, when that company went belly up and they said that TrueCrypt would no longer work.

Well, if you mean sitting and trying to log in over and over... sure... but how likely is that? That someone is going to guess your password?
 

wertzius

Member
It is not possible to really hack the password when BitLocker is activated, because the password files are encrypted also. Only a keylogger should be possible, but that is always the case! There is no 100% security.

If you lose the password, you lose the files. That is always the case!
 