CenterTools Software GmbH
© 2011
DriveLock and Windows 7
Copyright
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user.
© 2011 CenterTools Software GmbH. All rights reserved.
CenterTools and DriveLock and others are either registered trademarks or trademarks of CenterTools GmbH or its subsidiaries in the United States and/or other countries.
Introduction
Microsoft Windows 7 represents a big advance in the Windows family of operating systems. Many of the new features in Windows 7 will help organizations with the tasks of administering and securing their network environments. However, some of the new security features in Windows 7 only provide basic protection and are difficult to administer. When evaluating Windows 7, most organizations will find that Windows 7 alone does not provide the protection they need. For effective data encryption, device control and application control, organizations will still need to depend on third-party solutions, such as CenterTools DriveLock. This whitepaper compares the limited protection that is included in Windows 7 with the comprehensive protection mechanisms of DriveLock. This includes the following functionality:
Full Disk Encryption (BitLocker)
Device control
Removable media encryption (BitLocker To Go)
Application control (AppLocker)
Antivirus / Antimalware
Security Management
Full Disk Encryption
BitLocker is the Full Disk Encryption feature that is included with certain versions of Windows Vista and Windows 7. When configured correctly, BitLocker provides strong and effective protection for confidential data on internal hard drives. However, deployment is only feasible if all computers meet certain system requirements. Windows provides no central monitoring capabilities for BitLocker, and the sharing of pre-boot credentials among all users of a protected computer can significantly lower the security of data on shared computers.
The following table describes the most important differences between BitLocker and DriveLock Full Disk Encryption.
Hardware requirements
Windows 7: For effective use of BitLocker the computer must contain a Trusted Platform Module (TPM) chip. While BitLocker can be used without a TPM chip, such configurations are not recommended by Microsoft, are difficult to use and are less secure.
DriveLock: DriveLock requires no special hardware for Full Disk Encryption.

Supported client operating systems
Windows 7: Only included with certain expensive editions of Windows Vista and Windows 7.
DriveLock: Supported on all editions of Windows XP, Windows Vista and Windows 7.

Smart card and token support
Windows 7: Smart card and token authentication is not available during the pre-boot phase.

Hardware changes
Windows 7: With BitLocker and a TPM chip, Windows 7 interrupts the boot process when certain hardware changes are detected. This may even include removing a laptop computer from a docking station. An administrator must manually reconfigure TPM settings to re-enable the normal boot process.
DriveLock: DriveLock can alert users to certain hardware changes that may indicate compromised security. If the hardware change was legitimate, administrators can centrally disable these warnings and update the configuration to the current state of the hardware.

Pre-boot security
Windows 7: The disk encryption key is stored on a TPM chip and protected using a PIN that is specific to the computer. A user must enter the PIN before the disk can be accessed. Users who use multiple BitLocker-protected computers must remember several PINs. Any person who knows the PIN, including former employees, can access the computer indefinitely.
DriveLock: DriveLock supports up to 200 distinct users on each computer for pre-boot authentication. Users only need to remember their Windows credentials to authenticate. When employees leave the organization, pre-boot accounts can be removed to prevent further access to protected computers.

Single sign-on to Windows
Windows 7: Windows 7 requires users to authenticate twice, first during the pre-boot phase and then again at the Windows logon prompt.
DriveLock: DriveLock enables single sign-on. Users authenticate during the pre-boot phase using their Windows credentials and are then automatically logged on to Windows using the same credentials.

Emergency logon
Windows 7: When a user has lost access to the computer, temporary access can be granted using a 40-character key until an administrator changes the PIN for the TPM. Any person who knows this key will be able to access the computer indefinitely.
DriveLock: Using a challenge/response mechanism, an administrator can provide one-time logon credentials to a user who forgot a password. Once the user changes his or her password, regular logon procedures can be used again.

Dealing with corrupted disks
Windows 7: Many types of disk corruption can result in data that is permanently inaccessible or that requires lengthy and difficult procedures to decrypt the disk and restore access. Recovery is not possible if certain elements of the disk structure can no longer be read.

Central administration
Windows 7: Administrators can centrally configure some basic BitLocker settings using Group Policy. Configuring exceptions for some computers can be very difficult. Even if BitLocker is centrally administered, a local administrator must still manually configure the TPM for each computer and initiate the disk encryption.
DriveLock: DriveLock settings can be easily centrally configured using Group Policy. At the same time, it is very easy to create exceptions for some computers. Disk encryption can be initiated from a central location without requiring local access to the computer.

Central storage of recovery keys
Windows 7: An upgrade of the Active Directory operational mode and schema extensions may be required to store recovery keys in Active Directory. Helpdesk personnel must use domain administration tools to retrieve these keys.
DriveLock: Recovery keys can be stored in the DriveLock Enterprise Service and retrieved using intuitive helpdesk tools. No changes to Active Directory are required.

Monitoring
Windows 7: Windows contains no tools for efficiently monitoring the status of encrypted drives across the network.
DriveLock: The DriveLock Control Center provides visibility of the encryption status across the enterprise.

Remote Wipe
Windows 7: Windows provides no mechanism for remotely wiping a computer.
DriveLock: Administrators can mark a computer to be wiped. At the next connection of this computer to the DriveLock Enterprise Service, all user logon data is purged and the computer is shut down. A remote wipe prevents any use of the computer, even by individuals who know a valid user name and password; only administrators with access to a recovery certificate can still use the computer.
Full Disk Encryption Scenarios Not Supported By Windows 7
The following list contains just a few examples of common Full Disk Encryption requirements that DriveLock can easily enable, but that are impossible or impractical to configure with Windows 7:
Single sign-on using Windows credentials.
Sharing of computers with an encrypted hard disk by multiple users, while maintaining separate credentials for each user that can be revoked when a user leaves the organization.
One-time passwords for emergency logon.
Device Control
Windows 7 only provides rudimentary device control, which is difficult and tedious to administer. Rather than dynamically locking and unlocking devices for users based on a set of rules, Windows 7 restricts the installation of device drivers. This means that all required device drivers must be installed before device control is activated. Modifying rules at a later point is difficult or impossible. Also, granular rules are not available. Most rules apply broadly to certain device classes and the whitelisting of specific devices requires tedious editing of registry and Group Policy settings.
The following table compares Windows 7 device control to the more advanced device control capabilities of DriveLock.
Allow users to install only authorized devices
Windows 7: Requires administrators to manually create a list of allowed devices by installing them on a computer, recording hardware settings for each device, and then copying these settings into a GPO. This is not practical in an environment where multiple computer configurations are in use. Devices can only be controlled by model, but not based on device type or a specific serial number.
DriveLock: DriveLock can scan computers for installed devices and then allows administrators to use this data to create whitelist policies. Administrators normally don't have to track down hardware identifiers of each allowed device. More importantly, DriveLock can allow or deny access to entire device classes or allow access to a unique device based on its serial number.

Prevent installation of prohibited devices
Windows 7: Windows 7 can accomplish this, but excluding specific devices from a network is not a common scenario and is not practical. Devices that have already been installed can't be controlled.
DriveLock: As with rules that allow access, DriveLock can block access by device class, device serial number and user or group. Blocking takes effect even for devices that were installed before the policy is applied. Device information about prohibited drives can be collected from the Device Scanner database, so an administrator doesn't need to install the device on a computer and manually record the device information.

Control read and write permissions for removable media
Windows 7: Only allows administrators to allow or deny all access to several types of removable devices.

Auditing of device usage
Windows 7: Windows 7 can't do this.
DriveLock: DriveLock's Device Scanner, DriveLock Control Center and file shadowing capabilities satisfy the needs of most organizations for auditing device usage and collecting forensic evidence.

Temporary unlocking of devices to enable exceptions
Windows 7: Windows 7 can't do this.
DriveLock: DriveLock enables online and offline unlocking of devices for a fixed period of time. This enables help desk personnel to respond in situations where legitimate access to removable devices is needed even if the currently active policy denies this access.
Device Control Scenarios Not Supported By Windows 7
The following list contains just a few examples of common device control requirements that DriveLock can easily enable, but that are impossible or impractical to configure with Windows 7:
All users may use any USB-connected mouse or keyboard, but not removable storage devices.
Only administrators and help desk personnel are allowed to use removable storage devices.
No executable files may be copied from removable media to a corporate computer, except by administrators.
All data copied to USB flash drives must be encrypted.
Administrators need to be alerted when a user uses a removable device contrary to company policy.
Help desk personnel must be able to let a remote user copy a file to a USB flash drive even when the current policy normally prevents this.
Users should only be allowed to use company-issued USB flash drives.
Users should be allowed to listen to music CDs but they may not access CDs that contain data.
Removable Media Encryption
encrypted device. For end-user recovery, the user needs a recovery key that can be used to access a device indefinitely, even after the user has left the company. Encrypted device use cannot be monitored for compliance purposes.
The following table compares Windows 7 BitLocker To Go to the more advanced removable media encryption capabilities of DriveLock.
Encryption of mobile data
Windows 7: BitLocker To Go can transparently encrypt data on USB flash drives. However, there are limitations; for example, the only file system supported on the USB flash drive is FAT.
DriveLock: DriveLock can transparently encrypt all data copied to and from USB flash drives and other removable devices. DriveLock can also enforce that only encrypted devices can be used on a computer.

Universal access
Windows 7: Only read access to encrypted devices is possible on a Windows XP or Vista client.
DriveLock: DriveLock lets users create and access encrypted devices on computers running Windows XP or higher. With DriveLock Mobile, an encrypted USB drive can also be used outside of a DriveLock installation, for example at home.

Device support
Windows 7: Only USB media can be encrypted.
DriveLock: DriveLock can encrypt any type of removable media and includes a wizard to burn encrypted CDs and DVDs. Encrypted containers can also be created on internal hard drives.

Password recovery
Windows 7: When a user forgets the encryption password, a designated recovery agent can access the data. If recovery information was stored in Active Directory, a 40-character password recovery key can also be retrieved and provided to the user. Any person who knows this key will be able to access the computer indefinitely.
DriveLock: When a user forgets an encryption password, helpdesk personnel who have been provided with a recovery certificate can access the data. Using a challenge/response mechanism, an administrator can also provide a one-time code to allow a user to reset the password.

Monitoring
Windows 7: Windows 7 has no meaningful method for monitoring the use of storage devices, whether they are encrypted and what data is copied to these devices.
DriveLock: DriveLock includes extensive monitoring of encryption status, device use and file operations using the DriveLock Control Center.
Full read/write access to encrypted drives and media on computers running older versions of Windows
Encryption of writable optical media, such as CD-R and DVD-R
One-time codes for data recovery
Central monitoring and reporting of removable media encryption
Enforced encryption for certain drives while allowing other drives to remain unencrypted
Enforcing encryption for some users while allowing other users to access unencrypted media
Application Control
Application Control lets administrators control which applications users can start and prevents unauthorized applications from running on a computer. Windows 7 includes AppLocker, the much improved successor to the Software Restriction Policies that were available in earlier versions of Windows. When administrators define which applications are allowed to run on a Windows 7 computer, all other applications are automatically blocked. AppLocker can be effective for enforcing application use on highly standardized desktops that require only a few applications to run. However, it is not practical to manage this feature in the diverse computing environments that are typical of today's IT landscape.
The following table compares Windows 7 AppLocker to the more advanced application control capabilities of DriveLock.
System Requirements
Windows 7: Works only with Windows 7 and requires at least one Domain Controller running Windows Server 2008 R2. An upgrade of the Active Directory operational mode and schema extensions may be required.
DriveLock: Works on Windows XP, Windows Vista and Windows 7. There is no Active Directory or domain controller version requirement.

Defining which applications are allowed to run or prevented from running
Windows 7: Administrators can specify applications based on a software publisher, the hash of a specific file or a file location. Publisher rules are very flexible and can be used to allow all signed programs, all programs from the same software publisher, multiple software versions or just one specific version of one application. Application files in the same folder can be added to a rule in a single step.

Rule creation
Windows 7: All applications must be added manually to whitelists or blacklists. Even in a small network this can be a lengthy and tedious task.
DriveLock: DriveLock can scan a reference computer for all applications that are currently installed and automatically create a whitelist template that allows all of these applications to run. Applications can also be added from an online database containing hashes for over a million applications.

Maintaining application rules
Windows 7: Most new applications need to be manually added to the rules before users can run them. Software publisher rules can be configured so they don't need to be updated when a new version of the software is installed.
DriveLock: DriveLock rules that are based on software publisher certificates can also be configured to automatically allow updated versions of a program. In addition, file owner rules automatically allow newer applications to run if they were installed by an administrator or other designated user.

Granularity
Windows 7: Each set of AppLocker rules is enforced on all computers that a Group Policy Object applies to. The policy may contain separate permissions for different users and groups.
DriveLock: In addition to specifying permissions for users and groups, DriveLock policies allow for much more granularity. For example, policies may apply only when a computer is connected to a certain network or during certain times of the day.

Auditing and Monitoring
Windows 7: Successful and blocked attempts to start an application are recorded in the local Windows Event Log only.
DriveLock: The DriveLock Control Center lets administrators centrally audit application use on all client computers and create detailed reports.
Application Control Scenarios Not Supported By Windows 7
The following list contains just a few examples of common application control scenarios that DriveLock makes possible, but that are impossible or impractical to configure with Windows 7:
Automatically whitelisting all applications that are installed by designated administrators or service accounts
Blacklist or whitelist rules based on a company-wide database of applications
Rules based on an online database of millions of applications
Rules based on whitelist templates that include all executable files that are part of complex applications
Antivirus / Antimalware
Windows 7 has no built-in protection against viruses and many other types of malicious software. To be protected, organizations need to purchase, install and administer a separate product.
DriveLock contains fully integrated protection against viruses and other malicious software. DriveLock Antivirus requires minimal computer resources and has industry-leading detection rates. Administration and monitoring are tightly integrated with DriveLock’s other features.
Security Management
While each of the Windows 7 features described in this whitepaper can be centrally managed using Group Policy, administrators will have to become familiar with the intricacies of each component. Setting up the central storage of recovery keys is difficult and involves different steps for Full Disk Encryption and removable media encryption. Microsoft's tools for recovering these keys are unintuitive and limited. There is also no effective mechanism for central monitoring and reporting.
DriveLock uses an integrated console for configuring all settings and key recovery. This management console is intuitive and has been designed to guide administrators through most common tasks to prevent errors that could impact user productivity. The management console also contains powerful tools for troubleshooting policy enforcement. The DriveLock Control Center lets administrators create comprehensive reports on user activity and contains sophisticated drill-down functionality that enables forensic analysis.
Conclusion
Organizations that are very small or have an extremely limited hardware base may find that Windows 7 is sufficient for controlling device usage. However, CenterTools believes that Windows 7 does not address the device control and security requirements of the vast majority of companies and organizations. Furthermore, when using the features built into Windows 7, granular device control requires an inordinate amount of administrative resources. Organizations that migrate to Windows 7 will find that additional software is required to provide effective and meaningful control of mobile devices.