Best Practices for BitLocker in Windows 7

Applies To: Windows 7, Windows Server 2008 R2

We recommend that you familiarize yourself with the best practices in the following areas so that you can implement them appropriately in your deployment plan:

  • BitLocker Group Policy settings

  • BitLocker operations

BitLocker Group Policy settings

There are four categories of Group Policy settings available for BitLocker Drive Encryption:

  • Global settings that affect all BitLocker-protected drives

  • Operating system drive settings

  • Fixed data drive settings

  • Removable data drive settings

The following table identifies the policy settings that we recommend for use with your BitLocker deployment. Policies should be applied to computers based on the level of protection needed, the unlock methods desired, and the recovery methods desired.

Note

This table does not include all available BitLocker Group Policy settings. See the BitLocker Group Policy Reference for a complete list of BitLocker Group Policy settings. Some settings cannot be applied to computers running Windows Vista.

Settings by category (setting name: recommended setting)

Global

  • Choose drive encryption method and cipher strength: Set to not configured.

  • Prevent memory overwrite on restart: Set to not configured.

  • Provide the unique identifiers for your organization: Set to enabled, and enter an identifier in the BitLocker identification field.

Operating system drives

  • Choose how BitLocker-protected operating system drives can be recovered: Set to enabled, save BitLocker recovery information to Active Directory Domain Services (AD DS) for operating system drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for operating system drives, and omit recovery options from the BitLocker setup wizard. For more information about storing BitLocker recovery information in AD DS, see Backing Up BitLocker and TPM Recovery Information to AD DS.

  • Configure minimum PIN length for startup: Set to enabled, and require a personal identification number (PIN) of at least seven numerals.

  • Require additional authentication at startup: Set to enabled, and require the use of a startup PIN with a Trusted Platform Module (TPM).

Fixed data drives

  • Choose how BitLocker-protected fixed drives can be recovered: Set to enabled, save BitLocker recovery information to AD DS for fixed data drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for fixed data drives, and omit recovery options from the BitLocker setup wizard.

  • Configure use of passwords for fixed data drives: If your organization does not have a public key infrastructure (PKI), set to enabled, require password complexity, and set a minimum password length of at least 12 characters.

  • Configure use of smart cards on fixed data drives: If your organization has a PKI, set to enabled, and require the use of smart cards with fixed data drives.

Removable data drives

  • Choose how BitLocker-protected removable drives can be recovered: Set to enabled, save BitLocker recovery information to AD DS for removable data drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for removable data drives, and omit recovery options from the BitLocker setup wizard.

  • Configure use of passwords for removable data drives: Set to enabled, set a minimum password length of at least 12 characters, and require password complexity if your organization does not have a PKI or if there is a need to access BitLocker-protected drives from computers running Windows XP or Windows Vista.

  • Configure use of smart cards on removable data drives: Set to enabled, and require the use of smart cards with removable data drives if your organization has a PKI.

  • Control use of BitLocker on removable drives: Set to enabled, and allow users to apply BitLocker protection on removable drives.

  • Deny write access to removable data drives not protected by BitLocker: Set to enabled, and disallow write access to devices configured in another organization.

    Note
    This policy cannot be enabled if your organization uses recovery keys or startup keys. Recovery keys and startup keys must be stored on unencrypted USB drives.

Security Note
The computer name and drive label are stored unencrypted in the BitLocker metadata. If the computer name or drive labels contain personal or other identifying information, it will be exposed in plaintext on the drive. Additionally, if a smart card certificate is used with BitLocker, the public key and certificate thumbprint are stored unencrypted in the BitLocker metadata. A malicious user could use this information to locate the certification authority (CA) that was originally used to generate the certificate and could then attempt to extract personal information from the CA.
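Group Policy writes the BitLocker settings above as values under HKLM\SOFTWARE\Policies\Microsoft\FVE, so whether the recommended configuration actually reached a computer can be checked locally. The following script is an added example written for this page, not code from Microsoft or from the BitLocker documentation. The registry value names and the numeric meanings (0, 1, 2 for do not allow, allow, require, and 1 for "recovery passwords and key packages") are an assumed reading of VolumeEncryption.admx; confirm them against the ADMX file in your own environment before treating the report as authoritative.

```powershell
# Audit-BitLockerPolicy.ps1 (added example; value names assumed from VolumeEncryption.admx)
# Compares the BitLocker policy values that Group Policy has applied with the
# recommended settings from the table above and reports every mismatch.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Values expected once the recommended policies have applied.
# For the *Recovery* and UseTPM* values: 0 = do not allow, 1 = allow, 2 = require.
$expected = @{
    # Provide the unique identifiers for your organization (enabled, with an ID)
    'IdentificationField'             = 1
    # Choose how OS drives can be recovered: AD DS backup, passwords + key packages,
    # require backup before enabling, hide recovery options in the wizard
    'OSRecovery'                      = 1
    'OSHideRecoveryPage'              = 1
    'OSActiveDirectoryBackup'         = 1
    'OSActiveDirectoryInfoToStore'    = 1   # assumed: 1 = passwords and key packages
    'OSRequireActiveDirectoryBackup'  = 1
    # Configure minimum PIN length for startup (at least seven numerals)
    'MinimumPIN'                      = 7
    # Require additional authentication at startup (TPM + PIN required)
    'UseAdvancedStartup'              = 1
    'UseTPMPIN'                       = 2
    # Fixed data drives: same recovery options as the OS drive
    'FDVRecovery'                     = 1
    'FDVHideRecoveryPage'             = 1
    'FDVActiveDirectoryBackup'        = 1
    'FDVActiveDirectoryInfoToStore'   = 1
    'FDVRequireActiveDirectoryBackup' = 1
    # Removable data drives: recovery options, users may turn BitLocker on,
    # deny write access to unprotected and foreign-organization drives
    'RDVRecovery'                     = 1
    'RDVHideRecoveryPage'             = 1
    'RDVActiveDirectoryBackup'        = 1
    'RDVActiveDirectoryInfoToStore'   = 1
    'RDVRequireActiveDirectoryBackup' = 1
    'RDVAllowBDE'                     = 1
    'RDVDenyWriteAccess'              = 1
    'RDVDenyCrossOrg'                 = 1
}

# Settings the table says to leave Not Configured: the values must be absent.
$mustBeAbsent = @('EncryptionMethod', 'MorBehavior')

# Password length for fixed/removable drives is only required when there is no
# PKI, so an absent value is fine; a present value must be at least 12.
$minPassphrase = @{ 'FDVPassphraseLength' = 12; 'RDVPassphraseLength' = 12 }

function Test-BitLockerPolicy {
    if (-not (Test-Path $fve)) {
        Write-Warning "No BitLocker policy has applied ($fve is missing)."
        return @()
    }
    $actual = Get-ItemProperty -Path $fve
    $findings = @()

    foreach ($name in $expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) {
            $findings += "$name is not configured (expected $($expected[$name]))"
        } elseif ($value -ne $expected[$name]) {
            $findings += "$name is $value (expected $($expected[$name]))"
        }
    }
    foreach ($name in $mustBeAbsent) {
        if ($null -ne $actual.$name) {
            $findings += "$name is set to $($actual.$name) (recommended: not configured)"
        }
    }
    foreach ($name in $minPassphrase.Keys) {
        $value = $actual.$name
        if ($null -ne $value -and $value -lt $minPassphrase[$name]) {
            $findings += "$name is $value (minimum recommended is $($minPassphrase[$name]))"
        }
    }
    # The identification string is what lets the "deny cross-organization"
    # policy tell your drives from foreign ones, so it must not be empty.
    if ([string]::IsNullOrEmpty($actual.IdentificationFieldString)) {
        $findings += 'IdentificationFieldString is empty'
    }
    return $findings
}

$findings = Test-BitLockerPolicy
if ($findings.Count -eq 0) {
    Write-Output 'All checked BitLocker policy values match the recommended settings.'
} else {
    $findings | ForEach-Object { Write-Output "MISMATCH: $_" }
}
```

Run it from an elevated PowerShell prompt after a gpupdate; an empty findings list means the computer received the recommended configuration, while "not configured" findings usually point at a GPO that is not linked or not applying to that computer.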

BitLocker operations

These are general operational recommendations for organizations that are planning to use BitLocker in their environment.

Recommended practices and the reason for each

  • Provide end-user training before requiring BitLocker use on desktop and mobile computers.

    Reason: Using BitLocker to protect drives will require users to change how they interact with their computers. For example, if you decide to require a startup PIN and USB key to unlock the operating system drive, instruct users not to record the PIN that they use for BitLocker authentication in an easily accessed location, such as a note under the keyboard or inside a laptop case, and not to leave a USB flash drive containing the startup key connected to the computer or stored in the same location as the computer. Create policies for the use of recovery keys and inform users of the recovery process decided upon for your organization. If you plan to use password protection for BitLocker on removable drives, inform users of the password requirements in advance so that they can prepare a strategy for remembering their passwords before they configure BitLocker.

  • Use multifactor authentication on operating system drives.

    Reason: Using multifactor authentication increases drive security. Operating system drives can be authenticated by using any of the following key protector combinations:

      • TPM (version 1.2) and PIN

      • TPM and startup key stored on a USB flash drive

      • TPM, startup key, and PIN

  • Store recovery information in AD DS.

    Reason: If you store recovery information on an NTFS hard drive, untrusted individuals who gain access to that hard drive might obtain the recovery information and use it to unlock the BitLocker-protected drive. When recovery information is stored in AD DS, a user must be authenticated by the domain as a data recovery agent to obtain the recovery information for the drive.

  • Suspend and resume BitLocker protection immediately following recovery of an operating system drive.

    Reason: When access to an operating system drive is recovered, the recovery key is stored unencrypted on the hard disk, and the drive will be unprotected until you suspend and resume BitLocker.

  • Disable the use of standby mode for portable computers if you are using BitLocker on operating system drives. To do this, open the Local Group Policy Editor. Under Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings, set Allow Standby States (S1-S3) When Sleeping (Plugged In) to Disabled, and then set Allow Standby States (S1-S3) When Sleeping (On Battery) to Disabled.

    Reason: BitLocker protection is in effect only when the computer is turned off or in hibernation.

  • If there is any concern that BitLocker keys have been compromised, either format the drive to remove all instances of the BitLocker metadata from the drive or decrypt and encrypt the entire drive again.

    Note
    Deleting the partition by using the Virtual Disk service does not invalidate the BitLocker metadata.

    Reason: The BitLocker metadata must be removed before new BitLocker keys will be created.

  • Encrypt drives prior to writing sensitive data to them when possible.

    Reason: Some wear-leveling algorithms used by flash-based memory drives could expose data stored in plaintext. Encrypting the drive prior to writing sensitive data to it ensures the data is never stored in plaintext.

  • Suspend BitLocker before making any major computer configuration changes (such as changing locales, installing a language pack, modifying the boot order, or updating the BIOS), and then resume BitLocker protection after the changes are complete.

    Reason: Configuration changes that apply to the entire computer often change the boot configuration data (BCD) settings. If you are using a TPM with BitLocker, this is interpreted as a boot attack on reboot and the computer will require that the user enter the recovery password or recovery key to start the computer. Suspending and then resuming BitLocker protection resets the BCD measurement for the computer so BitLocker recovery mode is not initiated when the computer is restarted.
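Several of the practices above (suspend and resume around a configuration change, suspend and resume right after a recovery, store recovery information in AD DS, and disable standby by policy) are carried out with manage-bde.exe and the registry on a Windows 7 computer. The script below is an added example written for this page, not code from Microsoft or from the BitLocker documentation. It assumes English manage-bde output, the Windows 7 manage-bde switches (-protectors with -disable, -enable, -get and -adbackup), and a registry location for the "Allow Standby States (S1-S3) When Sleeping" policy that is the author's reading of the power-management ADMX; verify both against your own system before relying on it.

```powershell
# BitLockerOperations.ps1 (added example; manage-bde output format and the
# standby policy registry path are assumptions, see the comments below)

function Get-BitLockerProtectionState {
    param([string]$Drive = 'C:')
    # Returns the value of the "Protection Status" line, e.g. "Protection On".
    foreach ($line in (& manage-bde.exe -status $Drive)) {
        if ("$line" -match '^\s*Protection Status:\s*(.+)$') { return $Matches[1].Trim() }
    }
    throw "Could not read the BitLocker status of $Drive"
}

function Invoke-WithBitLockerSuspended {
    param(
        [Parameter(Mandatory = $true)][scriptblock]$Change,
        [string]$Drive = 'C:'
    )
    # Suspend (disable the key protectors), run the change, then resume so the
    # measurement is taken against the new boot configuration and the next
    # restart does not drop into recovery. Passing an empty scriptblock gives
    # the "suspend and resume immediately after recovery" practice.
    & manage-bde.exe -protectors -disable $Drive | Out-Null
    try {
        & $Change
    } finally {
        & manage-bde.exe -protectors -enable $Drive | Out-Null
        $state = Get-BitLockerProtectionState -Drive $Drive
        if ($state -notmatch 'On') {
            Write-Warning "BitLocker did not resume on $Drive (state: $state); resume it manually."
        }
    }
}

function Backup-BitLockerRecoveryPasswordToAd {
    param([string]$Drive = 'C:')
    # "manage-bde -protectors -get" lists each "Numerical Password:" protector
    # with its "ID: {GUID}" on a following line (assumed English layout); every
    # recovery password protector found is backed up to AD DS.
    $ids = @()
    $inNumericalPassword = $false
    foreach ($line in (& manage-bde.exe -protectors -get $Drive)) {
        if ("$line" -match 'Numerical Password:') { $inNumericalPassword = $true; continue }
        if ($inNumericalPassword -and "$line" -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $ids += $Matches[1]
            $inNumericalPassword = $false
        }
    }
    if ($ids.Count -eq 0) {
        throw "No recovery password protector on $Drive; add one with: manage-bde -protectors -add $Drive -RecoveryPassword"
    }
    foreach ($id in $ids) {
        & manage-bde.exe -protectors -adbackup $Drive -id $id | Out-Null
    }
    return $ids
}

function Test-StandbyDisabledByPolicy {
    # Assumed registry location of "Allow Standby States (S1-S3) When Sleeping";
    # the plugged-in (AC) and on-battery (DC) indexes must both be 0 (Disabled).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return ($p.ACSettingIndex -eq 0) -and ($p.DCSettingIndex -eq 0)
}

# Example use from an elevated prompt ('C:\Temp\BiosUpdate.exe' is a placeholder
# for the vendor's update tool):
# Invoke-WithBitLockerSuspended -Drive 'C:' -Change { & 'C:\Temp\BiosUpdate.exe' /quiet }
# Invoke-WithBitLockerSuspended -Drive 'C:' -Change { }      # right after a recovery
# Backup-BitLockerRecoveryPasswordToAd -Drive 'C:'
# if (-not (Test-StandbyDisabledByPolicy)) { Write-Warning 'Standby is not disabled by policy.' }
```

The resume step sits in a finally block so that a failing BIOS or language-pack installer cannot leave the drive suspended, and the state check afterwards catches the case where manage-bde returned without actually re-enabling the protectors.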