Lesson 18: Configuring Security for Mobile Devices
MOAC 70-687: Configuring Windows 8.1
Securing Your Mobile Devices
2013 John Wiley & Sons, Inc.
Overview
Exam Objective 5.3: Configure security for mobile devices
o Configure BitLocker and BitLocker To Go
o Configure startup key storage

Configuring BitLocker
Although Windows 7 required you to configure BitLocker after the operating system was installed, Windows 8/8.1 can enable BitLocker before the operating system is deployed (pre-provisioning from Windows PE). It also introduces two options for encrypting the disk:
o Encrypt used disk space only: fastest on a newly deployed drive, because free sectors are skipped. On a drive that has previously held data, remnants of deleted files in that free space remain readable, so this option is only appropriate for new deployments.
o Encrypt the entire drive: encrypts every sector, including free space. Choose this for any drive that is already in use.

Configuring BitLocker
In Windows 8.1, you must be a member of the Administrators group to configure BitLocker. By default, non-administrative users can change the BitLocker Personal Identification Number (PIN) or password for operating system and fixed data volumes; the Group Policy setting "Disallow standard users from changing the PIN or password" removes that ability. The PIN is a 4- to 20-digit number you choose and must enter each time you start the system; the TPM releases the drive's key only when the PIN is correct and the measured boot environment is unchanged.

Understanding BitLocker Requirements
To use BitLocker, you need to understand:
o How startup and recovery keys are used
o What to do if you lose them

BitLocker Startup Key
When you first enable BitLocker on the operating system drive, you choose how the drive will be unlocked at startup. A startup key is a key file saved to a USB flash drive that must be inserted every time the system boots. On a computer with a TPM, the TPM can hold the unlock secret instead, either alone or combined with a startup key and/or a PIN (the PIN is the usual alternative to carrying a startup key). None of these protectors encrypts the data directly: each one unlocks the volume's encryption key, and that key decrypts the drive.

BitLocker Recovery Key
BitLocker enters recovery mode, and the normal protectors no longer unlock the drive, when you lose the startup key, move the drive to another system, or the TPM detects that the boot environment has changed (for example after a firmware update, a boot-order change, or tampering). The recovery key is then the only way in. Windows generates it as a 48-digit recovery password that can be saved to a USB drive, saved to a folder on another drive, or printed; on a domain-joined computer it can also be backed up to Active Directory Domain Services.
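The lesson describes the startup and recovery protectors in terms of the control panel wizard. The following PowerShell script is an added example (it is not part of the MOAC text and is not Microsoft's own sample) that performs the same procedure with the BitLocker module shipped in Windows 8.1: it checks the prerequisites, adds a 48-digit recovery password and backs it up before encryption starts, then enables a TPM+PIN protector (or TPM+startup key) and encrypts used space only. The drive letters (C: for the OS volume, E: for a USB drive that receives the recovery password copy or the startup key) are assumptions, as is a domain policy that permits backing up recovery information to AD DS.

```powershell
#Requires -RunAsAdministrator
# Added example: enable BitLocker on the OS drive from an elevated PowerShell
# prompt on Windows 8.1 (BitLocker and TrustedPlatformModule modules).
# Assumptions: OS volume is C:, E:\ is a removable drive you control, the TPM
# is present and ready, and Group Policy allows AD DS backup of recovery info.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$OsDrive            = 'C:'
$RecoveryBackupPath = 'E:\'     # assumed USB drive for the saved recovery password
$UseStartupKey      = $false    # $true = TPM + startup key on USB instead of TPM + PIN
$StartupKeyPath     = 'E:\'     # assumed USB drive that will hold the .BEK startup key

function Test-BitLockerPrereqs {
    param([string]$DriveLetter)
    $letter = $DriveLetter.TrimEnd(':')

    # TPM-based protectors need a TPM that is present and initialized.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM not present or not ready: initialize it, or use a startup-key-only protector.'
    }

    # The OS volume must be NTFS.
    $vol = Get-Volume -DriveLetter $letter
    if ($vol.FileSystem -ne 'NTFS') { throw "OS volume must be NTFS, found '$($vol.FileSystem)'." }

    # A separate, unencrypted system partition is required to boot from.
    $disk = (Get-Partition -DriveLetter $letter).DiskNumber
    if ((Get-Partition -DiskNumber $disk | Measure-Object).Count -lt 2) {
        throw "Disk $disk has a single partition; BitLocker needs a separate system partition."
    }
}

function Read-StartupPin {
    # BitLocker accepts a 4- to 20-digit PIN by default. Length is checked on the
    # SecureString so the PIN is never held as plain text in this script.
    do {
        $pin = Read-Host -Prompt 'Startup PIN (4-20 digits)' -AsSecureString
    } until ($pin.Length -ge 4 -and $pin.Length -le 20)
    return $pin
}

Test-BitLockerPrereqs -DriveLetter $OsDrive

# 1. Add the recovery password protector BEFORE encryption starts, so there is
#    always a way back in if the TPM, PIN or startup key is lost.
$null = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$recovery = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1

# Escrow the recovery password to AD DS and keep an offline copy on the USB drive.
# The text file must leave the machine; never store it on the encrypted volume.
Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $recovery.KeyProtectorId
if (Test-Path $RecoveryBackupPath) {
    "Recovery key ID: $($recovery.KeyProtectorId)`r`nRecovery password: $($recovery.RecoveryPassword)" |
        Set-Content -Path (Join-Path $RecoveryBackupPath 'BitLocker-Recovery.txt')
}

# 2. Startup protector. -UsedSpaceOnly suits a freshly deployed drive; remove it
#    for a drive that has held data, so old deleted files in free space are
#    encrypted too. Aes256 is available on Windows 8.1 and later.
if ($UseStartupKey) {
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes256 -UsedSpaceOnly `
        -TpmAndStartupKeyProtector -StartupKeyPath $StartupKeyPath
} else {
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes256 -UsedSpaceOnly `
        -TpmAndPinProtector -Pin (Read-StartupPin)
}

# 3. Verify. ProtectionStatus stays Off until the hardware test passes on the
#    next restart; EncryptionPercentage then climbs in the background.
Get-BitLockerVolume -MountPoint $OsDrive | Format-List MountPoint, VolumeStatus,
    ProtectionStatus, EncryptionPercentage,
    @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Run it once, restart when prompted so the TPM hardware test can confirm that the PIN (or startup key) unlocks the drive, then re-run the final `Get-BitLockerVolume` line: it should report a `TpmPin` (or `TpmStartupKey`) protector alongside the `RecoveryPassword` protector and `ProtectionStatus : On`.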
Enabling BitLocker on Operating System Drives
To support BitLocker Drive Encryption on the drive that contains your operating system, you need the following:
o Two partitions: an unencrypted system partition holding the boot files, and the operating system partition that BitLocker encrypts
o New Technology File System (NTFS) on the operating system partition
o TPM-compatible BIOS/UEFI firmware (or, for a startup-key-only configuration, firmware that can read a USB flash drive at boot)

Figure: Configuring BitLocker to require a startup key and a startup PIN

Turn on BitLocker and Encrypt the Operating System Drive
Figure: Reviewing the BitLocker Drive Encryption control panel
Figure: Reviewing the status of the encryption process
Figure: Confirming the drive has been encrypted and reviewing additional options

Configuring BitLocker To Go
BitLocker To Go is BitLocker Drive Encryption for removable data drives. Once a drive is encrypted, it must be unlocked with a password or with a smart card and its PIN. To use BitLocker To Go, insert the removable drive and open the BitLocker Drive Encryption control panel application.

Figure: Reviewing removable data drives

Controlling BitLocker To Go Behavior
To control BitLocker To Go behavior for Windows 8.1 computers in a domain:
o Use the Group Policy Management console to create a policy.
o Link it to the appropriate organizational unit (OU) in the Active Directory domain.
o Edit the Removable Data Drives section of the policy (Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives).
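The BitLocker To Go procedure above is shown through the control panel. The following PowerShell script is an added example (not part of the MOAC text) that does the same from the command line: it reports whether the "Deny write access to removable drives not protected by BitLocker" policy is in effect on this computer, encrypts a removable drive with a password protector plus a recovery password, waits for encryption to finish, then locks the drive and unlocks it again with the password. The drive letter E: and the interactive password prompt are assumptions; the registry value read for the policy is the one Group Policy writes for that setting.

```powershell
#Requires -RunAsAdministrator
# Added example: BitLocker To Go on a removable drive from PowerShell
# (Windows 8.1 BitLocker module). Assumptions: the drive is mounted as E:,
# nothing on it is needed while encryption runs, and the password is typed in.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$Removable = 'E:'

function Get-RemovableWritePolicy {
    # Group Policy stores "Deny write access to removable drives not protected
    # by BitLocker" under the FVE policy key (1 = enabled). Missing = not configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $v = Get-ItemProperty -Path $key -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'NotConfigured' }
    if ($v.RDVDenyWriteAccess -eq 1) { return 'Enabled' } else { return 'Disabled' }
}

function Read-DrivePassword {
    # The default password policy for removable drives requires 8 characters;
    # enforcing it here avoids a failed Enable-BitLocker call.
    do {
        $p = Read-Host -Prompt 'Drive password (8+ characters)' -AsSecureString
    } until ($p.Length -ge 8)
    return $p
}

function Wait-BitLockerEncryption {
    param([string]$MountPoint)
    do {
        Start-Sleep -Seconds 5
        $v = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Progress -Activity "Encrypting $MountPoint" `
            -Status "$($v.EncryptionPercentage)%" -PercentComplete $v.EncryptionPercentage
    } while ($v.VolumeStatus -eq 'EncryptionInProgress')
    return $v
}

"Deny-write policy for unprotected removable drives: $(Get-RemovableWritePolicy)"

# Refuse to run against anything that is not a removable drive.
$letter = $Removable.TrimEnd(':')
if ((Get-Volume -DriveLetter $letter).DriveType -ne 'Removable') {
    throw "$Removable is not a removable drive."
}

$vol = Get-BitLockerVolume -MountPoint $Removable
if ($vol.ProtectionStatus -eq 'On') {
    "$Removable is already protected by BitLocker To Go."
} else {
    # Recovery password first, so a forgotten drive password is not data loss.
    $null = Add-BitLockerKeyProtector -MountPoint $Removable -RecoveryPasswordProtector
    $recovery = (Get-BitLockerVolume -MountPoint $Removable).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    "Store this recovery password offline: $($recovery.RecoveryPassword)"

    # Password protector; used-space-only is acceptable for a freshly formatted drive.
    Enable-BitLocker -MountPoint $Removable -PasswordProtector -Password (Read-DrivePassword) `
        -EncryptionMethod Aes128 -UsedSpaceOnly
    $vol = Wait-BitLockerEncryption -MountPoint $Removable
}

# Lock the drive (dismounting open handles), then unlock it with the password,
# which is what a user does when the drive is plugged into another PC.
Lock-BitLocker -MountPoint $Removable -ForceDismount
Unlock-BitLocker -MountPoint $Removable -Password (Read-Host -Prompt 'Password to unlock' -AsSecureString)

Get-BitLockerVolume -MountPoint $Removable | Format-List MountPoint, VolumeStatus,
    ProtectionStatus, LockStatus,
    @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

If the policy check prints `Enabled`, a removable drive that is not yet protected mounts read-only on this computer until the user encrypts it, which is the behaviour the domain settings in the next slide are designed to enforce.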
Controlling BitLocker To Go Behavior
Policy settings in the Removable Data Drives section:
o Control use of BitLocker on removable drives
o Configure use of smart cards on removable data drives
o Deny write access to removable drives not protected by BitLocker (unprotected drives mount read-only until the user encrypts them)
o Configure use of hardware-based encryption for removable data drives
o Allow access to BitLocker-protected removable data drives from earlier versions of Windows
o Configure use of passwords for removable data drives
o Choose how BitLocker-protected removable drives can be recovered

Lesson Summary
BitLocker Drive Encryption and BitLocker To Go are features of Windows 8.1 that protect drives and volumes using encryption. BitLocker Drive Encryption can encrypt used disk space only or the entire drive. It can be used with fixed data drives, operating system drives, and removable drives. Five authentication methods can be used to protect the operating system drive: TPM + startup PIN + startup key, TPM + startup key, TPM + startup PIN, startup key only, and TPM only.

Lesson Summary
To support BitLocker Drive Encryption on the drive that contains the operating system, you need two partitions formatted with NTFS and a TPM-compatible BIOS, or BIOS firmware that supports booting from a USB flash drive. The Local Group Policy Editor can be used to manage BitLocker policies on a local machine, whereas the Group Policy Management console is used to create policies that are enforced across the entire organization. BitLocker To Go is BitLocker Drive Encryption for removable data drives. To unlock a removable data drive, you need either a password or a smart card with its PIN.

Copyright 2013 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that named in Section 117 of the 1976 United States Copyright Act without the express written consent of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein.