What's the question? Offline protection for DAR (Data At Rest)? That's one of the big things I do for my customers, and as the onsite MSFT employee I tend to be looked to as the resident expert.
Offline systems can completely function with no connection to the Internet if you perform a phone-based activation. Just call in and the activation can be completed with no web connection. No worries there. There are CAC-based activation solutions that are available only to the DOD customers that have a certain support agreement with Microsoft. But nothing available on a "personal" level. So the phone-based activation is pretty much the best solution for a completely disconnected system. Or better yet, just connect long enough to activate, then presto you are done with the online connection.
DAR needs several considerations. You can use the built-in EFS (Encrypting File System) which is certificate-based, so you don't have to deal with pass phrases. Certificate authentication is the de facto standard for data protection. There are some considerations as you must do it correctly. Do it wrong and all these so-called "exploits" can be used to access the data. The MSFT BBP (Best Business Practice) guides describe how to do it, so you can at least have the how-to data deployment. But I'm starting to ramble.
BitLocker, another built-in tool, can protect a laptop, USB drive, etc. by whole system encryption. Again, several considerations as you must have a TPM in the BIOS (essentially a smartcard built into the motherboard). The most secure deployment of BitLocker utilizes TPM + PIN, meaning you must interact with the system at boot to get into it. The "exploits" that are on the Internet are directed against systems that do not utilize TPM + PIN, rather TPM-only implementations. Very interesting to see the exploits in action (I think on the Cambridge .edu website) which underscore the need to have a properly implemented deployment. Again, I'm starting to blather....
Bottom line - EFS can protect data on a per-folder basis. BitLocker can protect an entire disk (intended for laptops etc). Properly implemented, both will provide a very robust data protection solution. I can talk all over the details if you need them, but the information is available on the MSFT website.
And before the ABM people (Anything But Microsoft) start dissing the solutions, keep in mind that a proper implementation will not suffer the effects of these so-called "exploits".
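
An added example, not part of the original post: a PowerShell audit that separates TPM-only BitLocker OS volumes from TPM + PIN ones, the distinction the post draws. It reads `Get-BitLockerVolume` when the BitLocker module is present; the helper name `Get-PreBootAuthFinding` and the sample volumes are constructed for illustration.

```powershell
# Added example (not from the original post). Get-PreBootAuthFinding is a
# hypothetical helper name; the sample volumes further down are constructed.
function Get-PreBootAuthFinding {
    param([Parameter(ValueFromPipeline)] $Volume)
    process {
        # Protector names follow the BitLocker module's KeyProtectorType enum.
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        # Later checks override earlier ones, so the most important fact wins.
        $finding = 'No TPM protector'
        if ($types -contains 'Tpm')           { $finding = 'TPM-only, boots without user interaction' }
        if ($types -contains 'TpmStartupKey') { $finding = 'TPM + startup key, no PIN' }
        if ($types -match '^TpmPin(StartupKey)?$') { $finding = 'TPM + PIN' }
        if ("$($Volume.ProtectionStatus)" -ne 'On') { $finding = 'Protection off or suspended' }

        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Protectors = $types -join ', '
            Finding    = $finding
            Compliant  = ($finding -eq 'TPM + PIN')
        }
    }
}

# Constructed sample volumes, used when the BitLocker cmdlets are unavailable.
function New-SampleVolume($Mount, $Status, [string[]]$Protectors) {
    [pscustomobject]@{
        MountPoint       = $Mount
        VolumeType       = 'OperatingSystem'
        ProtectionStatus = $Status
        KeyProtector     = @($Protectors | ForEach-Object { [pscustomobject]@{ KeyProtectorType = $_ } })
    }
}
$sample = @(
    New-SampleVolume 'C:' 'On'  @('Tpm', 'RecoveryPassword')      # TPM-only
    New-SampleVolume 'D:' 'On'  @('TpmPin', 'RecoveryPassword')   # TPM + PIN
    New-SampleVolume 'E:' 'Off' @('TpmPin')                       # suspended
)

# Get-BitLockerVolume needs an elevated session on a real system.
$volumes = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume
} else { $sample }

# TPM-based protectors apply to the OS volume, so data volumes are skipped.
$volumes | Where-Object { "$($_.VolumeType)" -eq 'OperatingSystem' } |
    Get-PreBootAuthFinding | Format-Table -AutoSize
```

Any row with `Compliant` set to `False` is a volume that either unlocks at boot with no PIN prompt or has protection turned off.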