Tuesday, December 29, 2015

Bitlocker Derp with Intercept article

A day ago The Intercept came out with an article on bitlocker that had me slowly rolling my eyes. The article in question is right here:
https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/

This article has many correct points, although I was shocked that this was news to everyone after seeing yet another Twitter storm about backdoors in encryption. However, there are inaccuracies that really should be corrected.

First incorrect statement:

"In order to generate a new disk encryption key, this time without giving a copy to Microsoft, you need decrypt your whole hard disk and then re-encrypt it, but this time in such a way that you’ll actually get asked how you want to backup your recover key."

Answer:
This statement is not correct. In short: no, you do not need to decrypt your entire hard disk. A few things have to be present first for Microsoft to have a copy of your recovery key at all.
1. Are you signed in under a Microsoft account? If the answer is yes... then read step 2.

2. Is my disk encrypted? How do I know if it is encrypted?
Open an elevated (administrator) command prompt window and type the following command:
manage-bde -status

In the output you can see the disk is encrypted with XTS-AES 128. This is Microsoft's default in build 10586.

3. Check onedrive to see if my bitlocker backup key exists.
http://go.microsoft.com/fwlink/?LinkId=237614

If you see something like this, you will need to delete it. This is what your recovery key looks like.

**Please note this is not my bitlocker recovery key. This was done on a test virtual machine for demonstration purposes.


How to generate a new recovery key without re-encrypting your entire computer.
1. Type the following command in an elevated administrator command prompt. This will temporarily suspend bitlocker on your pc. This does not decrypt your box. It just suspends the key protectors on your box, such as a numerical password or the TPM chip.

manage-bde -protectors -disable %systemdrive%

2. Next type the following. This will delete your drive's current recovery password.

manage-bde -protectors -delete %systemdrive% -type RecoveryPassword

3. Add a new recovery password. This will regenerate a new one for you.

manage-bde -protectors -add %systemdrive% -RecoveryPassword

Here is a snapshot of this three-step flow, where you can clearly see a brand new recovery key has been generated and the old one discarded.


4. Once you have stored the new key somewhere else, preferably in encrypted form and away from your computer, you need to re-enable bitlocker protection with the following command.

manage-bde -protectors -enable %systemdrive%
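Here is the same four-step rotation (plus the encryption check from step 2 above) as one script. This is an added example, not the commands from the post: it uses the BitLocker PowerShell module that ships with Windows 8.1/10 instead of manage-bde, so you can verify afterwards that the old recovery protector ID is really gone. It assumes the OS drive keeps a TPM (or other) protector besides the recovery password, and the output path E:\ is a placeholder for wherever you keep the new key off the machine.

```powershell
# Added example (not from the post): rotate the BitLocker recovery password on the
# OS volume without decrypting it, using the built-in BitLocker module.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$MountPoint = $env:SystemDrive   # normally "C:"

# Step 2 of the post: is the volume encrypted and protected at all?
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"{0}: status={1} method={2} protection={3}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.EncryptionMethod, $vol.ProtectionStatus
if ($vol.VolumeStatus -eq 'FullyDecrypted') { throw "$MountPoint is not encrypted; nothing to rotate." }

# Remember the existing recovery password protector IDs so we can prove they are gone later.
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
$old | ForEach-Object { "old recovery protector: $($_.KeyProtectorId)" }

# Step 1: suspend protection. This does NOT decrypt; RebootCount 0 keeps it suspended until resumed.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null

try {
    # Step 3 before step 2 on purpose: add the fresh 48-digit recovery password first,
    # so the volume is never left without any recovery protector if the script dies here.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
             Where-Object { $old.KeyProtectorId -notcontains $_.KeyProtectorId })

    # Step 2: now delete every OLD recovery password protector (the one Microsoft may hold a copy of).
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # Store the new key OFF this machine. PLACEHOLDER path: point it at removable/encrypted storage.
    $out = 'E:\bitlocker-recovery-PLACEHOLDER.txt'
    $new | ForEach-Object { "ID: $($_.KeyProtectorId)`nPassword: $($_.RecoveryPassword)" } | Set-Content -Path $out
}
finally {
    # Step 4: re-enable protection even if something above failed.
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
}

# Verify: old IDs absent, new ID present, protection back on.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$current = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
foreach ($p in $old) {
    if ($current -contains $p.KeyProtectorId) { throw "old protector $($p.KeyProtectorId) is still present" }
}
"protection=$($vol.ProtectionStatus); recovery protector(s) now: $($current -join ', ')"
```

The script adds the new protector before removing the old one, the reverse of the post's order, so there is never a moment with zero recovery protectors on the volume. The check at the end is the part worth keeping: a rotation only helps if the old protector ID no longer appears in the protector list, and you still have to go delete the old key from the OneDrive page yourself.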

Other thoughts:
If you have a modern computer, the worst thing you could do is use an open source product such as veracrypt for full disk encryption on your machine. In order to use something like veracrypt you will have to completely decrypt your hard drive. Actually, scratch that: you will have to format your OS, turn off UEFI mode in the BIOS (so you lose boot integrity validation), and then reformat your hard disk partition to a non-GPT layout, because veracrypt doesn't support GPT yet.


Warning: All that will separate you from your adversary is a password in this scenario. Make it a damn good one.


I received some other twitter comments, which I won't post, that were completely out of this world. There are a lot, I mean a lot, of people who have little understanding of how bitlocker works and exactly what Microsoft is backing up to the cloud.

Microsoft backs up recovery keys only. I repeat: recovery keys only. There is no other encryption key that gets backed up or magically generated.

Windows AES128 Default.... change it
A word of warning on default encryption with Microsoft Windows. Microsoft defaults to AES128; on newer Windows 10 builds the default is XTS-AES-128. Everyone should be using at minimum AES256. This is very easy to change with group policy (or local group policy), assuming you have not encrypted your computer yet, because the policy only applies to volumes encrypted after it is set.

Do a search for the following:
GPEDIT.MSC

Navigate to:
Computer Configuration/Administrative Templates/Windows Components/Bitlocker Drive Encryption

Go to the following policy:
"Choose drive encryption method and cipher strength". In this example I am using the "Windows 10 (Version 1511) and later" variant of the policy. Do the following below.
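To check that the policy actually took effect, and to catch the catch mentioned above (volumes encrypted before the policy change keep their old cipher), here is an added audit script; it is not from the post. It reads the registry values that the "Choose drive encryption method and cipher strength" policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE and compares them with the cipher each volume reports. The numeric value meanings are as documented for the BitLocker policy (3=AES-CBC 128, 4=AES-CBC 256, 6=XTS-AES 128, 7=XTS-AES 256); treat that mapping as an assumption to verify against your build.

```powershell
# Added example (not from the post): audit the BitLocker cipher policy and the cipher
# actually in use on every volume. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# Registry location written by the GPO for Windows 10 1511 and later.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$PolicyValues = @{
    EncryptionMethodWithXtsOs  = 'OS drives'
    EncryptionMethodWithXtsFdv = 'fixed data drives'
    EncryptionMethodWithXtsRdv = 'removable drives'
}
# Value meanings as documented for the policy; verify on your build (assumption).
$MethodNames = @{ 3 = 'AES-CBC 128'; 4 = 'AES-CBC 256'; 6 = 'XTS-AES 128'; 7 = 'XTS-AES 256' }
# EncryptionMethod values from Get-BitLockerVolume that we treat as strong enough.
$Approved = @('XtsAes256', 'Aes256')

function Get-BitLockerCipherPolicy {
    # One line per drive type: what the policy demands, or "not configured" (Windows default applies).
    foreach ($name in $PolicyValues.Keys) {
        $v = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $v) {
            "policy for $($PolicyValues[$name]): not configured (Windows default applies)"
        } else {
            $label = if ($MethodNames.ContainsKey([int]$v)) { $MethodNames[[int]$v] } else { 'unknown value' }
            "policy for $($PolicyValues[$name]): $v ($label)"
        }
    }
}

function Test-BitLockerVolumeCipher {
    # The policy only affects volumes encrypted AFTER it is set; existing volumes keep their cipher,
    # so an already-encrypted C: will still show XtsAes128 until it is decrypted and re-encrypted.
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { "$($vol.MountPoint): not encrypted"; continue }
        $ok = $Approved -contains "$($vol.EncryptionMethod)"
        $flag = if ($ok) { 'OK' } else { 'WEAK - decrypt and re-encrypt to pick up the policy' }
        "$($vol.MountPoint): $($vol.EncryptionMethod) [$flag]"
    }
}

Get-BitLockerCipherPolicy
Test-BitLockerVolumeCipher
```

Run it once before you encrypt (the policy lines should read XTS-AES 256) and again afterwards (every volume should be flagged OK). A volume that still shows XtsAes128 after the policy was set was encrypted under the old default and needs a decrypt/re-encrypt cycle, which is exactly why the post says to set this before encrypting.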




Attacking Bitlocker Encryption
Attacking encryption is best done by attacking the random number generator. While the RNG for Bitlocker could be in question you are provided with some very good protection if you are using UEFI secure boot and have a TPM chip.

If someone attempts to clone your hard drive without these protectors present, they would immediately need to know your 48 digit recovery key.

Remember that physical access is needed in order to use a bitlocker recovery key!!!

Choose your encryption snake oil wisely.




Root

Friday, December 25, 2015

Hardening your Microsoft networks from exploitation

A few resources one would want to use for this:

Privileged Access Workstations

Securing Privileged Access Reference Material

Tracking Lateral Movement Part One - Special Groups and Specific Service Accounts

I could write a really.... really long blog about this. This reference material I posted above should get some ideas generated for you.

Don't forget. Set yourself up an isolated Security Compliance Management Box off your network.
https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Definitely do the Windows Server 2012R2 Domain Controller Security and Member Server Security compliance from the Solution Accelerator.

Thanks,
Root :)