Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Vista
From: Bob Doyle <bobdoyle () KELLOGG NORTHWESTERN EDU>
Date: Fri, 2 Feb 2007 10:18:59 -0600

It looks like MS is going to be providing a key escrow service for users of
Vista Ultimate.  If most of your clients are off domain, running Ultimate,
and you're willing to trust MS to hold your keys (that's a big if), this may
be an option for you.

More info on this feature is on the Vista Ultimate site:
http://windowsultimate.com/blogs/extras/archive/2007/01/07/bitlocker-and-efs
-enhancements.aspx

Cheers,

Bob




____________________________________________________________
Bob Doyle
bobdoyle () kellogg northwestern edu
Kellogg Information Systems
Northwestern University




-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Thursday, February 01, 2007 8:58 AM
Subject: Re: Vista

Mclaughlin, Kevin L (mclaugkl) wrote:

I was wondering what your approach or thoughts are surrounding:

We're still in the planning stages, but...

1.)    key management of Vista's built in Encryption capability - are
you going to try and centralize key management via Active Directory or
just let each individual hold their own keys?


EFS - Join computers wanting to use EFS to a domain so a domain
       recovery agent account is available. We're also looking
       into Microsoft CA to automate key generation and backup
       but at this point, the domain recovery agent is the
       primary strategy.

       We'll also have documentation on handling the keys
       manually with lots of warnings and caveats.

BitLocker - We're talking about joining all incoming Vista computers
             to a domain with necessary schema changes to support
             AD key storage. That schema change needs to be done
             and the Vista computer joined to a domain before
             BitLocker is enabled.

http://www.microsoft.com/downloads/details.aspx?FamilyID=3a207915-dfc3-4579-
90cd-86ac666f61d4&DisplayLang=en

The majority of our computers are not in a Microsoft domain so we
have some challenges ahead not faced by many other organizations,...
political, logistical, and technical.



a.      My concerns with individuals holding their own keys are:  what
if they get hit by a bus? What if we are asked by their Dean, the FBI or
local law enforcement to do a Forensic exam on their system?

That is why we're looking into centralized key backup/recovery
options. But encryption is not the only situation that raises
those issues. What if they lose their laptop? What if their disk
drive malfunctions making the data irretrievable? What if they
install PGP, Truecrypt, or any number of other encryption
packages on their own? What if they securely delete their
data? What if they refuse to turn over a laptop?

Backups are necessary to solve encryption and other data
recovery issues and backups raise their own security issues.

Policy surrounding encryption use is necessary but unless desktop
configuration is managed and enforced, it is still left up to
individual discretion. Education and awareness is probably key
to prevent problems caused by general ignorance of the issues.


2.)    Are you going to establish a policy or guidelines that talk about
Faculty and Staff key encryption key management responsibilities?  If so
would you mind sharing such a policy with us?

I don't know about policy but we'll certainly have a whole lot of
warnings, caveats, and recommendations included with the
documentation for using the features.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

  By Date           By Thread  

Current thread:
  • Vista Mclaughlin, Kevin L (mclaugkl) (Feb 01)
    • <Possible follow-ups>
    • Re: Vista Gary Flynn (Feb 01)
    • Re: Vista Bob Doyle (Feb 02)
    • Re: Vista H. Morrow Long (Feb 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]