BitLocker Attack Response Strategies

Applies to:
    ✅ Windows 11, ✅ Windows 10, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

Windows uses technologies such as Trusted Platform Module (TPM), Secure Boot, and Measured Boot to help protect BitLocker encryption keys from attacks. BitLocker is part of a strategic approach to protecting data against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable: unauthorized access might be attempted, for example, by running software attack tools against the computer or by moving the computer's hard drive to a different computer.

BitLocker helps mitigate unauthorized access to data on lost or stolen computers before the authorized operating system is started. This mitigation is accomplished by:

Encrypting volumes on the computer. For example, BitLocker can be turned on for the operating system volume, a volume on a fixed drive, or a removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for the operating system volume encrypts all system files on the volume, including the paging file and the hibernation file. The only exception is the system partition, which contains the Windows Boot Manager and the minimal boot collateral needed to decrypt the operating system volume after the key is unsealed.

Ensuring the integrity of early boot components and boot configuration data. On devices with TPM version 1.2 or later, BitLocker uses the enhanced security capabilities of the TPM to make the data accessible only if the computer's BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration are all unchanged and the encrypted disk is located in the original computer. On systems that use TPM PCR[7], BCD setting changes that are considered safe are permitted, to improve usability.

The next section details how Windows protects against various attacks on BitLocker encryption keys in Windows 11, Windows 10, Windows 8.1, and Windows 8.

For more information about how to enable the best overall security configuration for your device starting in Windows 10 version 1803, see Standards for highly secure Windows devices.
Pre-boot protection

Before Windows can boot, it must rely on security features implemented as part of the device hardware and firmware, including TPM and Secure Boot. Fortunately, many modern computers have TPM and Secure Boot.
Trusted Platform Module

A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. On some platforms, the TPM can also be implemented as part of secure firmware. BitLocker binds encryption keys to the TPM to ensure that the computer has not been tampered with while the system was offline. For more information about the TPM, see Trusted Platform Module.
UEFI and Secure Boot

Unified Extensible Firmware Interface (UEFI) is a programmable boot environment used to initialize devices and launch the boot loader of the operating system.

The UEFI specification defines a firmware-enforced authentication process called Secure Boot. Secure Boot prevents untrusted firmware and bootloaders (signed or unsigned) from booting on the system.

By default, BitLocker uses the TPM PCR[7] measurement to provide integrity protection for Secure Boot. Unauthorized EFI firmware, EFI boot applications, or boot loaders cannot run and acquire the BitLocker keys.
BitLocker and reset attacks

To defend against malicious reset attacks, BitLocker uses the TCG Reset Attack Mitigation, also known as the MOR bit (Memory Overwrite Request), before extracting keys into memory.

Note

This does not protect against physical attacks where an attacker opens the case and attacks the hardware.
Security policies

The following sections describe pre-boot authentication and DMA policies that provide additional protection for BitLocker.
Pre-boot authentication

BitLocker pre-boot authentication is a policy setting that requires user input (such as a PIN and/or a startup key) to authenticate before the contents of the system drive are made accessible. The Group Policy setting is Require additional authentication at startup, and the corresponding setting in the BitLocker CSP is SystemDrivesRequireStartupAuthentication.

BitLocker accesses the encryption key and stores it in memory only after pre-boot authentication has completed. If Windows cannot access the encryption key, the device cannot read or edit files on the system drive. The only way to bypass pre-boot authentication is to enter the recovery key.

Pre-boot authentication is designed to prevent the encryption keys from being loaded into system memory until a trusted user supplies an additional authentication factor (such as a PIN or a startup key). This feature helps mitigate DMA and memory remanence attacks.

On a computer with a compatible TPM, there are four ways to unlock a BitLocker-protected operating system drive:

TPM only. Using TPM-only authentication does not require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed, or if BitLocker detects changes to the BIOS or UEFI code or configuration, to critical operating system startup files, or to the boot configuration, BitLocker enters recovery mode and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.

TPM with startup key. In addition to the protection that the TPM-only option provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key.

TPM with PIN. In addition to the protection that the TPM provides, BitLocker requires the user to enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN. The TPM also has anti-hammering protection, which is designed to defeat brute-force attacks that attempt to determine the PIN.

TPM with startup key and PIN. In addition to the core component protection that the TPM-only option provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication: if the USB key is lost or stolen, it cannot be used to access the drive, because the correct PIN is also required.

In the following Group Policy example, TPM + PIN is required to unlock the operating system drive:

Pre-boot authentication settings in Group Policy.

Pre-boot authentication with a PIN mitigates an attack vector for devices that use a bootable eDrive, because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot authentication with a PIN also mitigates DMA port attacks during the window between BitLocker unlocking the drive and Windows booting, at which point Windows applies any port-related policies that have been configured.

On the other hand, pre-boot authentication prompts can be inconvenient for users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact the organization's support team to obtain a recovery key. Pre-boot authentication also makes it more difficult to update unattended desktops and remotely administered servers, because a PIN is required whenever the computer restarts or resumes from hibernation.

To address these issues, BitLocker Network Unlock can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires a direct Ethernet connection to an enterprise Windows Deployment Services (WDS) server.
Protect Thunderbolt and other DMA ports

There are several different options for protecting DMA ports, such as Thunderbolt™ 3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, because it requires changes in the system firmware and/or BIOS.

To check whether a device has Kernel DMA Protection enabled, use the System Information desktop app (MSINFO32.exe):

Kernel DMA protection.

If Kernel DMA protection is not enabled, perform the following steps to protect Thunderbolt™ 3-enabled ports:

Require a password for BIOS changes

Intel Thunderbolt Security must be set to User Authorization in the BIOS settings. Refer to the Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation

Additional DMA security can be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11):

    MDM: DataProtection/AllowDirectMemoryAccess policy

    Group Policy: Disable new DMA devices when this computer is locked (This setting is not configured by default.)

For Thunderbolt v1 and v2 (DisplayPort connector), see the Thunderbolt Mitigation section in Blocking SBP-2 Drivers and Thunderbolt Controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker. For SBP-2 and 1394 (also known as Firewire), see the SBP-2 Mitigation section in Blocking SBP-2 Drivers and Thunderbolt Controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker.

Attack Countermeasures

This section describes countermeasures against specific types of attacks.
Bootkits and rootkits

A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. The TPM should observe this installation via PCR measurements, and the BitLocker key will not be released.

Note

By default, BitLocker protects against this attack.

Where settings exposed by the BIOS could weaken the security promise of BitLocker, a BIOS password is recommended for defense in depth. Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of the platform boot verification standards for highly secure Windows devices.
Brute-force attacks against a PIN

Require TPM + PIN for anti-hammering protection.
DMA attacks

See Protect Thunderbolt and other DMA ports earlier in this article.
Paging file, crash dump, and Hiberfil.sys attacks

When BitLocker is enabled on an OS drive, these files are protected on the encrypted volume by default. BitLocker also blocks automatic or manual attempts to move the paging file.

Memory remanence

Enable Secure Boot and require a password to change BIOS settings. For customers who require protection against these advanced attacks, configure a TPM+PIN protector, disable standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.
Trick BitLocker into passing keys to a malicious operating system

An attacker might modify the Boot Configuration Database (BCD), which is stored on a non-encrypted partition, and add an entry point to a malicious operating system on another partition. During the boot process, BitLocker code makes sure that the operating system to which the encryption key obtained from the TPM is given is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, it is not recommended to store a hash of the disk partition table in Platform Configuration Register (PCR) 5.

An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware, and then extract the protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal the BitLocker key blob by calling the TPM API from an operating system under their control. This operation will not succeed, because when Windows seals the BitLocker key to the TPM, it does so with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes control to any boot loader (legitimate or malicious), it always changes PCR 11 to the value 1. Because the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker cannot unseal the BitLocker key.
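The following toy model, added here as an illustration and not code from the article or from Windows, shows why the two attacks above fail: a bootkit changes the PCR 7 measurement, and handing control from the boot manager to any boot loader extends PCR 11, so a blob sealed against the clean pre-exit state cannot be unsealed in either case. It models PCR extend as a SHA-256 hash chain (the article's "0" and "1" are a simplification of this) and stands in for TPM sealing with a key wrap derived from the PCR policy; all boot images and the VMK are constructed sample values.

```python
import hashlib

INITIAL_PCR = b"\x00" * 32  # every PCR starts at all-zero bytes
# Constructed sample values (not real BitLocker or firmware data)
GOOD_BOOTMGR = b"bootmgfw.efi build 1 (constructed)"
VMK = hashlib.sha256(b"constructed volume master key").digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || SHA-256(measurement)).
    A PCR can only move forward; software cannot set it back to the old value."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def policy_digest(pcr7: bytes, pcr11: bytes) -> bytes:
    """Stand-in for the PCR policy a sealed blob is bound to (PCR 7 and PCR 11)."""
    return hashlib.sha256(b"PCR7" + pcr7 + b"PCR11" + pcr11).digest()

def seal(key: bytes, pcr7: bytes, pcr11: bytes) -> dict:
    """Toy seal: wrap the key under a digest of the expected PCR state.
    A real TPM wraps under its storage hierarchy; only the PCR binding is modelled."""
    policy = policy_digest(pcr7, pcr11)
    wrap = hashlib.sha256(b"wrap" + policy).digest()
    return {"policy": policy, "blob": bytes(a ^ b for a, b in zip(key, wrap))}

def unseal(sealed: dict, pcr7: bytes, pcr11: bytes):
    """Return the key only when the current PCR state matches the sealing policy."""
    if policy_digest(pcr7, pcr11) != sealed["policy"]:
        return None  # the TPM refuses: PCRs do not match the policy
    wrap = hashlib.sha256(b"wrap" + sealed["policy"]).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))

def boot(bootmgr_image: bytes, exited_bootmgr: bool):
    """Firmware measures the boot manager into PCR 7 (Secure Boot state); the boot
    manager extends PCR 11 as it hands control to a boot loader, good or bad."""
    pcr7 = extend(INITIAL_PCR, bootmgr_image)
    pcr11 = extend(INITIAL_PCR, b"bootmgr exit") if exited_bootmgr else INITIAL_PCR
    return pcr7, pcr11

def sealed_for_good_boot() -> dict:
    """Seal the VMK against the clean boot state with PCR 11 still at its initial value."""
    return seal(VMK, *boot(GOOD_BOOTMGR, exited_bootmgr=False))

if __name__ == "__main__":
    blob = sealed_for_good_boot()
    print("clean boot:", unseal(blob, *boot(GOOD_BOOTMGR, False)) == VMK)      # True
    print("bootkit:   ", unseal(blob, *boot(b"patched bootmgfw.efi", False)))  # None
    print("after exit:", unseal(blob, *boot(GOOD_BOOTMGR, True)))              # None
```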
Attacker Countermeasures

The following sections describe mitigations for different types of attackers.
Attackers without much skill or with limited physical access

Physical access may be restricted by form factors that do not expose the bus and memory. For example, there are no DMA-enabled external ports, no exposed screws to open the case, and the memory is soldered to the motherboard.

This opportunistic attacker does not use destructive methods or sophisticated forensic hardware/software.

Mitigation:

Pre-boot authentication set to TPM only (the default)

Attackers with skills and lengthy physical access

A targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software.

Mitigation:

Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN [enhanced PIN] to help the TPM anti-hammering mitigation).

-and-

Disable standby power management, and shut down or hibernate the device before it leaves the control of an authorized user. This configuration can be set using the following Group Policy settings:

    Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer > Show hibernate in the power options menu

    Computer Configuration > Policies > Administrative Templates > Power Management > Sleep Settings > Allow standby states (S1-S3) when sleeping (plugged in)

    Computer Configuration > Policies > Administrative Templates > Power Management > Sleep Settings > Allow standby states (S1-S3) when sleeping (on battery)

Important

These settings are not configured by default.

For some systems, bypassing the TPM alone may require opening the case and may require soldering, but can be done at a reasonable cost. Bypassing a TPM with a PIN protector costs much more and requires brute-forcing the PIN; with a sophisticated enhanced PIN, it is nearly impossible. The Group Policy setting for enhanced PINs is:

Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Allow enhanced PINs for startup

Important

This setting is not configured by default.

For secure administrative workstations, Microsoft recommends a TPM with a PIN protector, disabling standby power management, and shutting down or hibernating the device.

Origin: blog.csdn.net/weixin_42672685/article/details/132895515