
Microsoft's implementation of BitLocker for hard drive encryption/protection and integrity supports multiple ways to boot into the system. I will list 3:

  • TPM chip (those that support it) without Pre-Boot PIN,
  • TPM chip with the PIN, and lastly
  • Network unlock (basically no PIN but the second authentication is grabbing a key over the network).

In my understanding, there are trade-offs with each of these.

  • No PIN = less security but it’s not a hassle to the user to type it in every time.
  • PIN = more security but more hassle.
  • Network unlock = more security and usability but requires management and infrastructure.

We are deciding which one to go with at my company. Management wants to remove the PIN because users are complaining that they have to type a PIN and then be presented with the login screen. I have informed management that requiring a pre-boot PIN stops the OS from loading the BitLocker encryption keys into memory before a valid PIN is entered (halts the boot process). If the PIN is removed, they will be vulnerable to side channel attacks. MS recommends the PIN for this reason. Network unlock turned them off because it requires infrastructure.

I said that if the hosts are not storing sensitive or confidential data and are backed up, removing the PIN is rather low risk because it requires a more advanced attacker (usually) and it's probably not worth it (yes, generalities are bad).

I have two questions.

  1. Is risk a good way to approach this situation?
  2. Does my reasoning make sense? I.e. no sensitive data, backed up, other controls, etc., then it is OK to remove the PIN?

Lastly I don't have much to stand on, our company is worried about compliance and encrypting hard drives meets that, even if you remove the PIN.

  • Are you talking about laptops which will leave company premises or desktops which will stay in company premises? – SeeYouInDisneyland Mar 03 '19 at 13:58
  • 1
    These will be on premises, laptops and desktops. Laptops sometimes are brought home. We have many locations nationwide and many sites in Active Directory. – pm1391 Mar 03 '19 at 14:05

1 Answer

Is risk a good way to approach this situation?

Yes, a risk based approach is always a good idea. :)

Does my reasoning make sense? I.e. no sensitive data, backed up, other controls, etc., then it is OK to remove the PIN?

Generally, using PINs vs not using PINs depends on your threat model and a few other factors/considerations.

Consider the external factors like the location and portability of the specific devices in question, as well as the physical security level of your company premises.

Laptops which will leave company premises have a different threat model than stationary desktops.

  1. Laptops: once the device leaves company premises, it's basically out of your reach in case something happens to it. If it's stolen, it's gone and the thief can do pretty much anything with it. This is where pre-boot PINs come into play. They would prevent an attacker from even booting the device, severely limiting his attack surface.
  2. Desktops: if your office premises are at least somehow secured (video surveillance, night guards, alarm systems, access control etc.) your desktops are much less at risk of being targeted by attackers. An attacker would first have to break into your office to access your clients. In that case, I'd say that pre-boot PINs are not that necessary because of the limited attack vectors. Just make sure to actually secure the desktops to their desks so no attacker can just walk away with some towers in their hands.

In short: laptops = higher risk = PIN necessary, desktops = lower risk = PIN not necessary (but advised).

All that being said, I think that your "No sensitive data on non-PIN clients" rule will be way harder to enforce and implement than educating your users and raising security awareness.

You already have a bad start, because users are actively complaining about security measures. This indicates that security awareness is not high enough in your company, especially when your users already have management on their side. If your users detest BitLocker PINs that much, chances are high that they will use very insecure PINs in case they are forced to continue using them, e.g. 123456 or 0101010101.

Find out why the users are complaining about PIN+Logon password and educate them and management on the benefits of pre-boot PINs on laptops, just make sure to leave the technical side out of the discussion - management and users won't understand your techno-babble. E.g. "If it's stolen, attackers cannot harm the company. And if the company is not harmed, your jobs are not at stake. You can do your part by keeping the company safe/secure", or something along those lines.

Since your company is compliance-driven, a clear policy for home office/laptop usage should have pre-boot PINs as a mandatory requirement in them from a risk perspective. If it's part of a policy, compliance will have to enforce it.

If your management still won't budge, remember that risk acceptance is also a valid risk treatment method (if it is documented in writing! With a risk owner, e.g. the manager in question, who will take the responsibility once something goes wrong.)

  • This is awesome. Much appreciated. Security awareness is not as high as it should be and I will take that approach. And I agree, enforcing non-sensitive data on hosts might be tough. – pm1391 Mar 03 '19 at 15:12
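One way to turn the answer's "laptops need a PIN, desktops are advised to have one" rule into a per-host audit, as an added example that is not part of the question or answer. It assumes an elevated PowerShell session on a Windows host with the BitLocker module available; the chassis-type list used to tell laptops from desktops is the standard SMBIOS enclosure mapping and is an assumption of this script, not something the thread specifies.

```powershell
# Added audit script (not from the original question or answer). Assumes it is run
# elevated on Windows with the BitLocker PowerShell module present. It classifies
# the machine as laptop or desktop from the SMBIOS chassis type and checks whether
# the OS volume has a protector that requires a pre-boot PIN.

# SMBIOS System Enclosure values for portable devices (assumed mapping):
# 8 Portable, 9 Laptop, 10 Notebook, 14 Sub-Notebook, 30 Tablet, 31 Convertible, 32 Detachable
$portableChassis = @(8, 9, 10, 14, 30, 31, 32)

function Get-DeviceClass {
    $types = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    if ($types | Where-Object { $portableChassis -contains $_ }) { 'Laptop' } else { 'Desktop' }
}

function Get-OsVolumePinStatus {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectorTypes = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($protectorTypes -join ',')
        # TpmPin and TpmPinStartupKey both halt boot until a PIN is entered;
        # a bare Tpm protector unlocks the volume with no user interaction.
        HasPrebootPin    = [bool]($protectorTypes | Where-Object { $_ -match '^TpmPin' })
    }
}

function Get-PinRecommendation {
    param([string]$DeviceClass, [bool]$HasPrebootPin)
    if ($HasPrebootPin) { return 'OK: pre-boot PIN configured' }
    if ($DeviceClass -eq 'Laptop') {
        return 'NON-COMPLIANT: laptop without pre-boot PIN (required by policy)'
    }
    return 'ADVISORY: desktop without pre-boot PIN (advised, not required)'
}

$class  = Get-DeviceClass
$status = Get-OsVolumePinStatus
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    DeviceClass    = $class
    Protectors     = $status.Protectors
    Protection     = $status.ProtectionStatus
    Recommendation = Get-PinRecommendation -DeviceClass $class -HasPrebootPin $status.HasPrebootPin
}
```

Run it across the domain with Invoke-Command and export the objects to CSV to get the evidence a compliance team will want when the laptop policy is written.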