Bitlocker To Go – Cool Stuff

I guess you know my view on the protection of USB ports. I often get asked how you can keep your users from using USB sticks. There are ways – especially in Vista – but don’t do it. Your users most probably have a good business reason why they would want to use USB sticks, and if you do not let them, they will most probably find another way to transport your sensitive information.

Rather give them the tools to do their business in a secure and safe way. Protect sensitive information with technology like Active Directory Rights Management Services – then you do not have to worry anymore where your data resides. Additionally you might still be worried about the loss of thumb drives as this happens so often. This might be the background why I get so many questions on Bitlocker To Go. Let’s just briefly look at the user experience when using this technology.

I just plugged in a normal USB stick into my Windows 7 box. I then right-click on the USB drive in “My Computer” and get the following menu:

[Screenshot]

So, let’s try to click on Turn on BitLocker… and give it a try:

[Screenshot]

This answers one of the questions I often get: How does Bitlocker To Go authenticate the user? As you can see, there are two options:

  • You can use a password to protect it – or even better a passphrase. This will be the option you use, if you want to share the USB-key or if you are not sure what kind of machine you will have to unlock it as you do not know whether there is a smartcard reader (or you know that there is no smartcard reader on the target machine).
  • If you want to make sure you have strong authentication and only you get access, use a smartcard!

And then – no, not yet. The drive will not be encrypted yet. As you know from “normal” Bitlocker, there is no encryption without backup keys:

[Screenshot]

After having a backup of the key, you are ready to go and to encrypt the USB stick:

[Screenshot]

So far so good: Pretty easy! But what happens if I plug this stick into another machine? This is what I did and this happened:

[Screenshot]

So, I am prompted for the password, I enter it and the device is unlocked. However, if I forgot my password, this happens:

[Screenshot]

So, similar to Bitlocker on your main machine/disk you can use the recovery key to unlock it.

If you look at it, it is a pretty easy and straightforward way to encrypt a USB stick and protect it against loss by encrypting it with the same technology as your main disk.
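The wizard steps above can also be run from an elevated PowerShell prompt with manage-bde.exe, the BitLocker command-line tool that ships with Windows 7. This is an added example, not part of the original post; the drive letter E:, the function names and the recovery password value are assumptions and placeholders.

```powershell
# Added example: command-line equivalent of the BitLocker To Go wizard.
# Assumptions: the USB stick is mounted as E:, the prompt is elevated,
# and the function names below are hypothetical helpers for this example.
$Drive = 'E:'

function Protect-UsbDrive {
    # Adds a password protector plus a numerical recovery password and starts
    # encrypting. manage-bde prompts for the password and prints the generated
    # 48-digit recovery password: store it away from the stick itself.
    manage-bde -on $Drive -Password -RecoveryPassword
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed for $Drive" }

    # Confirm that both key protectors exist before relying on the drive.
    manage-bde -protectors -get $Drive

    # Encryption continues in the background; this reports the conversion
    # state and the percentage encrypted so far.
    manage-bde -status $Drive
}

function Unlock-UsbDrive {
    param([string]$RecoveryPassword)

    if ($RecoveryPassword) {
        # Forgotten password: unlock with the backed-up recovery password.
        manage-bde -unlock $Drive -RecoveryPassword $RecoveryPassword
    }
    else {
        # Normal case on another machine: manage-bde prompts for the password.
        manage-bde -unlock $Drive -Password
    }
    if ($LASTEXITCODE -ne 0) { throw "Unlock failed for $Drive" }

    # Lock Status in the output should now read 'Unlocked'.
    manage-bde -status $Drive
}

# Usage on the machine that encrypts the stick:
#   Protect-UsbDrive
# Usage on another machine, with the password:
#   Unlock-UsbDrive
# Usage with the recovery password (placeholder value, not a real key):
#   Unlock-UsbDrive -RecoveryPassword 'PLACEHOLDER-48-DIGIT-RECOVERY-PASSWORD'
```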

One final question I get asked pretty often: What editions of Windows 7 support it? In Windows 7 BitLocker Executive Overview, you find the answer: BitLocker To Go can be utilized on its own, without requiring that the system partition be protected with the traditional BitLocker feature. Although you will need a premium Windows 7 SKU to enable protection of removable storage devices with BitLocker, any SKU can be utilized to unlock and use a protected device. Finally, BitLocker To Go provides read-only support for removable devices on older versions of Windows allowing you to more securely share files with users who are still running Windows Vista and Windows XP.

Roger

File Classification Infrastructure: More content

At the Analyst Event last week I was asked more than once about the File Classification Infrastructure. As it was something I never looked into the details, I started from the blog post I wrote mid May File Classification Infrastructure in Windows Server 2008 R2 and just wanted to collect some information about it. If you are interested, there are a few really good posts/sites in this respect:

They are all from the same blog

Roger

End-to-End Trust: The Internet – a safer place to work, play, learn and do business

I often have the opportunity to keynote events on security. I rarely want to talk about products but much more about the way I see the development around security on the Internet.

The reason why I do this presentation the way you see below is that threats change and criminals evolved (and will still evolve) new ways of stealing money and valuable data. Therefore trust in the Internet continues to come under attack. It is kind of the classic tale of good versus evil – just this time the future of the Internet and business infrastructure are at stake. From my point of view, the industry is faced with a challenge – either secure the Internet and gain users’ trust, or lose control to the bad guys and see the value of one of man’s greatest inventions dwindle.

We recorded a presentation which will give you insight into next generation security and Trustworthy Computing’s vision for creating an Internet and Infrastructure Platform we can trust – from end to end!

The video is a little bit more than 20 minutes. If you want the direct link, it is here: http://video.msn.com/video.aspx?mkt=en-us&vid=98967da4-50cd-42cd-8f3c-db0f1cac8ed8

Enjoy and tell me what you think of it. Does it make sense to you?

Roger

EMEA TwC Analyst Summit

We are just kicking off the EMEA TwC Analyst Summit, which is running for the next two days. The first time we are using technologies like Twitter live from the event and we encourage the Analysts to do the same. Therefore, you might follow what is going on there on different channels but mainly:

Roger

Test Microsoft Security Essentials

I have been running Microsoft Security Essentials (called “Morro”) for quite a while on my Mediacenter and I am definitely convinced of it. So, go ahead and test it: http://www.microsoft.com/security_essentials/resources.aspx – it will be our free Anti-Malware solution.

Roger

Live-Tweet from Analyst Event

Wednesday and Thursday we are running an event for selected analysts in London. As you might know, I am tweeting via http://www.twitter.com/rhalbheer and I will try to do some live tweeting from the event during the event – never did this but I will try. In addition, there are some analysts we know that they use Twitter as well and we will ask them to do the same. If you want to know how it will work out, search for the keyword #TWCSummit

Looking forward to meeting you on Twitter

Roger

Microsoft awarded for Security

This is probably one of the best pieces of news I have read in a long time. I often said that I am convinced that we are leading the industry in a lot of areas around security. The complexity of building multi-purpose software in a secure way started to be addressed by us back when we introduced the Security Development Lifecycle, which we make available publicly on the web.

Today, Microsoft was recognized in the SD Times 100: 2009, an annual list from Software Development Times that acknowledges companies for being industry leaders in software development. Microsoft was awarded (as well as in other categories), alongside the likes of Coverity and Fortify a top spot in secure development. This is the first time since SD Times started publishing its “Top 100” list that Microsoft has been recognized in this category.

You can read this story here: DOWNLOAD ISSUE 6/15/2009 NOW! from page 21 onwards

Roger

Posted 16 June 09 09:03 by rhalbh | 0 Comments   
SafeSearch in Bing

One more proof that we listen to you: We made certain changes to Bing in order to help protect you from sexually explicit content. Please read the corresponding blog post Safe Search Update.

Even though this is very good news, it does not change my view that education of parents and children is at the foundation of the safe use of the Internet: Bing and the Video Preview (and Family Safety Settings)

Roger

Posted 13 June 09 09:56 by rhalbh | 1 Comments   
Download Internet Explorer 8 and help hungry people

We started a program called “Browser for the Better” where we donate 8 meals to Feeding America per download of Internet Explorer 8 (until August 8th).

So, go out and download Internet Explorer 8 from the site above

Roger

Posted 11 June 09 10:04 by rhalbh | 1 Comments   
Welcome to reality: Apple Acknowledges OS X Malware

A few years ago, we ran a huge event in Switzerland: We offered people in Switzerland to come to us (we were for a whole week at the airport in Zurich) with their PC and we check it for malware, patch it etc. We did this with a lot of partners and had live TV coverage at primetime in Swiss TV. A huge success and a lot of people came! However, we wanted to do it in partnership with Apple – well, I am not sure whether “partnership” would have been the right term: We offered them the Internet access, the network, the room, etc. They would just have had to bring the people.

The Swiss team seemed to me to have wanted to join in but the ww management decided that they do not want to do that “as Apple does not have a security problem”.

And then we had this funny event: Apple Recommends Running Multiple AV Engines and a day after Apple pulled the advisory Article was Bogus: Do Mac Users not need Anti-Virus Protection?

Honestly, the whole discussion is ridiculous as Cybercrime is a fact of life and so is malware. As soon as Apple users become a profitable target on some scale, they will be attacked. Everybody who thinks differently puts their head in the sand.

And now finally Apple arrived in today’s world: Apple Acknowledges OS X Malware and on their website they write:

The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, antivirus software may offer additional protection.

I think that this is a big and a very good move! I would now welcome Apple to join the industry communities like SafeCode to work jointly on getting products more secure or initiatives like 2CENTRE to train law enforcement. I am a big supporter of industry/government collaboration but when it comes to Law Enforcement, there are often not too many companies at the table.

Security to me is not only products and processes. It is about partnerships!

Roger

Posted 11 June 09 09:53 by rhalbh | 2 Comments   
XBox Project Natal

I got some questions on my blog post that you should not buy a Wii at the moment. The key question was about whether this is just a teaser. Well, look at the demos they did at E3. You find them here: http://www.xbox.com/en-US/live/projectnatal/

Roger

Posted 05 June 09 04:23 by rhalbh | 1 Comments   
Bing and the Video Preview (and Family Safety Settings)

You might have seen recent posts on Bing getting under attack because of the video preview feature, which works (obviously) for “normal” videos as well as for porn…

To be clear upfront: I am the daddy of two great sons at the age of 7 and 10, so at least the 10-year-old starts to get interested in such things.

Let’s start with the feature discussion first. I went to Bing’s video search engine and searched for a term which definitely will return porn content (I did not dare to do it on my Microsoft notebook – I did it on my private PC). This is what happens:

[Screenshot]

If I then click on “change” above, I see the default settings (which are preventing access to sexually explicit sites):

[Screenshot]

And, when I then want to change it to “off”, I get the following warning:

[Screenshot]

So far the facts as they are today. Now come the emotions and the discussions about what is good and what is bad. So, looking at my son, there are two scenarios we separate in our family:

  1. He wants to search content for his homework and stumbles upon sexual or any other inappropriate content: If he is protected then, that’s fine and this definitely helps. Bing covers this perfectly as he does not even think of turning the search filter off – in this scenario.
  2. He wants to search sexual content: Well, there is a good chance that he will turn the filter off and ignore the warning. Let’s think about this for a moment: If we would hide it in the “options” or wherever, don’t you think it would just take an additional day at school to learn where he has to switch it off (if he even has to go to school to find that out)? To me it is just a false sense of safety if you think that you can protect your kid by hiding the option somewhere. I am convinced that we have to accept the fact that our kids are growing up in the digital age and (even with me) in certain areas know more about the technology than us.

So, I am definitely convinced that turning all the possible filters on will drive my kids to the neighbor's house to look at the same inappropriate pictures as the policies there might be less restrictive. Just to leave me in a wrong sense of safety and without any control about what is going on with my kids – which would be really, really bad.

From my point of view, this problem is part of the education of my kids. How do we raise them and what values are important to us. So, there are a few key tasks which are outside technology, which are the duty of parents (even though some tend to ignore this pretty often):

  • The kid’s PC has to be at a location where you can see from time to time, what they are doing. To me, if my son deliberately searches for porn (which is only one click away on the porn site anyway – where he has just to agree on being 18 as well), to me it is time to address the next step of his sexual education anyway.
  • Make sure that you show interest in what your kid is doing and accept the fact that he/she knows more than you. But let the kid educate yourself in such technologies. At least mine are pretty proud if there is something in this space he can show me I did not know.
  • Do not “pull the plug” as this will drive your kid to the neighbor’s house.

Yes, I know that the world is evil out there and that we all have to work together to fight illegal content on the Internet. There is child porn and child abuse and a lot of people (like me) are working everyday to reduce this disgusting phenomenon. You should not get me wrong: I definitely do not want to play something like this down. But on the other hand, I am convinced that we should not feel like we can solve these problems with technology. It is our duty as parents to raise our kids in a responsible manner – this cannot be done by better search filters or parental controls. I know that there are cultural differences across the globe but at the end of the day it might change the way you educate the kids but not the ultimate goal.

To finalize this post, let me add a few links:

  • Here is the link to the Bing blog talking about this: Smart Motion Preview and SafeSearch
  • If you want to know more about how to protect your kids, check out our site on Protect Your Family. There is technology in there but also a lot of age-dependent guidance; most of it is about communicating with your kids.
  • On your local Microsoft site, you might find additional information, which is often done in collaboration with third-party organizations.

Now, let me add a final statement: The opinions shared in here are my personal opinions and might be challenged as such.

Roger

Posted 05 June 09 11:12 by rhalbh | 0 Comments   
Thought of buying a Wii? Think again

I have to admit: Not really security related but really, really, really cool. Look at this Xbox trailer: http://www.gametrailers.com/video/e3-09-project-natal/50017?type=wmv

Roger

Posted 03 June 09 04:37 by rhalbh | 3 Comments   
Bing – Check it out

You heard it: We went live with our new search engine called Bing on bing.com as we are convinced that you should not search – but find!

You should have a look at it especially as we got some outstanding third-party feedback.

Roger

Posted 03 June 09 11:23 by rhalbh | 0 Comments   
Securing Microsoft’s Cloud Infrastructure

A lot of people and companies are talking about “the Cloud” today. I guess that there are not too many companies that share the same track record of running online services as Microsoft. In 1994 we launched MSN and we have been in this business ever since.

Microsoft Global Foundation Services (the group responsible for this infrastructure) just published a document called Securing Microsoft’s Cloud Infrastructure which is definitely worth reading. In my opinion a few items will be key when talking about a trustworthy cloud, one of them being transparency: transparency about how your data is handled, how software is written and operated, how incidents are dealt with, etc. This paper definitely helps on our side to drive in this direction, although we already did a lot in this respect, like making the Security Development Lifecycle available and communicating transparently about security challenges etc.

To show the importance of security for our online services as well, I would like to quote the paper:

The core driver to creating an effective security program is having a culture that is aware of and highly values security.  Microsoft recognizes that such a culture must be mandated and supported by company leaders. The Microsoft leadership team has long been committed to making the proper investments and incentives to drive secure behavior. In 2002, the company formed the Trustworthy Computing initiative with Bill Gates committing Microsoft to fundamentally changing its mission and strategy in key areas. Today, Trustworthy Computing is a core corporate value at Microsoft, guiding nearly everything the company does. At the foundation of this initiative are these four pillars: Privacy, Security, Reliability, and Business Practices. For more information on Trustworthy Computing, see the Microsoft Trustworthy Computing page.

Microsoft understands that success in the rapidly changing business of online services is dependent upon the security and privacy of customers’ data and the availability and the resiliency of the services Microsoft offers. Microsoft diligently designs and tests applications and infrastructure to internationally recognized standards in order to demonstrate these capabilities and compliance with laws and with internal security and privacy policies. As a result, Microsoft customers benefit from more focused testing and monitoring, automated patch delivery, cost-saving economies of scale, and ongoing security improvements.

Here are the links to the different papers we published today:

Roger
