My Notes to Myself and Others... : Vista

Vista Gets Stuck During File Copy

Erik Rozman — Sat, 24 Jan 2009 11:08:23 GMT

Ok, so this isn’t a new topic. It’s been around for quite a while but I have never
encountered it, so now that I have- it’s time for a post about it.

I have installed a new PC (Windows Vista 64bit) and connected it to my home
network using a wireless NIC (Realtek RTL8168B/8111b). The wireless router I
use is an Edimax BR-6215SRg. The same network has several other PCs connected
to it wirelessly and one PC that is wired.

When copying files to/from the new PC (HTPC) it seemed to simply freeze up. Even
though I could move the mouse pointer I couldn’t really do anything else…Now keep in
mind that this is a new PC (and it’s fully patched:SP1 and everything). Since this
is a new PC I started worrying that I have a hardware issue, yet after some research
on the Internet I found others that had similar problems due to the TCP receive window
auto-tuning issue in the new TCP/IP stack.

The advice was to simply turn off the auto-tuning feature by running the following
command:

netsh interface tcp set global autotuninglevel=disabled

I decided to give it a try, and not surprisingly it worked. Personally, I find it very odd that
due to a networking your whole OS freezes up. When dwelling deeper into the issue
it seems that the new TCP/IP stack tries to manage data flow in a more efficient way by constantly
tuning the receive window set by TCP. This window allows the receiver to define the amount
of data it will receive before the sender has to stop data if it hasn’t received acknowledgments.

In older versions of Windows, the window size was set once (not tuning) which causes data flow
to be less efficient. Once I disabled the feature, I could see that my copying speed has dropped from
4.5 to 3.7. On the other hand it no longer froze my system…

I am not sure who is at blame here, my gateway, the NICs driver or the favorite target of the last few
years:Vista…

BitLocker and Safe Mode

Erik Rozman — Sat, 15 Nov 2008 11:29:59 GMT

<Rant>

This one is kind of a gotcha that has caught me by surprise. If you use BitLocker with
a TPM that is PIN protected you can’t log into Safe Mode unless you go into recovery mode.

Personally I found this very surprising to say the least. I honestly can’t say that this sounds
logical to me, if you can provide the PIN protecting the TPM I can’t see why you shouldn’t
be able to access Safe Mode. You are not circumventing any of the protection mechanisms
you simply choose an alternate boot method AFTER you have already gained access to the
system legitimately.

…

</Rant>

Service Pack 2 season

Erik Rozman — Sat, 25 Oct 2008 11:28:58 GMT

Service Pack 2 beta(for TAP clients) has been announced for both Windows Vista and
Windows 2008:

http://blogs.technet.com/windowsserver/archive/2008/10/24/windows-server-2008-service-pack-2-beta.aspx

http://windowsvistablog.com/blogs/windowsvista/archive/2008/10/24/windows-vista-service-pack-2-beta.aspx

ARP cache timeout changed in Windows Vista and 2008

Erik Rozman — Sat, 13 Sep 2008 17:22:50 GMT

You might remember that Address Resolution Protocol (ARP) has a local cache that prevents
broadcasting for a system whose MAC address has been resolved. Older versions of
Windows used to have a timeout of 2 minutes for ARP entries (up to 10 minutes), this
has changed. Vista and 2008 has lowered this time to a random value between 15 seconds
and 45 seconds:

http://support.microsoft.com/kb/949589

DEP and ASLR in Vista circumvented?

Erik Rozman — Sat, 09 Aug 2008 09:19:34 GMT

Two researchers claim to have found a way to circumvent both Data Execution
Protection (DEP) and Address Space Layout Randomization (ASLR). These techniques
are meant to protect the way information is stored in RAM, ASLR is relatively new
and it randomizes the way that DLLs are loaded on startup dealing a sever blow
to anyone that would try to estimate which space in RAM a worm would need to overwrite
during a buffer overflow attack.

The researchers (Mark Dowd of IBM Internet Security Systems (ISS) and Alexander
Sotirov, of VMware Inc.) will discuss the weaknesses they have found at the Black hat
briefings in Las Vegas.

Book Review – Administering Windows Vista Security ,The Big Surprises

Erik Rozman — Fri, 08 Aug 2008 20:46:24 GMT

Haven’t managed to go through a book from cover to back in a long time. Well,
the draught has been broken. I picked up “Administering Windows Vista Security
The big surprises” (known henceforth as ‘the book’) and just finished reading it
cover to back. Summing it up:One of the better technical books I read in a long time.

The book covers security issues related to Windows Vista with the correct balance of
theory and practice, while the authors (Mark Minasi, Byron Hynes and Jennifer Allen)
do a great job of keeping you interested.

The book covers the following topics (and a few additional topics):

UAC
File and Registry Virtualization
Mandatory Integrity Control (wrote about this a while back)
BitLocker (Part 1,Part 2,Part 3[I hope])

Pros

A relatively short and to the point book (255 pages)
Focused on the topic (ok,I said that already,but I was so happy to read book
that cuts down on the fluff that I had to mention it twice)
Well written,easy to read
Correct balance between theory and practice

Cons

Written a long time ago (how about a second edition?)
A few technical inaccuracies (due to the usage of pre-RTM software)

http://www.minasi.com/vistsecbook/

http://www.amazon.com/Administering-Vista-Security-Big-Surprises/dp/0470108320/sr=11-1/qid=1168300170

Moving fast on Mojave

Erik Rozman — Sat, 26 Jul 2008 15:57:05 GMT

It seems that this whole Mojave project is moving very fast. A website popped up
saying that the results will be posted next Tuesday (27th of July). As I mentioned
in my post yesterday, the expressions are going to be priceless(at least I hope):

http://www.mojaveexperiment.com/

User Account Control (UAC) timeout

Erik Rozman — Sat, 26 Jul 2008 08:05:26 GMT

About an year ago, I wrote a relatively long and detailed post about UAC. One
thing I failed to mention is what happens once an application that you have started
requires acknowledgment yet the request is ignored.

UAC has a timeout of two minutes. If no acknowledgment is received within those
two minutes, the action fails silently (same as if you would have declined).

The only thing that bugs me here is that you have no notification/logging of what
just happened. If you were away from the system while the UAC prompt appeared
you might not understand why something failed…

The empire strikes back (or project Mojave)

Erik Rozman — Fri, 25 Jul 2008 12:38:57 GMT

In the last few weeks it seems that Microsoft is on the warpath. Microsoft feels that
it has a bad image and it would like to change that. One of the major contributors to this
image is Windows Vista.

Windows Vista is perceived as a problematic OS (to say the least). Even though SP1 has
fixed some of the bad reputation that Vista received it is still perceived as a bad OS. In my
opinion this belief has no foundation, I have been using Vista for a very long time now
and I am very happy with it. Just as everything in life, Vista has a price: you need better
hardware (that is cheaper these days), ISVs had to fix application for them to run
on Vista and hardware manufacturers had to create drivers to fit the standards Vista has set.

Skeptics may say that none of the things I mentioned should happen for a consumer to be
able to enjoy Vista. In my opinion (again), this claim is absurd. I see the OS as the engine
of a system, would you mount a new super fast engine on an old airplanes body? Why not?
Oh,it would rip it apart…and whose fault would that be,the engines manufacturer or yours?

But we are diverging from what I wanted to write about in this post, which is ‘Mojave’.
based on rumors it seems that ‘Mojave’ is codename of a new OS created by Microsoft…Well
not exactly. As part of Microsoft’s attempt to fight back and tell it’s story about Vista,
Microsoft decided to meet with a group of Vista skeptics (basically people that think Vista is
bad). The group was told they will be shown a new OS codenamed Mojave and that they should
give feedback on the new product. Based on reports, 90% of the participants provided positive
feedback.

At this stage they were told that Mojave is actually Windows Vista…

The whole experiment was filmed, I hope that it will be revealed,seeing the expressions
will be priceless…and as always,perception is everything.

Click here for additional coverage.

Shutting down from the sidebar

Erik Rozman — Wed, 23 Apr 2008 09:52:25 GMT

To me, the sidebar was an odd feature of Vista. It reminded of the old Office
toolbar(which I never used), yet as time passes it is starting to grow on me
mainly to the useful gadgets people build for it.

One such useful gadget is the Control System gadget that allows you to
shut down(including all iterations:standby,hibernate etc.) your system from
the sidebar:

Download it here.

BitLocker and WinPE

Erik Rozman — Sun, 20 Apr 2008 14:46:15 GMT

Continuing the BitLocker related posts, I wanted to reveal a tip I intend to discuss
in the third part of my BitLocker post series: accessing BitLocker encrypted volumes
by using WinPE.

If something went terribly wrong with your Windows installation you are in a bad
situation since not only can you not load Windows but since you can't load Windows
you can't access you data (since it is protected by BitLocker that is a feature of
Windows).

You may attempt to access your data by loading WinPE, yet obviously since the
data is encrypted you will see the drives blank...interesting bind.

Have no fear though, your data is safe and if you have your recovery key or password
handy you will have access at no time. First of all you need to make sure that you
have the scripting package install on your WinPE,once this is done you will use the
BitLocker command line interface to access the data:

cscript manage-bde.wsf -unlock <drive letter> -recoverykey <path to BEK file>

cscript manage-bde.wsf -unlock <drive letter> -recoverypassword <48 digit password>

Note that the drive letter you may be looking for might be different then you one
that you assume it is. The S: drive will most likely take the letter C: and the rest will use
consecutive letters.

BitLocker - Implementation (Part 2 of 3)

Erik Rozman — Sat, 19 Apr 2008 12:48:13 GMT

It has been a while since I wrote the first part, much longer then I planned but as
the saying goes: Man plans,God smiles...

In the first part of the series I have described what is Bitlocker and how it works,
now it's time to get your hands dirty and implement it. As with any process, planning/preparing
will increases the chances of success and in the case of Bitlocker it doesn't really
matter wether you plan to implement it on one system or one thousand systems some
planning is necessary.

Planning/preparing the process

The preparations for Bitlocker implementation concentrate on two major areas:

Choosing the the protector- in my previous post I have pointed out that there are
two types of protectors (I wouldn't count the recovery key/password as standard protectors).
Before you begin the process you should choose the protector you plan to use.
The decision is dependent on what your system(s) supports.
Facilitating recovery- If your protector is lost or damaged you should be ready to provide
a recovery process, if you can't you will be stuck with a very large and useless brick...
Recovery can be provided by either saving the text file (which stores the 48 character
recovery key) or storing the same information in Active Directory. An additional option is to
carry an additional key with you.

I will describe all options and their use later in this post.

Starting the process - Creating a new boot volume

The process for creating a new boot volume can be executed manually or with a tool provided by Microsoft
(found in Vista Ultimate). The description and methods of obtaining the tool can be found at:
http://support.microsoft.com/kb/930063

Start the 'Bitlocker Drive Preparation Tool'
Accept the license
Note the warnings described by the wizard. The last one is especially important, do not store any data
on the newly created partition as it will not be encrypted. Press 'Continue'.
At this stage the wizard starts the actual work by shrinking drive C, creating a new volume (S: unless already
in use in which case it will use the next available letter-Thanks Eli!), copying the necessary files and turning it
into the active drive.
At this stage you will be requested to restart the system.

Starting the process - Configuring the local GPO

Unless you are in an enterprise environment you need to configure your local GPO settings to enable the usage
of BitLocker and to customize it.

Start>Run>gpedit.msc [acknowledge the UAC prompt]
Go to: Computer Configuration>Administrative Templates>Windows Components>BitLocker Drive Encryption
Even though it may seem a bit daunting (and not to mention that each of the options has significant impact on the
way BitLocker is implemented) the options are relatively straight forward:
1. Turn on BitLocker backup to Active Directory Domain Services- As the name implies, this option
  controls wether a backup to AD should be made, wether it is mandatory and what should be backed
  up (48 digit key and/or key packages-that will enable the creation of keys later on).
2. Control Panel Setup:Configure recovery folder- allows you to set the default path provided by the
  wizard when saving the recovery password.
3. Control Panel Setup:Configure recovery options- enables you to specify the recovery key type. Note
  that since Bitlocker must have a recovery method if you disallow both key types (48 and 256) then AD
  recovery must be enabled (if not a policy error occurs).
4. Control Panel Setup:Enable advanced startup options-Now this one is important. To enable Bitlocker
  this setting must be enabled as it determines which protector will be used and how:
  1. Allow BitLocker without a compatible TPM - if your system does not have a supported TPM (1.2).
  2. If the computer does have a TPM then you can set the mechanism needed to access the information
    stored on the TPM (either a PIN code or a key, you can't have both).
5. Configure Encryption Method - self explanatory
6. Prevent memory overwrite on restart- If enabled, it will overwrite memory before restarting. This
  destroys the key stored in RAM to access encrypted material or in other words increases safety at the
  cost of performance.
7. Configure TPM platform validation profile- one major advantage of using a system with TPM is
  the added security a Trusted Platform Module provides. This added security comes in the form of
  verification of boot time parameters, if those parameters changed the TPM will not allow access to the
  encryption keys and the system will enter recovery mode.

Starting the process - Enabling BitLocker

Up to this point no encryption mechanisms have been enabled. Your system has been changed, yet the changes did
not enable or apply any encryption to the system,so lets get to it:

Once the settings have been configured we can finally start the encryption process. This is done by starting the
BitLocker Drive Encryption tool.
Choose 'Turn On BitLocker'. The screenshots have been taken from a system that has a compatible
TPM. If your system doesn't have one, the steps will be a bit different but the concept will be the same.
If you haven't turned the TPM on yet you will receive a warning message about it- Vista turns it on but it still
needs some interaction from you- Shutdown the system and turn it on.
After restarting, on the system I used (Lenovo X61) I received a message requesting me to acknowledge the
request to turn the TPM on.
After acknowledging the request, I logged into the system and I could finally start the encryption process.
Ownership of the TPM is taken.
At this stage (if you configured the system to use a PIN to protect the TPM) you will be asked for that PIN.
If you chose to use a key you will be asked to use a removable storage device to store the key.
As you may remember, BitLocker needs a recovery mechanism. This is where you configure it.
Note that you can create additional keys later one but you need to create at least one at this stage
to continue.
Once the recovery key is saved, the encryption can start...well almost. After creating the recovery
key I would advise that you make sure that it is tested by marking the checkbox for 'Run BitLocker
System Check'. This will restart your system and the recovery key you created will be tested.
If the test fails, encryption will not commence.
After the system starts up, you finally get to the promised land...or encryption.

A few Observations about the process

The encryption process can be paused and continued at a later stage by different users of the same system.
The process will continue over restarts form the point it left off, and the decryption key will be required after
every restart and hibernation.
During the encryption process, the free space on the volume being encrypted drops dramatically to approximately
6 GB. This happens due to the way BitLocker balances between security and performance while encrypting a volume. Free
space on a hard drive is rarely empty, when you delete data on a volume you do not destroy the data, you simply
hide it from plain view. In other words, free disk space may still hold valuable data and it too needs to be encrypted
or destroyed. When deciding on a method (encrypting or destroying the data) encrypting the data stored in free space
seems to be a waste of time and performance so the logical solution is destroying the data. This is achieved by creating
a huge file (called the wipe file) that covers all free space, except 6GB (to avoid full disk messages) which are encrypted.
The process bar (percentage) doesn't seem to reflect the time left-so don't base your time calculations on it. It seems to
start out at a slower pace and the pick up.

Managing BitLocker

Once BitLocker is applied there is not much to do, it's simply there.Nevertheless, there are a few additional tasks that
you should be aware of and both are reachable by starting the 'BitLocker Drive Encryption Tool':

Save additional copies of the Recovery key
Reset the TPM PIN
Encrypt additional volumes- once the first volume (typically C:) is encrypted, additional volumes (except S:)
can be encrypted.
Turn off BitLocker- You may want to turn off BitLocker for two main reasons:
1. Remove BitLocker from the system - This can be done by choosing 'Turn Off Bitlocker'
  and then 'Decrypt the drive'. This is a lengthy process as the drive needs to be fully decrypted.
2. Disable Bitlocker for driver installations and BIOS updates - In some cases you might be instructed to
  help in facilitating BIOS updates or driver installations by disabling BitLocker. When you disable BitLocker
  you do not remove the encryption, you simply put it on hold...the key needed to decrypt the data is freely
  available to the OS.

Managing BitLocker - Recovery

Recovery mode can be triggered by several factors:

If you use TPM and the boot environment has been tampered with (automatically)
You lost your TPM PIN or key (manually)
On a TPM protected system, the system board needs to be replaced
On a TPM protected system, the disk is moved to a different system

If recovery mode is triggered you will need to use either the recovery key you have created or the recovery
password that is stored with the recovery key you created. Basically they are both protectors in different
forms, one provides the key by a file saved on removable storage while the other provides the key by
entering a 48 digit long password. Both can be used by you if you have access to the removable storage
while the password can be used by a helpdesk representative helping you remotely.

Lets take a closer look at these protectors:

BEK (Backup Encryption Key?) file - This is an unreadable (to human eyes) file that stores the key needed
by BitLocker to decrypt the volume in question.
TXT (Text) file - Holds the 48 digit password which is the key to the volume.

To use these recovery options, you should choose recovery mode (or reach it automatically) when your system
by pressing ESC

Note that once you reach recovery you are requested to provide the key (note the file name in the screenshot). If
you do not have the key with you you can press Enter which will provide you with the user interface needed to
enter the 48 digit password:

Note that after booting through recovery mode you can continue working normally. As I mentioned in the first post
of this series, recovery mode is not different from a standard boot mode. Recovery mode simply uses different
protectors to provide the decryption.

Even though you can continue working normally using recovery mode to boot every time you should recreate your
original method of booting the system,either by creating a new key (on a removable storage device) or on your
TPM(which may be a bit more complicated then it seems,more about this in part three).

2nd part conclusions

In this part of the series I tried to describe the hands on process of configuring BitLocker and using it, we are not
done though. In part three, I plan to show you how to use the command line interface to control BitLocker
and a few additional tips and tricks.

As usual,any feedback/corrections are welcome.

Windows NT Backup - Restore Utility (Vista & Win2k8)

Erik Rozman — Sat, 29 Mar 2008 20:09:32 GMT

The fact that NT Backup is nowhere to be found on Vista and Windows 2008 disappointed me.
Given, NT Backup wasn't the tool of choice for backing up systems but I always had the comfort
of knowing that it's there in the background and that if I needed a quick and dirty solution
it would help me out...

There are several solutions for this problem,one of them is to copy over a few files and have
NT Backup up and running again (not sure if this doesn't violate the EULA though). A nagging
question though is what happens if you ran a backup on Win2k3 or XP and you want to restore
it on Win2K8 or Vista...Well here is the solution, Microsoft released a restore utility that
will work on Win2k8 and Vista:

Windows NT Backup - Restore Utility Download

You can download either the x86 or the 64 bit version. Once downloaded make sure to start the
Removable Storage Management service and then install the file.

RSAT for Vista SP1

Erik Rozman — Fri, 28 Mar 2008 11:05:07 GMT

Microsoft® Remote Server Administration Tools enables IT administrators to
remotely manage roles and features in Windows Server® 2008 from a computer
running Windows Vista® with Service Pack 1 (SP1).

Download

Windows Vista SP1 available (since Tuesday)

Erik Rozman — Fri, 21 Mar 2008 08:24:25 GMT

Yes I know,a bit late and no I don't want to get a haircut(you know who you are).

So after these cryptic messages do I have something new to tell you about this release?
Not really,except that finally all those holding out until SP1 can finally install Vista and
that SP1 comes packed with a few new cool features (e.g. the ability to apply Bitlocker
encryption to all volumes including flash based ones...).

In addition to that you may also want take a look at the list of incompatible drivers that
may block the SP from being installed:
http://support.microsoft.com/?kbid=948343

So if you have the time and you finally want to become SP1ed take the plunge!!

MacBook Air with Vista

Erik Rozman — Fri, 21 Mar 2008 08:03:30 GMT

It was bound to happen. I even thought of doing it but obviously someone
managed to beat me to it. For the full review (by X-bit labs)of how it preformed take a look at:

http://www.xbitlabs.com/articles/mobile/display/apple-macbook-air.html

Bitlocker - The Theory (Part 1 of 3)

Erik Rozman — Sat, 23 Feb 2008 20:26:05 GMT

I will start with a disclaimer. I know, not a good way to start a post...
I intend to write a series of posts about Bitlocker, starting with the theory and turning
that theory into practical implementation. I am writing these posts based on my own personal
research and knowledge. I have no connection to the people that wrote Bitlocker so I may
make mistakes here...If I do,please send me a message or leave a comment pointing out
the mistakes and I will make sure to fix them.

I decided to write these posts since I couldn't find any documentation about how Bitlocker
is supposed to work, how it's implemented and how it behaves in different scenarios. The
majority of articles I found, provided good background information some usage tips and
that's it... Now it's my turn to give it a shot.

What is Bitlocker

Bitlocker is a technology released with Windows Vista(Enterprise and Ultimate) that enables the
users to encrypt the contents of a volume. Bitlocker's role, in the pre-SP1 era, is to protect the
the system volume of a system by encrypting it. Since the encryption is at the volume level
the information is protected from a parallel installation attack.

The need for an encryption technology that protects a volume grew from the advent of mobile
computing and the threats of data theft (stealing a laptop is easier then stealing a desktop and
threats to a laptop are significantly higher considering that you use it in public places).

Bitlocker provides protection, yet you must remember that all encryption mechanisms can be
decrypted (otherwise we would be in a real bind) thus Bitlocker will slow down a potential data
thief not stop him.

You may be asking yourself at this stage what is the big deal here? Bitlocker is not the first
encryption technology to be released for Windows. Previous encryption mechanisms include the
Encrypting File System(EFS). How is Bitlocker different?

Bitlocker vs EFS

Bitlocker encrypts volumes (as one unit),EFS encrypts files and directories
Bitlocker encrypts system files,EFS can not encrypt system files
Bitlocker uses symmetric encryption while EFS uses asymmetric encryption
Bitlocker does not protect your data while a system is turned on, EFS does

Looking at this comparison, I hope that it is obvious to you that Bitlocker and
EFS are not adversaries or substitutes. Bitlocker and EFS are two technologies that can provide a
layered defense against data theft. That is if they are used correctly and together(hence the layered).

Since this post does not deal with data protection but with a specific part of it,namely
Bitlocker, lets continue by trying to understand what Bitlocker can do for you and what it can't.

What Bitlocker can do

Bitlocker can do the following things:

It makes it relatively very difficult to access data on a stolen disk or computer
It can encrypt the entire contents of a volume, including OS files, paging files, hibernation files
and temporary files
Post SP1 it can also encrypt additional volumes not only the system volume
Allows you to deploy and remove itself without destroying the data on the volume

What Bitlocker can't do

Bitlocker will not do the following things:

It does not protect the system from a network attack
It does not protect the data while a system is on (read-has electricity, including standby)

How does Bitlocker work - Booting an encrypted OS

Ok,now that we have the formalities out of the way, lets try to understand how does Bitlocker achieve
what it does. Once enabled Bitlocker starts an encryption process that obscures the data on the volume
it is applied to. The first volume that must be encrypted is the system volume and thus arises the problem
of the chicken and the egg:
If Bitlocker is a mechanism used by the OS to encrypt data, to be able to decrypt(access) the data
the OS has to be loaded (or at least part of it) but since we encrypt its volume it can not load because
it is encrypted...

To solve this problem, an additional volume has to be created(which should not store user data).This volume will not
be encrypted and will provide enough OS code to decrypt the system volume.Since in this part of the post
we are only discussing theory, take this as a given, an additional volume is created-the system boots from there
decrypts the encrypted volumes and allows the rest of the OS to boot.

How does Bitlocker work - Encrypting a Volume

Bitlocker encrypts a volume using a symmetric algorithm (Advanced Encryption Standard (AES) algorithm with
128-bit keys). The key length is controllable and their size can be increase to 256-bit yet that may cause performance
degradation.

The encryption process begins, and a key is created- this key is called the Full Volume Encryption Key (FVEK). The
FVEK is used to encrypt and decrypt the data. The FVEK is stored on the volume as part of the volumes metadata.
But wait-if the symmetric key that is used to encrypt/decrypt the data is stored on the volume it is meant to
protect what prevents a thief from picking it up and decrypting it...this sounds like locking a door and leaving the key
in the lock,from the outside...

To be honest, the door analogy is quite close to what happens with one small but major difference, instead of leaving
the key in the door, the key is placed inside a locked box that is welded to the door. In other words the FVEK, is
encrypted by an additional key called the Volume Master Key (VMK).

How does Bitlocker work - Decrypting a Volume

To decrypt a volume, you need to take the process used to encrypt it and reverse it (due to the use of symmetric
algorithm used): the OS boots, identifies the usage of Bitlocker, requests the VMK and uses it to access the FVEK
which in turn provides access to the encrypted data.

How does Bitlocker work - protecting the VMK (The Protectors!)

As you can see once you have access to the VMK, the game is over. Due to it's importance the VMK has to be
closely guarded. The measures used to protect the VMK are called 'protectors'. The role of the protectors is to prevent
unauthorized access to the VMK and it is assumed that if you have access to a protector you are authorized to use it
(this is a huge assumption but as the saying goes:"Who will guard the guards?").

There are several protectors that can be used to store the VMK:

Trusted Platform Module - A secure storage built into the system board that will store the VMK and release
it for use only if an additional authenticator(such as a PIN) is provided and no major changes to the system
have been identified.
External media - This may be a disk on key upon which the startup key is stored.
Recovery key - A manual process of entering 48 numbers to release the VMK.

More about the protectors in the second part of the Bitlocker series posts that will deal with implementation.

How does Bitlocker work - Why two keys?

There is one major reason for this-in the case of moving a hard drive to a different system or losing a protector
there is no need to re-encrypt the volume (a lengthy process). It is simply enough to re-key the FVEK by creating
a new VMK. In theory this is true, yet I have not found a way to do this.

Conclusion of part one

Bitlocker is part of a layered strategy to protect data from theft. The aim of this post was to lay down
foundations that will help with the implementation of Bitlocker. You should now be able to understand
the role of Bitlocker and it's abilities and shortcomings.

The second part of the series will describe the methods to implement Bitlocker.

Frozen RAM and Bitlocker (can it be defeated?)

Erik Rozman — Fri, 22 Feb 2008 09:25:22 GMT

This came as no surprise to me, yet when you see something theoretical being applied
it always manages to give you a jolt...especially if you consider the timing.

During the last week I was (and still am) planning a series of posts about Bitlocker.
In (very) short,Bitlocker is a Windows Vista technology that encrypts your hard drive
as a unit. To access the data you need to provide some type of a key that releases the
key used to decrypt (and encrypt) your data into RAM.

The main advantage of Bitlocker is it's ability to protect your data even if someone manages
to gain physical access to your system(by stealing it) and boots the system form a parallel
OS.

In the past I have read a research paper(still looking for it), stating that in contrary to popular
belief when you cut power to a RAM module the data it has stored is not lost. In addition to that,
the data inside RAM can be preserved by cooling the RAM modules.

Considering that your encryption/decryption keys are saved in RAM if someone gains access to
your system while it is still turned on(or shortly after you have cut power to it) they may be able
to access your encryption/decryption keys and additional sensitive information such as documents
you worked had open.

This concept has been demonstrated (to some extent in a video and a research paper) by a group of
people mainly from Princeton at their website:
http://citp.princeton.edu/memory/

In my opinion, it is extremely important to point out that Bitlocker protects your data only
if the computer is turned off or is hibernated (if your system is on, the data is not protected).

I am humbled to correct people from Princeton but it is something that I must do in this case, during the
video, the narrator mentions that in some cases Bitlocker can be attacked even if a system is turned off and
the way to discern between such cases is if a system asks for a key/pin(you are protected) or a password(you are
not protected).
The first part is very inaccurate and may cause unnecessary confusion.
There is only one way for a system to be off-there is no power running to it. Either it is shut down
or it is hibernated all the other methods do not shut a system down.

Anyway- it is still a cool concept to demonstrate...

Vista SP1 is available on TechNet Plus and MSDN

Erik Rozman — Fri, 15 Feb 2008 09:13:37 GMT

Based on a post from the TechNet Plus team SP1 for vista is available for subscribers. In addition
to that it is also available to MSDN subscribers:

Reclaiming disk space after Vista SP1 installation

Erik Rozman — Fri, 08 Feb 2008 17:23:00 GMT

After thinking about it, I came to the conclusion that this deserves a post of it's own.

The installation process of SP1 for Vista backs up all the files that it replaces
to allow you to uninstall it. If you are in dire need of free disk space you can use
an integrated tool called Vsp1clean.exe (aka SP1 File Removal Tool).

This tool will remove all the files that the installation backed up providing you with
the additional disk space at the price of not being able to uninstall the service pack.

So we will start with a copy of Windows Vista that has SP1(RTM) applied to it:

The uninstall option

To uninstall the service pack, all you have to do is to choose the package form Control Panel>
Programs and Features.

After the installation of the SP my drive C: has 6.84GB free:

Freeing up some disk space

We have made up our mind-we will never go back,never uninstall the SP and we want the disk space back!
To do this we can use a tool installed by the SP: %windir%\system32\vsp1cln.exe .

The following arguments can be used:

/o: <path to an offline Windows>
/Verbose - Didn't see a difference
/quiet - Skips the are you sure question...

This is what it looked like on my system:

After the cleanup, the free space grew to 7.6GB (approximately 800MB vacated...not bad):

Uninstall option is gone:

Conclusion

Considering hard drive sizes I see no real and immediate benefit in deleting the backed up files at the
price of losing the ability to uninstall the service pack (note that I wrote immediate). Once the dust
around your specific installation settles down (everything is working as planned) I see no reason
for you to keep on saving the files that allow rollback.

Another point to keep in mind here is that by keeping these files you give yourself a comfort zone of
a few hundred MBs in case you ever run out of disk space...

As Alun Jones pointed out in a comment to the post,users having a pre-release version of the SP installed
should be careful here,if they remove the files they will not be able to uninstall the pre-release version
(which has to be done to enable installation of the released version).