
10 Bitlocker Best Practices

BitLocker is a great tool to protect your data, but only if it's used correctly. Here are 10 best practices to follow to make sure your data is safe.

BitLocker is a full-disk encryption feature included with Windows Vista and later. It is designed to protect data by providing encryption for entire volumes.

BitLocker uses a Trusted Platform Module (TPM) to help protect the encryption keys used to encrypt the data on the drive. The TPM is a hardware component that manufacturers build into many newer computers.

In this article, we will discuss 10 best practices for using BitLocker.

1. Use BitLocker Drive Encryption

When you encrypt a drive with BitLocker, all of the data on that drive is encrypted. This includes not only the files and folders, but also the free space on the drive. That means if someone were to get access to the drive, they would not be able to read any of the data on it.

The other benefit of using BitLocker Drive Encryption is that it helps protect your data from being modified or deleted without your permission. Even if someone had access to the drive, they would not be able to make any changes to the data unless they had the encryption key.

BitLocker Drive Encryption is an important best practice because it helps keep your data safe and secure.

2. Enable TPM and PIN or USB Key for Authentication

TPM is a security chip that’s built into many newer computers. It stores cryptographic information and can be used to verify the boot process.

PIN or USB Key authentication adds an extra layer of security by requiring the user to enter a PIN or insert a USB key in order to unlock the computer. This prevents someone from simply powering on the computer and accessing the data.

Enabling both TPM and PIN or USB Key authentication will ensure that your data is as secure as possible.
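The following PowerShell session, added here as an example and not taken from the article, turns on BitLocker for the operating system drive with a TPM+PIN protector and adds a recovery password as a fallback. It assumes an elevated prompt, that the "Require additional authentication at startup" policy permits a startup PIN (otherwise Enable-BitLocker refuses the PIN), and that the `UseAdvancedStartup` and `UseTPMPIN` values it reads are the ones the BitLocker policy template writes under the FVE key.

```powershell
# Added example (not from the article): enable BitLocker on the OS drive with
# TPM+PIN startup authentication and a numerical recovery password.
# Assumes: run elevated; Group Policy allows a TPM startup PIN.

$Drive = 'C:'

# 1. Confirm the TPM is present and ready before relying on it.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready on this machine; initialise it first.'
}

# 2. Check the policy that permits a PIN (value names as written by the
#    BitLocker ADMX under the FVE policy key; verify against your templates).
#    UseTPMPIN: 1 = require startup PIN with TPM, 2 = allow it, 0 = do not allow.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if ($pol.UseAdvancedStartup -ne 1 -or $pol.UseTPMPIN -notin @(1, 2)) {
    throw "Policy does not allow a TPM startup PIN; enable 'Require additional authentication at startup' first."
}

# 3. Collect the PIN without echoing it to the console.
$pin = Read-Host -Prompt 'Enter a startup PIN (6-20 digits)' -AsSecureString

# 4. Turn on encryption with TPM+PIN. BitLocker runs a hardware test on the
#    next restart before it starts encrypting the volume.
Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin

# 5. Add a recovery password so a forgotten PIN does not mean lost data.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null

# 6. Report the protectors now attached to the volume.
(Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

Record the recovery password shown by `Get-BitLockerVolume` in the location your organisation has chosen before restarting.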

3. Require a Startup Key on Removable Drives

If you don’t require a startup key on removable drives, then an attacker could easily bypass BitLocker and gain access to your data. By requiring a startup key, you make it much more difficult for an attacker to access your data.

To require a startup key on removable drives, open the BitLocker Management console and select the drive you want to protect. Then click on “Require a startup key on removable drives” and select “Enabled”.

4. Do Not Store Recovery Passwords in AD DS

If an attacker gains access to a computer that is encrypted with BitLocker, they can attempt to brute force the password. If the recovery password is stored in AD DS, and the attacker has compromised Active Directory, they now have the ability to decrypt the drive.

The best practice is to store the recovery password in a safe location, such as a physical safe, and not in Active Directory.

5. Configure Group Policy to Back Up Your Keys

If you lose your BitLocker key, you will not be able to access your data. This is why it’s critical to have a backup of your keys, so that if you do lose them, you can still regain access to your data.

The best way to ensure that you always have a backup of your keys is to configure Group Policy to back them up automatically. This way, even if you forget to back up your keys manually, they will still be backed up and you will be able to retrieve them if you need to.

6. Disable the Ability to Save the Recovery Password to AD DS

When the recovery password is stored in AD DS, it’s possible for an attacker to gain access to the password if they have compromised the domain. This would allow them to decrypt the data on the drives protected by BitLocker.

To disable this feature, open the Local Group Policy Editor and go to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives. Then, set the “Turn on BitLocker backup to Active Directory Domain Services” setting to “Disabled”.
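Whether you have chosen to back up keys through Group Policy (practice 5) or to disable AD DS backup (practice 6), the script below, added here as an example rather than taken from the article, reports which recovery-backup policy is actually in effect on a machine and whether each protected volume holds a recovery password at all. It assumes an elevated prompt and that the registry value names are the ones the BitLocker policy templates write under the FVE key; verify them against your own ADMX files.

```powershell
# Added example (not from the article): audit the effective BitLocker
# recovery-backup policy and the recovery protectors on each volume.
# Assumes: run elevated; FVE value names as written by the BitLocker ADMX.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue

function Get-PolicyState($value) {
    if ($null -eq $value) { 'Not configured' } elseif ($value -eq 1) { 'Enabled' } else { 'Disabled' }
}

# Per-drive-type settings from "Choose how BitLocker-protected ... drives can be
# recovered": OS = operating system, FDV = fixed data, RDV = removable data.
$prefixes = [ordered]@{ OperatingSystem = 'OS'; FixedData = 'FDV'; RemovableData = 'RDV' }
foreach ($type in $prefixes.Keys) {
    $p       = $prefixes[$type]
    $backup  = $pol."${p}ActiveDirectoryBackup"         # 1 = save recovery info to AD DS
    $require = $pol."${p}RequireActiveDirectoryBackup"  # 1 = refuse to enable until saved
    [pscustomobject]@{
        DriveType        = $type
        SaveToADDS       = Get-PolicyState $backup
        RequiredBeforeOn = ($require -eq 1)
    }
}

# Legacy global setting "Turn on BitLocker backup to Active Directory Domain Services".
$legacy = $pol.ActiveDirectoryBackup
[pscustomobject]@{
    DriveType        = 'LegacyGlobal'
    SaveToADDS       = Get-PolicyState $legacy
    RequiredBeforeOn = ($pol.RequireActiveDirectoryBackup -eq 1)
}

# Whatever the policy says, every protected volume needs a recovery password
# stored somewhere you control; list each volume and how many it carries.
foreach ($vol in Get-BitLockerVolume) {
    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    [pscustomobject]@{
        Volume           = $vol.MountPoint
        Protection       = $vol.ProtectionStatus
        RecoveryPwdCount = $rp.Count
    }
}
```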

7. Implement NTFS Permissions on Removable Storage Devices

When BitLocker is used to encrypt a removable storage device, such as a USB drive, the encryption key is stored on the drive itself. This means that if the drive is lost or stolen, the data it contains is at risk of being compromised.

NTFS permissions can be used to restrict access to the encryption key, so even if the drive is lost or stolen, the data it contains will remain safe. This is an important best practice to implement because it helps to ensure the security of your data.

8. Monitor BitLocker Status with MBAM

There are three reasons to monitor BitLocker status with Microsoft BitLocker Administration and Monitoring (MBAM). The first is that it allows you to ensure compliance with your organization’s security policies. For example, you can use MBAM to monitor whether or not BitLocker is enabled on all devices in your organization.

The second reason is that MBAM provides valuable insights into the health of BitLocker-protected devices in your environment. For example, you can use MBAM to identify which devices are at risk of data loss due to encryption key issues.

Lastly, MBAM can help you troubleshoot BitLocker-related problems. For example, if you suspect that a device is not encrypting properly, you can use MBAM to check the status of BitLocker on that device and see if there are any errors.
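If MBAM is not available, the same three questions (is BitLocker on, is it healthy, and where are the errors) can be answered for a list of machines with the built-in BitLocker cmdlets over PowerShell remoting. The sweep below is an added example, not MBAM or code from the article; it assumes WinRM is enabled on the targets, the caller is a local administrator there, and `$Computers` is replaced with your own host list.

```powershell
# Added example (not from the article): BitLocker compliance sweep using
# Get-BitLockerVolume over PowerShell remoting.
# Assumes: WinRM reachable, caller is admin on each target.

$Computers = @('PC-01', 'PC-02')   # constructed sample names; replace with your inventory

$report = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            Volume         = $v.MountPoint
            VolumeType     = $v.VolumeType.ToString()
            Protection     = $v.ProtectionStatus.ToString()   # On / Off
            Status         = $v.VolumeStatus.ToString()       # FullyEncrypted, EncryptionInProgress, ...
            Percent        = $v.EncryptionPercentage
            Method         = $v.EncryptionMethod.ToString()
            HasTpmPin      = ($types -contains 'TpmPin')
            HasRecoveryPwd = ($types -contains 'RecoveryPassword')
        }
    }
}

# Conditions an auditor cares about: protection suspended or off, encryption
# that never finished, and an OS volume without a recovery password.
$findings = $report | Where-Object {
    $_.Protection -ne 'On' -or
    $_.Status -ne 'FullyEncrypted' -or
    ($_.VolumeType -eq 'OperatingSystem' -and -not $_.HasRecoveryPwd)
}

"=== All volumes ==="
$report | Format-Table PSComputerName, Volume, VolumeType, Protection, Status, Percent, HasTpmPin, HasRecoveryPwd -AutoSize

"=== Volumes needing attention ==="
$findings | Format-Table PSComputerName, Volume, Protection, Status, HasRecoveryPwd -AutoSize
```

Hosts that do not answer are reported by Invoke-Command as non-terminating errors and simply do not appear in `$report`, so compare its `PSComputerName` values against `$Computers` to find machines that could not be checked.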

9. Use Windows Defender Credential Guard

Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. This protects secrets against a wide range of attacks, including pass-the-hash and other credential theft techniques, many types of malware that aim to harvest credentials from memory, and human operators who have legitimate access to the operating system but should not have access to secrets.

Credential Guard also helps organizations meet compliance requirements, such as those for the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).

To use Credential Guard, you need:

* A 64-bit processor with Intel VT-x or AMD-V virtualization extensions and Second Level Address Translation (SLAT)
* TPM 2.0
* UEFI Secure Boot

If your computer doesn’t meet these requirements, you can still use BitLocker Drive Encryption without Credential Guard.

10. Use Secure Boot

Secure Boot is a feature of UEFI that helps to ensure that your computer only boots using bootloaders that are signed by a trusted source. This can help to prevent rootkits and other malware from infecting your system, as they would not be able to run without a valid signature.

To enable Secure Boot on Windows 10, you will need to go into the BIOS or UEFI settings for your computer. The exact location of these settings will vary depending on your manufacturer, but they should be under the “Security” or “Boot” options. Once you have found the Secure Boot setting, you will need to enable it and then save your changes.

If you are using BitLocker with TPM, you will also need to ensure that the TPM is initialised and configured correctly in order for Secure Boot to work properly.
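Before relying on practices 9 and 10, it helps to confirm that a machine actually meets the listed prerequisites and that Credential Guard is running, not merely configured. The check below is an added example, not code from the article; it assumes an elevated prompt on a UEFI system (on legacy BIOS, Confirm-SecureBootUEFI throws, which the try/catch reports as unsupported) and uses the `Win32_Tpm`, `Win32_DeviceGuard` and `Win32_Processor` CIM classes.

```powershell
# Added example (not from the article): verify Secure Boot, TPM 2.0, CPU
# virtualization/SLAT support, and whether VBS and Credential Guard are running.
# Assumes: run elevated on a UEFI machine.

# Secure Boot state from UEFI firmware variables.
$secureBoot = try { Confirm-SecureBootUEFI } catch { 'Not supported (legacy BIOS?)' }

# TPM specification version, e.g. "2.0, 0, 1.38" -> "2.0".
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
        -ErrorAction SilentlyContinue
$tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

# Device Guard / VBS status. SecurityServicesRunning: 1 = Credential Guard,
# 2 = HVCI. VirtualizationBasedSecurityStatus: 0 = off, 1 = configured, 2 = running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$cgConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
$cgRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)
$vbsRunning   = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# CPU capabilities the Credential Guard requirements list calls for.
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

[pscustomobject]@{
    SecureBootEnabled         = $secureBoot
    TpmSpecVersion            = $tpmVersion
    TpmIs2_0                  = ($tpmVersion -eq '2.0')
    Cpu64Bit                  = ($cpu.AddressWidth -eq 64)
    VirtualizationInFirmware  = $cpu.VirtualizationFirmwareEnabled
    SLATSupport               = $cpu.SecondLevelAddressTranslationExtensions
    VbsRunning                = $vbsRunning
    CredentialGuardConfigured = $cgConfigured
    CredentialGuardRunning    = $cgRunning
}
```

A machine where `CredentialGuardConfigured` is true but `CredentialGuardRunning` is false usually needs a reboot, or fails one of the hardware rows above.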
