The things that are better left unspoken

a blog by Sander Berkouwer

Windows 7 and SSDs, Part 3 (Security Best Practices)

Solid State Disks (SSDs) offer great performance enhancements, especially when you follow the guidelines in Part 1 and Part 2 of this series. From an information security point of view, however, these devices are a nightmare in terms of data confidentiality.

Recent studies from the University of California, San Diego (UCSD) show that securely wiping SSDs still results in 4% to 75% of the data previously stored on the device being recoverable. You can read the results of the studies in the document "Reliably Erasing Data From Flash-Based Solid State Drives".

Basically, every known method for securely erasing data on a traditional hard disk fails to achieve the same result on a flash-based Solid State Disk. These methods include:

  • Overwriting the data a certain number of times with all 0s or all 1s
  • Overwriting the data a certain number of times with a specific pattern of 0s and 1s
  • Degaussing the whole device

Note:
Securely erasing removable flash drives is an even greater challenge, according to the UCSD researchers.

For organizations with secure data management, which requires confidential data to be removed from drives before they leave the organization, implementing SSDs results in a serious headache at the end of the lifecycle of these devices.

  

Do I need data security?

As an Active Directory administrator, I would consider the information on any domain-joined computer to be confidential, because the data can be used in numerous ways. Gaining access to Outlook Web Access or DirectAccess, or rejoining a computer presumed dead to the domain, poses serious challenges. Detection is only the first problem.

As a home enthusiast (quite an understatement) I'm also not very keen on giving someone else my data (when I sell my laptop or SSD) while I thought I had erased it securely. Also, with a reputation as an IT Pro, I wouldn't want anyone receiving one of my handed-down drives to be able to trace it back to me.

     

Best Practice: Use BitLocker Drive Encryption

The reason no tool exists today to securely erase data is that on an SSD, in order to be addressed as an ATA device with plain file systems, data isn't altered in place ("overwritten") but actually written to a new block. The "old data" is retained and lingers on until the space is reused. Thus, the trick is to store the data in a secure way from the start. That way, out-of-date blocks don't contain lingering insecure data.

Some Solid State Disks offer a built-in solution to the problem: these drives store the data encrypted natively. However, the data is offered unencrypted to the system through the integrated electronics and firmware, so this offers little protection.

BitLocker Drive Encryption is a perfect way to store data securely. Since the encryption is tied to the Operating System on the drive (it needs to be running to have access to the unencrypted data) and to either a Trusted Platform Module (TPM) chip, with or without a PIN, or a startup key, this not only offers security for data at rest, but also a method to quickly revoke unencrypted access to the data.

With its master key functionality, recovery information storage in Active Directory and Group Policies to enforce settings in a granular way, BitLocker Drive Encryption has a couple of tricks up its sleeve compared to other encryption methods.
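The workflow described above (a TPM-bound key with a PIN, a recovery password, and the recovery information escrowed in Active Directory), as an added example that is not part of the original post. It is written against the Windows 7 tooling, manage-bde.exe and the Win32_EncryptableVolume WMI class; the drive letter, the assumption that the volume has no key protectors yet, and the need for an elevated PowerShell session are mine.

```powershell
# Added example, not from the original post. Enables BitLocker on the OS
# volume with TPM+PIN, adds a recovery password, backs it up to AD, and
# verifies the result. Run elevated on Windows 7 with an initialised TPM.
$OsDrive      = 'C:'   # assumption: the OS volume to protect
$BdeNamespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Get-BdeVolume([string]$Drive) {
    # One Win32_EncryptableVolume instance exists per BitLocker-capable volume.
    Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume |
        Where-Object { $_.DriveLetter -eq $Drive }
}

function Get-BdeProtectorTypes($Volume) {
    # Key protector types as numbers: 1 TPM only, 2 external key,
    # 3 numerical (recovery) password, 4 TPM+PIN, 5 TPM+startup key, 8 passphrase.
    $ids = @($Volume.GetKeyProtectors(0).VolumeKeyProtectorID) | Where-Object { $_ }
    foreach ($id in $ids) { $Volume.GetKeyProtectorType($id).KeyProtectorType }
}

function Test-BdeProtected([string]$Drive) {
    # The check to run afterwards (and to repeat until conversion finishes).
    $v = Get-BdeVolume $Drive
    if (-not $v) { return $false }
    $prot  = $v.GetProtectionStatus().ProtectionStatus   # 1 = protection on
    $conv  = $v.GetConversionStatus().ConversionStatus   # 1 = fully encrypted
    $types = @(Get-BdeProtectorTypes $v)
    # Require: protection on, fully encrypted, a recovery password present,
    # and no TPM-only protector (type 1) that would unlock without a PIN.
    return ($prot -eq 1) -and ($conv -eq 1) -and ($types -contains 3) -and -not ($types -contains 1)
}

# Step 1: key protectors. TPM+PIN so the TPM alone cannot release the key
# (manage-bde prompts for the PIN); a recovery password so a lost PIN is
# recoverable. The 48-digit recovery password is printed on the console.
& manage-bde -protectors -add $OsDrive -TPMAndPIN
& manage-bde -protectors -add $OsDrive -RecoveryPassword

# Step 2: escrow the recovery password in AD before encryption starts.
# GetKeyProtectors(3) returns only the numerical-password protector IDs.
$vol = Get-BdeVolume $OsDrive
$recoveryIds = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID) | Where-Object { $_ }
foreach ($id in $recoveryIds) {
    & manage-bde -protectors -adbackup $OsDrive -id $id
}

# Step 3: turn encryption on; conversion continues in the background.
& manage-bde -on $OsDrive

# Step 4: report the current state ($false until the drive is fully encrypted).
Test-BdeProtected $OsDrive
```

The -adbackup step is what places the recovery information on the computer object; it needs an AD schema that contains the BitLocker recovery objects (the Windows Server 2008 schema, or the extension for older forests) and write access to that object. If the -RecoveryPassword step was skipped, Test-BdeProtected stays $false on purpose: a volume without an escrowed recovery password is one a lost PIN turns into a brick.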

  

Optionally: Use BitLocker-to-Go

Since removable flash media also don’t fit the normal procedures of secure data management at the end of their lifecycles, you might want to consider encrypting the contents of these devices.

BitLocker-to-Go has the same tricks up its sleeve as BitLocker Drive Encryption, but does not rely on the availability of a TPM chip. Also, BitLocker Drive Encryption is not required to be able to use BitLocker-to-Go.

One caveat, however, is that removable drives configured with BitLocker-to-Go cannot be used as Startup Keys for BitLocker Drive Encryption. Once you insert a removable flash drive into a Windows installation with BitLocker-to-Go enforcement and encrypt it, it can't be accessed by the Windows boot runtime anymore. Separating flash media can also be tricky, since I guess you don't want users to run around with laptops and USB drives labeled "BitLocker Startup Key" in the same bag…
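The caveat above in checkable form, as an added example that is not from the original post: one function protects a removable drive with BitLocker-to-Go (passphrase plus recovery password, no TPM involved), the other refuses to register a drive as the startup key for the OS volume when that drive is already BitLocker-encrypted, since the boot environment could never read the key file from it. The drive letters, the elevated session and the use of manage-bde.exe together with Win32_EncryptableVolume are assumptions.

```powershell
# Added example, not from the original post. A removable drive is either a
# BitLocker-to-Go data drive or the OS volume's startup key, never both.
$OsDrive      = 'C:'   # assumption: the BitLocker-protected OS volume
$KeyDrive     = 'E:'   # assumption: the removable drive under consideration
$BdeNamespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Get-BdeConversionStatus([string]$Drive) {
    # 0 fully decrypted, 1 fully encrypted, 2/3 conversion in progress,
    # 4/5 paused; $null when the drive is not a BitLocker-capable volume.
    $v = Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume |
        Where-Object { $_.DriveLetter -eq $Drive }
    if (-not $v) { return $null }
    return $v.GetConversionStatus().ConversionStatus
}

function Test-UsableAsStartupKey([string]$Drive) {
    # The boot manager reads the .BEK file from a plain volume. Anything that
    # is, or is becoming, BitLocker-encrypted is refused here.
    $status = Get-BdeConversionStatus $Drive
    return ($null -eq $status) -or ($status -eq 0)
}

function Protect-RemovableDrive([string]$Drive) {
    # BitLocker-to-Go: a passphrase unlocks the drive on any Windows 7 machine
    # (no TPM involved); the recovery password is the fallback to escrow.
    & manage-bde -protectors -add $Drive -Password
    & manage-bde -protectors -add $Drive -RecoveryPassword
    & manage-bde -on $Drive
}

function Add-StartupKeyProtector([string]$Os, [string]$Drive) {
    # Guard against the caveat: manage-bde would happily write the .BEK to a
    # volume the boot loader can never unlock.
    if (-not (Test-UsableAsStartupKey $Drive)) {
        throw "$Drive is BitLocker-encrypted; it cannot hold the startup key for $Os."
    }
    & manage-bde -protectors -add $Os -StartupKey $Drive
}

# Pick ONE role for the drive and uncomment the matching line:
# Protect-RemovableDrive $KeyDrive
# Add-StartupKeyProtector $OsDrive $KeyDrive
```

Where Group Policy enforces BitLocker-to-Go on removable drives, the second role effectively disappears: every removable drive a user plugs in gets encrypted, so a startup-key drive has to be prepared before that policy applies to it, or the OS volume should use a TPM-based protector instead.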

    

Concluding

Using Solid State Disks (SSDs) offers great performance boosts, but also requires new procedures for secure data management. We can no longer rely on the old ways to securely erase data at the end of the lifecycle of our disks and need to think ahead. Encrypting the drive with well-manageable encryption software assures data confidentiality now and in the future.

Further reading

Flash-based solid-state drives nearly impossible to erase
SSD Security: Erase Solid State Drives Data
Delete Data On SSD Permanently
Leave No Trace: How to Completely Erase Your Hard Drives, SSDs and Thumb Drives
How to securely delete files stored on a SSD
How to configure BitLocker in a MDT 2010 deployment
Windows BitLocker Drive Encryption Step-by-Step Guide

Posted: Sunday, April 17, 2011 10:17 AM by Sander Berkouwer

Comments

DevAdmin » Blog Archive » System configuration on an SSD disk said:

In the post Considerations on using SSDs I had pointed out that, starting with Windows 7/Windows Server 2008 R2, a number of features were introduced that are designed specifically to optimize the system when it is installed on an SSD.

As I reported in the post Support and Q&A for Solid-State Drives, the following optimizations are stated to have been made:

  • TRIM support
  • Defragmentation disabled on SSD system drives
  • Superfetch, ReadyBoost, ReadyDrive, boot prefetching and application launch prefetching disabled on SSD system drives
  • Partitions created so that they are aligned with the SSD for the best performance (on this, see Disk Alignment on Windows 7 for normal disks and SSDs)

In general, as explained in that post, if the system detects an SSD disk during installation it configures what is listed above; in any case it is possible to verify that the various optimizations have been applied.

Verifying that TRIM is enabled

You can verify that the TRIM feature is enabled with the command:

fsutil behavior query DisableDeleteNotify

which must return 0 to indicate that TRIM is enabled; otherwise it can be enabled with the command:

fsutil behavior set DisableDeleteNotify 0

Below is what W7 does by default, as reported in Support and Q&A for Solid-State Drives:

“In Windows 7, if an SSD reports it supports the Trim attribute of the ATA protocol’s Data Set Management command, the NTFS file system will request the ATA driver to issue the new operation to the device when files are deleted and it is safe to erase the SSD pages backing the files. With this information, an SSD can plan to erase the relevant blocks opportunistically (and lazily) in the hope that subsequent writes will not require a blocking erase operation since erased pages are available for reuse.”

“Windows 7 requests the Trim operation for more than just file delete operations. The Trim operation is fully integrated with partition- and volume-level commands like Format and Delete, with file system commands relating to truncate and compression, and with the System Restore (aka Volume Snapshot) feature.”

Disabling defragmentation

To disable scheduled defragmentation you can proceed as follows:

  1. Run the command dfrgui
  2. Select Configure schedule
  3. Uncheck Run on a schedule (recommended)

Below is what W7 does by default, as reported in Support and Q&A for Solid-State Drives:

“The automatic scheduling of defragmentation will exclude partitions on devices that declare themselves as SSDs. Additionally, if the system disk has random read performance characteristics above the threshold of 8 MB/sec, then it too will be excluded. The threshold was determined by internal analysis.”

Disabling Superfetch

To disable the Superfetch feature you can set the EnableSuperfetch value in the key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters to 0 and then restart the computer; the possible values are listed below:

  • 0 = Disabled
  • 1 = Application launch prefetching enabled
  • 2 = Boot prefetching enabled
  • 3 = Application launch and boot enabled (default value)

For information see EnableSuperfetch (Windows Embedded Standard 7 Service Pack 1).

Alternatively, you can disable the Superfetch (SysMain) service:

  1. Stop the Superfetch (SysMain) service
  2. Disable the service (by default it is set to Automatic)

Below is what W7 does by default, as reported in Support and Q&A for Solid-State Drives:

“If the system disk is an SSD, and the SSD performs adequately on random reads and doesn’t have glaring performance issues with random writes or flushes, then Superfetch, boot prefetching, application launch prefetching, ReadyBoost and ReadyDrive will all be disabled.”

“Initially, we had configured all of these features to be off on all SSDs, but we encountered sizable performance regressions on some systems. In root causing those regressions, we found that some first generation SSDs had severe enough random write and flush problems that ultimately lead to disk reads being blocked for long periods of time. With Superfetch and other prefetching re-enabled, performance on key scenarios was markedly improved.”

Disabling ReadyBoost

ReadyBoost is a feature by which the system uses USB media for the pagefile; it is useful if you have little RAM, but the SSD is now faster than USB media anyway.

ReadyBoost in Windows 7 is managed through the Superfetch (SysMain) service; disabling that service disables the feature.

Disabling Prefetching

Prefetching is a feature by which the system loads parts of executables into RAM to speed up their launch; with SSDs it is no longer necessary, and disabling it frees up RAM.

To disable the prefetching feature you can set the EnablePrefetcher value in the key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters to 0 and then restart the computer; the possible values are listed below:

  • 0 = Disabled
  • 1 = Application start prefetching enabled
  • 2 = Boot prefetching enabled
  • 3 = Application start and boot enabled (default value)

For information see Disable Prefetch (Windows Embedded Standard 7 Service Pack 1).

Conclusions

In general Windows 7/Windows Server 2008 R2 and later should already be configured correctly to run on an SSD disk, but for peace of mind you can perform the following operations:

  • Verify that the TRIM feature is in use
  • Disable the Superfetch (SysMain) service

Since using an SSD disk implies different configurations, it is inadvisable to clone a system that was installed on a non-SSD hard disk.

For further information see also:

[Update 01]

See also KB 2727880 Windows 7 & SSD: defragmentation, SuperFetch, prefetch and the following KBs (unfortunately only available in German at the moment):

  • 2727881 Windows 7 & SSD: disable hibernation
  • 2727882 Windows 7 & SSD: Disable System Restore
  • 2727883 Windows 7 & SSD: moving the paging file
# January 17, 2014 12:12 AM
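A read-only check of the four settings the comment above walks through (TRIM via DisableDeleteNotify, EnableSuperfetch, EnablePrefetcher, and the SysMain service), as an added example that is not part of that comment or of the original post. It assumes Windows 7 era tooling (fsutil, the registry key the comment names, and WMI Win32_Service, so it runs under PowerShell 2.0) and an elevated session for fsutil; the fsutil output it parses is the "DisableDeleteNotify = 0" form the comment shows.

```powershell
# Added example, not from the comment or the original post. Reports the SSD
# tuning state; it changes nothing. Run elevated (fsutil needs it).
$PrefetchKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'

function Get-TrimState {
    # Windows 7 prints "DisableDeleteNotify = 0"; newer builds prefix "NTFS".
    # Returns 0 (TRIM enabled), 1 (disabled) or $null if unparseable.
    $out = & fsutil behavior query DisableDeleteNotify 2>&1 | Out-String
    if ($out -match 'DisableDeleteNotify\s*=\s*(\d)') { return [int]$Matches[1] }
    return $null
}

function Get-PrefetchValue([string]$Name) {
    # Returns the DWORD, or $null when the value is absent (Windows then
    # falls back to its built-in default of 3).
    $props = Get-ItemProperty -Path $PrefetchKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$Name]) { return [int]$props.$Name }
    return $null
}

function Get-SysMainState {
    # Win32_Service exposes StartMode on PowerShell 2.0, where Get-Service
    # does not. State is e.g. 'Running'/'Stopped'; StartMode 'Auto'/'Disabled'.
    $svc = Get-WmiObject Win32_Service -Filter "Name='SysMain'"
    if (-not $svc) { return $null }
    return @{ State = $svc.State; StartMode = $svc.StartMode }
}

function Test-SsdTuning {
    $trim = Get-TrimState
    $sf   = Get-PrefetchValue 'EnableSuperfetch'
    $pf   = Get-PrefetchValue 'EnablePrefetcher'
    $svc  = Get-SysMainState
    $report = @(
        @{ Check = 'TRIM enabled (DisableDeleteNotify = 0)'; Ok = ($trim -eq 0) },
        @{ Check = 'EnableSuperfetch = 0';                   Ok = ($sf -eq 0) },
        @{ Check = 'EnablePrefetcher = 0';                   Ok = ($pf -eq 0) },
        @{ Check = 'SysMain stopped and disabled';
           Ok = ($null -ne $svc) -and ($svc.State -eq 'Stopped') -and ($svc.StartMode -eq 'Disabled') }
    )
    foreach ($r in $report) {
        $flag = if ($r.Ok) { 'OK' } else { 'CHECK' }
        Write-Host ('{0,-42} {1}' -f $r.Check, $flag)
    }
    return $report   # hashtables, so the result can be filtered or exported
}

Test-SsdTuning | Out-Null
```

A "CHECK" on the registry lines is not necessarily wrong: as the quoted Microsoft text says, Windows 7 decides per disk whether to disable Superfetch, so an absent value with the service stopped is the expected picture on a system the installer recognised as an SSD. The script only shows what is actually in effect, which is what you want before changing anything.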