BitLocker with or without PIN

I recently watched a TechEd video that aimed at showing how to create a hack-proof copy of Windows 8.1. One of the standouts that I can't seem to confirm anywhere was this:

"Gamechanger! In Windows 7 it was recommended to use two-factor auth like PIN . . . With Windows 8.1 + certified devices we can build a secure BL without two-factor auth for the first time!"

And then he says . . .

"TPM_only is the recommendation for most companies"

Can someone confirm this for me? Or point me to a source that can. The BL FAQ doesn't say this. It refers to TPM+PIN as the best practice.

THANKS

January 20th, 2015 2:16am

Hi Jason.

Please give us the link to that video.

I think I am deep into this matter, but never before have I heard that Win8.x changes the game in this respect. Quoting myself from https://social.technet.microsoft.com/Forums/windows/en-US/d0a40ade-85e3-4a1d-894c-311267640180/bitlocker-do-i-need-a-pin?forum=w7itprosecurity#8ad810a8-09c7-4db8-b246-285c503443e1

"The PIN is for preboot authentication. If you don't set a PIN, there are exactly three additional attack types for the scenario when someone steals your computer:

1) network attack against known or future vulnerabilities - this should be no problem since by default there should be no ports open (firewall active without exceptions) on normal laptops
2) cold boot attack: see for yourself, it's pretty much James Bond style https://www.youtube.com/watch?v=JDaicPIgn9U (serious video done by researchers of Princeton University)
3) FireWire or other "DMA hack" - can be fought by simply deactivating the interfaces in the BIOS. And since the TPM watches the BIOS, an attacker cannot reactivate those interfaces

->Conclusion: With 1 and 3 being dealt with, only attack 2 is a real additional threat if you don't use a PIN. You need to decide for yourself if that's something you would worry about.
My opinion: if you think that there could be people after the data that are more than just simple thieves, then definitely use a PIN."

  • Edited by Ronald Schilf Tuesday, January 20, 2015 8:57 AM
  • Proposed as answer by DiWuNewfolder Wednesday, January 21, 2015 2:13 AM
January 20th, 2015 11:40am
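As an added example (not part of the thread, the video, or any Microsoft material), the following PowerShell script audits the points raised in the post above on a single machine: whether the OS volume is protected by TPM-only or TPM+PIN, what the "Require additional authentication at startup" policy currently permits, which DMA-capable controllers (FireWire/1394, Thunderbolt) are present, and, with the hypothetical `-AddPin` switch, how to move from TPM-only to TPM+PIN without losing the recovery path. It assumes Windows 8 / Server 2012 or later with the BitLocker and TrustedPlatformModule modules available, an elevated prompt, and the standard `HKLM\SOFTWARE\Policies\Microsoft\FVE` policy location; the value names and the 0/1/2 (do not allow / require / allow) encoding are the ones written by the BitLocker Group Policy templates.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: audit BitLocker pre-boot authentication
# on the OS volume and optionally switch TPM-only to TPM+PIN.
# Assumes Windows 8 / Server 2012+ with the BitLocker and
# TrustedPlatformModule PowerShell modules present.
param(
    [string]$MountPoint = $env:SystemDrive,
    [switch]$AddPin          # hypothetical switch: actually perform the change
)

# 1. TPM state. A PIN only adds value if the TPM is ready to seal the volume key.
$tpm = Get-Tpm
Write-Output ("TPM present: {0}, ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady)

# 2. Which key protectors guard the OS volume.
$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
Write-Output ("{0}: protection={1}, protectors={2}" -f `
    $vol.MountPoint, $vol.ProtectionStatus, ($types -join ', '))

if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
    Write-Output 'Pre-boot auth: TPM+PIN (two-factor).'
} elseif ($types -contains 'Tpm') {
    # TPM-only: the TPM releases the volume key to the boot chain with no user
    # input, so cold-boot and pre-boot DMA attacks apply unless mitigated elsewhere.
    Write-Output 'Pre-boot auth: TPM only (no PIN).'
} else {
    Write-Output 'No TPM-based protector on this volume.'
}

# 3. Policy "Require additional authentication at startup" is stored under
#    HKLM\SOFTWARE\Policies\Microsoft\FVE; per option 0 = do not allow,
#    1 = require, 2 = allow.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve -and $fve.UseAdvancedStartup -eq 1) {
    Write-Output ("Policy: UseTPM={0} UseTPMPIN={1} UseTPMKey={2} UseTPMKeyPIN={3} MinimumPIN={4}" -f `
        $fve.UseTPM, $fve.UseTPMPIN, $fve.UseTPMKey, $fve.UseTPMKeyPIN, $fve.MinimumPIN)
    if ($fve.UseTPM -ne 0 -and $fve.UseTPMPIN -ne 1) {
        Write-Output 'Policy still permits TPM-only; set UseTPMPIN=1 and UseTPM=0 to force a PIN.'
    }
} else {
    Write-Output 'No startup-authentication policy configured (TPM-only is the Windows default).'
}

# 4. DMA-capable controllers. Disabling them inside Windows does nothing pre-boot;
#    the post above disables them in firmware setup, which the TPM measurements
#    then cover.
Get-CimInstance Win32_PnPEntity |
    Where-Object { $_.Name -match '1394|FireWire|Thunderbolt' } |
    ForEach-Object { Write-Output ("DMA-capable device present: {0}" -f $_.Name) }

# 5. Move from TPM-only to TPM+PIN. Only one TPM-based protector may exist at a
#    time, and the policy must allow TPM+PIN or Add-BitLockerKeyProtector fails.
if ($AddPin -and -not ($types -contains 'TpmPin')) {
    # Never drop the TPM protector without a recovery password you have backed up.
    if (-not ($types -contains 'RecoveryPassword')) {
        $rp = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $pw = ($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
        Write-Output "Recovery password added, store it now: $pw"
    }
    $pin = Read-Host -AsSecureString -Prompt 'New startup PIN (length per MinimumPIN policy)'
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    Write-Output 'TPM+PIN protector added; the PIN is required at next boot.'
}
```

Run it once without `-AddPin` to see the audit only. The recovery-password step matters because removing the TPM protector on a machine whose only other protector is nothing leaves the volume recoverable solely through whatever you wrote down; the PIN itself is entered as a SecureString so it never lands in the console history.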

Ah, thinking about it once more, I think I know what this is about: with Win8.x, we have a new feature called Network Unlock: devices (given they have appropriate hardware and given a 2012 DC) can unlock automatically when connected to the domain network. They receive the key pre-boot from the domain controller using certain UEFI BIOS functions.
January 20th, 2015 3:23pm

It's not Network Unlock, I don't think. The vid is "Building a BulletProof Windows BitLocker". It's quite a boast: this guy argues he can do it WITHOUT a PIN and TPM. He addresses how to deal with specific attacks as well, such as Cold Boot.

Here's the link:

http://channel9.msdn.com/events/TechEd/Europe/2014/WIN-B319

Thanks for the response. I would really like to get MS to weigh in here. Is this guy a heretic or what?

January 20th, 2015 6:58pm

Ok, I watched the whole thing. The game changer is the following: with Win8, you have support for Secure Boot, so cold boot attacks without removing the memory are harder, if possible at all. With Win8.1, MS also tried to implement a setting that would make DMA attacks impossible, but that setting didn't make it to the RTM version. It will be seen in Windows 10: DMA attacks will not be possible pre-logon, nor at the logon screen.

So if you want the whole story ("what is still possible with tpm-only on 8.1"), I suggest to download the flowchart from http://adminize.us7.list-manage.com/subscribe?u=e13c84c9564fa4b2cb6afcb15&id=318e3d92bc


  • Edited by Ronald Schilf Tuesday, January 20, 2015 11:03 PM
  • Marked as answer by ronjayates5 Friday, January 30, 2015 2:38 AM
January 21st, 2015 2:02am

Hi ronjayates5,

We wonder if you have clarified the matter. Our recommended practice for BitLocker configuration on an operating system drive is still to implement BitLocker on a computer with a TPM version 1.2 or 2.0 and a Trusted Computing Group compliant BIOS or EFI firmware implementation, with a PIN.

As Ronald Schilf mentioned, by requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.

Advantages of TPM

Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.

More information about BitLocker for Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2:

http://technet.microsoft.com/en-us/library/hh831507.aspx#BKMK_Root

Regards

January 27th, 2015 8:25am

Thanks Richard, this helps. I was unable to locate the flow chart. As brilliant as Samil is, he doesn't have an ordinary search option, or maybe I'm just an idiot. Nonetheless, that answers my question for now. I'll be paying attention when W10 releases. Thanks
January 30th, 2015 5:38am

Jason,

the promised flowchart was on his blog news "back then"; we cannot access it now, sorry. Maybe send him a mail.

There's also a download for a BL hardening GPO, but import does not work... that guru doesn't seem to know that export/import only works on the same domain... You will have to use a trick to import it; if you need it, just say.

January 30th, 2015 11:11am
