Bitlocker advice

Hi,

 Our community nurses at my workplace have Lenovo ThinkPad 2 tablets (with Windows 8 Pro) that they take with them when visiting patients at home.

I set up Bitlocker on them, but I wanted to add an extra password prompt at the pre-boot stage for extra security. Unfortunately, the tablets weren't designed to have the virtual keyboard at the pre-boot stage. When Lenovo made a BIOS update available, I downloaded it and the tablets were able to have the virtual keyboard at the pre-boot stage and it appeared to be working. Four of the eight nurses came back to me saying that although they put the correct password in, Bitlocker didn't accept it and kept asking for the recovery key, which I had to keep putting in. In the end, I got sick of the same problem happening so I took the extra password off and set it up for the hard drive to be encrypted, but to unlock when the user puts their usual password in at the login stage.

 

I'm not sure if this was a problem with Bitlocker or maybe the new virtual keyboard isn't working properly. I've set Bitlocker up correctly in the gpedit and TPM settings.

I'm worried that if a tablet was lost and there was confidential info on there, someone might be able to get to it. Would you say it is enough encryption to just have the hard drive encrypted, and automatically decrypt when entering their password, or is this not good practice? How easy is it for anyone to hack into the tablet at the login stage in Windows 8 if they don't know the password?

Thanks for your help.

 

Kind regards,

 

Gary

P.S. Sorry if this is posted in the wrong category - I'm new to these forums
May 19th, 2015 3:49am

Hi Gary,

Bitlocker is designed to protect the PC's data from offline attacks. For an offline environment, it is almost impossible to attack the drive protected by Bitlocker.

As for the online environment, Microsoft offered the pre-boot authentication using a PIN or a USB flash drive as a key.
For a Windows 8 machine, the Unified Extensible Firmware Interface (UEFI) Secure Boot and Windows Trusted Boot startup process ensures operating system integrity, allowing Windows to start automatically while minimizing the risk of malicious startup tools and rootkits. It makes Bitlocker safer.

"How easy is it for anyone to hack into the tablet at the login stage in Windows 8 if they don't know the password?"
It will depend on the complexity of the password you have configured. If you have configured the password with numbers, letters and symbols and it is quite long, I am afraid it is almost impossible to attack the machine.

Here are links for reference of Bitlocker:

BitLocker Drive Encryption Overview
http://windows.microsoft.com/en-hk/windows-vista/bitlocker-drive-encryption-overview
Protect BitLocker from Pre-Boot Attacks
https://technet.microsoft.com/en-us/library/dn632180.aspx?f=255&MSPPError=-2147217396
Types of Attacks for Volume Encryption Keys
https://technet.microsoft.com/en-us/library/dn632182.aspx

Best regards

May 20th, 2015 2:50am

Hi,

Sorry for the late reply. Almost impossible should be good enough. Thanks a lot for the reassurance and advice - I appreciate it as I was worried whether they were secure enough. I'll pass the info on.

Thanks again.

Kind regards,

Gary

May 25th, 2015 7:53am

I would like to go a little beyond that answer.

Firstly, I guess your problem with the password might be a problem with the keyboard layout. To determine that, please answer: what keyboard language do you use, is it en-US? If not, there you have it. Bitlocker only supports the en-us keyboard layout ("qwerty") at the preboot encryption password authorization.

Secondly: without a password or PIN protector, the encryption is only "guarded" by the TPM. Now is that good or not? If someone can boot the system without preboot authentication, there are other attack vectors that specialists can exploit. The normal thief will have no idea how to.

If you would like to know more, please make yourself familiar with the term "bitlocker DMA attack". Also make sure to enable the firewall at least for the non-domain profile; that will mitigate another attack vector, the network attack.

May 26th, 2015 5:59pm
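
A way to check both points from the last reply on one tablet, added here as an example and not part of the thread: it reports whether the OS volume is TPM-only or has a pre-boot protector, and whether the firewall is on for the non-domain profiles. It assumes an elevated PowerShell session on Windows 8 or later with the BitLocker and NetSecurity modules; the function names are made up for this example.

```powershell
# Added example. Run from an elevated PowerShell prompt on the tablet.
# Function names are hypothetical; the cmdlets come from the BitLocker and NetSecurity modules.

function Get-PreBootAuthStatus {
    param([string]$MountPoint = $env:SystemDrive)

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $types  = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Protector types that make the user supply something before Windows starts.
    # ExternalKey is left out on purpose: it can also be a recovery key file.
    $preBoot    = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password'
    $hasPreBoot = [bool]($types | Where-Object { $preBoot -contains $_ })

    [pscustomobject]@{
        MountPoint       = $volume.MountPoint
        ProtectionStatus = $volume.ProtectionStatus
        VolumeStatus     = $volume.VolumeStatus
        Protectors       = $types -join ', '
        PreBootAuth      = $hasPreBoot
        TpmOnly          = ($types -contains 'Tpm') -and -not $hasPreBoot
    }
}

function Get-NonDomainFirewallStatus {
    # ActiveStore returns the settings in effect, including any Group Policy.
    Get-NetFirewallProfile -PolicyStore ActiveStore -Name Private, Public |
        Select-Object Name, Enabled, DefaultInboundAction
}

$bitlocker = Get-PreBootAuthStatus
$bitlocker | Format-List

if ($bitlocker.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is not on for $($bitlocker.MountPoint)."
}
if ($bitlocker.TpmOnly) {
    Write-Warning 'OS volume unlocks with the TPM alone (no PIN, startup key or password).'
}

$firewall = Get-NonDomainFirewallStatus
$firewall | Format-Table -AutoSize
$firewall | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    Write-Warning "Firewall is disabled for the $($_.Name) profile."
}
```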

This topic is archived. No further replies will be accepted.
