BitLocker – To PIN or not to PIN

Data breaches from stolen or lost laptops are in the news far too often. And you know it happens even more often off the news. MicroSolved’s recommendation for field laptops that may contain databases with sensitive and personal information is to encrypt the data or entire volume. Using the BitLocker feature on Windows is one such solution.

BitLocker is a Windows encryption feature that encrypts fixed or removable hard disks at the volume level, meaning the entire volume is encrypted. This is in contrast to encrypting individual files or folders with EFS (Encrypting File System), the file-level encryption feature of NTFS.

With BitLocker encryption enabled, if a laptop is stolen, an attacker cannot remove the hard disk, attach it to another computer and access the data. Nor can an attacker boot the stolen laptop from a LiveCD/LiveUSB, mount the internal drive and access the data. Every file on the drive, system and data files alike, is encrypted.

However, BitLocker has several modes, and one option is to enable or disable the pre-boot PIN. With the PIN enabled, there is a prompt for the PIN at boot, before the Windows operating system is even loaded.

Without the PIN, the laptop boots, the Windows operating system loads and the system starts up to the Windows logon screen. If the laptop is connected to a wired Ethernet connection, or is set up to automatically connect to a previously used wireless access point, it will join the network.

This is where the risk comes in. If the operating system or any of its running services has a vulnerability, there is the risk of compromise over the network. Any running service that is not patched carries that risk, whether it is IIS, RDP, FTP, SMB or SQL Server. Even with no unpatched vulnerabilities, a normally running service still presents a risk of compromise. For example, with a stolen laptop, an attacker has complete physical access and unlimited time to brute-force a running SMB or RDP service. Without a lockout policy, it is only a matter of time before the authentication credentials are discovered.

Yes, BitLocker provides strong protection for data if a laptop is stolen. However, weigh the convenience for the user against the additional protection the pre-boot PIN provides. With the PIN enabled, an authorized user must enter the PIN on every boot. Users may balk at TWO authentication prompts, the PIN and the Windows logon. However, that PIN prevents the operating system from automatically starting services that can be reached over its network connections.
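The practical question for an administrator is which laptops in the fleet are protected by the TPM alone (no pre-boot PIN) and how to move them to TPM+PIN. The following PowerShell is an added example written for this post, not code from MicroSolved or from Microsoft. It uses the real BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) and the Group Policy registry location under HKLM\SOFTWARE\Policies\Microsoft\FVE; the function names, the verdict field TpmOnlyNoPin and the ordering of the remediation steps are my own choices. It must run from an elevated PowerShell session on Windows 8 / Server 2012 or later, and the PIN change only takes effect at the next boot.

```powershell
# Added example, not part of the original post: audit BitLocker volumes for a
# TPM-only protector (no pre-boot PIN) and optionally move the OS volume to
# TPM+PIN. Run elevated; requires the built-in BitLocker PowerShell module.

# Protector types that add a pre-boot factor beyond the TPM alone.
$preBootProtectors = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')

function Get-BitLockerPinAudit {
    # One object per BitLocker volume; TpmOnlyNoPin is the verdict this post cares about.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPreBoot = [bool]($types | Where-Object { $preBootProtectors -contains $_ })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            # A 'Tpm' protector with no pre-boot factor: the OS boots unattended
            # to the logon screen and its network services come up.
            TpmOnlyNoPin     = (($types -contains 'Tpm') -and -not $hasPreBoot)
        }
    }
}

function Get-BitLockerPinPolicy {
    # "Require additional authentication at startup" (Computer Configuration >
    # Administrative Templates > Windows Components > BitLocker Drive Encryption >
    # Operating System Drives) is backed by these values. UseTPMPIN: 0 = do not
    # allow, 1 = require, 2 = allow.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { return 'NotConfigured' }
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    if ($p.UseAdvancedStartup -ne 1) { return 'NotConfigured' }
    switch ($p.UseTPMPIN) {
        1       { 'Required' }
        2       { 'Allowed' }
        0       { 'DoNotAllow' }
        default { 'Unknown' }
    }
}

function Set-OsVolumeTpmAndPin {
    # Replace a TPM-only protector on the OS volume with TPM+PIN.
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Never touch the TPM protector on a volume without an escrowed recovery
    # password; a failed change would otherwise leave the machine unbootable.
    if ($types -notcontains 'RecoveryPassword') {
        throw "$MountPoint has no RecoveryPassword protector; add and back it up first."
    }
    if ((Get-BitLockerPinPolicy) -eq 'DoNotAllow') {
        throw "Group Policy forbids a TPM startup PIN; adjust policy before continuing."
    }

    # Add TPM+PIN first so that a failure here changes nothing. Assumption: if
    # BitLocker rejects a second TPM-based protector the cmdlet errors out, and
    # if it replaces the old one the cleanup below simply finds nothing to remove.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # Remove any leftover TPM-only protector, otherwise the PIN adds nothing.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
    Get-BitLockerPinAudit | Where-Object MountPoint -eq $MountPoint
}

# Usage (elevated):
#   Get-BitLockerPinAudit | Format-Table -AutoSize
#   Get-BitLockerPinPolicy
#   Set-OsVolumeTpmAndPin -Pin (Read-Host -AsSecureString 'New BitLocker PIN')
```

Run Get-BitLockerPinAudit across the fleet (for example through a remoting session or an endpoint-management script) and treat any OS volume reporting TpmOnlyNoPin as True as the exposure the post describes. The remediation function deliberately refuses to run when no recovery password protector is present, because the recovery password is what an administrator falls back on if the PIN is forgotten or the TPM measurements change.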

If you have any questions, or need help with this issue, please contact MicroSolved at info@microsolved.com.

Resources
https://www.top-password.com/blog/configure-windows-10-to-prompt-for-bitlocker-pin-during-startup/
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures
https://www.windowscentral.com/how-use-bitlocker-encryption-windows-10