STIG V-253259 - BitLocker DAR - Windows 11

KD Sec-n-Tech Secure

Introduction:

Welcome to this episode focused on securing Windows 11 information systems through the use of BitLocker. In this episode, we will explore the importance of encrypting all disks with BitLocker to protect the confidentiality and integrity of data at rest. We will also discuss the vulnerability associated with unencrypted data and provide guidance on enabling BitLocker for Windows 11 systems.

Summary:

BitLocker is a critical security feature that ensures all disks on Windows 11 systems are encrypted, safeguarding data at rest from unauthorized access. By encrypting data, even when the operating system is not running, BitLocker protects against potential disclosure by preventing adversaries from directly accessing non-volatile memory. This episode focuses on the significance of employing BitLocker and provides remediation steps to enable full disk encryption using BitLocker on Windows 11 systems.

Exploitation:

Failure to implement full disk encryption using BitLocker exposes Windows 11 information systems to potential data breaches. Unencrypted data is susceptible to unauthorized disclosure, compromising the confidentiality and integrity of sensitive information. The permissions the operating system enforces only apply while it is running; without encryption, an adversary with access to the disk can read data at rest directly, bypassing those permissions entirely.

Checking for Compliance:

To verify compliance with the requirement of employing BitLocker for full disk encryption on Windows 11 systems, perform the following checks:

  1. Verify that all Windows 11 information systems (including SIPRNet) utilize BitLocker for full disk encryption.

  2. For virtual desktop implementations (VDIs) where the virtual desktop instance is deleted or refreshed upon logoff, the check is Not Applicable (NA).

  3. For AVD implementations with no data at rest, the check is also Not Applicable (NA).

  4. If full disk encryption using BitLocker is not implemented, it is considered a finding.

  5. Open "BitLocker Drive Encryption" from the Control Panel and check whether the operating system drive or any fixed data drives still show the "Turn on BitLocker" option. A drive that offers "Turn on BitLocker" is not yet encrypted, and this is considered a finding.

Remediation:

To enable full disk encryption using BitLocker on Windows 11 systems, follow these steps:

For Windows 11 Pro:

  1. Open Settings.

  2. Click on System.

  3. Navigate to the Storage page.

  4. Under the "Storage management" section, access Advanced storage settings.

  5. Click on Disks & volumes.

  6. Select the drive with the partition you want to encrypt.

  7. Choose the partition and click the Properties button.

  8. Click the "Turn on BitLocker" option.

  9. Select the option to back up the recovery key.

  10. Click the Next button.

  11. Choose the "Encrypt used disk space only" option.

  12. Click the Next button.

  13. Select the "New encryption mode" option.

  14. Check the "Run BitLocker system check" option.

  15. Click the Restart now button (if applicable).
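The same Windows 11 Pro remediation from an elevated PowerShell session, as an added example that is not part of the original post. It assumes the OS drive is $env:SystemDrive, that a TPM is present, and that the backup folder path (a placeholder) lives off the disk being encrypted; the BitLocker cmdlets exist on Pro/Enterprise/Education but not on Home.

```powershell
# Added example: command-line equivalent of the Windows 11 Pro GUI steps above.
# Run from an elevated PowerShell session on Pro/Enterprise/Education (the
# BitLocker cmdlets are not present on Home). Assumptions (not from the post):
# the OS drive is $env:SystemDrive and $BackupFolder is a placeholder path that
# is NOT on the disk being encrypted.
#Requires -RunAsAdministrator

$OsDrive      = $env:SystemDrive                 # e.g. "C:"
$BackupFolder = "\\FILESERVER\BitLockerKeys"     # placeholder: replace with your escrow location

# The TPM protector only works when a TPM is present and initialised
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM on this system; provision the TPM before enabling BitLocker."
}

$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On') {
    Write-Output "$OsDrive is already fully encrypted and protected; nothing to do."
    return
}

# Steps 8/11/13/14: turn on BitLocker with the TPM protector, encrypt used space
# only, use XTS-AES 256 ("new encryption mode") and keep the hardware test
# (omitting -SkipHardwareTest runs the "BitLocker system check" on restart).
Enable-BitLocker -MountPoint $OsDrive -TpmProtector -EncryptionMethod XtsAes256 -UsedSpaceOnly

# Step 9: add a recovery password protector and back it up before the restart,
# because encryption does not begin until the system check has passed.
$vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -Last 1

$keyFile = Join-Path $BackupFolder ("{0}_{1}.txt" -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}'))
@(
    "Computer:     $env:COMPUTERNAME"
    "Identifier:   $($rp.KeyProtectorId)"
    "Recovery Key: $($rp.RecoveryPassword)"
) | Set-Content -Path $keyFile
Write-Output "Recovery key written to $keyFile"

# If your policy escrows keys centrally, use one of these instead of (or as well as) the file:
#   Backup-BitLockerKeyProtector      -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId  # AD DS
#   BackupToAAD-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId  # Entra ID

# Step 15: restart to run the system check; encryption starts after a successful boot.
Get-BitLockerVolume -MountPoint $OsDrive | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
Write-Output "Restart the computer to complete the BitLocker system check."
```

Verify afterwards with Get-BitLockerVolume: the OS drive should report VolumeStatus FullyEncrypted and ProtectionStatus On once encryption finishes.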

For Windows 11 Home:

  1. Open Settings.

  2. Click on Privacy & Security.

  3. Access the Device encryption setting.

  4. Turn on the Device encryption toggle switch.

  5. (Optional) Click the "BitLocker drive encryption" option under the "Related" section.

  6. Under the "Operating system drive" section, click the "Back up your recovery key" option.

  7. Click the Save to a file option.

  8. Save the BitLocker recovery key in a different location.

  9. Click the Save button.

PowerShell Script:

# Requires an elevated session and the BitLocker module (Windows 11 Pro/Enterprise/Education)
#Requires -RunAsAdministrator

# Set the vulnerability number
$vulnNumber = "V-253259"

# Set the Working Directory
$WorkingDirectory = "C:\Add\The\Directory\Here"

# Set the file path
$filePath = "$($WorkingDirectory)\$vulnNumber.txt"

# Create or clear the status file (Out-Null suppresses New-Item's object output)
if (-not (Test-Path $filePath)) {
    New-Item -Path $filePath -ItemType File -Force -Confirm:$false | Out-Null
} else {
    Clear-Content -Path $filePath
}

# Default to Open so a failure to query BitLocker is never reported as compliant
$status = "Open"
$findingDetails = "Windows 11 information systems do not use BitLocker for full disk encryption."
$comments = "Enable full disk encryption on all information systems using BitLocker."

# Get BitLocker volumes. VDI/AVD instances with no data at rest are NA per the
# check text and must be marked separately; this script assumes a physical host.
$bitlockerVolumes = Get-BitLockerVolume -ErrorAction Stop

# A volume only protects data at rest when it is fully encrypted AND protection
# is On (a fully encrypted volume with protection suspended keeps its key in the clear)
$unprotected = $bitlockerVolumes | Where-Object {
    $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
}

if ($unprotected) {
    $status = "Open"
    $findingDetails = "BitLocker is not enabled or not protecting one or more volumes: " +
                      (($unprotected | ForEach-Object { $_.MountPoint }) -join ', ')
    $comments = "Enable full disk encryption on all information systems using BitLocker."
} else {
    $status = "NotAFinding"
    $findingDetails = "Windows 11 information systems use BitLocker for full disk encryption."
    $comments = "Not a finding."
}

# Write the variables to the status file
$status         | Set-Content -Path $filePath
$findingDetails | Add-Content -Path $filePath
$comments       | Add-Content -Path $filePath

PowerShell Script Explanation:

The provided PowerShell script evaluates the compliance status of BitLocker for full disk encryption on Windows 11 systems. It checks for fully encrypted volumes and sets the appropriate status, finding details, and comments. The script generates a status file with the evaluation results.

Closing Note:

Enabling BitLocker for full disk encryption on Windows 11 systems is crucial to protect the confidentiality and integrity of data at rest. By following the provided remediation steps and utilizing the PowerShell script, organizations can enhance the security posture of their Windows 11 Pro and Windows 11 Home systems. Regularly validating compliance with BitLocker encryption requirements ensures a robust security foundation.

Sources:

Microsoft. (n.d.). How to configure BitLocker encryption on Windows 11. Windows Central. Retrieved from https://www.windowscentral.com/how-enable-bitlocker-encryption-windows-11

Links:

Kingdom Dominion Security & Technology: https://www.kdsecntech.com/

Thank you for reading our episode on enabling BitLocker for full disk encryption on Windows 11. By implementing this security measure, you can enhance the confidentiality and integrity of your information at rest. If you have any further questions or suggestions, please feel free to reach out. Stay secure!

Stay safe and secure!

Kingdom Dominion Security & Technology