Microsoft BitLocker is a software disk drive encryption technology. This means that the end-user who plugs the device in needs to authenticate with Windows before the disk is accessible to them. Authentication is usually performed by specifying a password but can also be performed with a physical security card.
Microsoft makes it very easy to administer BitLocker in the enterprise with a tool called “Microsoft BitLocker Administration and Monitoring (MBAM)”. Furthermore, Microsoft distinguishes between encryption on non-removable hard drives and removable hard drives. For removable hard drives, Microsoft calls the feature “BitLocker to Go”. The “to Go” part means the storage drive can be moved from one Windows computer system to another Windows computer system.
Squadra Technologies Security for Removable Media Manager (secRMM) complements the “BitLocker to Go” experience by tracking how the end-user is using the encrypted removable media device. secRMM complements Microsoft's MBAM because MBAM is focused more on managing and deploying the devices whereas secRMM is focused on how the device is being used by the end-user.
The secRMM events tell you that the device is configured for BitLocker when the device is plugged into the Windows computer. Specifically, you will get two events when the “BitLocker to Go” device is plugged in. The first secRMM ONLINE event tells you that a device has been plugged in and that it is configured for BitLocker encryption. This event also tells you that the end-user has not yet authenticated with Windows and so cannot yet use the device. From a security standpoint though, it is important to know that someone has plugged the device in. Once the end-user authenticates successfully, another secRMM ONLINE event is logged indicating the device is ready for use.
secRMM logs all removable media (smartphones, tablets, USB drives, SD cards, CD-ROMs, etc.) events into the Windows security event log and also into a Windows event log named secRMM (that is only accessible to Administrators). secRMM has an Excel 2010+ AddIn that lets you look at the event log data in a tabular format. If you use Microsoft System Center, secRMM is integrated into SCCM, SCOM and Orchestrator (with Service Manager coming soon). We used the secRMM Excel AddIn for the screen shots below.
When the “BitLocker to Go” device is first plugged in, you will get an event that looks like the screen shot below. Notice the very last line.
Once the end-user authenticates to Windows, you will see an event that looks like the screen shot below. Notice the Serial Number from screen shot 1 to screen shot 2.
Then, whenever a file is written to the device, you will get an event that looks like the screen shot below. Notice that the source file (i.e. the file the end-user copied to the removable media device) is captured.
Finally, when the “BitLocker to Go” device is removed from the Windows computer, you will get an event that looks like the screen shot below.
=== 01/14/2015 ===
The information above covers how secRMM monitors (audits) a BitLocker device. secRMM has an authorization rule/policy (as of version 184.108.40.206) allowing only BitLocker-enabled removable media devices in your environment, either at a computer level or at a user/group level. The secRMM rule is called “AllowBitLockerOnly”. This rule is either on (checked) or off. You can have secRMM apply the “AllowBitLockerOnly” rule when the device is first plugged into the Windows USB port or when a user tries to copy file(s) to the device. If you apply the rule when the device is first plugged in and a non-BitLocker device is detected, secRMM will eject (unmount) the device so that Windows cannot recognize it. The two screenshots below show both scenarios. The first screenshot shows secRMM event ID=512 and the second shows event ID=513.
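To review these rule events outside the Excel AddIn, the PowerShell below is an added example, not Squadra's tooling and not part of the original article. It assumes the log name secRMM and event IDs 512 and 513 as stated above; the parameter names and the seven-day window are illustrative choices.

```powershell
# Added example, not secRMM's own tooling. Run from an elevated session:
# the article states the secRMM log is readable by Administrators only.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # hosts assumed to run secRMM
    [int]$Days = 7                                    # look-back window (illustrative)
)

$filter = @{
    LogName   = 'secRMM'                   # log name as given in the article
    Id        = 512, 513                   # AllowBitLockerOnly event IDs from the article
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = foreach ($computer in $ComputerName) {
    try {
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error when nothing matches, the log is absent,
        # or the host is unreachable; report it and continue with the next host.
        Write-Warning "${computer}: $($_.Exception.Message)"
    }
}

# Per-host, per-ID counts show where non-BitLocker media keeps turning up.
$events |
    Group-Object MachineName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Full detail for review; Message carries the secRMM event text.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, MachineName, Id, Message |
    Format-List
```

A host that reports no matching events produces a warning rather than stopping the run, so one quiet machine does not hide results from the others.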
In conclusion, Microsoft BitLocker is a very good software encryption technology at a very good price (free with the OS).
For more information on secRMM, please visit http://www.squadratechnologies.com.