Encryption Methods Microsoft Windows Supports

Microsoft Windows access controls depend on subjects using Windows to access the secured objects. But what if an attacker is able to bypass Windows and its access controls? Nearly all of today’s computers support multiple boot devices. It is not difficult to create a bootable DVD or USB device that loads another operating system and completely bypasses Windows. Such a boot device could provide direct access to disks and other connected devices without the access controls defined in Windows. In short, an attacker can boot another operating system, effectively bypass all access controls, and gain full access to stored data.

Attacking a computer by booting into a different operating system is easy. Windows access controls alone are not sufficient to protect data. This is a prime example that highlights the need for a defense-in-depth strategy. You need additional controls to protect sensitive data. One type of additional control should be physical controls to limit direct access to computers that store sensitive data. By limiting physical access, you make it more difficult for an attacker to insert a disk or USB device and boot a computer from alternate media.

Another type of control is the use of encryption. Files, folders, and volumes can be encrypted using Windows encryption. Windows-encrypted files cannot be read simply by booting into another operating system, because Windows stores the decryption keys. An attacker could still potentially boot from alternate media, but the data on the storage devices would be encrypted and useless outside Windows. Whether the encrypted data is stored on a disk or backed up onto other media, it is useless without the decryption keys. Encryption makes stealing backup media far less attractive to attackers. Encryption provides a valuable additional layer in your defense strategy.

Encryption is handy when transferring data between programs. Programs can reside on the same or different computers. It is important to protect sensitive information as it is being transferred from one storage location to another. Commonly, networks are used to transport data. This type of data transport can be vulnerable to attack. Encryption is used to ensure that no unauthorized user can view sensitive data. Encryption also validates both the integrity and the source of the data.

Microsoft provides various programs and methods to secure data with encryption. For securing data at rest, Microsoft includes:

  • BitLocker for encrypting entire volumes

  • Encrypting File System (EFS) for encrypting files and folders

For securing data in transit, Microsoft provides support for many methods and strategies, including:

  • Secure networking protocols

  • Digital certificates

  • Public key infrastructure

  • Virtual private networks
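The following PowerShell script is an added example, not part of the book, that audits the two data-at-rest controls listed above: it reports BitLocker status for each volume and checks whether files in a sensitive folder carry the EFS Encrypted attribute. It assumes the built-in BitLocker PowerShell module and an elevated session; $SensitivePath is a constructed placeholder.

```powershell
# Added example: audit BitLocker (volume) and EFS (file/folder) protection on a Windows host.
# Assumes the BitLocker module (Windows 8 / Server 2012 or later) and an elevated session.
#Requires -RunAsAdministrator

$SensitivePath = 'C:\Data\Sensitive'   # constructed placeholder; point at a real folder

function Get-VolumeProtectionReport {
    # One row per volume: is the whole volume protected by BitLocker, how, and with which key protectors?
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume           = $_.MountPoint
            VolumeType       = $_.VolumeType           # OperatingSystem or Data
            ProtectionStatus = $_.ProtectionStatus     # On / Off
            VolumeStatus     = $_.VolumeStatus         # FullyEncrypted, FullyDecrypted, EncryptionInProgress ...
            EncryptionMethod = $_.EncryptionMethod
            KeyProtectors    = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

function Get-EfsReport {
    param([string]$Path)
    # EFS flags encrypted files with the Encrypted file attribute; report it for every file under $Path.
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            Encrypted = ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
        }
    }
}

$volumes = Get-VolumeProtectionReport
$volumes | Format-Table -AutoSize

# Defense-in-depth check: an unprotected OS volume can be read directly by booting from
# alternate media, which is exactly the bypass described in the text.
$os = $volumes | Where-Object VolumeType -eq 'OperatingSystem'
if ($os -and $os.ProtectionStatus -ne 'On') {
    Write-Warning "OS volume $($os.Volume) is not protected by BitLocker."
}

if (Test-Path $SensitivePath) {
    $unprotected = Get-EfsReport -Path $SensitivePath | Where-Object { -not $_.Encrypted }
    if ($unprotected) {
        Write-Warning "$(@($unprotected).Count) file(s) under $SensitivePath are not EFS-encrypted:"
        $unprotected | Select-Object -ExpandProperty File
    }
}
```

Both warnings are audit findings only; remediation (Enable-BitLocker for a volume, or cipher.exe /e for a folder) is a separate, deliberate step because it changes how the data can be recovered.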
