18.9.11.1.10 Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'

Information

This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives.

Note: This setting is enforced when turning on BitLocker, not when unlocking a volume.

BitLocker will allow unlocking a drive with any of the protectors available on the drive.

The recommended state for this setting is: 'Disabled'.

Rationale:
Using a dictionary-style attack, passwords can be guessed or discovered by repeatedly attempting to unlock a drive.

Since this type of BitLocker password does include anti-dictionary attack protections provided by a TPM, for example, there is no mechanism to slow down rapid brute-force attacks against them.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Disabled':


Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Configure use of passwords for fixed data drives


Note: This Group Policy path may not exist by default.

It is provided by the Group Policy template 'VolumeEncryption.admx/adml' that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

Impact:
The password option will not be available when configuring BitLocker for fixed drives.

See Also

https://workbench.cisecurity.org/files/1929

Item Details

Category: CONTINGENCY PLANNING, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CP-10(6), 800-53|SC-28(1), CSCv6|13.2

Plugin: Windows

Control ID: 071ba0085236b5586765947bc0c62d0dc65c5d491eebbfa607986226185ceb1b