Mitigating attacks against FDE (BitLocker, TrueCrypt, etc) via Firewire, Thunderbolt, or DMA

Last Modified: Mon, 26 Jan 2015 17:28:52 +0000 ; Created: Wed, 16 Jan 2013 19:18:35 +0000

Good Microsoft KB on how to prevent Firewire/Thunderbolt/DMA attacks against a live running system with software FDE.

Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker

Good for versions of Windows including and after Vista and Server 2008.

Windows 8.1 (not 8.0) actually mitigates the attack out of the box now! See "Choose the Right BitLocker Countermeasure" (March 26, 2014).

Microsoft's KB isn't the clearest, since it tries to cover many versions of Windows at once. The instructions contain text that doesn't 100% match what your version of Windows actually shows.

Windows 7 Quick Start:

  1. Run the program gpedit.msc
  2. Local Computer Policy
  3. Computer Configuration
  4. Administrative Templates
  5. System
  6. Device Installation
  7. Device Installation Restrictions
  8. Prevent installation of devices using drivers that match these device setup classes
  9. Enabled
  10. Comment: (optional)
  11. Click Show... (button inside the Options: pane)
  12. Enter the device setup class GUID d48179be-ec20-11d1-b6b8-00c04fa372a7
  13. Close the Show Contents window with OK
  14. Scroll the Options: pane down until you see the checkbox
  15. Check "Also apply to matching devices that are already installed."
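The same local policy can be applied and checked from an elevated PowerShell prompt. This is an added example, not text from the Microsoft KB; it assumes the policy's registry mapping under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions (the DenyDeviceClasses value and subkey, plus DenyDeviceClassesRetroactive for step 15) and uses the same GUID as the steps above.

```powershell
# Added example: registry equivalent of the gpedit.msc steps above (elevated prompt).
# Assumption: policy registry mapping under DeviceInstall\Restrictions as named below.
$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$classList    = Join-Path $restrictions 'DenyDeviceClasses'   # subkey holding the GUID list

# Device setup class GUID from step 12 (SBP-2 / 1394 storage); braces are how the policy stores it.
$deniedClasses = @('{d48179be-ec20-11d1-b6b8-00c04fa372a7}')

function Set-DeniedDeviceClasses {
    param([string[]]$Guids, [bool]$Retroactive = $true)
    # -Force creates the Restrictions parent key as well if it is missing
    New-Item -Path $classList -Force | Out-Null
    # Step 9 "Enabled"  ->  DenyDeviceClasses = 1
    Set-ItemProperty -Path $restrictions -Name 'DenyDeviceClasses' -Value 1 -Type DWord
    # Step 15 "Also apply to matching devices that are already installed"
    Set-ItemProperty -Path $restrictions -Name 'DenyDeviceClassesRetroactive' `
                     -Value ([int]$Retroactive) -Type DWord
    # Step 12: the GUID list is stored as string values named 1, 2, 3, ...
    $i = 1
    foreach ($g in $Guids) {
        Set-ItemProperty -Path $classList -Name ([string]$i) -Value $g -Type String
        $i++
    }
}

function Test-DeniedDeviceClasses {
    param([string[]]$Guids)
    # Returns $true only if the policy is enabled AND every GUID is present in the list
    $r = Get-ItemProperty -Path $restrictions -ErrorAction SilentlyContinue
    if (-not $r -or $r.DenyDeviceClasses -ne 1) { return $false }
    $key = Get-Item -Path $classList -ErrorAction SilentlyContinue
    if (-not $key) { return $false }
    $stored = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    foreach ($g in $Guids) {
        if ($stored -notcontains $g) { return $false }   # -contains is case-insensitive
    }
    return $true
}

Set-DeniedDeviceClasses -Guids $deniedClasses
"Policy present and complete: $(Test-DeniedDeviceClasses -Guids $deniedClasses)"

# Show what the system currently has in the denied class(es); after a reboot or
# re-plug, such devices should fail to install or start.
Get-WmiObject Win32_PnPEntity |
    Where-Object { $deniedClasses -contains $_.ClassGuid } |
    Select-Object Name, Status, ConfigManagerErrorCode
```

Writing the Policies key directly does not update the local GPO editor's view (gpedit.msc still shows "Not configured"), and a domain GPO that sets the same policy will overwrite it on the next refresh.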