8. What Is BitLocker
• Encrypts
- Operating System Drive
- Fixed Data Drive
- Removable Data Drive
• Checks After Changes
- BIOS
- System/Startup Files
12. BitLocker Modes
• Basic Mode:
- TPM only
• Advanced Modes:
- TPM + PIN
- TPM + USB Dongle
- USB Dongle
- TPM + PIN + USB Dongle
17. Windows 8 And BitLocker
• Pre-encrypt, ask for PIN on first logon
• Only encrypt sectors with data
• BitLocker Network Unlock
14. BitLocker Is Vulnerable When:
• The Disk Has Not Yet Been Fully Encrypted
• You Don’t Use A PIN
• Especially If The Computer Has Or Might Get:
- Firewire
- Thunderbolt
- Fake BIOS Startup (To Get The PIN)
15. Important To Do
• Use BitLocker
• Use A PIN
• Change The PIN
• Disable The Possibility To Use
- Firewire
- Thunderbolt
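As an added example (not from the original slides), the conditions on slides 14 and 15 as a read-only PowerShell audit for Windows 7: it uses the Win32_EncryptableVolume WMI class to flag volumes that are not fully encrypted or that rely on a TPM-only protector without a PIN, and lists any 1394/Thunderbolt devices. Assumed: the script runs from an elevated prompt; method names and type codes are those documented for the class.

```powershell
# Added example, not from the original slides: read-only BitLocker weak-state check
# for Windows 7 (PowerShell 2.0 compatible). Run from an elevated prompt.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
# KeyProtectorType codes as documented for Win32_EncryptableVolume
$protectorNames = @{ 1 = 'TPM only'; 2 = 'Startup key (USB)'; 3 = 'Recovery password';
                     4 = 'TPM + PIN'; 5 = 'TPM + startup key'; 6 = 'TPM + PIN + startup key' }

$findings = @()
foreach ($vol in (Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume)) {
    # GetConversionStatus: ConversionStatus 1 = fully encrypted, 2 = encryption in progress
    $conv = $vol.GetConversionStatus()
    if ($conv.ConversionStatus -ne 1) {
        $findings += "$($vol.DriveLetter) not fully encrypted ($($conv.EncryptionPercentage)%): data still exposed"
    }
    # Enumerate key protectors; argument 0 means "all protector types"
    $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
    $types = @()
    foreach ($id in $ids) { $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType }
    $named = ($types | ForEach-Object { $protectorNames[$_] }) -join ', '
    # Basic mode (TPM only, type 1) without any TPM+PIN variant (type 4 or 6)
    if (($types -contains 1) -and -not ($types -contains 4) -and -not ($types -contains 6)) {
        $findings += "$($vol.DriveLetter) uses a TPM-only protector, no PIN [$named]"
    }
}

# DMA-capable ports the slides say to disable (FireWire/IEEE 1394, Thunderbolt)
$dma = Get-WmiObject -Class Win32_PnPEntity -Filter "Name LIKE '%1394%' OR Name LIKE '%Thunderbolt%'"
foreach ($d in $dma) { $findings += "DMA-capable device present: $($d.Name)" }

if ($findings.Count -eq 0) { 'No findings: volumes fully encrypted, PIN in use, no 1394/Thunderbolt devices.' }
else { $findings }
```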
17. BitLocker Requirements
• A computer running:
- Windows 7 Enterprise (x86/x64)
- Windows 7 Ultimate (x86/x64)
- Windows Server 2008 R2
• With TPM
- A Trusted Computing Group (TCG)-compliant BIOS
- TPM microchip version 1.2 (turned on)
- TPM must be resettable from the operating system
• Removable Storage
- USB
- Floppy
- Memory Card
18. Enable BitLocker On A Virtual Machine For TESTING:
1. Set “Allow BitLocker without compatible TPM” in a GPO
2. Create a virtual floppy disk
3. Enable BitLocker with «manage-bde»
cscript c:\Windows\System32\manage-bde.wsf -on C: -rp -sk A:
4. Restart and it will start to encrypt
21. Enabling BitLocker Server Side
• On The Schema Master:
- C:\Temp\Bitlocker Scrip>ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=DomainName,DC=com" -k -j .
• On Any DC
- cscript Add-TPMSelfWriteACE.vbs
22. Enabling BitLocker Client Side
• During Deployment
- Best way, but some «challenges»
• After Deployment
- Manual or script
23. Management
• Script
• Active Directory Users And Computers
• ADSI Edit
• No Feedback
• No Reporting
26. BitLocker Links
• BitLocker Drive Encryption Step-by-Step Guide for Windows 7
http://technet.microsoft.com/en-us/library/dd835565(WS.10).aspx
• Using the BitLocker Repair Tool to Recover a Drive
http://technet.microsoft.com/en-us/library/ee523219(WS.10).aspx
• BitLocker Deployment Sample Resources
http://archive.msdn.microsoft.com/bdedeploy
• BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and
TPM Recovery Information to Active Directory
http://technet.microsoft.com/en-us/library/cc766015(WS.10).aspx
• Windows Trusted Platform Module Management Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc749022(WS.10).aspx
• BitLocker Drive Encryption Deployment Guide for Windows 7
http://technet.microsoft.com/en-us/library/dd875547(WS.10).aspx
28. MDOP supporting Flexible Workstyle
• Application Virtualization (App-V): Turns applications into centrally managed services that are never installed, never conflict, and are streamed on-demand to end users.
• Asset Inventory Service (AIS): A hosted service that collects software inventory data and translates it into actionable business intelligence.
• Diagnostics and Recovery Toolset (DaRT): Reduces downtime by accelerating the troubleshooting, repair, and data recovery of unbootable Windows-based desktops.
• Microsoft Enterprise Desktop Virtualization (MED-V): Provides application continuity during Windows migrations, allowing legacy applications to run in virtual machine-based compatibility workspaces.
• Advanced Group Policy Management (AGPM): Enhances governance and control over Group Policy through robust change management, versioning, and role-based administration.
• BitLocker Administration and Monitoring (MBAM): Makes BitLocker easier and more cost-effective to manage by simplifying deployment and provisioning, improving compliance, and minimizing support efforts.
29. What is Microsoft BitLocker Administration and Monitoring (MBAM)?
• MBAM builds on the BitLocker data protection offering in Windows 7 by providing IT professionals with an enterprise-grade solution for BitLocker provisioning, monitoring, and key recovery.
GOALS ARE:
1. Simplify provisioning and deployment
2. Provide reporting (e.g.: compliance & audit)
3. Reduce support costs (e.g.: improved recovery)
30. Prerequisites For Server
• Operating System:
- Windows Server 2008 SP2 (x86/x64)
- Windows Server 2008 R2
• Database:
- Compliance and Audit Report Server: Microsoft SQL Server 2008 R2 Std/Ent/Dev
- Recovery and Hardware Database Server: Microsoft SQL Server 2008 R2 Enterprise only
- Security reason: Transparent Data Encryption (TDE)
32. Installing MBAM
• Single computer configuration
- Everything on a single server. Supported, but only recommended for testing purposes.
• Three-computer configuration
- Recovery and Hardware Database, Compliance Status Database, and Compliance and Audit Reports features are installed on a server
- Administration and Monitoring Server feature is installed on a server
- Group Policy template is installed on a server or client computer
• Five-computer configuration
- Each server feature is installed on a dedicated computer: Recovery and Hardware Database; Compliance Status Database; Compliance and Audit Reports; Administration and Monitoring Server
- Group Policy Template is installed on a server or client computer
33. Installing MBAM
• Or In Most Cases 2 Computers
- 1 SQL
- 1 MBAM w/Group Policy Template
• Need To Have GPMC Installed
Group Policy Template Server?
34. Prerequisites For Clients
• A computer running:
- Windows 7 Enterprise (x86/x64)
- Windows 7 Ultimate (x86/x64)
• A Trusted Computing Group (TCG)-compliant BIOS
• TPM microchip version 1.2 (turned on)
• TPM must be resettable from the operating system
35. MBAM Client
• Encrypt volumes BEFORE a user receives the computer
- Works with Windows 7 deployment tools (MDT/SCCM)
- Client can:
  - Manage TPM reboot process
  - Be configured with TPM first and PIN later (e.g.: user provides PIN at first logon)
  - Recovery key escrow can be bypassed and then escrowed when user first logs on
• Best Practice
- Encrypt volumes AFTER a user receives a computer
- Client provides a Policy-Driven Experience
- Client will manage TPM reboot process
- Standard or Admin users can encrypt
- Only use when unencrypted machines appear on the network
36. MBAM Policy Settings
• A superset of BitLocker policies
• New MBAM Policies
- Policy for Fixed Disk Volume Auto-unlock
- Hardware capability check before encryption
- Allow user to request an exemption
- Interval client verifies policy compliance (default = 90 min)
• Policy location:
- Computer Configuration > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management)
39. Hardware Capability Management
• Some older computers may not properly support TPM
• To ensure those computers aren’t encrypted, a feature is included that can be used to define which computers are BitLocker capable
• How you turn it on:
- Group Policy setting so client checks before encryption starts
- From Central Console, define computers that are capable or not
40. How It Works
1. New Computer Discovered, Info Added To Central HW List
2. State Needs To Be Modified On Website By Operator With Permissions
3. When Feature Is Enabled Only Compatible Computers Will Be Encrypted
4. MBAM Client Checks Compatibility Before Encrypting (Make/Model/BIOS Version)
41. Troubleshooting:
• Under “HKLM\Software\Microsoft\MBAM”:
- Create DWORD “NoStartupDelay” value=1
- Create DWORD “DisableMachineVerification” value=1
• To prevent the delay of hardware compatibility checking, delete these 2 values and restart the MBAM agent:
- HKLM\Software\Microsoft\MBAM\HWExemptionTimer
- HKLM\Software\Microsoft\MBAM\HWExemptionType
- HWExemptionType values: 0=unknown, 1=incompatible, 2=compatible
• MBAM Fails To Start Encrypting The Disk
- %windir%\system32\bdeHdCfg.exe -target default -size 300 -quiet
http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/9e6dc763-03e5-421c-b0c5-33ca89477880
http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/ecd17002-0f06-4a62-845c-920442adb2b5
http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/0f62a250-2eb7-4e9a-aab8-bc4cafb6f71a
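An added PowerShell example (not from the original slides) that applies the troubleshooting steps above: it reports the cached HWExemptionType with its meaning, and on request sets the two DWORD values or clears the exemption values and restarts the agent. Assumed: the MBAM agent service is named MBAMAgent, and the script runs from an elevated prompt.

```powershell
# Added example, not from the original slides: inspect/reset the MBAM client
# hardware-compatibility state from the registry values named on the slide.
# Run elevated. The service name 'MBAMAgent' is an assumption.
param(
    [switch]$SkipDelays,       # create NoStartupDelay / DisableMachineVerification
    [switch]$ResetExemption    # delete HWExemptionTimer / HWExemptionType, restart agent
)

$mbamKey = 'HKLM:\Software\Microsoft\MBAM'
# HWExemptionType codes from the slide
$exemptionMeaning = @{ 0 = 'unknown'; 1 = 'incompatible'; 2 = 'compatible' }

function Get-MbamHwExemption {
    $key = Get-ItemProperty -Path $mbamKey -ErrorAction SilentlyContinue
    if ($key -eq $null -or $key.HWExemptionType -eq $null) {
        return 'HWExemptionType not set (compatibility check has not run yet)'
    }
    $t = [int]$key.HWExemptionType
    $meaning = $exemptionMeaning[$t]
    if ($meaning -eq $null) { $meaning = 'unexpected value' }
    "HWExemptionType=$t ($meaning), HWExemptionTimer=$($key.HWExemptionTimer)"
}

"Current state: $(Get-MbamHwExemption)"

if ($SkipDelays) {
    # The two DWORD values from the slide; -Force overwrites an existing value
    New-ItemProperty -Path $mbamKey -Name NoStartupDelay -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $mbamKey -Name DisableMachineVerification -PropertyType DWord -Value 1 -Force | Out-Null
    'Set NoStartupDelay=1 and DisableMachineVerification=1'
}

if ($ResetExemption) {
    # Remove the cached compatibility result so the agent re-evaluates on restart
    foreach ($name in 'HWExemptionTimer', 'HWExemptionType') {
        Remove-ItemProperty -Path $mbamKey -Name $name -ErrorAction SilentlyContinue
    }
    Restart-Service -Name MBAMAgent   # assumed service name for the MBAM agent
    "After reset: $(Get-MbamHwExemption)"
}
```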
42. Compliance and Reporting
• Need to know how effective your rollout is, or how compliant your company is?
• Need to know who has accessed keys and when, and when new hardware has been added?
• Need to know the last known state of a lost computer?
• MBAM agent collects and passes data to reporting server
• All clients pass this up, encrypted or not
• IT can clarify WHY a computer is not compliant
• Built on SQL Server® Reporting Services (SSRS), it gives you flexibility to add your own reports
44. Central Storage of Recovery Key
• Recovery Key(s) are Escrowed
- Operating System Volume
- Fixed Data Volumes
- Removable Data Volumes
• Stored outside of Microsoft Active Directory®
• 3-Tier Architecture
• DB encrypted with SQL Server’s Transparent Data Encryption
• Web Service API to build org-specific solutions
• All logging and authorization are done at web service layer to ensure parity for custom apps
45. Helpdesk Key Recovery UI
• MBAM provides a web page for helpdesk functionality
- Provide BitLocker Recovery Key for authorized users
- Provide TPM unlock package for authorized users
• All requests (successful or not) are logged: who, when, which volume
• Role based authorization model to get recovery info
- Tier 1: Helpdesk needs to have person/key match
- Tier 2: Key ID is sufficient (limited role)
• Create your own custom page leveraging web service layer
46. Single Use Recovery Keys
• Once a BitLocker Recovery key has been exposed, the client will create a new one
• As part of regular client/server communication, client checks to see if Recovery Key has been exposed
- MBAM client will create new one
- Transparent to user
• Recovery Keys are created once a volume is unlocked
48. MBAM Links
• Getting Started With MBAM
http://onlinehelp.microsoft.com/mdop/hh285638.aspx
• Deploying MBAM
http://onlinehelp.microsoft.com/mdop/hh285644.aspx
• Operations for MBAM
http://onlinehelp.microsoft.com/mdop/hh285664.aspx
• Troubleshooting MBAM
http://onlinehelp.microsoft.com/mdop/hh352745.aspx
• Downloadable MBAM technical documentation
http://www.microsoft.com/download/details.aspx?id=27555
49. Friday
16:25 : EDB Ergogroup Stand
Saturday
10:05 :Windows 8, what’s The Fuzz All About, Auditorium 6
15:05 : DaRT Flash Talk, Microsoft/HP Stand
16:25 : EDB Ergogroup Stand
Blog: olavtvedt.blogspot.com
Twitter: @olavtwitt