Managing Windows Server 2012 Storage and File Systems : TPM and BitLocker Drive Encryption (part 8) - Deploying BitLocker Drive Encryption

11/14/2013 2:53:36 AM

5. Deploying BitLocker Drive Encryption

Deploying BitLocker Drive Encryption in an enterprise changes the way both administrators and users work with computers. A computer with BitLocker Drive Encryption normally requires user intervention to boot to the operating system—a user must enter a PIN, insert a USB flash drive containing a startup key, or use a smart card with a valid certificate. Because of this, after you deploy BitLocker Drive Encryption, you can no longer be assured that you can perform remote administration that requires a computer to be restarted without having physical access to the computer—someone will need to be available to type in the required PIN, insert the USB flash drive with the startup key, or use a smart card with a valid certificate.

To work around this issue, you can configure Network Unlock on your trusted, wired networks. Before you use BitLocker Drive Encryption, you should perform a thorough evaluation of your organization’s computers. You need to develop plans and procedures for the following:

  • Evaluating the various BitLocker authentication methods and applying them as appropriate

  • Determining whether computers support TPM, and thus whether you must use TPM or non-TPM BitLocker configurations

  • Storing, using, and periodically changing encryption keys, recovery passwords, and other validators used with BitLocker

You also need to develop procedures for the following activities:

  • Working with BitLocker-encrypted drives

  • Supporting BitLocker-encrypted drives

  • Recovering computers with BitLocker-encrypted drives

When developing these procedures, you need to take into account the way BitLocker encryption works and the requirements to have PINs, startup keys, and recovery keys available whenever you work with BitLocker-encrypted computers. After you evaluate your organization’s computers and develop basic plans and procedures, you need to develop a configuration plan for implementing BitLocker Drive Encryption.

Several versions of BitLocker

Several implementations of BitLocker Drive Encryption are available: the original as released with Windows Vista, an update for Windows Server 2008 and Windows 7, and an update for Windows 8 and Windows Server 2012. Although computers running Windows 8 and Windows Server 2012 can work with any of the available versions, earlier versions of Windows can’t necessarily work with the latest version of BitLocker. With this in mind, you might need to configure Group Policy to allow access from earlier versions of Windows.

BitLocker Drive Encryption requires a specific disk configuration. To turn on BitLocker Drive Encryption on the drive containing the Windows operating system, the drive must have at least two partitions:

  • The first partition is for BitLocker Drive Encryption. This partition, designated as the active partition, holds the files required to start the operating system and is not encrypted.

  • The second is the primary partition for the operating system and your data. This partition is encrypted when you turn on BitLocker.

With implementations of BitLocker prior to Windows 7 and Windows Server 2008, you needed to create the partitions in a certain way to ensure compatibility. This is no longer the case: when you install Windows 7 and later or Windows Server 2008 and later, an additional partition is created automatically during setup. By default, this additional partition is used by the Windows Recovery Environment (Windows RE). However, if you enable BitLocker on the system volume, Windows usually moves Windows RE to the system volume and then uses the additional partition for BitLocker.

Using BitLocker on a hard disk is easy. On a computer with a compatible TPM, you must create or make available a BitLocker Drive Encryption partition on your hard drive and then initialize the TPM. On a computer without a compatible TPM, you only need to create or make available a BitLocker Drive Encryption partition on your hard drive.
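The steps above (check the TPM, confirm the separate system partition, turn on BitLocker, and put a recovery password in AD DS) as a PowerShell sequence for one server. This is an added example, not the article's own script; it assumes an elevated session, the BitLocker, TrustedPlatformModule and Storage modules that ship with Windows Server 2012, and that `$OsDrive` is the operating system volume.

```powershell
# Added example, not from the original article: enable BitLocker on the OS drive of a
# Windows Server 2012 host with a compatible TPM. Run from an elevated session.
Import-Module BitLocker
Import-Module TrustedPlatformModule

$OsDrive = $env:SystemDrive   # assumption: the OS volume, e.g. C:

# 1. Check the TPM. Without one, only the non-TPM plan (startup key on USB) applies, and
#    "Require Additional Authentication At Startup" must allow BitLocker without a TPM.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    throw "No compatible TPM found; use the non-TPM (startup key) configuration instead."
}
if (-not $tpm.TpmReady) {
    # Take ownership. Firmware may ask for physical-presence confirmation at the next boot.
    Initialize-Tpm -AllowClear -AllowPhysicalPresence | Out-Null
}

# 2. Check the partition layout: the unencrypted system (boot) partition must be separate
#    from the OS volume that BitLocker will encrypt.
$osPart = Get-Partition -DriveLetter $OsDrive.TrimEnd(':')
if ($osPart.IsSystem) {
    throw "OS volume is also the system partition; create the BitLocker partition first (bdehdcfg -target default)."
}

# 3. Turn on BitLocker with TPM + PIN as the startup protector. -SkipHardwareTest avoids the
#    extra reboot of the TPM hardware test; the PIN is requested interactively.
$pin = Read-Host -AsSecureString -Prompt 'Startup PIN'
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes256 `
    -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest

# 4. Add a recovery password and back it up to this computer's object in AD DS. The
#    "Choose How BitLocker-Protected Operating System Drives Can Be Recovered" policy
#    must permit AD DS backup for this call to succeed.
$vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector |
       Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
       Select-Object -Last 1
Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId

# Report status; EncryptionPercentage keeps rising in the background after the cmdlet returns.
Get-BitLockerVolume -MountPoint $OsDrive |
    Format-List MountPoint, VolumeStatus, EncryptionPercentage, KeyProtector
```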

You can use local Group Policy and Active Directory–based Group Policy to help manage and maintain TPM and BitLocker configurations. Group Policy settings for TPM Services are found in Administrative Templates policies for Computer Configuration under System\Trusted Platform Module Services. Group Policy settings for BitLocker are found in Administrative Templates policies for Computer Configuration under Windows Components\BitLocker Drive Encryption. There are separate subfolders for fixed data drives, operating system drives, and removable data drives.

Policies you might want to configure include the following:

  • Trusted Platform Module Services policies

    • Configure The Level Of TPM Owner Authorization Information Available To The Operating System

    • Configure The List Of Blocked TPM Commands

    • Ignore The Default List Of Blocked TPM Commands

    • Ignore The Local List Of Blocked TPM Commands

    • Standard User Individual Lockout Threshold

    • Standard User Lockout Duration

    • Standard User Total Lockout Threshold

    • Turn On TPM Backup To Active Directory Domain Services

  • BitLocker Drive Encryption policies

    • Choose Default Folder For Recovery Password

    • Choose Drive Encryption Method And Cipher Strength

    • Prevent Memory Overwrite On Restart

    • Provide The Unique Identifiers For Your Organization

    • Validate Smart Card Certificate Usage Rule Compliance

  • Fixed Drive policies

    • Allow Access To BitLocker-Protected Fixed Data Drives From Earlier Versions Of Windows

    • Choose How BitLocker-Protected Fixed Drives Can Be Recovered

    • Configure Use Of Hardware-Based Encryption For Fixed Data Drives

    • Configure Use Of Passwords For Fixed Data Drives

    • Configure Use Of Smart Cards On Fixed Data Drives

    • Deny Write Access To Fixed Drives Not Protected By BitLocker

    • Enforce Drive Encryption Type On Fixed Data Drives

  • Operating System Drive policies

    • Allow Enhanced PINs For Startup

    • Allow Network Unlock At Startup

    • Allow Secure Boot For Integrity Validation

    • Choose How BitLocker-Protected Operating System Drives Can Be Recovered

    • Configure Minimum PIN Length For Startup

    • Configure TPM Platform Validation Profile For BIOS-Based Firmware Configurations

    • Configure TPM Platform Validation Profile For Native UEFI Firmware Configurations

    • Configure TPM Platform Validation Profile (Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2)

    • Configure Use Of Hardware-Based Encryption For Operating System Drives

    • Configure Use Of Passwords For Operating System Drives

    • Disallow Standard Users From Changing The PIN Or Password

    • Enable Use Of BitLocker Authentication Requiring Preboot Keyboard Input On Slates

    • Enforce Drive Encryption Type On Operating System Drives

    • Require Additional Authentication At Startup

    • Reset Platform Validation Data After BitLocker Recovery

    • Use Enhanced Boot Configuration Data Validation Profile

  • Removable Data Drive policies

    • Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions Of Windows

    • Choose How BitLocker-Protected Removable Drives Can Be Recovered

    • Configure Use Of Hardware-Based Encryption For Removable Data Drives

    • Configure Use Of Passwords For Removable Data Drives

    • Configure Use Of Smart Cards On Removable Data Drives

    • Control Use Of BitLocker On Removable Drives

    • Deny Write Access To Removable Drives Not Protected By BitLocker

    • Enforce Drive Encryption Type On Removable Data Drives

Active Directory includes TPM and BitLocker recovery extensions for Computer objects. For TPM, the extensions define a single property of the Computer object, called ms-TPM-OwnerInformation. When the TPM is initialized or when the owner password is changed, the hash of the TPM ownership password can be stored as a value of the ms-TPM-OwnerInformation attribute on the related Computer object. For BitLocker, these extensions define Recovery objects as child objects of Computer objects and are used to store recovery passwords and associate them with specific BitLocker-encrypted volumes.

By default, Windows stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation in the registry. Because this information is kept locally, you no longer have to save it separately to Active Directory for backup and recovery purposes.

Generally, you want to ensure that BitLocker recovery information is always available if it’s needed. You can configure Group Policy to save recovery information in Active Directory using the following techniques:

  • With Choose How BitLocker-Protected Fixed Drives Can Be Recovered, enable the policy, accept the default options to allow data-recovery agents, and then save the recovery information in Active Directory.

  • With Choose How BitLocker-Protected Operating System Drives Can Be Recovered, enable the policy, accept the default options to allow data-recovery agents, and then save the recovery information in Active Directory.

  • With Choose How BitLocker-Protected Removable Drives Can Be Recovered, enable the policy, accept the default options to allow data-recovery agents, and then save the recovery information in Active Directory.

Ensuring FIPS compliance

For Federal Information Processing Standard (FIPS) compliance, you cannot create or save a BitLocker recovery password. Instead, you need to configure Windows to create recovery keys. The FIPS setting is located in the Security Policy Editor at Local Policies\Security Options\System Cryptography.

To require FIPS-compliant algorithms for encryption, hashing, and signing, enable the security option System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, And Signing in Local Group Policy or Active Directory Group Policy as appropriate. With this setting enabled, users can save only a recovery key to a USB flash drive. Users will not be able to save a recovery password to Active Directory Domain Services (AD DS), local folders, or network folders, and they also will not be able to use the BitLocker Drive Encryption Wizard or other methods to create a recovery password. Because recovery passwords cannot be saved to AD DS when FIPS is enabled, Windows will display an error if AD DS backup is required by Group Policy.
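An audit script, added here and not part of the article, that reads the effective recovery policy and FIPS state on a domain member, flags the FIPS conflict just described, and checks that the computer's recovery passwords actually exist as msFVE-RecoveryInformation objects under its Computer object (the recovery objects and ms-TPM-OwnerInformation attribute from the earlier paragraphs). It assumes the ActiveDirectory (RSAT) and BitLocker modules, that Group Policy writes its BitLocker values under `HKLM\SOFTWARE\Policies\Microsoft\FVE` with the value names shown, and that the attribute's LDAP display name is `msTPM-OwnerInformation`.

```powershell
# Added example, not from the original article: audit BitLocker recovery policy, FIPS
# mode and AD DS backup state for the local domain-joined computer.
Import-Module BitLocker
Import-Module ActiveDirectory

$fve  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$fips = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
            -ErrorAction SilentlyContinue).Enabled

# Assumed value names written by "Choose How BitLocker-Protected Operating System Drives
# Can Be Recovered": OSRecovery=1 policy enabled; OSRecoveryPassword 0=block 1=require
# 2=allow; OSActiveDirectoryBackup=1 save to AD DS; OSRequireActiveDirectoryBackup=1
# do not enable BitLocker until the AD DS backup succeeds.
$report = [ordered]@{
    PolicyEnabled        = [bool]$fve.OSRecovery
    RecoveryPasswordMode = $fve.OSRecoveryPassword
    AdBackup             = [bool]$fve.OSActiveDirectoryBackup
    AdBackupRequired     = [bool]$fve.OSRequireActiveDirectoryBackup
    FipsMode             = [bool]$fips
}

# The conflict the text describes: with FIPS on, no recovery password can be created, so a
# policy that requires one, or requires backing it up to AD DS, makes BitLocker error out.
if ($report.FipsMode -and ($report.RecoveryPasswordMode -eq 1 -or $report.AdBackupRequired)) {
    Write-Warning 'FIPS mode is on but policy requires a recovery password or its AD DS backup; switch the policy to recovery keys or disable FIPS.'
}

# Recovery passwords live in AD as msFVE-RecoveryInformation child objects of the computer;
# each object's CN ends with the protector GUID in braces, i.e. the local KeyProtectorId.
$computer = Get-ADComputer $env:COMPUTERNAME -Properties 'msTPM-OwnerInformation'
$inAd = @(Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
            -SearchBase $computer.DistinguishedName -Properties whenCreated)
$report.TpmOwnerInfoInAd    = [bool]$computer.'msTPM-OwnerInformation'
$report.RecoveryObjectsInAd = $inAd.Count

# Every recovery password on the local OS volume should have a matching AD object.
$local = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
         Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
foreach ($p in $local) {
    if (-not ($inAd | Where-Object { $_.Name -like "*$($p.KeyProtectorId)" })) {
        Write-Warning "Recovery password $($p.KeyProtectorId) is not backed up in AD DS."
    }
}
[pscustomobject]$report
```

Reading msFVE-RecoveryInformation objects requires rights that are normally delegated only to domain administrators or a BitLocker recovery group, so run the script under such an account.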

 
Others
 
- Managing Windows Server 2012 Storage and File Systems : TPM and BitLocker Drive Encryption (part 7) - Using Network Unlock
- Managing Windows Server 2012 Storage and File Systems : TPM and BitLocker Drive Encryption (part 6) - Setting permitted encryption types
- Managing Windows Server 2012 Storage and File Systems : TPM and BitLocker Drive Encryption (part 5) - Hardware encrypted drives, Optimizing encryption
- Managing Windows Server 2012 Storage and File Systems : TPM and BitLocker Drive Encryption (part 4) - Introducing BitLocker Drive Encryption
- Managing Windows Server 2012 Storage and File Systems : TPM and BitLocker Drive Encryption (part 3) - Clearing the TPM, Changing the TPM owner password
- Managing Windows Server 2012 Storage and File Systems : TPM and BitLocker Drive Encryption (part 2) - Preparing and initializing a TPM for first use
- Managing Windows Server 2012 Storage and File Systems : TPM and BitLocker Drive Encryption (part 1) - Understanding TPM states and tools
- Dynamics AX 2009 Monitoring Tools (part 3) - Code Profiler Tool
- Dynamics AX 2009 Monitoring Tools (part 2) - Monitoring Database Activity
- Dynamics AX 2009 Monitoring Tools (part 1) - Tracing Options and Other Tracing Activities
 
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
Technology FAQ
- Is possible to just to use a wireless router to extend wireless access to wireless access points?
- Ruby - Insert Struct to MySql
- how to find my Symantec pcAnywhere serial number
- About direct X / Open GL issue
- How to determine eclipse version?
- What SAN cert Exchange 2010 for UM, OA?
- How do I populate a SQL Express table from Excel file?
- code for express check out with Paypal.
- Problem with Templated User Control
- ShellExecute SW_HIDE
programming4us programming4us