Saturday, September 27, 2008

Configure BitLocker (Part 2) - Best Practice

In this part we’ll take a look at BitLocker from an Active Directory point of view: how to configure BitLocker and the TPM using Group Policies, and how to perform key recovery.

Disclaimer

I think it is safe to say, that BitLocker in an Active Directory based environment will probably be the most used scenario. By using BitLocker in an Active Directory based environment, you get all the security benefits from BitLocker combined with all the security, availability and scalability that comes with Active Directory.

But, before we get started, you should be aware of a few disclaimers:

  1. Microsoft hasn’t released its BitLocker Deployment Kit yet, so unfortunately we’re unable to provide you with the official links or copies of the scripts used in this article.
  2. We also haven’t seen the official BitLocker deployment material that will soon be released, but the scripts we are using are provided by Microsoft. Please note, however, that the names and the number of scripts covered in this article may change when the BitLocker Deployment Kit is released.
  3. As soon as Microsoft releases the scripts and white paper we mention in this article, the article will be updated with the respective links so that it matches the released filenames. We will let you know through our blogs when the article is updated, so stay tuned!

Prerequisites

Before we get started, let us look at some prerequisites that should be satisfied, enabling you to control BitLocker from Active Directory.

  • You will need to extend the schema in Active Directory
  • If you want to control TPM recovery information from Active Directory, then you need to change the permission on the Computer class object in Active Directory
  • BitLocker Active Directory schema extensions are only supported on domain controllers running Windows Server 2003 with SP1 or newer, Windows Server 2003 R2 and Windows Server “Longhorn”
  • BitLocker is only supported to run on Windows Vista Enterprise, Windows Vista Ultimate, and Windows “Longhorn” Server

Note: While I’m writing this article, Service Pack 2 for Windows Server 2003 has hit RTM. SP2 does not include the BitLocker schema updates, so you still have to run the BitLocker schema extension script explained in this article after you have installed SP2 on your Windows Server 2003 based setup.

Scripts that are needed

It’s time to get started, so let us look at the files required to get BitLocker integrated with a Windows Server 2003 based Active Directory. The following files are needed to make your Windows Server 2003 based Active Directory ready to support BitLocker:

  • BitLockerTPMSchemaExtension.ldf
  • Add-TPMSelfWriteACE.vbs

Use the files below to help verify your BitLocker configuration in Active Directory. We’ll use one of them in our example later on in this article.

  • List-ACEs.vbs
  • Get-BitLockerRecoveryInfo.vbs
  • Get-TPMOwnerInfo.vbs

Extend the schema in Active Directory

After you have verified the prerequisites and verified the scripts, you’re ready to extend your Active Directory so that you can store your BitLocker and TPM recovery information in Active Directory.

The way it works, is that the BitLocker recovery information is stored in a sub-object of the Computer object in Active Directory, which means that the Computer object serves as the container for one or more BitLocker recovery objects associated with a particular Computer object. The reason why I say one or more BitLocker recovery objects is because it is possible to have more than one recovery password associated with a BitLocker-enabled computer, for example if you have encrypted more than one volume on the same computer.

The name of the BitLocker recovery object has a fixed length of 63 characters that consists of the following information:

This can be important to know, if you have more than one recovery key associated with a specific computer, and decide to remove some of the recovery keys for security purposes.

But it doesn’t end here. There’s more information stored with the Computer object. If you’re the lucky owner of a computer with a TPM (Trusted Platform Module) chip version 1.2, then you’re also able to store the TPM recovery information in Active Directory. Please note, however, that only one TPM owner password can be assigned per computer. When the TPM is initialized, or when you change the TPM password, the owner information is stored as an attribute of the same Computer object used by BitLocker.

Let us start by extending the schema with BitLocker and TPM objects and attributes.

  1. Make sure that you’re logged on to a domain controller as a user that’s a member of the “Schema Admins” group in Active Directory. (Normally the built-in Administrator account is a member of this group by default.)
  2. Make sure that you can connect to the domain controller in your Active Directory that holds the Schema Master FSMO role.
  3. For this article, I’m using an Active Directory domain called domain.local. With that info on hand, I run the following command (see figure 1):

    ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "dc=domain,dc=local" -k -j .

    The use of the -k parameter suppresses the error message "Object Already Exists" if the portions of the schema already exist.

    The -j . parameter (yes, the dot is part of the parameter) writes an extended log file to the current working directory; in our case the log ends up as C:\LDIF.LOG


Figure 1

  4. Make sure that all the schema extensions were applied by checking the LDIF log file before you continue.
  5. The next thing we need to do is set the permissions on the BitLocker and TPM recovery information schema objects. This step adds an Access Control Entry (ACE) that allows a computer to write its own TPM owner information, making it possible to back up TPM recovery information to Active Directory. Run the following command (see figure 2):

    cscript Add-TPMSelfWriteACE.vbs


Figure 2

And that’s it. You have now extended the schema in Active Directory and prepared it for BitLocker and TPM support.

You’re now ready to modify the necessary Group Policy settings for both BitLocker and the TPM chip (if your computer supports this feature).

Note: For more information on configuring Windows Vista Group Policy Objects (GPO) on the domain please see the following article series from windowsecurity.com:

  1. From Vista, log on with a domain account that has the rights to modify Group Policies
  2. At the Vista Start | Search prompt, type GPMC.MSC and press Enter
  3. There are several Group Policy settings you can configure, as displayed in figure 3, but the one setting you definitely want to configure is the setting that enables backup of BitLocker recovery information to Active Directory:
    • Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
    • Double-click Turn on BitLocker backup to Active Directory Domain Services
    • Select the Enabled radio button


Figure 3

  4. If your client computers have a compliant TPM chip, then you also want to enable the Group Policy setting that allows your clients to back up TPM recovery information to Active Directory (see figure 4):
    • Navigate to Computer Configuration > Administrative Templates > System > Trusted Platform Module Services
    • Double-click Turn on TPM backup to Active Directory Domain Services
    • Select the Enabled radio button


Figure 4

Verifying key recovery in Active Directory

The last thing we’ll do is show you how to perform an encryption centrally and make sure that the BitLocker recovery password used by a Vista client computer is backed up to Active Directory. In our example we’ll use the BitLocker command line utility (manage-bde.wsf).

It should be noted that key recovery is still supported if you prefer the GUI when configuring BitLocker and the TPM chip. As long as the Vista machine is a member of a domain that satisfies the prerequisites mentioned earlier and the user doing the work is a domain administrator, the key backup happens silently in the background without any user intervention.

BitLocker encryption with TPM support

  1. From the Vista Start Menu, locate the Command Prompt shortcut. Right-click the icon and select Run as administrator
  2. Enter the following command:

    cscript manage-bde.wsf -on -recoverypassword C:
  3. Follow the instructions on the screen to start the encryption process (see figure 5)


Figure 5

  4. While the volume is being encrypted, we can check whether the BitLocker recovery password has been backed up by typing the following command:

    cscript Get-BitLockerRecoveryInfo.vbs

    Notice that the recovery password listed in figure 6 below matches the recovery password created in the previous step and listed in figure 5.


Figure 6
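The check that Get-BitLockerRecoveryInfo.vbs performs can also be done from PowerShell with plain ADSI, so it works without any extra module. The script below is an added example, not one of the Microsoft scripts listed above; it assumes a domain-joined machine and a caller allowed to read the recovery objects (a domain administrator, as in the procedure above), and it relies only on the names the BitLocker schema extension adds (msFVE-RecoveryInformation, msTPM-OwnerInformation).

```powershell
# Added example (not one of the Microsoft scripts the article lists): verify that a
# computer's BitLocker recovery objects and TPM owner information were backed up to AD.
# Assumption: run on a domain-joined machine by a user permitted to read the objects.
param([string]$ComputerName = $env:COMPUTERNAME)

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext

# 1. Locate the computer object and read the TPM attribute the schema extension adds.
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = [ADSI]"LDAP://$domainDn"
$search.Filter     = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
$search.PropertiesToLoad.AddRange(@("distinguishedName", "msTPM-OwnerInformation"))
$computer = $search.FindOne()
if ($null -eq $computer) { throw "No computer object named $ComputerName in $domainDn" }

$computerDn  = [string]$computer.Properties["distinguishedname"][0]
$tpmBackedUp = $computer.Properties.Contains("mstpm-ownerinformation")
"Computer                        : $computerDn"
"TPM owner information backed up : $tpmBackedUp"

# 2. Enumerate the msFVE-RecoveryInformation child objects: one per recovery password,
#    so a computer with several encrypted volumes has several of them.
$search.SearchRoot  = [ADSI]"LDAP://$computerDn"
$search.SearchScope = "OneLevel"
$search.Filter      = "(objectClass=msFVE-RecoveryInformation)"
$search.PropertiesToLoad.Clear()
$search.PropertiesToLoad.AddRange(@("msFVE-RecoveryGuid", "msFVE-VolumeGuid",
                                    "msFVE-RecoveryPassword", "whenCreated"))
$recoveryObjects = $search.FindAll()
"Recovery objects found          : $($recoveryObjects.Count)"

foreach ($obj in $recoveryObjects) {
    $p = $obj.Properties
    # Both GUIDs are stored as raw bytes; the recovery GUID is the password ID that the
    # BitLocker recovery screen shows, which is what the help desk matches on.
    $recoveryId = New-Object System.Guid -ArgumentList (,[byte[]]$p["msfve-recoveryguid"][0])
    $volumeId   = New-Object System.Guid -ArgumentList (,[byte[]]$p["msfve-volumeguid"][0])
    $password   = [string]$p["msfve-recoverypassword"][0]
    # Only confirm the 48-digit password is present; show its first group, not the rest.
    $masked = if ($password.Length -ge 6) { $password.Substring(0, 6) + "-******" } else { "(empty)" }
    "  Password ID {0}  volume {1}  created {2}  password {3}" -f `
        $recoveryId, $volumeId, $p["whencreated"][0], $masked
}
if ($recoveryObjects.Count -eq 0) {
    Write-Warning "No recovery password has been backed up for $ComputerName yet"
}
```

A computer that shows TPM owner information but zero recovery objects has had -tpm -takeownership run under the TPM backup policy, but no volume has been encrypted with a recovery password since the BitLocker backup policy took effect.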

Friday, September 26, 2008

Configure BitLocker (Part 1) - Best Practice

BitLocker is a full-volume encryption tool that supports custom protection and authentication methods. However, the user and support experience can be a mixed blessing, depending on which protection and authentication methods you choose. In this article we’ll walk you through a best-practice, step-by-step approach to installing and configuring BitLocker in Windows Vista and Windows 7.

BitLocker hardware and software requirements

With BitLocker you basically have two different ways to protect the crypto key (a.k.a. Volume Encryption Key).

  • A TPM chip
  • Using a clear key, which is simply a normal password protection method

The crypto key is used to encrypt a volume, but it is just as important that the crypto key itself is protected. If a malicious user deletes the crypto key, or it is accidentally deleted, then you had better have a good key recovery setup, assuming you want access to your data again (we’ll cover key recovery in more detail in Part 2). On the positive side, deleting the crypto key on purpose, in a controlled environment, is a great way to decommission and quickly recycle a computer without having to worry about what was previously installed on the encrypted volume.

Before you can install and use BitLocker, you should ensure that the following requirements are met:

  • A TPM (Trusted Platform Module) chip version 1.2 is available (only a requirement if you want to use BitLocker with a TPM chip)
  • The system BIOS is TCG (Trusted Computing Group) version 1.2 compliant (again, only a requirement if you want to use BitLocker with a TPM chip)
  • The system BIOS supports both reading and writing small files on a USB flash drive in the pre-operating system environment
  • The computer must have at least two volumes before BitLocker can be used:
    • The first volume is the System Volume
      This volume must be NTFS formatted and must be separate from the Operating System Volume. The System Volume must not be encrypted, since it contains the hardware-specific files needed to load Windows after pre-boot authentication.
    • The second volume is the Operating System (OS) Volume
      This volume must be NTFS formatted and contains the Vista operating system and its support files. All data on the OS Volume is protected by BitLocker.
  • It should be noted that BitLocker is only included and supported in Windows Vista Enterprise, Windows Vista Ultimate, and Windows “Longhorn” Server

Let us configure BitLocker by taking you through each of the requirements, spiced up with some useful tricks and hints along the way.


Prepare the system BIOS

A TPM chip is not required, but is highly recommended when using BitLocker. There are actually a couple of reasons for this:

  • Since Microsoft is one of the big supporters of the Trusted Computing Platform initiative, it has built a lot of Vista security features (including BitLocker) around this chip, which can also be configured from an Active Directory based infrastructure using Group Policies.
  • BitLocker is extremely weak when it comes to pre-boot authentication options compared to 3rd party hard disk encryption tools. The best and most secure method when using BitLocker is a TPM + PIN enabled configuration.

A TPM chip is basically a smart card that is permanently attached to the motherboard of the computer. The TPM chip is capable of performing cryptographic functions: it can create, store and manage keys, perform digital signature operations and, best of all, protect itself against attacks.

Hopefully by now you’re convinced that using BitLocker together with a TPM chip is a good thing. But before you can take advantage of your TPM chip in Vista, you need to make sure that it is TCG version 1.2 compliant. Most of the newer TPM chips can be firmware upgraded so that they’re compatible with Vista; however, this also means that your BIOS needs an upgrade. If you’re not sure whether your computer fulfils the TPM requirements, visit your computer manufacturer’s website for more information.

On most systems, all you need to do is enter the BIOS setup and enable the TPM chip (usually identified in the BIOS as a “Security Chip”). Once you have done that, you’re ready to move on to the next section.

Prepare the hard disk

If you have purchased a computer recently that is Vista Ready and/or has Vista pre-installed, then you’ll notice that the hard drive has at least two different volumes. Basically what it means is that the volumes on the computer have been prepared to support BitLocker, and you can simply move on to the next section.

If you don’t have the volumes prepared from your hardware vendor or simply want to re-install Vista and also prepare it for BitLocker, then you need to prepare the volumes required by BitLocker, mentioned earlier. This should be done during the Vista installation process.

This can be easily done using Windows PE 2.0 which is included with your Vista DVD and a small simple script which we have included in this article. This process is actually easier than you think. Here’s what you need to do:

Copy the following script to a USB key:

bde-part.txt (used to partition the hard disk):

select disk 0
clean
create partition primary size=1500
assign letter=S
active
format fs=ntfs quick
create partition primary
assign letter=C
format fs=ntfs quick
list volume
exit

Important: The “clean” command in the bde-part.txt script will wipe all existing partitions on disk 0 (your primary drive), including any repair/installation partitions that may have been preconfigured by your computer manufacturer, so use this command with care or omit it from the script. Instead of the clean command, you can use diskpart’s select volume=<drive letter> followed by delete volume if you want more granular control over which volumes you delete.

Once you have copied the script to a USB key, it is time to make use of it.

  1. Insert the USB key and start the computer from the Windows Vista product DVD
  2. In the initial Install Windows screen, choose your Installation language, Time and currency format, and Keyboard layout, and then click Next
  3. In the next Install Windows screen, click System Recovery Options, located in the lower left corner of the screen
  4. In the System Recovery Options dialog box, choose your keyboard layout, and then click Next
  5. In the next System Recovery Options dialog box, make sure no operating system is selected. To do this, click in the empty area of the Operating System list, below any listed entries. Then click Next
  6. In the next System Recovery Options dialog box, click Command Prompt (see figure 1)


Figure 1

  7. Identify the drive letter assigned to your USB key by entering the following commands one by one:

    diskpart
    list volume
    exit

    Make a note of the drive letter assigned to the USB key.
  8. Prepare the volumes by entering the following command:

    diskpart /s <drive letter>:\bde-part.txt

    where <drive letter> should be replaced with the drive letter allocated to your USB key.

Once you have completed the above steps, exit the command prompt window, return to the installation program and complete the Vista installation.

Prepare the TPM chip

Before we can use the TPM chip, we need to prepare it. This means that we need to ensure the following:

  • Ensure that the correct TPM driver is installed in Vista
  • Initialize the TPM chip
  • Take ownership of the TPM chip

Note: If you don’t want to use a TPM chip with BitLocker, then you can skip this section and move on to the next section.

There are several reasons why Microsoft depends on a TPM chip that is version 1.2 TCG compliant, but two of the primary reasons, besides added security features, are compatibility and stability. Microsoft delivers this through a generic TPM Vista driver. The rule of thumb is that you should only use Microsoft’s TPM driver if you want to use BitLocker with a TPM chip.

Verify that you are using the right driver for your TPM chip (assuming your computer supports it) by opening Device Manager. In the category called Security Devices, you should see Microsoft’s TPM driver, called “Trusted Platform Module 1.2”. If you want to verify the driver version, simply right-click the Trusted Platform Module 1.2 device, select Properties and then click the Driver tab, as illustrated in Figure 2.


Figure 2

If for some reason or another you’re using a different TPM driver, then you can upgrade the driver to the before-mentioned Microsoft TPM driver, which you’ll find on the Vista DVD.

Once you have verified that the right TPM driver is loaded, it’s time to initialize the TPM chip. This can be done in two different ways: either by using the TPM MMC (simply type tpm.msc) or from the command line. In this article we’ll show you how this is done from the command line using the command line utility manage-bde.wsf, which is a WMI based script.

  1. From the Vista Start Menu, locate the Command Prompt shortcut. Right-click the icon and select Run as administrator
  2. Enter the following command:

    cscript manage-bde.wsf -tpm -takeownership <password>

    where <password> should be replaced with your own choice of password

    Treat this password as your TPM master password.
  3. The TPM chip is now ready for use (see Figure 3).


Figure 3

Encrypt the volumes

Up until now, we have gone through all the preliminary steps that are needed before we can actually start encrypting volumes. Some of the steps explained so far may already have been prepared directly by the manufacturer of your computer, or may not be applicable if your computer doesn’t have a version 1.2 TPM compliant chip. Let’s move on and encrypt some data. This can be done in two different ways, either by using the BitLocker Control Panel GUI or from the command line. In this article we’ll show you how this is done from the command line, for various reasons:

  1. The BitLocker Control Panel GUI is only supported on machines with a compliant TPM chip. This means that if you want to take advantage of BitLocker without using a TPM chip, then your only option is the BitLocker command line utility (manage-bde.wsf)
  2. Another reason is that, officially, BitLocker in Vista only supports encryption of the OS Volume (which is normally the C: drive). However, with the command line utility you have the option to encrypt data volumes as well, a feature that is only officially supported in Longhorn Server
  3. The command line utility can be used to centrally encrypt client computers in an Active Directory environment, which we’ll take a closer look at in Part 2 of this article series.

How the volumes can be encrypted

  • From the Vista Start Menu, locate the Command Prompt shortcut. Right-click the icon and select Run as administrator
  • Enter the following command: cscript manage-bde.wsf -on /?
  • This will show you the different pre-boot authentication and key recovery options you have with BitLocker. In this article we’ll show you how to encrypt a volume with TPM support, a volume without TPM support and finally a volume other than the C: drive

BitLocker encryption with TPM support

  1. From the Vista Start Menu, locate the Command Prompt shortcut. Right-click the icon and select Run as administrator
  2. Enter the following command:

    cscript manage-bde.wsf -on -recoverypassword C:


Figure 4

  3. Follow the instructions on the screen to start the encryption process (see figure 4)

BitLocker encryption without TPM support:

  1. From the Vista Start Menu, locate the Command Prompt shortcut. Right-click the icon and select Run as administrator
  2. Enter the following command:

    cscript manage-bde.wsf -on -startupkey <USB drive>: -recoverypassword -recoverykey <recovery drive>:

    <USB drive> is the drive letter assigned to the USB key that is used instead of the TPM chip. Remember to include the colon with the drive letter

    <recovery drive> can be either a hard drive, a USB key or a network drive. Again, remember to include the colon with the drive letter

BitLocker encryption of data volumes

The procedure is the same as in the two previous examples. Just replace the drive letter with the drive you want to encrypt. The feature does, however, come with a couple of caveats if you’re not careful.

  • The first one is that this will only work if you have encrypted the OS Volume with the manage-bde command line utility as well
  • The second caveat is that after the data volume is encrypted, you will not be able to access the data after you reboot the computer unless you automatically unlock the data volume. Here’s how you can avoid this problem:
    1. We’ll assume you have encrypted the Data Volume using one of our examples in this article or your own preferences
    2. Before you restart the computer, enter the following command:

      cscript manage-bde.wsf -autounlock -enable <data drive>:

      <data drive> is the drive letter assigned to the Data Volume. Remember to include the colon with the data drive letter

The above command generates an external key protector on the data volume and stores the crypto key on the OS Volume (normally the C: drive) which we encrypted earlier. That way the crypto key for the data volume is protected by the crypto key for the OS Volume, yet still loaded automatically during the boot phase.
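To confirm the state this part sets up (TPM enabled, activated and owned; a recovery password on each encrypted volume; an external key on data volumes so they auto-unlock), the added PowerShell script below queries the same WMI classes that the WMI based manage-bde.wsf is built on. It is not part of the article or of manage-bde.wsf; it assumes Vista or later with the Microsoft TPM driver and an elevated prompt, and the protector type codes are the ones documented for Win32_EncryptableVolume.GetKeyProtectorType.

```powershell
# Added example (not from the article or manage-bde.wsf): report TPM readiness and the
# key protectors on every BitLocker-capable volume, flagging the caveats from this part.
# Assumption: Vista or later, Microsoft TPM driver, run from an elevated prompt.

$tpm = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftTpm" -Class Win32_Tpm
if ($null -eq $tpm) {
    "No TPM exposed to Windows: only the startup-key (USB) configuration is possible."
} else {
    # SpecVersion must be 1.2 for Vista BitLocker; IsOwned is false until
    # 'manage-bde.wsf -tpm -takeownership' (or tpm.msc) has been run.
    "TPM spec version : $($tpm.SpecVersion)"
    "TPM enabled      : $($tpm.IsEnabled().IsEnabled)"
    "TPM activated    : $($tpm.IsActivated().IsActivated)"
    "TPM owned        : $($tpm.IsOwned().IsOwned)"
}

# Key protector type codes returned by Win32_EncryptableVolume.GetKeyProtectorType
$protectorNames = @{
    0 = "Unknown"
    1 = "TPM"
    2 = "External key (startup key / auto-unlock key)"
    3 = "Numerical (recovery) password"
    4 = "TPM + PIN"
    5 = "TPM + startup key"
    6 = "TPM + PIN + startup key"
    7 = "Public key"
    8 = "Passphrase"
}
$protectionNames = @{ 0 = "Unprotected"; 1 = "Protected"; 2 = "Unknown" }

$volumes = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" `
                         -Class Win32_EncryptableVolume
foreach ($vol in $volumes) {
    $statusCode = [int]$vol.GetProtectionStatus().ProtectionStatus
    $conversion = $vol.GetConversionStatus()
    "Volume $($vol.DriveLetter)  protection: $($protectionNames[$statusCode])  " +
        "encrypted: $($conversion.EncryptionPercentage)%"

    # GetKeyProtectors(0) returns the IDs of all key protectors on the volume
    $ids   = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
    $types = @(foreach ($id in $ids) { [int]$vol.GetKeyProtectorType($id).KeyProtectorType })
    foreach ($t in $types) { "    protector: $($protectorNames[$t])" }

    # Caveat 1: without a numerical password there is nothing for AD key recovery.
    if ($ids.Count -gt 0 -and $types -notcontains 3) {
        Write-Warning "$($vol.DriveLetter) has no recovery password, so nothing can be backed up to AD"
    }
    # Caveat 2: an encrypted data volume needs an external key (-autounlock -enable)
    # or it stays locked after the next reboot.
    $isOsVolume = ($vol.DriveLetter -eq $env:SystemDrive)
    if (-not $isOsVolume -and $ids.Count -gt 0 -and $types -notcontains 2) {
        Write-Warning "$($vol.DriveLetter) is a data volume without an external key and will not auto-unlock after reboot"
    }
}
```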