CHAPTER 11
BitLocker and Mobility Options

Portable computers bring unique challenges to IT departments that do not arise with more traditional desktop computer deployments. One of these challenges is ensuring that a person using a portable computer is able to use the computer for a maximum amount of time when she is not able to connect to a power outlet. Another challenge is ensuring that a user is able to access important files even when she is unable to connect to the network. A third challenge is ensuring that no one outside the organization is able to recover confidential data on a misplaced or stolen portable computer.

In this chapter, you learn about several technologies that assist you in addressing these challenges. BitLocker and BitLocker To Go provide full volume data encryption that protects data if the computer or storage device hosting it is stolen or lost. The Offline Files feature enables you to access data hosted on shared folders when a computer cannot connect to the shared folder host server’s network. Windows 7 power plans allow you to balance system performance with battery life, allowing you to increase performance when energy consumption is less important and to switch over to preserving battery charge when you need to use a portable computer away from a power supply for an extended amount of time.

Exam objectives in this chapter:
• Configure BitLocker and BitLocker To Go.
• Configure mobility options.

Lessons in this chapter:
• Lesson 1: Managing BitLocker 555
• Lesson 2: Windows 7 Mobility 574

Before You Begin

To complete the exercises in the practices in this chapter, you need to have done the following:
• Installed the Windows 7 operating system on a stand-alone client PC named Canberra, as described in Chapter 1, “Install, Migrate, or Upgrade to Windows 7.”
• Make sure you have access to a small removable USB storage device. This device should not host any data.
• Note that a Trusted Platform Module (TPM) chip is not required for the practice exercise at the end of this lesson.

REAL WORLD
Orin Thomas

Once, when I was working on a Self-Paced Training Kit, I received a chapter back from editing a few minutes before I was about to board a plane. Unfortunately, the plane I was about to board was going to take me from Melbourne, Australia, to Copenhagen, Denmark, with a stopoff for two hours in Bangkok, Thailand. This is one of those journeys that is within spitting distance of going literally halfway around the world. As I find it almost impossible to sleep on airplanes, I knew that I’d be unable to work after more than 24 hours in transit. Dealing with it now was better than dealing with it in a jet-lagged state on the other side of the world. Besides, I had never been to Copenhagen, and I didn’t want to spend my first day there after I’d recovered from jet lag tapping away on my laptop in my hotel room.

Given that you can buy a small car for the price of a first-class ticket from Melbourne to Copenhagen, I was in economy class without any way to power my laptop computer. Going through a chapter after editing can take some time, more time than usually afforded by my laptop computer’s battery. My laptop wasn’t a “newfangled, lasts for 8 hours on one battery” laptop, but one that would do three hours on a good day if I didn’t push it hard. Unfortunately, I needed more than three hours to finish what I needed to do.

This is where creating a custom power plan came in. I turned everything down. The screen gave off almost no light, the processor was restricted to a few percent of its maximum speed, and every non-critical device was switched off. The computer was sluggish, but it provided me with enough power that I was able to use it through the entire flight from Melbourne to Bangkok. This gave me enough time to complete my work on the chapter.

When I arrived at Bangkok, I still had enough power to connect the laptop to the Internet through my mobile phone and send the revised chapter back to my editor. When I got to Copenhagen, I could concentrate fully on taking in a city I had never visited before. One day, when I get a new laptop that has a bit more battery life, I reckon I could configure a power plan that might get me all the way through a flight from Melbourne to Copenhagen. Until then, Melbourne to Bangkok will have to do!

Lesson 1: Managing BitLocker

Several studies have found that the staff at a medium-sized business loses an average of two laptop computers each year. These studies have determined that the cost of a lost laptop computer to an organization can exceed 20 times the value of the laptop computer itself, adding up to tens of thousands of dollars. The biggest cost involved with a lost laptop computer is determining what data was stored on the computer and the impact of that data finding its way into the hands of a competing organization. Often, it can be difficult to ascertain exactly what data may have been stored on a misplaced computer. When you assume a worst-case scenario, that cost can rise very high.

Universal serial bus (USB) flash devices present a similar problem. People often use them to transfer important data from home to the workplace. Because these devices are small, they are easy to misplace. When one of these devices is lost, there is a chance, however small, that some sensitive data may find its way into the hands of a competing organization.

Research that has measured the cost of lost equipment has also found that the cost to an organization of losing a laptop computer was significantly lower for organizations that could be sure that a full disk encryption solution such as BitLocker protected all data on their portable computers.
This was because in these cases, organizations could be sure that a competing organization was unable to recover any important data that might be stored on a misplaced computer or device. This significantly reduced the cost to the organization of the loss because it did not have to determine what might be stored on the lost equipment: that data was effectively irretrievable.

In this lesson, you learn how to configure the BitLocker and BitLocker To Go features in Windows 7 so that if someone in your organization loses a laptop computer or USB flash device, you can be certain that the person who finds it is unable to recover any data stored on the device.

After this lesson, you will be able to:
• Configure BitLocker and BitLocker To Go policies.
• Manage Trusted Platform Module PINs.
• Configure Startup Key storage.
• Configure Data Recovery Agent support.

Estimated lesson time: 40 minutes

BitLocker

BitLocker is a full volume encryption and system protection feature that is available on computers running the Enterprise and Ultimate editions of Windows 7. The function of BitLocker is to protect computers running Windows 7 from offline attacks. Offline attacks include booting using an alternative operating system in an attempt to recover data stored on the hard disk and removing the computer’s hard disk and connecting it to another computer in an attempt to access the data it contains.

BitLocker provides full encryption of a computer’s volumes. Without the BitLocker encryption key, the data stored on the volume is inaccessible. BitLocker stores the encryption key for the volume in a separate safe location, and it releases this key, making the data on the volume accessible, only after it is able to verify the integrity of the boot environment.

BitLocker provides the following benefits:
• It prevents an attacker from recovering data from a stolen computer unless that person also steals the passwords that provide access to the computer. Without the appropriate authentication, the hard disk remains encrypted and inaccessible.
• It simplifies the process of hard disk drive disposal. Rather than having to wipe a computer’s hard disk, you can be sure that without the accompanying BitLocker key, any data on the disposed hard disk is irrecoverable. Many organizations have suffered security breaches because people have been able to recover data on hard disk drives after the hard disk has theoretically been disposed of.
• It protects the integrity of the boot environment against unauthorized modification by checking the boot environment each time you turn on the computer. If BitLocker detects any modifications to the boot environment, it forces the computer into BitLocker recovery mode.

Although BitLocker does provide some forms of protection, BitLocker does not protect data hosted on the computer once the computer is fully active. If there are multiple users of a computer and BitLocker is enabled, BitLocker cannot stop them from reading each other’s files if file and folder permissions are not properly set. BitLocker encrypts the hard disk, but that encryption does not protect data from attack locally or over the network once the computer is operating normally. To protect data from access on a powered-up computer, configure NTFS permissions and use Encrypting File System (EFS). You learned about these technologies in Chapter 8, “BranchCache and Resource Sharing.”

MORE INFO: BitLocker executive overview
For a more detailed summary of the functionality of BitLocker in Windows 7, consult the following executive overview document hosted on Microsoft TechNet: http://technet.microsoft.com/en-us/library/dd548341(WS.10).aspx.

BitLocker Modes

You can configure BitLocker to function in a particular mode.
The mode that you choose depends on whether you have a Trusted Platform Module (TPM) on your computer and the level of security that you want to enforce. The modes involve selecting a combination of TPM, personal identification number (PIN), and startup key. A startup key is a special cryptographically generated file that is stored on a separate USB device. The available BitLocker modes are as follows:
• TPM-only mode. In TPM-only mode, the user is unaware that BitLocker is functioning and does not have to provide any passwords, PINs, or startup keys to start the computer. The user becomes aware of BitLocker only if there is a modification to the boot environment, or if she removes her hard disk drive and tries to use it on another computer. TPM-only mode is the least secure implementation of BitLocker because it does not require additional authentication.
• TPM with startup key. This mode requires that a USB device hosting a preconfigured startup key be available to the computer before the computer can boot into Microsoft Windows. If the device hosting the startup key is not available at boot time, the computer enters recovery mode. This mode also provides boot environment protection through the TPM.
• TPM with PIN. When you configure this mode, the user must enter a PIN before the computer boots. You can configure Group Policy so that it is possible to enter a password containing numbers, letters, and symbols rather than a simple PIN. If you do not enter the correct PIN or password at boot time, the computer enters recovery mode. This mode also provides boot environment protection through the TPM.
• TPM with PIN and startup key. This is the most secure option. You can configure this option through Group Policy. When you enable this option, a user must enter a startup PIN and have the device hosting the startup key connected before the computer will boot into Windows. This option is appropriate for high-security environments. This mode also provides boot environment protection through the TPM.
• BitLocker without a TPM. This mode provides hard disk encryption but does not provide boot environment protection. This mode is used on computers without TPM chips. You can configure BitLocker to work on a computer that does not have a TPM chip by configuring the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require Additional Authentication At Startup policy. This policy is shown in Figure 11-1. When you configure BitLocker to work without a TPM chip, you need to boot with a startup key on a USB storage device.

Managing the TPM Chip

Most implementations of BitLocker store the encryption key in a special chip on the computer’s hardware known as the TPM chip. The TPM Management console, shown in Figure 11-2, allows administrators to manage the TPM. Using this console, you can store TPM recovery information in Active Directory Domain Services (AD DS), clear the TPM, reset the TPM lockout, and enable or disable the TPM. You can access the TPM Management console from the BitLocker Drive Encryption control panel by clicking the TPM Administration icon.

FIGURE 11-1 Allow BitLocker without a TPM chip

FIGURE 11-2 TPM Management console

Configuring a BitLocker DRA

Data Recovery Agents (DRAs) are special user accounts that you can use to recover encrypted data. You can configure a DRA to recover BitLocker-protected drives if the recovery password or keys are lost. The advantage of a DRA is that you can use it organization-wide, meaning that you can recover all BitLocker-encrypted volumes using a single account rather than having to recover a specific volume’s recovery password or key.
The first step you must take in configuring BitLocker to support DRAs is to add the account of a DRA to the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption node, as shown in Figure 11-3. A DRA account is a user account enrolled with a special type of digital certificate. In organizational environments, this digital certificate is almost always issued by an AD DS certificate authority (CA).

FIGURE 11-3 Assigning the recovery key

After you have configured the DRA, it is also necessary to configure the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Provide The Unique Identifiers For Your Organization policy to support DRA recovery. BitLocker works with DRAs only when an identification field is present on a volume and the value matches that configured for the computer. Figure 11-4 shows this policy configured with the identification field set to ContosoBitLockerSelfHost. You also use this policy when denying write access to removable devices not protected by BitLocker. You will learn more about denying write access to removable devices later in this lesson.

After you have configured the DRA and the identifiers, you need to configure the following policies to allow specific volume types to utilize the DRA:
• Choose How BitLocker-Protected Operating System Drives Can Be Recovered
• Choose How BitLocker-Protected Fixed Drives Can Be Recovered
• Choose How BitLocker-Protected Removable Drives Can Be Recovered

FIGURE 11-4 Configure unique identifiers

Each of these policies is similar in that you configure it to allow the DRA. You can also configure a recovery password and a recovery key for each volume type, as shown in Figure 11-5. You can use any of the items you specify in these policies for recovery. These policies also allow you to force the backup of recovery passwords and keys to AD DS. It is even possible to block the implementation of BitLocker unless backup to AD DS is successful. You should not enable the option of backing up data to AD DS when clients running Windows 7 are not members of an AD DS domain.

In some cases, you may have already enabled BitLocker on a volume prior to preparing a DRA. You can update a volume to support a DRA by using the manage-bde -SetIdentifier command on the encrypted volume from an elevated command prompt. You can verify the identifier setting by using the manage-bde -status command and checking the Identification Field setting in the resulting output. To verify that the DRA is configured properly, issue the manage-bde -protectors -get command. This lists the certificate thumbprint assigned to the DRA. To recover data from a volume protected by a DRA, connect the volume to a working computer that has the DRA private key installed and use the manage-bde.exe -unlock <drive> -Certificate -ct <certificate thumbprint> command from an elevated command prompt. You will use some of these commands in the practice at the end of this lesson.

FIGURE 11-5 Recovery policies

MORE INFO: Configuring a BitLocker DRA
To learn more about configuring a BitLocker DRA, consult the following Microsoft TechNet article: http://technet.microsoft.com/en-us/library/dd875560(WS.10).aspx.

Enabling BitLocker

To enable BitLocker on a computer, open the BitLocker Drive Encryption control panel and then click Turn On BitLocker. A user must be a member of the local Administrators group to enable BitLocker on a computer running Windows 7. When you click Turn On BitLocker, a check is performed to see if your computer has the appropriate TPM hardware, or has the appropriate Group Policy if that hardware is not present, to support BitLocker.
If the TPM hardware is not present and Group Policy is not configured appropriately, an error message is displayed informing you that the computer does not support BitLocker and you are unable to implement BitLocker.

The next step in configuring BitLocker is to configure which authentication choice to use with BitLocker. You learned about the different BitLocker modes (TPM-only, TPM with startup key, TPM with PIN, and TPM with startup key and PIN) earlier in this lesson. If you are using BitLocker without a TPM, you only have the option of requiring a startup key, as shown in Figure 11-6. You can configure the option to require TPM with startup key and PIN only through Group Policy.

FIGURE 11-6 Configure BitLocker startup options

If you choose to require a startup key, Windows prompts you to designate the USB storage device that hosts the startup key. Windows then writes the startup key to the designated device. The next step in the BitLocker process involves storing the recovery key, as shown in Figure 11-7. The recovery key is different from the startup key or PIN. You should store the recovery key in a different location from the startup key. That way, if you lose your startup key, you have not also lost the recovery key.

FIGURE 11-7 Save the recovery key
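As an added example (not from the training kit), the following PowerShell script wraps the manage-bde checks described in the DRA section of this lesson into one readiness check: it confirms that a volume’s Identification Field matches the organization’s value and that a DRA certificate protector is present. It assumes manage-bde.exe is on the path, an elevated session, and the output labels noted in the comments.

```powershell
# Added example (not from the training kit): audit a BitLocker volume for DRA recovery.
# Checks the two things the lesson says a DRA depends on: the volume's Identification
# Field (manage-bde -status) and a certificate protector for the DRA (manage-bde
# -protectors -get). Run from an elevated PowerShell session on the client.
# Assumption: manage-bde prints "Identification Field: <value>", labels the DRA
# protector "Data Recovery Agent" and prints the certificate thumbprint as 40 hex
# characters; adjust the patterns if your build's output differs.

function Test-BitLockerDraReadiness {
    param(
        [Parameter(Mandatory)] [string] $Drive,                     # for example 'C:'
        [string] $ExpectedIdentifier = 'ContosoBitLockerSelfHost',  # value used in Figure 11-4
        [string] $ExpectedDraThumbprint = ''                        # optional: DRA certificate thumbprint
    )
    if (-not (Get-Command manage-bde.exe -ErrorAction SilentlyContinue)) {
        throw 'manage-bde.exe not found; run from an elevated 64-bit PowerShell session.'
    }

    # Step 1: read the Identification Field that the Provide The Unique Identifiers
    # policy sets (or that manage-bde -SetIdentifier applied to an already-encrypted volume).
    $statusText = & manage-bde.exe -status $Drive 2>&1 | Out-String
    $identifier = ''
    if ($statusText -match 'Identification Field:\s*(?<id>[^\r\n]*)') {
        $identifier = $Matches['id'].Trim()
    }

    # Step 2: list the key protectors and look for the DRA certificate and its thumbprint.
    $protectorText = & manage-bde.exe -protectors -get $Drive 2>&1 | Out-String
    $draPresent  = [bool]($protectorText -match 'Data Recovery Agent')
    $thumbprints = @([regex]::Matches($protectorText, '\b[0-9A-Fa-f]{40}\b') |
        ForEach-Object { $_.Value.ToUpperInvariant() } | Select-Object -Unique)

    $idOk  = ($identifier -eq $ExpectedIdentifier)
    $draOk = $draPresent -and (
        [string]::IsNullOrEmpty($ExpectedDraThumbprint) -or
        ($thumbprints -contains $ExpectedDraThumbprint.ToUpperInvariant()))

    [pscustomobject]@{
        Drive               = $Drive
        IdentificationField = $identifier
        IdentifierMatches   = $idOk
        DraProtectorFound   = $draPresent
        DraThumbprints      = $thumbprints
        ReadyForDraRecovery = ($idOk -and $draOk)
    }
}

# Usage: audit the operating system drive and point at the lesson's fix when a check fails.
$report = Test-BitLockerDraReadiness -Drive 'C:'
$report | Format-List
if (-not $report.IdentifierMatches) {
    Write-Warning "Identification Field is '$($report.IdentificationField)'; run 'manage-bde -SetIdentifier $($report.Drive)' from an elevated prompt, then re-check."
}
if (-not $report.DraProtectorFound) {
    Write-Warning 'No DRA protector on the volume; confirm the Choose How ... Can Be Recovered policy for this drive type allows the DRA and that Group Policy has been applied.'
}
```

Recovery itself is done on the workstation that holds the DRA private key, with the manage-bde -unlock command quoted in the lesson; this script only reports whether the volume is recoverable that way.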