Windows 7 Resource Kit document - P15


BitLocker Drive Encryption (Chapter 16, page 653)

3. On the Choose How You Want To Unlock This Drive page, select one or more protection methods:

• Use A Password To Unlock This Drive. Users will be prompted to type a password before they can access the contents of the drive.

• Use My Smart Card To Unlock The Drive. Users will be prompted to insert a smart card before they can access the contents of the drive. You can use this option with removable drives; however, you will not be able to access the drive using Windows Vista or Windows XP because smart cards cannot be used with the BitLocker To Go Reader.

• Automatically Unlock This Drive On This Computer. Windows will automatically unlock non-removable data drives without prompting the user. Selecting this option requires that the system volume be protected by BitLocker. If you move the drive to a different computer, you will be prompted for credentials.

4. On the How Do You Want To Store Your Recovery Key page, choose the method to save the recovery key. Click Next.

5. On the Are You Ready To Encrypt This Drive page, click Start Encrypting.

How to Manage BitLocker Keys on a Local Computer

To manage keys on a local computer, follow these steps:

1. Open Control Panel and click System And Security. Under BitLocker Drive Encryption, click Manage BitLocker.

2. In the BitLocker Drive Encryption window, click Manage BitLocker. Using this tool, you can save the recovery key to a USB flash drive or a file, or you can print the recovery key.

How to Manage BitLocker from the Command Line

To manage BitLocker from an elevated command prompt or from a remote computer, use the Manage-bde.exe tool. The following example demonstrates how to view the status.

manage-bde -status
BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.
Disk volumes that can be protected with BitLocker Drive Encryption:
Volume C: [] [OS Volume]
    Size:                 74.37 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

Run the following command to enable BitLocker on the C drive, store the recovery key on the Y drive, and generate a random recovery password.

manage-bde -on C: -RecoveryKey Y: -RecoveryPassword
BitLocker Drive Encryption: Configuration Tool version 6.1.7100
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [] [OS Volume]
Key Protectors Added:
    Saved to directory Y:\
    External Key:
      ID: {7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC}
      External Key File Name: 7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC.BEK
    Numerical Password:
      ID: {75A76E33-740E-41C4-BD41-48BDB08FE755}
      Password: 460559-421212-096877-553201-389444-471801-362252-086284
    TPM:
      ID: {E6164F0E-8F85-4649-B6BD-77090D49DE0E}

ACTIONS REQUIRED:
1. Save this numerical recovery password in a secure location away from your computer:
   460559-421212-096877-553201-389444-471801-362252-086284
   To prevent data loss, save this password immediately. This password helps ensure that you can unlock the encrypted volume.
2. Insert a USB flash drive with an external key file into the computer.
3. Restart the computer to run a hardware test. (Type "shutdown /?" for command line instructions.)
4. Type "manage-bde -status" to check if the hardware test succeeded.
NOTE: Encryption will begin after the hardware test succeeds.

After you run the command, restart the computer with the recovery key connected to complete the hardware test.
After the computer restarts, BitLocker will begin encrypting the disk. Run the following command to disable BitLocker on the C drive.

manage-bde -off C:
BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Decryption is now in progress.

You can also use the Manage-bde.exe script to specify a startup key and a recovery key, which can allow a single key to be used on multiple computers. This is useful if a single user has multiple computers, such as a user with both a Tablet PC computer and a desktop computer. It can also be useful in lab environments, where several users might share several different computers. Note, however, that a single compromised startup key or recovery key will require all computers with the same key to be rekeyed. For detailed information about using Manage-bde.exe, run manage-bde.exe -? from a command prompt.

How to Recover Data Protected by BitLocker

When you use BitLocker, the encrypted volumes will be locked if the encryption key is not available, causing BitLocker to enter recovery mode. Likely causes for the encryption key's unavailability include:

• Modification of one of the boot files.
• The BIOS is modified and the TPM is disabled.
• The TPM is cleared.
• An attempt is made to boot without the TPM, PIN, or USB key being available.
• The BitLocker-encrypted disk is moved to a new computer.

After the drive is locked, you can boot only to recovery mode, as shown in Figure 16-19. In recovery mode, you enter the recovery password using the function keys on your keyboard (just as you do when entering the PIN), pressing F1 for the digit 1, F2 for the digit 2, and so forth, with F10 being the digit 0. You must use function keys because localized keyboard support is not yet available at this phase of startup.
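The status that manage-bde -status prints comes from the Win32_EncryptableVolume WMI provider, and the same provider can be queried directly to audit every volume on a computer. The PowerShell below is an added example, not code from the Resource Kit or from Microsoft. It lists each volume's protection and conversion status, cipher and key protectors (type and ID), and flags volumes whose protection is off, volumes that carry no numerical (recovery) password protector, and volumes whose cipher differs from the one mandated by the Choose Drive Encryption Method And Cipher Strength policy. That policy reaches the registry as a value under HKLM\Software\Policies\Microsoft\FVE; the value name EncryptionMethod and the numeric codes in the tables are my reading of the VolumeEncryption administrative template and should be verified against your copy. The policy governs only volumes encrypted after it applies, so the mismatch check is what finds volumes encrypted earlier with a weaker setting. Collected from every computer, the External Key IDs also show where one startup key has been shared between machines, which is what the rekeying note above is about.

```powershell
# Added example (not from the Windows 7 Resource Kit): audit BitLocker volumes through
# the Win32_EncryptableVolume WMI provider that manage-bde.exe itself uses.
# Assumptions: elevated PowerShell on Windows 7 / Server 2008 R2; the registry value name
# "EncryptionMethod" under HKLM\Software\Policies\Microsoft\FVE and the numeric codes below
# are taken from the VolumeEncryption ADMX and should be verified against your copy.

$bdeNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Numeric codes returned by the provider, mapped to the names manage-bde -status prints
$protectionStatus = @{ 0 = 'Protection Off'; 1 = 'Protection On'; 2 = 'Unknown' }
$conversionStatus = @{ 0 = 'Fully Decrypted'; 1 = 'Fully Encrypted'; 2 = 'Encryption In Progress';
                       3 = 'Decryption In Progress'; 4 = 'Encryption Paused'; 5 = 'Decryption Paused' }
$encryptionMethod = @{ 0 = 'None'; 1 = 'AES 128 with Diffuser'; 2 = 'AES 256 with Diffuser';
                       3 = 'AES 128'; 4 = 'AES 256' }
$protectorType    = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External Key'; 3 = 'Numerical Password';
                       4 = 'TPM And PIN'; 5 = 'TPM And Startup Key'; 6 = 'TPM And PIN And Startup Key';
                       7 = 'Public Key'; 8 = 'Passphrase' }

function Get-BitLockerVolumeReport {
    # Cipher mandated by Group Policy, if the FVE key is present (assumed value name)
    $policy = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $policyMethod = $null
    if ($policy -and $policy.PSObject.Properties['EncryptionMethod']) {
        $policyMethod = [int]$policy.EncryptionMethod
    }

    foreach ($vol in Get-WmiObject -Namespace $bdeNamespace -Class Win32_EncryptableVolume) {
        $method = [int]($vol.GetEncryptionMethod()).EncryptionMethod
        $ids    = @(($vol.GetKeyProtectors(0)).VolumeKeyProtectorID)   # 0 = every protector type
        $types  = @()
        $protectors = @()
        foreach ($id in $ids) {
            $t = [int]($vol.GetKeyProtectorType($id)).KeyProtectorType
            $types += $t
            # The same External Key ID seen on several computers means one shared startup key
            $protectors += ('{0} {1}' -f $protectorType[$t], $id)
        }

        $findings = @()
        if ([int]$vol.ProtectionStatus -ne 1) { $findings += 'protection is not on' }
        if ($policyMethod -and $method -ne 0 -and $method -ne $policyMethod) {
            # Policy affects only volumes encrypted after it was set; older volumes keep their cipher
            $findings += ('cipher {0} differs from policy {1}' -f $encryptionMethod[$method], $encryptionMethod[$policyMethod])
        }
        if ([int]$vol.ConversionStatus -ne 0 -and $types -notcontains 3) {
            $findings += 'no numerical (recovery) password protector'
        }

        New-Object PSObject -Property @{
            Drive      = $vol.DriveLetter
            Protection = $protectionStatus[[int]$vol.ProtectionStatus]
            Conversion = $conversionStatus[[int]$vol.ConversionStatus]
            Cipher     = $encryptionMethod[$method]
            Protectors = ($protectors -join '; ')
            Findings   = ($findings -join '; ')
        }
    }
}

Get-BitLockerVolumeReport | Format-List Drive, Protection, Conversion, Cipher, Protectors, Findings
```

The function returns objects rather than text so the same script can feed Export-Csv from a logon or scheduled task and be aggregated centrally; a non-empty Findings field is the line to alert on.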
FIGURE 16-19 Recovery mode prompts you for a 48-character recovery password.

If you have the recovery key on a USB flash drive, you can insert the recovery key and press Esc to restart the computer. The recovery key will be read automatically during startup.

If you cancel recovery, the Windows Boot Manager will provide instructions for using Startup Repair to fix a startup problem automatically. Do not follow these instructions because Startup Repair cannot access the encrypted volume. Instead, restart the computer and enter the recovery key.

MORE INFO Additionally, you can use the BitLocker Repair Tool, Repair-bde.exe, to help recover data from an encrypted volume. If a BitLocker failure prevents Windows 7 from starting, you can run repair-bde from the Windows Recovery Environment (Windows RE) command prompt. For more information about repair-bde, run repair-bde /? at a command prompt. For more information about troubleshooting startup problems, including using repair-bde, refer to Chapter 29.

How to Disable or Remove BitLocker Drive Encryption

Because BitLocker intercepts the boot process and looks for changes to any of the early boot files, it can cause problems in the following nonattack scenarios:

• Upgrading or replacing the motherboard or TPM
• Installing a new operating system that changes the MBR or the Boot Manager
• Moving a BitLocker-encrypted disk to another TPM-enabled computer
• Repartitioning the hard disk
• Updating the BIOS
• Installing a third-party update outside the operating system (such as hardware firmware updates)

To avoid entering BitLocker recovery mode, you can temporarily disable BitLocker, which allows you to change the TPM and upgrade the operating system. When you re-enable BitLocker, the same keys will be used.
You can also choose to decrypt the BitLocker-protected volume, which will completely remove BitLocker protection. You can only re-enable BitLocker by repeating the process to create new keys and re-encrypt the volume. To disable or decrypt BitLocker, follow these steps:

1. Log on to the computer as Administrator.
2. From Control Panel, open BitLocker Drive Encryption.
3. To temporarily disable BitLocker by using a clear key, click Suspend Protection and then click Yes. To disable BitLocker permanently, click Turn Off BitLocker and then click Decrypt Drive.

How to Decommission a BitLocker Drive Permanently

Compromises in confidentiality can occur when computers or hard disks are decommissioned. For example, a computer that reaches the end of its usefulness at an organization might be discarded, sold, or donated to charity. The person who receives the computer might extract confidential files from the computer's hard disk. Even if the disk has been formatted, data can often be extracted.

BitLocker reduces the risks of decommissioning drives. For example, if you use a startup key or startup PIN, the contents of the volume are inaccessible without this additional information or the drive's saved recovery information. You can decommission a drive more securely by removing all key blobs from the disk. By deleting the BitLocker keys from the volume, an attacker needs to crack the encryption—a task that is extremely unlikely to be accomplished within anyone's lifetime. As a cleanup task, you should also discard all saved recovery information, such as recovery information saved to AD DS.

To remove all key blobs on a secondary drive (data volume), you can format that drive from Windows or the Windows RE. Note that this format operation will not work on a drive that is currently in use. For example, you cannot use it to more securely decommission the drive used to run Windows.
To remove all key blobs on a running drive, you can create a script that performs the following tasks:

1. Calls the Win32_EncryptableVolume.GetKeyProtectors method to retrieve all key protectors (KeyProtectorType 0).
2. Creates a not-to-be-used recovery password blob (discarding the actual recovery password) by using Win32_EncryptableVolume.ProtectKeyWithNumericalPassword and a randomly generated password sequence. This is required because Win32_EncryptableVolume.DeleteKeyProtector will not remove all key protectors.
3. Uses Win32_EncryptableVolume.DeleteKeyProtector to remove all of the usable key protectors associated with the identifiers mentioned previously.
4. Clears the TPM by calling the Win32_TPM.Clear method.

For more information about developing a script or application to perform secure decommissioning on a BitLocker-encrypted drive, refer to the Win32_EncryptableVolume WMI provider class documentation at http://msdn.microsoft.com/en-us/library/aa376483.aspx and the Win32_TPM WMI provider class documentation at http://msdn.microsoft.com/en-us/library/aa376484.aspx.

How to Prepare AD DS for BitLocker

BitLocker is also integrated into AD DS. In fact, although you can use BitLocker without AD DS, enterprises really shouldn't—key recovery and data recovery agents are an extremely important part of using BitLocker. AD DS is a reliable and efficient way to store recovery keys so that you can restore encrypted data if a key is lost, and you must use Group Policy settings to configure data recovery agents. If your AD DS is at the Windows Server 2008 or later functional level, you do not need to prepare the AD DS for BitLocker. If your AD DS is at a functional level of Windows Server 2003 or earlier, however, you will need to update the schema to support BitLocker.
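The four-step decommissioning script described above, written in PowerShell against the Win32_EncryptableVolume and Win32_Tpm WMI providers. This is an added example, not code from the Resource Kit or from Microsoft. It assumes an elevated PowerShell session on Windows 7, a volume identified by drive letter, and that Win32_Tpm.Clear may additionally require physical-presence confirmation at the next boot depending on how the TPM is configured; the friendly name given to the placeholder protector is arbitrary. Saved recovery information (AD DS, printed or USB copies) still has to be discarded separately, as the section says. The function declares ConfirmImpact High, so PowerShell prompts before anything is changed, and the call at the end runs with -WhatIf as a dry run.

```powershell
# Added example (not from the Windows 7 Resource Kit): secure decommissioning of a
# running BitLocker volume, following the four steps in the text. After it runs, the
# volume is permanently unreadable: every usable key protector is gone and the TPM is cleared.
# Assumptions: elevated PowerShell on Windows 7; Win32_Tpm.Clear may need physical-presence
# confirmation at the next boot; the placeholder friendly name below is arbitrary.

function Invoke-BitLockerDecommission {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z]:$')]
        [string]$DriveLetter
    )

    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No BitLocker-capable volume found for $DriveLetter" }

    # ShouldProcess honours -WhatIf and, with ConfirmImpact High, prompts by default
    if (-not $PSCmdlet.ShouldProcess($DriveLetter, 'Delete all BitLocker key protectors and clear the TPM')) {
        return
    }

    # Step 1: enumerate every existing key protector (KeyProtectorType 0 = all types)
    $existing = @(($vol.GetKeyProtectors(0)).VolumeKeyProtectorID)
    Write-Verbose ('{0} key protector(s) found on {1}' -f $existing.Count, $DriveLetter)

    # Step 2: add a throw-away numerical password protector so the real ones can be deleted.
    # Passing $null for NumericalPassword makes the provider generate a random 48-digit
    # password; it is never read or stored, so it cannot unlock the volume later.
    $added = $vol.ProtectKeyWithNumericalPassword('decommission-placeholder', $null)
    if ($added.ReturnValue -ne 0) {
        throw ('ProtectKeyWithNumericalPassword failed: 0x{0:X8}' -f $added.ReturnValue)
    }

    # Step 3: remove every protector that could have unlocked the volume
    foreach ($id in $existing) {
        $r = $vol.DeleteKeyProtector($id)
        if ($r.ReturnValue -ne 0) {
            Write-Warning ('DeleteKeyProtector {0} failed: 0x{1:X8}' -f $id, $r.ReturnValue)
        } else {
            Write-Verbose ('Removed key protector {0}' -f $id)
        }
    }

    # Step 4: clear the TPM so nothing sealed to this platform can be released again.
    # OwnerAuth is omitted; the TPM may demand physical-presence confirmation at boot.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($tpm) {
        $r = $tpm.Clear($null)
        if ($r.ReturnValue -ne 0) {
            Write-Warning ('Win32_Tpm.Clear returned 0x{0:X8}; clear the TPM from the BIOS if it persists' -f $r.ReturnValue)
        }
    } else {
        Write-Warning 'No TPM found; only the on-disk key protectors were removed'
    }
}

# Dry run: remove -WhatIf to decommission for real (a confirmation prompt still follows)
Invoke-BitLockerDecommission -DriveLetter 'D:' -WhatIf -Verbose
```

Run it with -Verbose to get a per-protector log that can be attached to the decommissioning record; the warnings are deliberate rather than terminating errors so that a failing TPM clear does not leave the earlier steps unreported.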
For detailed instructions on how to configure AD DS to back up BitLocker and TPM recovery information, read "Configuring Active Directory to Back Up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information" at http://go.microsoft.com/fwlink/?LinkId=78953. For information about retrieving recovery passwords from AD DS, read "How to Use the BitLocker Recovery Password Viewer For Active Directory Users And Computers Tool to View Recovery Passwords for Windows Vista" at http://support.microsoft.com/?kbid=928202.

How to Configure a Data Recovery Agent

Earlier versions of Windows supported storing BitLocker recovery keys in AD DS. This works well, but each BitLocker-protected volume has a unique recovery key. In enterprises, this can consume a large amount of space in AD DS. By using a data recovery agent instead of storing recovery keys in AD DS, you can store a single certificate in AD DS and use it to recover any BitLocker-protected volume. To configure a data recovery agent, follow these steps:

1. Publish the future data recovery agent's certificate to AD DS. Alternatively, export the certificate to a .cer file and have it available.
2. Open a Group Policy object that targets the Windows 7 computers using the Group Policy Object Editor and then select Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
3. Right-click BitLocker Drive Encryption, click Add Data Recovery Agent to start the Add Recovery Agent Wizard, and then click Next.
4. On the Select Recovery Agents page, click Browse Directory (if the certificate is stored in AD DS) or Browse Folders (if you have saved the .cer file locally). Select a .cer file to use as a data recovery agent. After the file is selected, it will be imported and will appear in the Recovery Agents list in the wizard.
   You can specify multiple data recovery agents. After you specify all of the data recovery agents that you want to use, click Next.
5. The Completing The Add Recovery Agent page of the wizard displays a list of the data recovery agents that will be added to the Group Policy object. Click Finish to confirm the data recovery agents and close the wizard.

The next time Group Policy is applied to the targeted Windows 7 computers, the data recovery agent certificate will be applied to the drive. At that point, you will be able to recover a BitLocker-protected drive using the certificate configured as the data recovery agent. Because of this, you must carefully protect the data recovery agent certificate.

How to Manage BitLocker with Group Policy

BitLocker has several Group Policy settings located in Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption that you can use to manage the available features. Table 16-2 lists these policies, which are written to the registry on targeted computers under the following registry key:

HKLM\Software\Policies\Microsoft\FVE

TABLE 16-2 Group Policy Settings for BitLocker Drive Encryption

POLICY: Store BitLocker Recovery Information In Active Directory Domain Services (Windows Server 2008 And Windows Vista)
DESCRIPTION: Enabling this policy silently backs up BitLocker recovery information to AD DS. For computers running Windows 7 and Windows Server 2008 R2, enable the Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered, Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered, or Removable Data Drives\Choose How BitLocker-Protected Removable Drives Can Be Recovered policies.

POLICY: Choose Default Folder For Recovery Password
DESCRIPTION: Enabling this policy and configuring a default path for it sets the default folder to display when the user is saving recovery information for BitLocker. The user will have the ability to override the default.

POLICY: Choose How Users Can Recover BitLocker-Protected Drives (Windows Server 2008 And Windows Vista)
DESCRIPTION: Enabling this policy allows you to control which recovery mechanisms the user can choose. Disabling the recovery password will disable saving to a folder or printing the key because these actions require the 48-digit recovery password. Disabling the 256-bit recovery key will disable saving to a USB key. If you disable both options, you must enable AD DS backup or a policy error will occur. For computers running Windows 7 and Windows Server 2008 R2, enable the Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered, Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered, or Removable Data Drives\Choose How BitLocker-Protected Removable Drives Can Be Recovered policies.

POLICY: Choose Drive Encryption Method And Cipher Strength
DESCRIPTION: Enabling this policy allows configuration of the encryption method used by BitLocker Drive Encryption. The default if this key is not enabled is 128-bit AES with Diffuser. Other choices that can be configured are 256-bit AES with Diffuser, 128-bit AES, and 256-bit AES.

POLICY: Prevent Memory Overwrite On Restart
DESCRIPTION: Enabling this policy prevents Windows from overwriting memory on restarts. This potentially exposes BitLocker secrets but can improve restart performance.

POLICY: Provide The Unique Identifiers For Your Organization
DESCRIPTION: Enable this policy if you want to prevent users from mounting BitLocker-protected drives that might be from outside organizations.

POLICY: Validate Smart Card Certificate Usage Rule Compliance
DESCRIPTION: Enable this policy only if you want to restrict users to smart cards that have an object identifier (OID) that you specify.

POLICY: Operating System Drives\Require Additional Authentication At Startup or Operating System Drives\Require Additional Authentication At Startup (Windows Server 2008 And Windows Vista)
DESCRIPTION: Enabling this policy allows configuring additional startup options and allows enabling of BitLocker on a non-TPM-compatible computer. On TPM-compatible computers, a secondary authentication can be required at startup: either a USB key or a startup PIN, but not both.

POLICY: Allow Enhanced PINs For Startup
DESCRIPTION: Enhanced PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. By default, enhanced PINs are disabled.

POLICY: Operating System Drives\Configure Minimum PIN Length For Startup
DESCRIPTION: Enables you to require a minimum PIN length.

POLICY: Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered
DESCRIPTION: Enabling this policy allows you to control which recovery mechanisms the user can choose and whether recovery information is stored in the AD DS. Disabling the recovery password will disable saving to a folder or printing the key because these actions require the 48-digit recovery password. Disabling the 256-bit recovery key will disable saving to a USB key.

POLICY: Operating System Drives\Configure TPM Platform Validation Profile
DESCRIPTION: Enabling this policy allows detailed configuration of the PCR indices. Each index aligns with Windows features that run during startup.

POLICY: Fixed Data Drives\Configure Use Of Smart Cards On Fixed Data Drives
DESCRIPTION: Enables or requires smart cards for BitLocker to protect non-operating system volumes.

POLICY: Fixed Data Drives\Deny Write Access To Fixed Drives Not Protected By BitLocker
DESCRIPTION: Requires drives to be BitLocker-protected before users can save files.

POLICY: Fixed Data Drives\Allow Access To BitLocker-Protected Fixed Data Drives From Earlier Versions Of Windows
DESCRIPTION: Allows you to prevent the BitLocker To Go Reader from being copied to fixed data drives, preventing users of earlier versions of Windows (including Windows Server 2008, Windows Vista, and Windows XP SP2 or SP3) from entering a password to access the drive.

POLICY: Fixed Data Drives\Configure Use Of Passwords For Fixed Drives
DESCRIPTION: Requires passwords to access BitLocker-protected fixed drives and configures password complexity.

POLICY: Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered
DESCRIPTION: Enabling this policy allows you to control which recovery mechanisms the user can choose and whether recovery information is stored in the AD DS. Disabling the recovery password will disable saving to a folder or printing the key because these actions require the 48-digit recovery password. Disabling the 256-bit recovery key will disable saving to a USB key.

For information about BitLocker To Go policies (which are configured in the Removable Data Drives node), refer to the section titled "BitLocker To Go" earlier in this chapter.

The Costs of BitLocker

Most security features require a tradeoff. The benefit to any security feature is that it reduces risk and thus reduces the cost associated with a security compromise. Most security features also have a cost: purchase price, increased maintenance, or decreased user productivity. The benefit of using BitLocker is reduced risk of loss of data confidentiality in the event of a stolen hard disk. Like most security features, BitLocker has costs (aside from any software or hardware costs):

• If a PIN or external key is required, the startup experience is not transparent to the user.
  If the user loses his PIN or startup key, he will need to wait for a Support Center representative to read him the password so that he can start his computer.
• In the event of hard disk failure or data corruption, recovering data from the disk can be more difficult.

MORE INFO You should implement BitLocker in your organization only if the reduced security risks outweigh these costs. For more information about cost/benefit analysis, read the Security Risk Management Guide at http://technet.microsoft.com/en-us/library/cc163143.aspx.

Encrypting File System

BitLocker is not a replacement for the EFS introduced in Windows 2000, but it is a supplement to the EFS that ensures that the operating system itself is protected from attack. Best practices for protecting sensitive computers and data will combine the two features to provide a high level of assurance of the data integrity on the system.

EFS continues to be an important data-integrity tool in Windows 7. EFS allows the encryption of entire volumes or individual folders and files and can support multiple users using the same computer, each with protected data. Additionally, EFS allows multiple users to have secure access to sensitive data while protecting the data against unauthorized viewing or modification. EFS cannot be used to encrypt system files, however, and it should be combined with BitLocker to encrypt the system drive where sensitive data must be protected. EFS is susceptible to offline attack using the SYSKEY, but when you combine EFS with BitLocker to encrypt the system volume, this attack vector is protected.

EFS uses symmetric key encryption along with public key technology to protect files and folders. Each user of EFS is issued a digital certificate with a public and private key pair. EFS uses the keys to encrypt and decrypt the files transparently for the logged-on user. Authorized users work with encrypted files and folders just as they do with unencrypted files and folders. Unauthorized users receive an Access Denied message in response to any attempt to open, copy, move, or rename the encrypted file or folder.

Posted: 21/01/2014, 11:20
