
BitLocker/Active Directory Encryption Procedure

Department: Information Security Office

Version: 1.0

Last Revised: 09/26/2011

Purpose

To provide a step-by-step procedure for encrypting installed laptop hard drives using BitLocker in ASU's Active Directory environment.

Scope

Laptops running Windows 7, Server 2008, or newer, used to handle or store sensitive data at ASU.

System requirements:

• TPM 1.2-compliant chip
• TCG-compliant BIOS
• Windows 7 Enterprise or Ultimate, or Windows Server 2008 R2
• Joined to an ASU Active Directory domain

Note: Domain connection is required to store BitLocker recovery keys and TPM owner information, not for operation of an encrypted laptop. The laptop does not have to remain connected to the AD domain after the encryption procedure; however, it is recommended to keep the laptop connected until the process has completed.

Audience

Technical support staff responsible for end user equipment

Procedure

Preparation

1. Required: Verify that the laptop meets the requirements listed above.

2. Strongly recommended: Back up the laptop's hard drive.

3. Required: Update the laptop to the current BIOS firmware (typically available from the computer manufacturer's support/drivers download site).

4. Recommended: Have a USB drive or other removable media on hand.
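The following script is an added example for Preparation step 1; it is not part of the ASU procedure. It checks the requirements listed under Scope (TPM 1.2 chip that is enabled and activated, a supported Windows edition, domain membership) from an elevated PowerShell prompt using only WMI classes that ship with Windows 7 and Server 2008 R2. The BIOS version is reported for the firmware-update step, but TCG compliance cannot be read from Windows and remains a manual check. The function and result-object names are my own.

```powershell
# Added example (not part of the ASU procedure): pre-flight check for the
# requirements listed under "Scope" and Preparation step 1.
# Run from an elevated PowerShell prompt on the laptop. Only WMI classes that
# ship with Windows 7 / Server 2008 R2 are used (Win32_Tpm, Win32_OperatingSystem,
# Win32_ComputerSystem, Win32_BIOS); the BitLocker PowerShell module is not needed.

function New-CheckResult([string]$Check, [bool]$Pass, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-BitLockerPrerequisites {
    $results = @()

    # --- TPM: present, spec 1.2 or later, enabled and activated in the BIOS ---
    # Win32_Tpm needs administrator rights; no instance is returned when the chip
    # is missing or switched off in firmware.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) {
        $results += New-CheckResult 'TPM present' $false 'No Win32_Tpm instance (chip missing, off in BIOS, or not running as admin)'
    } else {
        # SpecVersion is a string such as "1.2, 2, 3"; the first field is the TCG spec level.
        $spec = ($tpm.SpecVersion -split ',')[0].Trim()
        $results += New-CheckResult 'TPM 1.2 or later' ([version]$spec -ge [version]'1.2') "SpecVersion = $($tpm.SpecVersion)"
        $results += New-CheckResult 'TPM enabled in BIOS'   ([bool]($tpm.IsEnabled().IsEnabled))     'Set "TPM Security" to On if this fails'
        $results += New-CheckResult 'TPM activated in BIOS' ([bool]($tpm.IsActivated().IsActivated)) 'Set "TPM Activation" to Activate if this fails'
    }

    # --- Operating system edition: the editions named in the procedure ---
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $editionOk = $os.Caption -match 'Windows 7 (Enterprise|Ultimate)|Windows Server 2008 R2'
    $results += New-CheckResult 'Supported Windows edition' $editionOk $os.Caption

    # --- Domain membership: needed so the recovery key and TPM owner info can be escrowed ---
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $results += New-CheckResult 'Joined to AD domain' ([bool]$cs.PartOfDomain) $cs.Domain

    # --- BIOS: version recorded for the firmware-update step; TCG compliance is a manual check ---
    $bios = Get-WmiObject -Class Win32_BIOS
    $results += New-CheckResult 'BIOS version recorded (verify TCG compliance and currency manually)' $true "$($bios.Manufacturer) $($bios.SMBIOSBIOSVersion)"

    return $results
}

$report = Test-BitLockerPrerequisites
$report | Format-Table Check, Pass, Detail -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more prerequisites failed; resolve them before activating the TPM or enabling BitLocker.'
}
```

The edition pattern implements exactly the editions the Scope section names; extend it if your deployment accepts the "or newer" systems the Scope also allows.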

Activate the TPM Chip

be identical, but should be very similar.

1. Boot the system into BIOS setup.

2. Choose "Security" from the BIOS menu.

3. Set "TPM Activation" to "Activate."

4. Set "TPM Security" to "On."

5. Save the settings, exit, and reboot.

Apply Active Directory Storage Settings

Configure the laptop to enable and require storage of the BitLocker recovery key and TPM owner information in Active Directory. This can be done using any of the following methods:

• Link the ASURITE Group Policy object EnableBitLockerKeyStorage to the system (or, preferably, the OU that contains it).

• Create your own GPO using the EnableBitLockerKeyStorage GPO's settings as a base, and apply it to the system or its containing OU.

• Apply the EnableBitLockerKeyStorage GPO's settings to the laptop manually.

The EnableBitLockerKeyStorage GPO's settings and a brief step-by-step guide to creating a Group Policy object are included as appendices to this document.

When this task is complete, reboot the system to apply the settings.

Enable BitLocker

With the Active Directory storage settings from the previous task applied (so that BitLocker is required to escrow the recovery key and TPM owner information), enable BitLocker as follows:

1. In the Control Panel, under the System and Security category, choose BitLocker Drive Encryption.

2. Under BitLocker Drive Encryption - Hard Disk Drives, next to the C: drive, click Turn On BitLocker.

3. Check the box to Run BitLocker System Check.

4. Click to Restart when prompted.

BitLocker will initialize the TPM chip and/or partition the disk as required, then will begin drive encryption. This process can be paused, and/or the system can be used while encryption proceeds in the background.

Note: During the encryption process, the disk will temporarily appear to be full. Disk encryption with BitLocker does not affect free disk space noticeably.
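Because the GPO makes AD escrow a precondition for turning BitLocker on, a support technician will usually want to confirm, right after the post-restart system check, that the C: volume actually has a recovery password protector and that its backup to Active Directory went through. The script below is an added example, not part of the ASU procedure. It drives manage-bde.exe, which ships with Windows 7 and Server 2008 R2, re-issues the AD backup for each recovery password protector, and reads the BitLocker management event log. The log name, provider and event IDs 845 (backup succeeded) and 846 (backup failed) are my assumptions and should be confirmed on your build; the function names are mine.

```powershell
# Added example (not part of the ASU procedure): after "Turn On BitLocker", confirm
# that C: carries a recovery password protector and that it was escrowed to AD.
# Uses manage-bde.exe (included with Windows 7 / Server 2008 R2). Run elevated,
# while the laptop is still on the domain network.
# Assumptions (not stated in the procedure): events 845 (backup succeeded) and
# 846 (backup failed) in the "Microsoft-Windows-BitLocker/BitLocker Management" log.

function Get-RecoveryPasswordIds([string]$Volume = 'C:') {
    # manage-bde prints each protector as a block, e.g.
    #     Numerical Password:
    #       ID: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
    #       Password: ...
    $text = (& manage-bde -protectors -get $Volume) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -get $Volume failed (exit $LASTEXITCODE)" }
    $pattern = 'Numerical Password:\s*ID:\s*(\{[0-9A-Fa-f-]+\})'
    [regex]::Matches($text, $pattern) | ForEach-Object { $_.Groups[1].Value }
}

function Backup-RecoveryPasswordToAd([string]$Volume = 'C:') {
    $ids = @(Get-RecoveryPasswordIds $Volume)
    if ($ids.Count -eq 0) {
        throw "No recovery password protector on $Volume; with the GPO applied, BitLocker should have created one."
    }
    foreach ($id in $ids) {
        # Re-issues the AD backup for this protector; harmless if it already succeeded.
        & manage-bde -protectors -adbackup $Volume -id $id | Out-Null
        New-Object PSObject -Property @{ Volume = $Volume; ProtectorId = $id; BackupExitCode = $LASTEXITCODE }
    }
}

function Get-AdBackupEvents([int]$Newest = 5) {
    # Assumed log name and event IDs; see the header comment.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846 } `
                 -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Result'; e = { if ($_.Id -eq 845) { 'backed up' } else { 'FAILED' } } },
            Message
}

# Usage: run right after the post-restart system check.
& manage-bde -status 'C:'                       # conversion status / percentage encrypted
Backup-RecoveryPasswordToAd 'C:' | Format-Table Volume, ProtectorId, BackupExitCode -AutoSize
Get-AdBackupEvents | Format-List
```

A non-zero BackupExitCode or a 846 event means the laptop could not reach a writable domain controller or the computer account lacks rights on its own object; the Note under Scope is the reason this check belongs before the laptop leaves the domain network.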

Transfer of Ownership

On personnel termination and/or transfer of the laptop to a new user,

1. Use the BitLocker Drive Encryption control panel to disable BitLocker. The disk will be decrypted.


Data Recovery/Key Retrieval

To recover data from a disk encrypted with BitLocker, follow the instructions online at http://support.microsoft.com/kb/928202
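The Active Directory side of key retrieval, as an added example that is not part of the ASU procedure or the linked Microsoft article: BitLocker stores each escrowed recovery password as an msFVE-RecoveryInformation child object of the computer account, with the backup timestamp and the protector GUID in the object name, and the BitLocker recovery screen shows the first 8 characters of that GUID as the "Password ID". The TPM owner information lands in the msTPM-OwnerInformation attribute of the computer object. The function below, which assumes the ActiveDirectory module from RSAT and read rights on those objects, serves both the escrow check after the Enable BitLocker step and a recovery request; the function name, parameters and the sample computer names are mine.

```powershell
# Added example (not part of the ASU procedure): query the recovery information
# escrowed for a computer. Requires the ActiveDirectory module (RSAT) and read
# access to the msFVE-RecoveryInformation objects under the computer account.

Import-Module ActiveDirectory

function Get-EscrowedBitLockerInfo {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$PasswordIdPrefix = '',     # first 8 hex chars shown on the recovery screen; optional filter
        [switch]$ShowPassword               # off by default so the 48-digit password is not echoed into logs
    )
    $computer = Get-ADComputer -Identity $ComputerName -Properties msTPM-OwnerInformation

    # Recovery passwords are child objects of the computer account.
    $entries = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                            -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                            -Properties msFVE-RecoveryPassword, whenCreated

    if ($PasswordIdPrefix) {
        # Name looks like 2011-09-26T14:03:11-07:00{GUID}; match the prefix inside the braces.
        $entries = $entries | Where-Object { $_.Name -like "*{$PasswordIdPrefix*" }
    }

    foreach ($e in ($entries | Sort-Object whenCreated -Descending)) {
        $guid = ''
        if ($e.Name -match '\{([0-9A-Fa-f-]+)\}') { $guid = $matches[1] }
        $pw = '<hidden; use -ShowPassword>'
        if ($ShowPassword) { $pw = $e.'msFVE-RecoveryPassword' }
        New-Object PSObject -Property @{
            Computer             = $computer.Name
            TpmOwnerInfoEscrowed = [bool]$computer.'msTPM-OwnerInformation'
            BackedUp             = $e.whenCreated
            PasswordId           = $guid
            RecoveryPassword     = $pw
        }
    }
}

# Usage (computer name and ID are constructed examples):
# Confirm escrow after the Enable BitLocker step, without revealing the password:
#   Get-EscrowedBitLockerInfo -ComputerName 'ISO-LAPTOP-01' |
#       Format-Table Computer, TpmOwnerInfoEscrowed, BackedUp, PasswordId -AutoSize
# Answer a recovery request from the 8-character ID the user reads off the recovery screen:
#   Get-EscrowedBitLockerInfo -ComputerName 'ISO-LAPTOP-01' -PasswordIdPrefix '1A2B3C4D' -ShowPassword
```

Several entries per computer are normal (one per backup, so re-running the escrow or re-creating the protector adds objects); the most recent one is the password the drive currently accepts, which is why the results are sorted by whenCreated.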

Appendix: Creating and/or Applying a Group Policy Object

Preparation

Download and install MS Remote Server Administration Tools.

• Download: http://www.microsoft.com/download/en/details.aspx?id=7887

• Documentation: http://technet.microsoft.com/en-us/library/ee449467(WS.10).aspx

Step 1

Start the Group Policy Editor.

• Run mmc.exe

• Add the following snap-ins, selecting your target domain when prompted:

o Active Directory Users and Computers

o Group Policy Management

(Note: You can add whatever other snap-ins you like and save this as your own management console. Just answer "yes" when asked if you want to save the console on closing, and give it a filename. Next time, open the file in MMC to save a few clicks.)

Step 2

Find your OU.

• Expand the Group Policy Management snap-in.

• Expand the Forest, then Domains, then your target domain.

• Your top-level OU should be visible now (e.g., M.IT).

• Keep expanding if you are managing a sub-OU (e.g., M.IT.ACIT).

• Right-click your OU and choose the appropriate option:

o Link an Existing GPO... (step 3a)

o Create a GPO in this domain, and Link it here... (step 3b)

Step 3a

Link an existing GPO.

• Select the template from the list of Group Policy objects and click OK.

• It will appear under your OU name. Double-click it to view more information.


Step 3b

Create a GPO and Link it.

• Give your template a name. You can choose an existing template as a starting point.

• The Group Policy Management Editor should open in a new window. Choose the settings you want to apply, then save the template and exit.

Appendix: EnableBitLockerKeyStorage GPO Settings

Computer Configuration (Enabled)

Policies / Administrative Templates

(Policy definitions (ADMX files) retrieved from the local machine.)

System/Trusted Platform Module Services

  Policy: Turn on TPM backup to Active Directory Domain Services
    Require TPM backup to AD DS: Enabled
      If selected, cannot set or change TPM owner password if backup fails (recommended default). If not selected, can set or change TPM owner password even if backup fails. Backup is not automatically retried.

Windows Components/BitLocker Drive Encryption

  Policy: Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
    Require BitLocker backup to AD DS: Enabled
      If selected, cannot turn on BitLocker if backup fails (recommended default). If not selected, can turn on BitLocker even if backup fails. Backup is not automatically retried.
    Select BitLocker recovery information to store: Recovery passwords and key packages
      A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive's BitLocker encryption key secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted.

Windows Components/BitLocker Drive Encryption/Fixed Data Drives

  Policy: Choose how BitLocker-protected fixed drives can be recovered
    Allow data recovery agent: Enabled
    Configure user storage of BitLocker recovery information: Allow 48-digit recovery password; Allow 256-bit recovery key
    Omit recovery options from the BitLocker setup wizard: Enabled
    Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
    Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: Enabled

Windows Components/BitLocker Drive Encryption/Operating System Drives

  Policy: Choose how BitLocker-protected operating system drives can be recovered
    Allow data recovery agent: Enabled
    Configure user storage of BitLocker recovery information: Allow 48-digit recovery password; Allow 256-bit recovery key
    Omit recovery options from the BitLocker setup wizard: Enabled
    Save BitLocker recovery information to AD DS for operating system drives: Enabled
    Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
    Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Enabled
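The settings above are what the GPMC report shows; on the laptop they become DWORD values under HKLM\SOFTWARE\Policies\Microsoft\FVE and HKLM\SOFTWARE\Policies\Microsoft\TPM. The script below is an added example, not part of the ASU procedure or the ASURITE GPO itself, and serves two of the earlier options: auditing a laptop that was configured manually (or by a copied GPO) for the values this appendix lists, and building a GPO with the same settings from PowerShell instead of the MMC clicks in step 3b of the previous appendix (the GroupPolicy module from RSAT is required for that part). The value names and numbers are my reading of the VolumeEncryption.admx and TPM.admx templates (recovery-option values 0 = do not allow, 1 = require, 2 = allow; InfoToStore 1 = passwords and key packages) and should be confirmed against the ADMX files in your central store before you rely on them; the function names and the example OU path are mine.

```powershell
# Added example (not part of the ASU procedure): the EnableBitLockerKeyStorage
# settings as registry policy values, used to (a) audit a laptop and (b) build a
# GPO carrying the same settings. Assumption: value names/numbers below follow
# VolumeEncryption.admx and TPM.admx; confirm against your ADMX central store.

$FVE = 'SOFTWARE\Policies\Microsoft\FVE'
$TPM = 'SOFTWARE\Policies\Microsoft\TPM'

# One row per setting in the appendix, in the same order.
$ExpectedPolicy = @(
    # System/Trusted Platform Module Services
    @{ Key = $TPM; Name = 'ActiveDirectoryBackup';           Value = 1 },  # Turn on TPM backup to AD DS
    @{ Key = $TPM; Name = 'RequireActiveDirectoryBackup';    Value = 1 },  # Require TPM backup to AD DS
    # Windows Components/BitLocker Drive Encryption (Server 2008 / Vista policy)
    @{ Key = $FVE; Name = 'ActiveDirectoryBackup';           Value = 1 },  # Store recovery info in AD DS
    @{ Key = $FVE; Name = 'RequireActiveDirectoryBackup';    Value = 1 },  # Require BitLocker backup to AD DS
    @{ Key = $FVE; Name = 'ActiveDirectoryInfoToStore';      Value = 1 },  # Recovery passwords and key packages
    # Fixed Data Drives
    @{ Key = $FVE; Name = 'FDVRecovery';                     Value = 1 },  # Choose how fixed drives can be recovered
    @{ Key = $FVE; Name = 'FDVManageDRA';                    Value = 1 },  # Allow data recovery agent
    @{ Key = $FVE; Name = 'FDVRecoveryPassword';             Value = 2 },  # Allow 48-digit recovery password
    @{ Key = $FVE; Name = 'FDVRecoveryKey';                  Value = 2 },  # Allow 256-bit recovery key
    @{ Key = $FVE; Name = 'FDVHideRecoveryPage';             Value = 1 },  # Omit recovery options from the wizard
    @{ Key = $FVE; Name = 'FDVActiveDirectoryBackup';        Value = 1 },  # Store recovery info to AD DS
    @{ Key = $FVE; Name = 'FDVActiveDirectoryInfoToStore';   Value = 1 },  # Backup passwords and key packages
    @{ Key = $FVE; Name = 'FDVRequireActiveDirectoryBackup'; Value = 1 },  # Do not enable until stored to AD DS
    # Operating System Drives
    @{ Key = $FVE; Name = 'OSRecovery';                      Value = 1 },
    @{ Key = $FVE; Name = 'OSManageDRA';                     Value = 1 },
    @{ Key = $FVE; Name = 'OSRecoveryPassword';              Value = 2 },
    @{ Key = $FVE; Name = 'OSRecoveryKey';                   Value = 2 },
    @{ Key = $FVE; Name = 'OSHideRecoveryPage';              Value = 1 },
    @{ Key = $FVE; Name = 'OSActiveDirectoryBackup';         Value = 1 },  # Save recovery info to AD DS for OS drives
    @{ Key = $FVE; Name = 'OSActiveDirectoryInfoToStore';    Value = 1 },
    @{ Key = $FVE; Name = 'OSRequireActiveDirectoryBackup';  Value = 1 }
)

# (a) Audit: compare the policy registry on this laptop with the expected table.
function Test-BitLockerKeyStoragePolicy {
    foreach ($row in $ExpectedPolicy) {
        $path = "HKLM:\$($row.Key)"
        $actual = $null
        $item = Get-ItemProperty -Path $path -Name $row.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.$($row.Name) }
        New-Object PSObject -Property @{
            Setting  = "$($row.Key)\$($row.Name)"
            Expected = $row.Value
            Actual   = $actual
            Pass     = ($actual -eq $row.Value)
        }
    }
}

# (b) Build and link a GPO carrying the same settings (the OU DN is a hypothetical example).
function New-BitLockerKeyStorageGpo([string]$GpoName, [string]$TargetOuDn) {
    Import-Module GroupPolicy
    $gpo = New-GPO -Name $GpoName -Comment 'BitLocker/TPM recovery information escrow to AD DS'
    foreach ($row in $ExpectedPolicy) {
        Set-GPRegistryValue -Name $GpoName -Key "HKLM\$($row.Key)" -ValueName $row.Name `
                            -Type DWord -Value $row.Value | Out-Null
    }
    New-GPLink -Name $GpoName -Target $TargetOuDn | Out-Null
    return $gpo
}

# Usage:
#   Test-BitLockerKeyStoragePolicy | Format-Table Setting, Expected, Actual, Pass -AutoSize
#   New-BitLockerKeyStorageGpo -GpoName 'EnableBitLockerKeyStorage-Copy' `
#       -TargetOuDn 'OU=M.IT.ACIT,OU=M.IT,DC=example,DC=edu'
```

An audit row with Actual empty means no policy is applied at all, in which case BitLocker will still turn on but without the escrow requirement; run gpupdate and re-check before the Enable BitLocker step rather than after.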
