Chapter 11
BitLocker and Mobility Options
Portable computers bring unique challenges to IT departments that they do not face with more traditional desktop computer deployments. One of these challenges is ensuring that a person using a portable computer is able to use the computer for a maximum amount of time when she is not able to connect to a power outlet. Another challenge is ensuring that a user is able to access important files even when she is unable to connect to the network. A third challenge is ensuring that no one outside the organization is able to recover confidential data on a misplaced or stolen portable computer. In this chapter, you learn about several technologies that assist you in addressing these challenges.
BitLocker and BitLocker To Go provide full volume data encryption that protects data if the computer or storage device hosting it is stolen or lost. The Offline Files feature enables you to access data hosted on shared folders when a computer cannot connect to the shared folder host server’s network. Windows 7 power plans allow you to balance system performance with battery life, allowing you to increase performance when energy consumption is less important and to switch over to preserving battery charge when you need to use a portable computer away from a power supply for an extended amount of time.
Exam objectives in this chapter:
• Configure BitLocker and BitLocker To Go
• Configure mobility options
Lessons in this chapter:
• Lesson 1: Managing BitLocker 555
• Lesson 2: Windows 7 Mobility 574
Before You Begin
To complete the exercises in the practices in this chapter, you need to have done the following:
• Installed the Windows 7 operating system on a stand-alone client PC named Canberra, as described in Chapter 1, “Install, Migrate, or Upgrade to Windows 7.”
• Make sure you have access to a small removable USB storage device. This device should not host any data.
• Note that a Trusted Platform Module (TPM) chip is not required for the practice exercise at the end of this lesson.
Real World
Orin Thomas
Once, when I was working on a Self-Paced Training Kit, I received a chapter back from editing a few minutes before I was about to board a plane. Unfortunately, the plane I was about to board was going to take me from Melbourne, Australia, to Copenhagen, Denmark, with a stopoff for two hours in Bangkok, Thailand. This is one of those journeys that is within spitting distance of going literally halfway around the world. As I find it almost impossible to sleep on airplanes, I knew that I’d be unable to work after more than 24 hours in transit.
Dealing with it now was better than dealing with it in a jet-lagged state on the other side of the world. Besides, I had never been to Copenhagen, and I didn’t want to spend my first day there after I’d recovered from jet lag tapping away on my laptop in my hotel room. Given that you can buy a small car for the price of a first-class ticket from Melbourne to Copenhagen, I was in economy class without any way to power my laptop computer. Going through a chapter after editing can take some time, more time than usually afforded by my laptop computer’s battery. My laptop wasn’t a “newfangled, lasts for 8 hours on one battery” laptop, but one that would do three hours on a good day if I didn’t push it hard. Unfortunately, I needed more than three hours to finish what I needed to do.
This is where creating a custom power plan came in. I turned everything down. The screen gave off almost no light, the processor was restricted to a few percent of its maximum speed, and every non-critical device was switched off. The computer was sluggish, but it provided me with enough power that I was able to use it through the entire flight from Melbourne to Bangkok. This gave me enough time to complete my work on the chapter. When I arrived at Bangkok, I still had enough power to connect the laptop to the Internet through my mobile phone and send the revised chapter back to my editor. When I got to Copenhagen, I could concentrate fully on taking in a city I had never visited before. One day, when I get a new laptop that has a bit more battery life, I reckon I could configure a power plan that might get me all the way through a flight from Melbourne to Copenhagen. Until then, Melbourne to Bangkok will have to do!
Lesson 1: Managing BitLocker
Several studies have found that the staff at a medium-sized business loses an average of two laptop computers each year. These studies have determined that the cost of a lost laptop computer to an organization can exceed 20 times the value of the laptop computer itself, adding up to tens of thousands of dollars. The biggest cost involved with a lost laptop computer is determining what data was stored on the computer and the impact of that data finding its way into the hands of a competing organization. Often, it can be difficult to ascertain exactly what data may have been stored on a misplaced computer. When you assume a worst-case scenario, that cost can rise very high. Universal Serial Bus (USB) flash devices present a similar problem. People often use them to transfer important data from home to the workplace. Because these devices are small, they are easy to misplace. When one of these devices is lost, there is a chance, however small, that some sensitive data may find its way into the hands of a competing organization.
Research that has measured the cost of lost equipment has also found that the cost to an organization of losing a laptop computer was significantly lower for organizations that could be sure that a full disk encryption solution such as BitLocker protected all data on their portable computers. This was because in these cases, organizations could be sure that a competing organization was unable to recover any important data that might be stored on a misplaced computer or device. This significantly reduced the cost to the organization of the loss because it did not have to determine what might be stored on the lost equipment because that data was effectively irretrievable. In this lesson, you learn how to configure the BitLocker and BitLocker To Go features in Windows 7 so that if someone in your organization loses a laptop computer or USB flash device, you can be certain that the person who finds it is unable to recover any data stored on the device.
After this lesson, you will be able to:
• Configure BitLocker and BitLocker To Go policies
• Manage Trusted Platform Module PINs
• Configure startup key storage
• Configure Data Recovery Agent support
Estimated lesson time: 40 minutes
BitLocker
BitLocker is a full volume encryption and system protection feature that is available on computers running the Enterprise and Ultimate editions of Windows 7. The function of BitLocker is to protect computers running Windows 7 from offline attacks. Offline attacks include booting using an alternative operating system in an attempt to recover data stored on the hard disk and removing the computer’s hard disk and connecting it to another computer in an attempt to access the data it contains.
BitLocker provides full encryption of a computer’s volumes. Without the BitLocker encryption key, the data stored on the volume is inaccessible. BitLocker stores the encryption key for the volume in a separate safe location, and it releases this key, making the data on the volume accessible, only after it is able to verify the integrity of the boot environment. BitLocker provides the following benefits:
• It prevents an attacker from recovering data from a stolen computer unless that person also steals the passwords that provide access to the computer. Without the appropriate authentication, the hard disk remains encrypted and inaccessible.
• It simplifies the process of hard disk drive disposal. Rather than having to wipe a computer’s hard disk, you can be sure that without the accompanying BitLocker key, any data on the disposed hard disk is irrecoverable. Many organizations have suffered security breaches because people have been able to recover data on hard disk drives after the hard disk has theoretically been disposed of.
• It protects the integrity of the boot environment against unauthorized modification by checking the boot environment each time you turn on the computer. If BitLocker detects any modifications to the boot environment, it forces the computer into BitLocker recovery mode.
Although BitLocker does provide some forms of protection, BitLocker does not protect data hosted on the computer once the computer is fully active. If there are multiple users of a computer and BitLocker is enabled, BitLocker cannot stop them from reading each other’s files if file and folder permissions are not properly set. BitLocker encrypts the hard disk, but that encryption does not protect data from attack locally or over the network once the computer is operating normally. To protect data from access on a powered-up computer, configure NTFS permissions and use Encrypting File System (EFS). You learned about these technologies in Chapter 8, “BranchCache and Resource Sharing.”
More Info: BitLocker Executive Overview
For a more detailed summary of the functionality of BitLocker in Windows 7, consult the following executive overview document hosted on Microsoft TechNet: http://technet.microsoft.com/en-us/library/dd548341(WS.10).aspx.
BitLocker Modes
You can configure BitLocker to function in a particular mode. The mode that you choose depends on whether you have a Trusted Platform Module (TPM) on your computer and the level of security that you want to enforce. The modes involve selecting a combination of TPM, personal identification number (PIN), and startup key. A startup key is a special cryptographically generated file that is stored on a separate USB device. The available BitLocker modes are as follows:
• TPM-only mode: In TPM-only mode, the user is unaware that BitLocker is functioning and does not have to provide any passwords, PINs, or startup keys to start the computer. The user becomes aware of BitLocker only if there is a modification to the boot environment, or if she removes her hard disk drive and tries to use it on another computer. TPM-only mode is the least secure implementation of BitLocker because it does not require additional authentication.
• TPM with startup key: This mode requires that a USB device hosting a preconfigured startup key be available to the computer before the computer can boot into Microsoft Windows. If the device hosting the startup key is not available at boot time, the computer enters recovery mode. This mode also provides boot environment protection through the TPM.
• TPM with PIN: When you configure this mode, the user must enter a PIN before the computer boots. You can configure Group Policy so that it is possible to enter a password containing numbers, letters, and symbols rather than a simple PIN. If you do not enter the correct PIN or password at boot time, the computer enters recovery mode. This mode also provides boot environment protection through the TPM.
• TPM with PIN and startup key: This is the most secure option. You can configure this option through Group Policy. When you enable this option, a user must enter a startup PIN and have the device hosting the startup key connected before the computer will boot into Windows. This option is appropriate for high-security environments. This mode also provides boot environment protection through the TPM.
• BitLocker without a TPM: This mode provides hard disk encryption but does not provide boot environment protection. This mode is used on computers without TPM chips. You can configure BitLocker to work on a computer that does not have a TPM chip by configuring the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require Additional Authentication At Startup policy. This policy is shown in Figure 11-1. When you configure BitLocker to work without a TPM chip, you need to boot with a startup key on a USB storage device.
Managing the TPM Chip
Most implementations of BitLocker store the encryption key in a special chip on the computer’s hardware known as the TPM chip. The TPM Management console, shown in Figure 11-2, allows administrators to manage the TPM. Using this console, you can store TPM recovery information in Active Directory Domain Services (AD DS), clear the TPM, reset the TPM lockout, and enable or disable the TPM. You can access the TPM Management console from the BitLocker Drive Encryption control panel by clicking the TPM Administration icon.
Figure 11-1 Allow BitLocker without a TPM chip
Figure 11-2 TPM Management console
Configuring a BitLocker DRA
Data Recovery Agents (DRAs) are special user accounts that you can use to recover encrypted data. You can configure a DRA to recover BitLocker-protected drives if the recovery password or keys are lost. The advantage of a DRA is that you can use it organization-wide, meaning that you can recover all BitLocker-encrypted volumes using a single account rather than having to recover a specific volume’s recovery password or key.
The first step you must take in configuring BitLocker to support DRAs is to add the account of a DRA to the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption node, as shown in Figure 11-3. A DRA account is a user account enrolled with a special type of digital certificate. In organizational environments, this digital certificate is almost always issued by an AD DS certificate authority (CA).
Figure 11-3 Assigning the recovery key
After you have configured the DRA, it is also necessary to configure the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Provide The Unique Identifiers For Your Organization policy to support DRA recovery. BitLocker works with DRAs only when an identification field is present on a volume and the value matches that configured for the computer. Figure 11-4 shows this policy configured with the identification field set to ContosoBitLockerSelfHost. You also use this policy when denying write access to removable devices not protected by BitLocker. You will learn more about denying write access to removable devices later in this lesson.
After you have configured the DRA and the identifiers, you need to configure the following policies to allow specific volume types to utilize the DRA:
• Choose How BitLocker-Protected Operating System Drives Can Be Recovered
• Choose How BitLocker-Protected Fixed Drives Can Be Recovered
• Choose How BitLocker-Protected Removable Drives Can Be Recovered
Figure 11-4 Configure unique identifiers
Each of these policies is similar in that you configure it to allow the DRA. You can also configure a recovery password and a recovery key for each volume type, as shown in Figure 11-5. You can use any of the items you specify in these policies for recovery. These policies also allow you to force the backup of recovery passwords and keys to AD DS. It is even possible to block the implementation of BitLocker unless backup to AD DS is successful. You should not enable the option of backing up data to AD DS when clients running Windows 7 are not members of an AD DS domain.
In some cases, you may have already enabled BitLocker on a volume prior to preparing a DRA. You can update a volume to support a DRA by using the manage-bde -SetIdentifier command on the encrypted volume from an elevated command prompt. You can verify the identifier setting by using the manage-bde -status command and checking the Identification Field setting in the resulting output. To verify that the DRA is configured properly, issue the manage-bde -protectors -get command. This lists the certificate thumbprint assigned to the DRA. To recover data from a volume protected by a DRA, connect the volume to a working computer that has the DRA private key installed and use the manage-bde.exe -unlock <drive> -Certificate -ct <certificate thumbprint> command from an elevated command prompt. You will use some of these commands in the practice at the end of this lesson.
Figure 11-5 Recovery policies
More Info: Configuring a BitLocker DRA
To learn more about configuring a BitLocker DRA, consult the following Microsoft TechNet article: http://technet.microsoft.com/en-us/library/dd875560(WS.10).aspx.
Enabling BitLocker
To enable BitLocker on a computer, open the BitLocker Drive Encryption control panel and then click Turn On BitLocker. A user must be a member of the local Administrators group to enable BitLocker on a computer running Windows 7. When you click Turn On BitLocker, a check is performed to see if your computer has the appropriate TPM hardware, or has the appropriate Group Policy if that hardware is not present, to support BitLocker. If the TPM hardware is not present and Group Policy is not configured appropriately, an error message is displayed informing you that the computer does not support BitLocker and you are unable to implement BitLocker.
The next step in configuring BitLocker is to configure which authentication choice to use with BitLocker. You learned about the different BitLocker modes (TPM-only, TPM with startup key, TPM with PIN, and TPM with startup key and PIN) earlier in this lesson. If you are using BitLocker without a TPM, you only have the option of requiring a startup key, as shown in Figure 11-6. You can configure the option to require TPM with startup key and PIN only through Group Policy.
Figure 11-6 Configure BitLocker startup options
If you choose to require a startup key, Windows prompts you to designate the USB storage device that hosts the startup key. Windows then writes the startup key to the designated device. The next step in the BitLocker process involves storing the recovery key, as shown in Figure 11-7. The recovery key is different from the startup key or PIN. You should store the recovery key in a different location from the startup key. That way, if you lose your startup key, you have not also lost the recovery key.
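As an added example (not from the training kit), this PowerShell script performs the same steps from the command line for a computer without a TPM: it writes the startup key to one USB device and the recovery key to a different device, and refuses to proceed if both drive letters resolve to the same physical disk. The drive letters are placeholders, and it assumes the Require Additional Authentication At Startup policy already allows BitLocker without a TPM.

```powershell
# Added example (not from the training kit): enable BitLocker on the OS
# volume of a computer WITHOUT a TPM, writing the startup key to one USB
# device and the recovery key to a different device, so that losing the
# startup key does not also lose the recovery key. Elevated prompt required.
# ASSUMPTIONS: drive letters are placeholders; the Require Additional
# Authentication At Startup policy already allows BitLocker without a TPM.
param(
    [string]$Volume = 'C:',
    [string]$StartupKeyDrive = 'F:',   # USB device that will hold the startup key
    [string]$RecoveryKeyDrive = 'G:'   # separate device for the recovery key
)

foreach ($d in @($StartupKeyDrive, $RecoveryKeyDrive)) {
    if (-not (Test-Path -LiteralPath "$d\")) { throw "Drive $d is not available" }
}

# Two drive letters can be two partitions on one USB stick, so resolve each
# letter to its physical disk (logical disk -> partition -> disk drive).
function Get-PhysicalDiskId([string]$letter) {
    $part = Get-WmiObject -Query "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$letter'} WHERE AssocClass=Win32_LogicalDiskToPartition"
    $disk = Get-WmiObject -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($part.DeviceID)'} WHERE AssocClass=Win32_DiskDriveToDiskPartition"
    return $disk.DeviceID
}
if ((Get-PhysicalDiskId $StartupKeyDrive) -eq (Get-PhysicalDiskId $RecoveryKeyDrive)) {
    throw 'Startup key and recovery key must be stored on different devices'
}

# -StartupKey writes the startup key to the USB device (the only startup
# option without a TPM); -RecoveryKey writes the recovery key elsewhere;
# -RecoveryPassword also generates a 48-digit password to record off-device.
& manage-bde -on $Volume -StartupKey $StartupKeyDrive -RecoveryKey $RecoveryKeyDrive -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# Confirm which protectors exist and that encryption has begun.
& manage-bde -protectors -get $Volume
& manage-bde -status $Volume
```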
Figure 11-7 Save the recovery key