CHAPTER 15
TPM and BitLocker Drive Encryption

Working with Trusted Platforms 467
Managing TPM 469
Introducing BitLocker Drive Encryption 477
Deploying BitLocker Drive Encryption 478
Setting Up and Managing BitLocker Drive Encryption 481

Many of the security features built into the Windows operating system are designed to protect a computer from attacks by individuals accessing the computer over the network or from the Internet. But what about when individuals have direct physical access to a computer? When someone has direct physical access to a computer, many of Windows’ security safeguards don’t apply. For example, if someone can boot a computer, even if it is to another operating system they’ve installed, he or she could gain access to any data stored on the computer, perhaps even your organization’s most sensitive data. To protect a computer from individuals who have direct access to it, Windows Vista and Windows Server 2008 include the Trusted Platform Module Services architecture and BitLocker Drive Encryption. Together these features help protect a computer from many types of attacks by individuals who have direct access to a computer.

Working with Trusted Platforms

Windows Vista and Windows Server 2008 include the Encrypting File System (EFS) for encrypting files and folders. Using EFS, users can protect sensitive data so that it can be decrypted only with the private key that corresponds to their EFS certificate. Encryption certificates and their private keys are stored as part of the data in a user’s profile. As long as users have access to their profiles and the encryption keys they contain, they can access their encrypted files.

Although EFS offers excellent protection for your data, it doesn’t safeguard the computer from attack by someone who has direct physical access. In a situation where a user loses a computer, a computer has been stolen, or the attacker is logging on to a computer, EFS might not protect the data because the attacker might be able to gain access to the computer before it boots. He could then access the computer from another operating system and change the computer’s configuration. He might then be able to break into a logon account on the original operating system so that he can log on as the user, or configure the computer so that he can log on as a local administrator. Either way, the attacker could eventually gain full access to a computer and its data.

To seal a computer from physical attack and wrap it in an additional layer of protection, Windows Vista and Windows Server 2008 include the Trusted Platform Module (TPM) Services architecture. TPM Services protect a computer using a dedicated hardware component called a TPM. A TPM is a microchip that is usually installed on the motherboard of a computer, where it communicates with the rest of the system using a hardware bus. Computers running Windows Vista or Windows Server 2008 can use a TPM to provide enhanced protection for data, to ensure early validation of the boot files’ integrity, and to help ensure that a disk has not been tampered with while the operating system was offline.
A TPM has the ability to create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, referred to as wrapping or binding, protects the key from disclosure. A TPM has a master “wrapping” key called the Storage Root Key (SRK). The SRK is stored within the TPM itself to ensure that the private portion of the key never leaves the chip.

Computers that have a TPM can create a key that has not only been wrapped but also sealed. The process of sealing the key ties it to specific platform measurements, which are recorded in the TPM’s Platform Configuration Registers (PCRs) as the system boots. A sealed key can only be unwrapped when those platform measurements have the same values that they had when the key was sealed. This is what gives TPM-equipped computers increased resistance to attack.

Because the TPM stores the private portions of key pairs separately from memory controlled by the operating system, keys can be sealed to the TPM to provide strong assurances about the state of a system and its trustworthiness. TPM keys are only unsealed when the measured boot components are unchanged. Further, because the TPM uses its own internal firmware and logic for processing instructions, it does not rely upon the operating system and is not exposed to vulnerabilities in software running on the host.
The TPM can also be used to seal and unseal data that is generated outside of the TPM, and this is where the true power of the TPM lies. In Windows Vista and Windows Server 2008, the feature that accesses the TPM and uses it to seal a computer is called BitLocker Drive Encryption. Although BitLocker Drive Encryption can be used in either TPM or non-TPM configurations, the most secure method is to use a TPM.
When you use BitLocker Drive Encryption and a TPM to seal the boot manager and boot files of a computer, the boot manager and boot files can be unsealed only if they are unchanged since they were last sealed. This means you can use the TPM to validate a computer’s boot files in the pre-operating system environment. When you protect a hard disk with BitLocker and a TPM, the key that decrypts the disk is released only if the measured boot components are unchanged since the key was sealed, and the volume contents themselves are encrypted, so an attacker cannot read the data or make controlled changes to it while the operating system is offline. Note that this is not a sector-by-sector integrity check of the disk; the guarantee is that the decryption key stays locked unless the measured boot path is intact.
When you use BitLocker Drive Encryption without a TPM to seal the boot manager and boot files of a computer, the TPM cannot be used to validate a computer’s boot files in the pre-operating system environment. This means there is no way to guarantee the integrity of the boot manager and boot files of a computer; the volume is still encrypted, but an attacker with physical access could replace the unencrypted boot files without detection.
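The sealing behaviour described in the preceding paragraphs, as an added example that is not part of the original chapter and not Microsoft’s code: a small Python model of a TPM 1.2-style chip with SHA-1 PCRs, a Storage Root Key that never leaves the chip, and seal/unseal bound to a PCR selection. The boot manager bytes, the PCR indexes (4 and 11) and the HMAC-SHA256 wrapping are constructed for illustration; a real TPM wraps with RSA keys under the SRK and uses the TPM_PCR_COMPOSITE structure, and BitLocker’s PCR selection is governed by the Configure TPM Platform Validation Profile policy mentioned later in this chapter.

```python
"""Toy model of TPM 1.2 measurement and sealing (added example; HMAC stands in for RSA wrapping)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PCR_LEN = 20  # TPM 1.2 PCRs hold a SHA-1 digest


@dataclass(frozen=True)
class SealedBlob:
    pcr_selection: Tuple[int, ...]  # PCRs the secret is bound to
    nonce: bytes
    ciphertext: bytes
    tag: bytes  # verification fails if the PCRs, or the TPM itself, differ


class SimulatedTpm:
    def __init__(self, num_pcrs: int = 24) -> None:
        self.pcrs: List[bytes] = [b"\x00" * PCR_LEN] * num_pcrs  # reset state
        self._srk = os.urandom(32)  # stand-in for the SRK: created once, never exported

    def reboot(self) -> None:
        """A platform reset is the only way PCR values go back to zero."""
        self.pcrs = [b"\x00" * PCR_LEN] * len(self.pcrs)

    def extend(self, index: int, data: bytes) -> bytes:
        """TPM_Extend: PCR[i] = SHA1(PCR[i] || SHA1(data)); the order of extends matters."""
        measurement = hashlib.sha1(data).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + measurement).digest()
        return self.pcrs[index]

    def _composite(self, selection: Tuple[int, ...]) -> bytes:
        h = hashlib.sha1()  # simplified stand-in for TPM_PCR_COMPOSITE
        for i in selection:
            h.update(bytes([i]) + self.pcrs[i])
        return h.digest()

    def _binding_key(self, selection: Tuple[int, ...]) -> bytes:
        # Depends on both the SRK and the current platform state.
        return hmac.new(self._srk, b"seal|" + self._composite(selection), hashlib.sha256).digest()

    @staticmethod
    def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
        """Counter-mode keystream from HMAC; XOR is its own inverse, so this both encrypts and decrypts."""
        out = bytearray()
        for counter in range((len(data) + 31) // 32):
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        return bytes(x ^ y for x, y in zip(data, out))

    def seal(self, secret: bytes, selection: Tuple[int, ...]) -> SealedBlob:
        key = self._binding_key(selection)
        nonce = os.urandom(16)
        ct = self._xor_stream(key, nonce, secret)
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        return SealedBlob(selection, nonce, ct, tag)

    def unseal(self, blob: SealedBlob) -> Optional[bytes]:
        """Return the secret only if the selected PCRs hold the values they had at seal time."""
        key = self._binding_key(blob.pcr_selection)
        expected = hmac.new(key, blob.nonce + blob.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob.tag):
            return None  # the refusal that sends BitLocker into Recovery mode
        return self._xor_stream(key, blob.nonce, blob.ciphertext)


# Constructed sample boot component; the PCR indexes are illustrative, not BitLocker's profile.
BOOT_MANAGER = b"bootmgr (constructed sample bytes)"
TAMPERED_BOOT_MANAGER = BOOT_MANAGER + b" + unsigned hook"
BOOT_PCR, ACCESS_PCR = 4, 11


def boot(tpm: SimulatedTpm, bootmgr: bytes) -> None:
    """Firmware measures the boot manager; BitLocker then records its own measurement."""
    tpm.reboot()
    tpm.extend(BOOT_PCR, bootmgr)
    tpm.extend(ACCESS_PCR, b"BitLocker access control (constructed)")


def run_scenario() -> Dict[str, bool]:
    tpm = SimulatedTpm()
    vmk = os.urandom(32)  # stands in for the key that unlocks the encrypted volume
    boot(tpm, BOOT_MANAGER)
    blob = tpm.seal(vmk, (BOOT_PCR, ACCESS_PCR))

    boot(tpm, BOOT_MANAGER)  # normal restart: same measurements, key released
    intact = tpm.unseal(blob) == vmk
    boot(tpm, TAMPERED_BOOT_MANAGER)  # boot manager modified offline: key stays locked
    tampered = tpm.unseal(blob)
    other_tpm = SimulatedTpm()  # encrypted disk moved to another computer: different SRK
    boot(other_tpm, BOOT_MANAGER)
    moved = other_tpm.unseal(blob)
    return {
        "unsealed_when_intact": intact,
        "refused_when_tampered": tampered is None,
        "refused_on_other_tpm": moved is None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running the block prints the three checks. The tampered and moved cases are exactly the conditions under which the chapter says BitLocker enters Recovery mode, and the intact case is why the TPM-only configuration described later is transparent to the user.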
Managing TPM

A computer running Windows Server 2008 must be equipped with a compatible TPM and compatible firmware to take advantage of TPM. Both Windows Vista and Windows Server 2008 support TPM version 1.2 and require Trusted Computing Group (TCG)-compliant firmware. Firmware that is TCG-compliant supports the Static Root of Trust for Measurement (SRTM) as defined by the Trusted Computing Group; in practice, this means the firmware measures the boot components into the TPM’s PCRs before handing control to the boot manager. In some configurations of TPM and BitLocker Drive Encryption, you’ll also need to make sure the firmware supports reading USB flash drives at startup.
Understanding TPM States and Tools

The TPM Services architecture in Windows Vista and Windows Server 2008 provides the basic features required to configure and deploy TPM-equipped computers. This architecture can be extended with a feature called BitLocker Drive Encryption, which is discussed in “Introducing BitLocker Drive Encryption” on page 477.

Before you can use TPM, you must turn on TPM in firmware and initialize the TPM for first use in software. As part of the initialization process, you’ll set the owner password on the TPM. After TPM is enabled, you can manage the TPM configuration.

In some cases, computers that have TPM might ship with TPM turned on. However, in most cases, you’ll find TPM is not turned on by default. You turn on TPM in firmware.
With my servers, I needed to:

1. Start the computer. Press F2 during startup to access the firmware. In the firmware, I accessed the Advanced screen and then the Peripheral Configuration screen.

2. On the Peripheral Configuration screen, Trusted Platform Module was listed as an option. After scrolling down to highlight this option, I pressed Enter to display an options menu. On the options menu, I selected Enable and then pressed Enter.

3. To save the setting change and exit the firmware, I then pressed F10. When prompted to confirm that I wanted to exit, I pressed Y and the computer then rebooted.
Windows Vista and Windows Server 2008 provide several tools for working with TPM, including:

Trusted Platform Module Management  A Microsoft Management Console snap-in for initializing and managing TPM. You can access this tool by clicking Start, typing tpm.msc in the Search box, and then pressing Enter.

Initialize The TPM Security Hardware  A wizard for initializing the TPM and setting the owner password. You can access this tool by clicking Start, typing tpminit in the Search box, and then pressing Enter.
When you are working with Trusted Platform Module Management, you’ll be able to determine the exact state of the TPM. If you try to start Trusted Platform Module Management without turning on TPM, you’ll see an error because the console cannot find a compatible TPM. Similarly, if you try to run Initialize The TPM Security Hardware without turning on TPM, you’ll see a similar error.

Only when you’ve turned on TPM in firmware will you be able to access and work with the TPM tools. When you are working with the Trusted Platform Module Management console, shown in Figure 15-1, you should note the TPM status and the TPM manufacturer information. The TPM status indicates the exact state of the TPM (see Table 15-1). The TPM manufacturer information shows that the TPM supports specification version 1.2. Support for TPM version 1.2 or later is required.
Table 15-1 TPM Status Indicators and Their Meanings

Status                                              Meaning
The TPM is on and ownership has not been taken      The TPM is turned on in firmware but hasn’t been initialized yet.
The TPM is on and ownership has been taken          The TPM is turned on in firmware and has been initialized.
The TPM is off and ownership has not been taken     The TPM is turned off in software and hasn’t been initialized yet.
The TPM is off and ownership has been taken         The TPM has been initialized but is currently turned off in software.
Figure 15-1 Use the Trusted Platform Module Management console to initialize and manage TPM
Initializing a TPM for First Use

Initializing a TPM configures it for use on a computer. The initialization process involves turning on the TPM and then taking ownership of the TPM. By taking ownership of the TPM, you are setting an owner password (the TPM’s owner authorization value) that helps ensure that only the authorized TPM owner can manage the TPM. The TPM owner password is required to turn off the TPM if you no longer want to use it and to clear the TPM if the computer is to be recycled. In an Active Directory domain, you can configure Group Policy to back up TPM owner information to Active Directory Domain Services.
To initialize the TPM and create the owner password, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Initialize TPM to start the Initialize The TPM Security Hardware wizard.

Note

If the Initialize The TPM Security Hardware wizard detects firmware that does not meet Windows requirements or no TPM is found, you will not be able to continue and should ensure that the TPM has been turned on in firmware. Otherwise, you’ll see the Create The TPM Owner Password page.

2. On the Create The TPM Owner Password page, shown in Figure 15-2, click Automatically Create The Password (Recommended).
Figure 15-2 Initialize the TPM

3. On the Save Your TPM Owner Password page, shown in Figure 15-3, note the 48-character TPM owner password. Click Save The Password.

Figure 15-3 Note the 48-character TPM owner password

4. In the Save As dialog box, shown in Figure 15-4, select a location to save the password backup file and then click Save. By default, the password backup file is saved as ComputerName.tpm. Ideally, you’ll save the TPM owner password to removable media, such as a USB flash drive, that you then store separately from the computer.
Figure 15-4 Save the TPM owner password

5. On the Save Your TPM Owner Password page, click Print The Password if you want to print a hard copy of the password. Be sure to save the printout containing the password in a secure location, such as a safe or locked file cabinet.

6. Click Initialize. The initialization process may take several minutes to complete. When initialization is complete, click Close. In the TPM Management console, the status should be listed as “The TPM is on and ownership has been taken,” as shown in Figure 15-5.
Figure 15-5 The status of an initialized TPM shows ownership has been taken
Turning an Initialized TPM On or Off

Computers that have TPM might ship with TPM turned on. If you decide not to use TPM, you should turn off and clear the TPM. If you want to reconfigure or recycle a computer, you should also turn off and clear the TPM, after first decrypting or recovering any BitLocker-protected volumes that depend on it.

To turn off TPM, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Turn TPM Off. This starts the Manage The TPM Security Hardware wizard.
2. On the Turn Off The TPM Security Hardware page, shown in Figure 15-6, use one of the following methods for entering the current password and turning off the TPM:

If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Turn TPM Off.

If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter the TPM password (including dashes) and then click Turn TPM Off.

If you do not know your TPM owner password, click I Don’t Have The TPM Owner Password, and then follow the instructions provided to turn off the TPM without entering the password. Turning off the TPM without the owner password relies on your physical presence at the computer rather than on the owner authorization, which is why you must be logged on locally and typically must confirm the change at the console when the computer restarts.

3. In the TPM Management console, the status should be listed as “The TPM is off and ownership has been taken.” Do not discard the TPM owner password file or printout. You will need this information if you want to turn the TPM back on.

Figure 15-6 Click an option for turning off the TPM
After you’ve used the previously listed procedure to turn off the TPM in software, you can turn on the TPM in software by following these steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Turn TPM On. This starts the Manage The TPM Security Hardware wizard.

2. On the Turn On The TPM Security Hardware page, use one of the following methods for entering the current TPM password and turning on the TPM:

If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Turn TPM On.

If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter the TPM password (including dashes) and then click Turn TPM On.

If you do not know your TPM owner password, click I Don’t Have The TPM Owner Password, and then follow the instructions provided to turn on the TPM without entering the password. As with turning the TPM off, this path relies on your physical presence at the computer, so you must be logged on locally and typically must confirm the change at the console when the computer restarts.

3. In the TPM Management console, the status should be listed as “The TPM is on and ownership has been taken.” Do not discard the TPM owner password file or printout. You will need this information if you want to manage the TPM.
Clearing the TPM

Clearing the TPM cancels the TPM ownership and finalizes the shutdown of the TPM. You should only clear the TPM when a TPM-equipped computer is to be recycled or when you are certain that no data depends on keys held by the TPM.

To clear the TPM, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Clear TPM. This starts the Manage The TPM Security Hardware wizard.

Clearing the TPM resets it to factory defaults and finalizes its shutdown. As a result, you will lose all created keys and data protected by those keys. If BitLocker Drive Encryption is turned on and uses the TPM, the computer will enter Recovery mode at the next restart and a recovery password or recovery key will be required.

2. On the Clear The TPM Security Hardware page, select a method for entering the current password and clearing the TPM:

If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Clear TPM.

If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter your password (including dashes) and then click Clear TPM.

If you do not know your TPM owner password, click I Don’t Have The TPM Owner Password, and follow the instructions provided to clear the TPM without entering the password. Clearing the TPM without the owner password relies on your physical presence at the computer rather than on the owner authorization, which is why you must be logged on locally and typically must confirm the operation at the console when the computer restarts.
Changing the TPM Owner Password

You can change the TPM owner password at any time. To change the TPM owner password, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Change Owner Password. This starts the Manage The TPM Security Hardware wizard.

2. On the Change TPM Owner Password page, select a method for entering the current password:

If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Create New Password.

If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter your password (including dashes) and then click Create New Password.

3. On the Create The TPM Owner Password page, select Automatically Create The Password (Recommended) and then click Next.

4. On the Save Your TPM Owner Password page, note the 48-character TPM owner password. Click Save The Password. In the Save As dialog box, select a location to save the password backup file and then click Save. If you are saving the password backup file to the same location and name, click Yes when prompted to replace the existing file.

5. On the Save Your TPM Owner Password page, click Print The Password if you want to print a hard copy of the password. Be sure to save the printout containing the password in a secure location, such as a safe or locked file cabinet.

6. To complete the process, click Change Password. Once the change succeeds, the old password no longer works; dispose of the old printout and backup file securely.
Introducing BitLocker Drive Encryption

BitLocker Drive Encryption, a feature included in all editions of Windows Server 2008 and in the Ultimate and Enterprise editions of Windows Vista, is designed to protect the data on lost, stolen, or inappropriately decommissioned computers. Without BitLocker Drive Encryption, there are a variety of ways a user with direct physical access to a computer could gain full control and then access the computer’s data, whether that data was encrypted with EFS or not. For example, a user could use a boot disk to boot the computer and reset the administrator password. A user could also install and then boot to a different operating system, and then use this operating system to unlock the other installation.

BitLocker Drive Encryption prevents access to a computer’s drives except by authorized personnel by encrypting entire volumes. If a user tries to access a BitLocker encrypted drive without the key, the encryption prevents him from viewing the data or making controlled changes to it. This dramatically reduces the risk of an unauthorized person gaining access to confidential data using offline attacks.

Note

BitLocker Drive Encryption adds encryption overhead to disk I/O and so reduces disk throughput. Because of this, it should be used on an enterprise server only if the server is not in a physically secure location and requires additional protection.

BitLocker Drive Encryption can use a TPM to validate the integrity of a computer’s boot manager and boot files at startup, and to help ensure that a computer’s hard disk has not been tampered with while the operating system was offline. To do this, the measurements of the early boot components are recorded in the TPM, and the key that protects the volume is sealed to those measurements.

Every time the computer is started, the measurements taken during boot are compared with the values the key was sealed to. If the boot manager, boot files, or other measured components have been modified while the computer was offline, the TPM refuses to release the key required to access Windows. The computer then goes into Recovery mode, prompting the user to provide a recovery password or recovery key before allowing access to the boot volume. Recovery mode is also used if a BitLocker encrypted disk drive is transferred to another system, because the new system’s TPM holds a different SRK and cannot unseal the key.

BitLocker Drive Encryption can be used on both TPM and non-TPM computers. If a computer has a TPM, BitLocker Drive Encryption uses the TPM to provide enhanced protection for your data and to ensure early boot file integrity. These features together help prevent unauthorized viewing and accessing of data by encrypting the entire Windows volume and by safeguarding the boot files from tampering. If a computer doesn’t have a TPM or its TPM isn’t compatible with Windows, BitLocker Drive Encryption can be used to encrypt entire volumes and in this way protect the volumes from tampering. This configuration, however, doesn’t allow the added security of early boot file integrity validation.
On computers with a compatible TPM that is initialized, BitLocker Drive Encryption can use one of three TPM modes:

TPM Only  In this mode, only the TPM is used for validation. When the computer boots, the TPM checks the measurements of the boot files and other early boot components before releasing the key that unlocks the encrypted volumes. As the user doesn’t need to provide an additional startup key, this mode is transparent to the user and the user logon experience is unchanged. However, if the TPM is missing or the measured boot components have changed, BitLocker will enter Recovery mode and require a recovery key or password to regain access to the boot volume. Because this mode relies on the TPM alone, it protects against offline tampering but does not by itself stop someone who can boot the intact computer from reaching the logon screen.

TPM and PIN  In this mode, the TPM and a user-entered PIN are used for validation. When the computer boots, the TPM checks the measurements of the early boot components, and the user must enter a PIN when prompted to continue startup. If the user doesn’t have the PIN or is unable to provide the correct PIN, BitLocker will enter Recovery mode instead of booting to the operating system. As before, BitLocker will also enter Recovery mode if the TPM is missing or the measured boot components have changed.

TPM and Startup Key  In this mode, the TPM and a startup key stored on a USB flash drive are used for validation. When the computer boots, the TPM checks the measurements of the early boot components, and the user must have the USB flash drive with the startup key to start the computer. If the user doesn’t have the startup key or is unable to provide the correct startup key, BitLocker will enter Recovery mode. As before, BitLocker will also enter Recovery mode if the TPM is missing or the measured boot components have changed.

On computers without a TPM or on computers that have incompatible TPMs, BitLocker Drive Encryption uses Startup Key Only mode. As the name implies, this mode requires a USB flash drive containing a startup key. The user inserts the USB flash drive in the computer before turning it on. The key stored on the flash drive unlocks the computer. If the user doesn’t have the startup key or is unable to provide the correct startup key, BitLocker will enter Recovery mode. Because no TPM is involved, there is no validation of the boot files in this mode; the protection comes from the encryption alone.
Deploying BitLocker Drive Encryption

Deploying BitLocker Drive Encryption in an enterprise changes the way both administrators and users work with computers. A computer with BitLocker Drive Encryption in any mode other than TPM Only requires user intervention to boot to the operating system: a user must either enter a PIN or insert a USB flash drive containing a startup key. Because of this, after you’ve deployed BitLocker Drive Encryption in one of these modes, you can no longer be assured that you can perform remote administration that requires a computer to be restarted without having physical access to the computer; someone will need to be available to type in the required PIN or insert the USB flash drive with the startup key. Even in TPM Only mode, a firmware update or a change to the measured boot components can drop the computer into Recovery mode on restart, so the recovery password must be retrievable by the administrator performing the restart.
Before you use BitLocker Drive Encryption, you should perform a thorough evaluation of your organization’s computers. You will need to develop plans and procedures for:

Evaluating the various BitLocker authentication methods and applying them as appropriate

Determining whether computers support TPM and thus whether you must use TPM or non-TPM BitLocker configurations

Storing, using, and periodically changing encryption keys, recovery passwords, and other validators used with BitLocker

You will need to develop new procedures for:

Working with BitLocker encrypted drives

Supporting BitLocker encrypted drives

Recovering computers with BitLocker encrypted drives

These procedures will need to take into account the way BitLocker encryption works and the requirements to have PINs, startup keys, and recovery keys available whenever you work with BitLocker encrypted computers. After you’ve evaluated your organization’s computers and developed basic plans and procedures, you’ll need to develop a configuration plan for implementing BitLocker Drive Encryption.
Note
Two implementations of BitLocker Drive Encryption are available: the original BitLocker Drive Encryption as released with Windows Vista and the updated BitLocker Drive Encryption as released with Windows Server 2008 With the updated implementation, you can use BitLocker encryption on both system and data volumes Because Windows Vista and Windows Server 2008 share the same core kernel and architecture, the updated BitLocker Drive Encryption should also become available in Windows Vista
BitLocker Drive Encryption requires a specific disk configuration. On a computer with a compatible TPM, you must create or make available a BitLocker Drive Encryption partition on your hard drive and then initialize the TPM as discussed previously under “Initializing a TPM for First Use” on page 471. On a computer without a compatible TPM, you only need to create or make available a BitLocker Drive Encryption partition on your hard drive.
The way you create the BitLocker Drive Encryption partition depends on whether the computer has an operating system installed. If the computer doesn’t have an operating system installed, follow the procedure discussed under “Creating the BitLocker Drive Encryption Partition for a Computer with No Operating System” on page 482. If the computer has an operating system installed, follow the procedure discussed under “Creating the BitLocker Drive Encryption Partition for a Computer with an Operating System” on page 482.
You can use Local Group Policy and Active Directory Group Policy to help you manage and maintain TPM and BitLocker configurations. TPM Services Group Policy settings are found in Computer Configuration\Administrative Templates\System\Trusted Platform Module Services and include:

Turn On TPM Backup To Active Directory Domain Services

Configure The List Of Blocked TPM Commands

Ignore The Default List Of Blocked TPM Commands

Ignore The Local List Of Blocked TPM Commands

BitLocker Group Policy settings are found in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption and include:

Turn On BitLocker Backup To Active Directory Domain Services

Control Panel Setup: Configure Recovery Folder

Control Panel Setup: Configure Recovery Options

Control Panel Setup: Enable Advanced Startup Options

Configure Encryption Method

Prevent Memory Overwrite On Restart

Configure TPM Platform Validation Profile

BitLocker policy settings apply to both Windows Vista and Windows Server 2008. Unlike Active Directory Domain Services for Windows Server 2003, Active Directory Domain Services for Windows Server 2008 includes the TPM and BitLocker recovery extensions for Computer objects. For TPM, the extensions define a single property of the Computer object called ms-TPM-OwnerInformation. When the TPM is initialized or when the owner password is changed, the hash of the TPM owner password can be stored as the value of the ms-TPM-OwnerInformation attribute on the related Computer object. For BitLocker, these extensions define Recovery objects as child objects of Computer objects; these are used to store recovery passwords and associate them with specific BitLocker encrypted volumes. Because anyone who can read these values can unlock the corresponding computers, restrict read access to them to the administrators responsible for recovery and audit access to them.
SIDE OUT Using TPM, BitLocker, and FIPS with AD DS

To ensure that TPM and BitLocker recovery information is always available, you should configure Group Policy to require its backup. With Turn On TPM Backup To Active Directory Domain Services, enable the policy and then use the setting Require TPM Backup To AD DS. With Turn On BitLocker Backup To Active Directory Domain Services, enable the policy and then use the setting Require BitLocker Backup To AD DS. When backup is required, BitLocker cannot be turned on for a volume unless the computer is connected to the domain and the recovery information has been written to AD DS, which protects you from computers that were encrypted while disconnected and never had their recovery password escrowed.

For Federal Information Processing Standard (FIPS) compliance, you cannot create or save a BitLocker recovery password. Instead, you’ll need to configure Windows to create recovery keys. The FIPS setting is located in the Security Policy Editor at Local Policies\Security Options\System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, And Signing. To use it, enable the security option System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, And Signing in Local Group Policy or Active Directory Group Policy as appropriate. With this setting enabled, users can save a recovery key only to a USB flash drive. Users will not be able to save a recovery password to AD DS, local folders, or network folders, and also will not be able to use the BitLocker Drive Encryption wizard or any other method to create a recovery password. Because recovery passwords cannot be saved to AD DS when FIPS is enabled, Windows will display an error if AD DS backup is required by Group Policy.
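As an added example that is not part of the original chapter, the following Python checks the structure of the 48-digit BitLocker recovery password that these policies escrow to AD DS and converts it to and from the 16 bytes of key material it encodes. The structure is the one Microsoft documents for the recovery password (eight groups of six digits, each group a multiple of 11 and less than 720,896, each group divided by 11 giving a 16-bit little-endian word); the sample value below is constructed from the bytes 00 to 0f and is not a real password, and the key-stretching step that turns the 16 bytes into the key that unlocks the volume is not reproduced here.

```python
"""Validate and encode BitLocker 48-digit recovery passwords (added example, not from the chapter)."""
import re
from typing import List, Optional

GROUPS = 8
DIGITS_PER_GROUP = 6
GROUP_LIMIT = 65536 * 11  # 720896: a valid group, divided by 11, must fit in 16 bits


def _groups(text: str) -> Optional[List[int]]:
    """Split '123456-...' (dashes or spaces optional) into eight integers, or None if not 48 digits."""
    digits = re.sub(r"[\s-]", "", text)
    if not re.fullmatch(r"\d{48}", digits):
        return None
    return [int(digits[i * DIGITS_PER_GROUP:(i + 1) * DIGITS_PER_GROUP]) for i in range(GROUPS)]


def _group_ok(group: int) -> bool:
    # Each group carries its own check: a multiple of 11 below the 16-bit limit.
    return group % 11 == 0 and group < GROUP_LIMIT


def which_groups_fail(text: str) -> List[int]:
    """1-based positions of groups that fail the check; all eight if the shape itself is wrong."""
    groups = _groups(text)
    if groups is None:
        return list(range(1, GROUPS + 1))
    return [i + 1 for i, g in enumerate(groups) if not _group_ok(g)]


def parse_recovery_password(text: str) -> Optional[bytes]:
    """Return the 16 bytes of key material, or None if any group fails its check."""
    groups = _groups(text)
    if groups is None or not all(_group_ok(g) for g in groups):
        return None
    # group // 11 is a 16-bit word, stored little-endian, eight words in order.
    return b"".join((g // 11).to_bytes(2, "little") for g in groups)


def format_recovery_password(key_material: bytes) -> str:
    """Inverse of parse_recovery_password: 16 bytes -> 'dddddd-dddddd-...-dddddd'."""
    if len(key_material) != 2 * GROUPS:
        raise ValueError("recovery password key material is exactly 16 bytes")
    words = (int.from_bytes(key_material[2 * i:2 * i + 2], "little") for i in range(GROUPS))
    return "-".join(f"{w * 11:0{DIGITS_PER_GROUP}d}" for w in words)


# Constructed sample: key material 00 01 02 ... 0f; never a real recovery password.
SAMPLE_KEY = bytes(range(16))
SAMPLE_PASSWORD = format_recovery_password(SAMPLE_KEY)

if __name__ == "__main__":
    print(SAMPLE_PASSWORD)
    print(parse_recovery_password(SAMPLE_PASSWORD) == SAMPLE_KEY)
    typo = SAMPLE_PASSWORD[:5] + "7" + SAMPLE_PASSWORD[6:]  # one digit wrong in group 1
    print(which_groups_fail(typo))
```

Because each group carries its own check, a help-desk operator reading a password back over the phone can be told which group to re-read, and the same check is a cheap sanity test before trusting a recovery password pulled from a printout or from a Recovery object in AD DS.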
Setting Up and Managing BitLocker Drive Encryption

With Windows Server 2008, you can configure and enable BitLocker Drive Encryption on both system volumes and data volumes. However, if you want to encrypt a server’s data volumes you must first encrypt its system volume. When you use encrypted data volumes, the operating system mounts BitLocker data volumes as it would any other volume.

The encryption key for a protected data volume is created and stored independently from the system volume and all other protected data volumes. To allow the operating system to mount encrypted volumes, the key chain protecting the data volume is stored encrypted on the operating system volume. If the operating system enters Recovery mode, the data volumes are not unlocked until the operating system is out of Recovery mode.
Setting up BitLocker Drive Encryption is a multistep process that involves:

1. Partitioning a computer’s hard disks appropriately and installing the operating system, if you are configuring a new computer

2. Initializing and configuring a computer’s TPM (if applicable)

3. Installing the BitLocker Drive Encryption feature (as necessary)
4. Checking firmware to ensure that the computer is set to first start from the disk containing the system partition and the BitLocker partition, not the USB or CD/DVD drives
5. Turning on and configuring BitLocker Drive Encryption
After you've turned on and configured BitLocker encryption, there are several techniques you can use to maintain the environment and perform recovery.
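The sidebar above describes three policies that interact: TPM backup to AD DS, BitLocker backup to AD DS, and FIPS mode, where FIPS plus a required AD DS backup makes BitLocker setup fail. The following PowerShell script is an added example, not code from the book: it reads the registry values those policies write and reports that conflict before you start the wizard. The value names under HKLM\SOFTWARE\Policies\Microsoft\FVE and \TPM are assumed to be the ones the Windows Vista and Windows Server 2008 policy templates use; confirm them against your ADMX files before relying on the check.

```powershell
# Added example, not from the book: audit the policy state described in the
# sidebar (TPM and BitLocker backup to AD DS, FIPS mode) and flag the
# combination that makes BitLocker setup fail: FIPS enabled while Group
# Policy requires recovery information to be backed up to AD DS.
# ASSUMPTION: the value names below are the ones the Windows Vista /
# Server 2008 policy templates write for these settings.

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # $null means "not configured" (key or value absent), distinct from 0.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}

function Test-BitLockerPolicyReadiness {
    $fve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $tpm  = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $fips = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

    $tpmBackup   = (Get-PolicyDword $tpm  'ActiveDirectoryBackup')        -eq 1
    $tpmRequired = (Get-PolicyDword $tpm  'RequireActiveDirectoryBackup') -eq 1
    $bdeBackup   = (Get-PolicyDword $fve  'ActiveDirectoryBackup')        -eq 1
    $bdeRequired = (Get-PolicyDword $fve  'RequireActiveDirectoryBackup') -eq 1
    $fipsEnabled = (Get-PolicyDword $fips 'Enabled')                      -eq 1

    $findings = @()
    if (-not ($tpmBackup -and $tpmRequired)) {
        $findings += 'TPM owner information is not required to be backed up to AD DS.'
    }
    if (-not ($bdeBackup -and $bdeRequired)) {
        $findings += 'BitLocker recovery information is not required to be backed up to AD DS.'
    }
    if ($fipsEnabled -and $bdeRequired) {
        $findings += 'CONFLICT: FIPS mode forbids recovery passwords, but policy requires ' +
                     'BitLocker backup to AD DS; turning on BitLocker will fail. Either ' +
                     'drop the backup requirement and escrow USB recovery keys, or disable FIPS.'
    } elseif ($fipsEnabled) {
        $findings += 'FIPS mode: only recovery keys on USB flash drives can be created; ' +
                     'plan a separate escrow process for the .bek files.'
    }

    New-Object PSObject -Property @{
        TpmBackupRequired       = $tpmRequired
        BitLockerBackupRequired = $bdeRequired
        FipsEnabled             = $fipsEnabled
        Ready                   = ($findings.Count -eq 0)
        Findings                = $findings
    }
}

# Usage (run elevated so the HKLM policy keys are readable):
Test-BitLockerPolicyReadiness | Format-List
```

Run it after a gpupdate on the machine you intend to encrypt; a Ready value of False with the CONFLICT finding tells you to fix policy before the wizard, rather than discovering the error midway through setup.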
Creating the BitLocker Drive Encryption Partition for a Computer with No Operating System
BitLocker Drive Encryption requires two NTFS drive partitions, one for the system volume and one for the operating system volume. The system volume partition must be at least 1.5 gigabytes (GB) and set as the active partition.
On new hardware, you create the BitLocker Drive Encryption partition on a computer with no operating system To do this, you start the computer from the installation media and then create two partitions on the computer’s primary disk:
The first partition is the partition for BitLocker Drive Encryption. This partition holds the files required to start the operating system and is not encrypted. The second is the primary partition for the operating system and your data. This partition is encrypted when you turn on BitLocker.
You can partition a drive with no operating system for BitLocker Drive Encryption by following these steps:
1. Insert the Windows installation disc for the hardware architecture and then boot from the installation disc by pressing a key when prompted. If the server does not allow you to boot from the installation disc, you might need to change firmware options to allow booting from a CD/DVD-ROM drive.
2. If Windows Setup doesn't start automatically, select Windows Setup (EMS Enabled) on the Windows Boot Manager menu to start Windows Setup.
3. On the Install Windows page, select the language, time, and keyboard layout options that you want to use. Click Next.
4. On the next Setup page, you have several options:
If a Repair Your Computer link is available in the lower-left corner of the Install Windows page, click this option to start the System Recovery Options wizard. On the System Recovery Options page, click Command Prompt to access the MINWINPC environment.
If a Repair Your Computer link is not available (such as when there is no current Windows Server 2008 or later operating system already installed), click Install Now. Proceed through the installation process until you get to the Where Do You Want To Install Windows page. At this point, press Shift+F10 to access a command prompt.
5. In the Command Prompt window, type diskpart and press Enter.
6. Select the hard disk to use by typing select disk 0.
7. Erase the existing partition table by typing clean. This destroys all data on the disk.
8. Create the BitLocker partition by typing create partition primary size=1500.
9. Designate the partition as S: by typing assign letter=s.
10. Make the partition the active partition by typing active.
11. Format the partition using NTFS as the file system by typing format fs=ntfs.
12. Create the operating system partition using the rest of the available disk space by typing create partition primary.
13. Designate the partition as C: by typing assign letter=c.
14. Format the partition using NTFS as the file system by typing format fs=ntfs.
15. Quit the DiskPart application by typing exit.
16. Quit the command prompt by typing exit.
17. Return to the main installation screen by clicking Close. Proceed with the installation process. Install Windows Server 2008 on drive C.
18. If the computer has a TPM, you will need to initialize it as discussed under "Initializing a TPM for First Use" on page 471. While you are working with firmware, you should also ensure that the computer is set to first start from the disk containing the system partition and the BitLocker partition, not the USB or CD/DVD drives.
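The DiskPart steps above can be captured in a script file and run in one go with diskpart /s, which avoids typing the destructive clean command by hand on the wrong disk. The script below is an added example, not the book's own procedure. It assumes disk 0 is the boot disk, that S: becomes the 1.5 GB active system partition and C: the operating system partition (both NTFS, as the text requires), and it refuses to run without -Force. PowerShell is not available in the Setup command prompt you reach with Shift+F10; there, save the text that New-BitLockerDiskScript prints to a file with notepad and run diskpart /s against it directly.

```powershell
# Added example, not from the book: the DiskPart steps above as a script
# that "diskpart /s" runs non-interactively. It erases the target disk, so
# it refuses to run without -Force.
# ASSUMPTIONS: disk 0 is the boot disk; S: becomes the 1.5 GB active system
# partition, C: the operating system partition; both use NTFS as required.

function New-BitLockerDiskScript {
    param([int]$DiskNumber = 0, [int]$SystemPartitionMB = 1500)
    # BitLocker needs at least 1.5 GB for the unencrypted system partition.
    if ($SystemPartitionMB -lt 1500) {
        throw "System partition must be at least 1500 MB, got $SystemPartitionMB"
    }
    # Quick format is enough on a freshly cleaned disk; drop "quick" for a full format.
    @"
select disk $DiskNumber
clean
create partition primary size=$SystemPartitionMB
assign letter=s
active
format fs=ntfs label="System" quick
create partition primary
assign letter=c
format fs=ntfs label="Windows" quick
list volume
exit
"@
}

function Invoke-BitLockerDiskLayout {
    param([int]$DiskNumber = 0, [int]$SystemPartitionMB = 1500, [switch]$Force)
    if (-not $Force) {
        Write-Warning "This erases every partition on disk $DiskNumber. Re-run with -Force."
        return $null
    }
    $scriptPath = Join-Path $env:TEMP 'bitlocker-layout.txt'
    New-BitLockerDiskScript -DiskNumber $DiskNumber -SystemPartitionMB $SystemPartitionMB |
        Set-Content -Path $scriptPath -Encoding ASCII
    & "$env:windir\System32\diskpart.exe" /s $scriptPath
    $rc = $LASTEXITCODE
    Remove-Item $scriptPath -ErrorAction SilentlyContinue
    if ($rc -ne 0) { throw "DiskPart failed with exit code $rc" }
    return $rc
}

# Preview the script without touching the disk:
New-BitLockerDiskScript -DiskNumber 0
# Apply it (destructive):
# Invoke-BitLockerDiskLayout -DiskNumber 0 -Force
```

The trailing list volume command prints the resulting layout so you can confirm that S: is the small active partition and C: holds the rest before continuing with Setup.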
Creating the BitLocker Drive Encryption Partition for a Computer with an Operating System
BitLocker Drive Encryption requires two NTFS drive partitions, one for the system volume and one for the operating system volume. The system volume partition must be at least 1.5 GB and set as the active partition.
On a computer running Windows Server 2008, Windows configures an available partition as the necessary BitLocker Drive Encryption partition during the BitLocker configuration process. As long as the server has at least two partitions on one or more disks, Windows will configure one partition as the boot partition and another partition as the active, system partition. The boot partition is the one containing the operating system files. The active, system partition is the one containing the boot manager and other files needed by BitLocker during startup. Because you will not be able to encrypt the active, system partition used by BitLocker, it is a recommended best practice that you size the first partition on the first available disk (typically disk 0) with BitLocker in mind. Specifically, this partition should be at least 1.5 GB in size and should not be used for other purposes, such as storing server data.
On a computer running Windows Vista Ultimate or Windows Vista Enterprise, you can, in most cases, create the required BitLocker Drive Encryption partition without having to reinstall the operating system. To do this, use the BitLocker Drive Preparation Tool (BdeHdCfg.exe), which you'll find in the %ProgramFiles%\BitLocker folder. If the tool is not available, you should be able to download it from the Microsoft Download Web site. See Microsoft Knowledge Base article 930063 for more information (http://support.microsoft.com/kb/930063/en-us).
The BitLocker Drive Preparation Tool automates the process of creating the BitLocker partition, moving the required files to this partition, and setting the partition as the active volume. There are several caveats to using this tool:
The drive must be formatted as a basic disk with simple volumes. Although hardware RAID configurations can be implemented, no software spanning, mirroring, or other RAID configurations are supported.
The partition must be a primary partition. Extended partitions and logical drives are not supported.
The partition must be formatted as NTFS and the file system must not be compressed.
The partition cluster size must be less than or equal to 4 KB in size.
You can perform four general operations with the BitLocker Drive Preparation Tool:
Drive Info. To view drive information, type bdehdcfg -driveinfo at the command prompt. The output shows the drive letter, total size, maximum free space, and partition type of the Windows Recovery Environment, operating system, and unallocated partitions.
Use Unallocated Space. If a disk has unallocated space of sufficient size, you can use this operation to automatically create the BitLocker partition, move the required files to this partition, and set the partition as the active volume. In the following example, you create a new S: partition in 1.5 GB of unallocated space:
bdehdcfg -target unallocated -newdriveletter s: -size 1500 -quiet -restart
Split Partition. If the operating system partition is large enough to split to create the required BitLocker partition, you can perform a split operation. For a split operation, at least 10 percent of the operating system partition must remain free after the partition is reduced by 1.5 GB to create the BitLocker partition. In the following example, you create a new S: partition by splitting the C: partition, taking 1.5 GB of free space from that partition:
bdehdcfg -target c: shrink -newdriveletter s: -size 1500 -quiet -restart
Merge Partition. When a disk has a separate partition (that is not being used as the operating system partition), you can merge the required boot files into the partition and set the partition as the active partition for BitLocker using a merge operation. For a merge operation, the partition must have a total capacity of at least 1.5 GB and at least 800 MB of free disk space. In the following example, you merge the files and settings BitLocker requires into the existing D: partition:
bdehdcfg -target d: merge -size 1500 -quiet -restart
If the computer has a TPM, you will need to initialize it as discussed under "Initializing a TPM for First Use" on page 471.
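The three BdeHdCfg operations above each have a size rule (enough unallocated space; a split that leaves at least 10 percent of the operating system partition free; a merge target with 1.5 GB total and 800 MB free). The PowerShell script below is an added example, not the book's code or part of the tool: it applies those rules to the sizes WMI reports for the volumes and builds the matching bdehdcfg command line without running it. It assumes Win32_LogicalDisk reports Size and FreeSpace in bytes, and because WMI does not report unallocated space, that figure is taken from bdehdcfg -driveinfo and passed in by hand.

```powershell
# Added example, not from the book: pick the BdeHdCfg operation that fits the
# disk layout using the rules above (1.5 GB system partition; a split must
# leave at least 10 percent of the operating system partition free; a merge
# target needs 1.5 GB total and 800 MB free) and build the command line.
# ASSUMPTIONS: partition sizes come from WMI Win32_LogicalDisk (bytes); the
# unallocated-space figure comes from "bdehdcfg -driveinfo" and is passed in.
# The command is only returned as text, not executed.

function Test-SplitAllowed {
    param([double]$SizeMB, [double]$FreeMB, [double]$NewPartitionMB = 1500)
    # The new partition is carved out of the OS partition's free space, so both
    # the size and the free space of the OS partition shrink by that amount.
    $newSize = $SizeMB - $NewPartitionMB
    $newFree = $FreeMB - $NewPartitionMB
    return ($newFree -ge 0) -and ($newFree -ge 0.10 * $newSize)
}

function Test-MergeAllowed {
    param([double]$SizeMB, [double]$FreeMB)
    return ($SizeMB -ge 1500) -and ($FreeMB -ge 800)
}

function Get-BdeHdCfgPlan {
    param(
        [string]$OsDrive = 'C:',
        [string]$NewLetter = 'S:',
        [int]$SizeMB = 1500,
        [double]$UnallocatedMB = 0,   # from "bdehdcfg -driveinfo"
        [string]$SpareDrive = ''      # existing non-OS partition to merge into, if any
    )
    if ($UnallocatedMB -ge $SizeMB) {
        return "bdehdcfg -target unallocated -newdriveletter $NewLetter -size $SizeMB -quiet -restart"
    }
    if ($SpareDrive) {
        $spare = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$SpareDrive'"
        if ($spare -and (Test-MergeAllowed ($spare.Size / 1MB) ($spare.FreeSpace / 1MB))) {
            return "bdehdcfg -target $SpareDrive merge -quiet -restart"
        }
    }
    $os = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$OsDrive'"
    if ($os -and (Test-SplitAllowed ($os.Size / 1MB) ($os.FreeSpace / 1MB) $SizeMB)) {
        return "bdehdcfg -target $OsDrive shrink -newdriveletter $NewLetter -size $SizeMB -quiet -restart"
    }
    throw "No layout option satisfies the BdeHdCfg requirements; free space on $OsDrive or add a partition."
}

# Usage: paste the unallocated figure from "bdehdcfg -driveinfo" here.
Get-BdeHdCfgPlan -UnallocatedMB 0
# With a spare data partition available as a merge target:
# Get-BdeHdCfgPlan -UnallocatedMB 0 -SpareDrive 'D:'
```

Review the returned command before running it; -quiet -restart reboots the server as soon as the tool finishes.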
Configuring and Enabling BitLocker Drive Encryption
As discussed previously, BitLocker Drive Encryption can be used in a TPM or non-TPM configuration. Both configurations require some preliminary work before you can turn on and configure BitLocker Drive Encryption.
With Windows Vista Ultimate and Enterprise, BitLocker should be installed by default
With Windows Server 2008, you can install the BitLocker Drive Encryption feature using the Add Features Wizard. Alternatively, on a server, you can install BitLocker Drive Encryption by entering the following command at an elevated command prompt:
servermanagercmd -install bitlocker
Either way, you will need to restart the computer to complete the installation process.
After you've installed BitLocker, you can determine the readiness status of a computer by accessing the BitLocker Drive Encryption console. Click Start, Control Panel, Security, and then BitLocker Drive Encryption. If the system isn't properly configured yet, you'll see a message similar to the one shown in the following screen.
If you see this message on a computer with a compatible TPM, refer to "Understanding TPM States and Tools" on page 469 to learn more about TPM states and enabling TPM in firmware. If you see this message on a computer with an incompatible TPM or no TPM, you'll need to change the computer's Group Policy settings so that you can turn on BitLocker Drive Encryption without a TPM.
You can configure policy settings for BitLocker encryption in Local Group Policy or in Active Directory Group Policy. For local policy, you apply the desired settings to the computer's Local Group Policy object. For domain policy, you apply the desired settings to a Group Policy object processed by the computer. While you are working with domain policy, you can also specify requirements for computers with a TPM.
To configure the way BitLocker can be used with or without a TPM, follow these steps:
1. Open the appropriate Group Policy object for editing in the Group Policy Object Editor or the Group Policy Management Editor.
2. Double-click the setting Control Panel Setup: Enable Advanced Startup Options in the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption folder.
3. In the Control Panel Setup: Enable Advanced Startup Options Properties dialog box, shown in Figure 15-7, define the policy setting by selecting Enabled.
Figure 15-7 Choose an option for turning off the TPM
4. If you want to allow BitLocker to be used without a compatible TPM, select the Allow BitLocker Without A Compatible TPM check box. This changes the policy setting so that you can use BitLocker encryption with a startup key on a computer without a TPM.
5. You can configure policy for computers with a TPM in several ways. You can:
Allow users to create or skip creating a TPM startup key by setting the Configure TPM Startup Key Option list to Allow User To Create Or Skip.
Allow users to create or skip creating a TPM startup PIN by setting the Configure TPM Startup PIN Option list to Allow User To Create Or Skip.
Require a startup key with TPM while disallowing a startup PIN by setting the Configure TPM Startup Key Option list to Require Startup Key With TPM and the Configure TPM Startup PIN Option list to Disallow Startup PIN With TPM.
Require a startup PIN with TPM while disallowing a startup key by setting the Configure TPM Startup Key Option list to Disallow Startup Key With TPM and the Configure TPM Startup PIN Option list to Require Startup PIN With TPM.
7. Close the Group Policy Object Editor. To force Group Policy to apply immediately to this computer, click Start, type gpupdate.exe /force in the Search box, and then press Enter.
Computers that have a startup key or a startup PIN also have a recovery password. The recovery password is required in the event that:
Changes are made to the system startup information.
The encrypted drive must be moved to another computer.
The user is unable to provide the appropriate startup key or PIN.
The recovery password should be managed and stored separately from the startup key or startup PIN. Although users are given the startup key or startup PIN, administrators should be the only ones with the recovery password. As the administrator, you will need the recovery password to unlock the encrypted data on the volume if BitLocker enters a locked state. The recovery password is unique to this particular BitLocker encryption. You cannot use it to recover encrypted data from any other BitLocker encrypted volume, even from other BitLocker encrypted volumes on the same computer. To increase security, you should store startup keys and recovery passwords apart from the computer.
When you install BitLocker Drive Encryption and configure policy (if necessary), the BitLocker Drive Encryption console becomes available in Control Panel. When you are configuring BitLocker encryption, the configuration options you have will depend on whether the computer has a TPM as well as how you've configured Group Policy.
To enable BitLocker encryption for use with a startup key, follow these steps:
1. Click Start, Control Panel, Security, and then double-click BitLocker Drive Encryption. As shown in the following screen, the Turn On BitLocker option will be listed under the operating system volume.
2. Click Turn On BitLocker. If you are warned about BitLocker degrading performance, as shown in the following screen, click Continue With BitLocker Drive Encryption.
3. On the Set BitLocker Startup Preferences page, shown in the following screen, click the Require Startup USB Key At Every Startup option, as you want to require a user to insert a startup key to boot to the operating system.
4. Insert a USB flash drive in the computer (if it is not already there).
5. On the Save Your Startup Key page, choose the location of your USB flash drive, and then click Save.
6. Next, you need to save the recovery password. As you should not store the recovery password and the startup key on the same media, remove the USB flash drive and insert a second USB flash drive.
Note
The startup key is different from the recovery password. If you create a startup key, this key will then be required to start the computer. The recovery password is required to unlock the computer if BitLocker enters Recovery mode, such as would happen if BitLocker suspects the computer has been tampered with while offline.
7. On the Save The Recovery Password page, shown in the following screen, click Save The Password On A USB Drive.
8. In the Save A Recovery Password To A USB Drive dialog box, choose the location of your USB flash drive, and then click Save. Do not remove the USB drive with the recovery password.
9. You can now optionally save the recovery password to a folder, print the recovery password, or both. For each option, click the option and follow the wizard steps to set the location for saving or printing the recovery password. When you are finished, click Next.
10. On the Encrypt The Volume page, shown in the following screen, confirm that the Run BitLocker System Check check box is selected, and then click Continue.
11. Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and BitLocker ensures that the computer is compatible and ready for encryption. If the computer is not ready for encryption, you will see an error and will need to resolve the error status before you can complete this procedure. If the computer is ready for encryption, the Encryption In Progress status bar is displayed. You can monitor the ongoing completion status of the disk volume encryption by dragging your mouse cursor over the BitLocker Drive Encryption icon in the notification area at the bottom of your screen. By double-clicking this icon, you can open the Encrypting dialog box, shown in the following screen, and monitor the encryption process more closely.
You also have the option to pause the encryption process. Volume encryption takes approximately one minute per gigabyte to complete.
By completing this procedure, you have encrypted the operating system volume and created a recovery password unique to that volume. The next time you turn your computer on, the USB flash drive with the startup key must be plugged into a USB port on the computer. If you do not have the USB flash drive containing your startup key, then to access the data you will need to use Recovery mode and supply the recovery password.
To enable BitLocker encryption for use with a startup PIN, follow these steps:
1. Click Start, Control Panel, Security, and then double-click BitLocker Drive Encryption. The Turn On BitLocker option will be listed under the operating system volume.
2. Click Turn On BitLocker. If you are warned about BitLocker degrading performance, click Continue With BitLocker Drive Encryption.
3. On the Set BitLocker Startup Preferences page, select the Require PIN At Every Startup option, as you want to require a user to enter a PIN to boot to the operating system.
4. On the Type Your Startup PIN page, enter the desired PIN. The PIN can be any number you choose from 4 to 20 digits in length. The PIN is tied to this computer's TPM rather than saved to removable media; the TPM uses it to release the volume key at startup.
5. Insert a USB flash drive on which you want to save the recovery password and then click Next.
Continue with steps 7 to 11 starting on page 489.
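Both wizard procedures above (startup key on USB, or TPM plus PIN) can be driven from the command line with manage-bde, which also makes it easy to keep the recovery password off the startup-key drive, as the text requires. The following PowerShell script is an added example, not code from the book. It assumes the switch names of manage-bde -on (-RecoveryPassword, -StartupKey, -TPMAndPIN, -SkipHardwareTest), that Windows Server 2008 ships the tool as manage-bde.wsf run through cscript while later versions ship manage-bde.exe, and that the tool prints the numerical recovery password as eight groups of six digits.

```powershell
# Added example, not from the book: the two wizard procedures above (startup
# key, or TPM plus PIN) driven through manage-bde, storing the recovery
# password on different media from the startup key.
# ASSUMPTIONS: switch names follow manage-bde -on; Server 2008 has
# manage-bde.wsf (cscript), later versions manage-bde.exe; the recovery
# password appears in the output as 8 groups of 6 digits.

function Get-ManageBdeCommand {
    $exe = Join-Path $env:windir 'System32\manage-bde.exe'
    if (Test-Path $exe) { return @{ Exe = $exe; Prefix = @() } }
    $wsf = Join-Path $env:windir 'System32\manage-bde.wsf'
    return @{ Exe = 'cscript.exe'; Prefix = @('//nologo', $wsf) }
}

function Invoke-ManageBde {
    param([string[]]$Arguments)
    $tool = Get-ManageBdeCommand
    $exe  = $tool.Exe
    $all  = @($tool.Prefix) + $Arguments
    & $exe $all 2>&1 | ForEach-Object { "$_" }
}

function Get-RecoveryPasswordFromOutput {
    param([string[]]$Lines)
    # manage-bde prints the numerical password as 123456-123456-... (48 digits).
    foreach ($line in $Lines) {
        if ($line -match '\b(\d{6}-){7}\d{6}\b') { return $Matches[0] }
    }
    return $null
}

function Enable-OsVolumeBitLocker {
    param(
        [string]$Volume = 'C:',
        [ValidateSet('StartupKey', 'TpmPin')][string]$Mode = 'StartupKey',
        [string]$StartupKeyDrive = 'S:\',   # first USB flash drive (startup key)
        [string]$RecoveryStore = 'R:\',     # second USB drive or a secured share
        [switch]$SkipHardwareTest
    )
    # Never put the startup key and the recovery password on the same media.
    if ($Mode -eq 'StartupKey' -and
        $RecoveryStore.TrimEnd('\') -ieq $StartupKeyDrive.TrimEnd('\')) {
        throw 'Recovery password store must differ from the startup key drive.'
    }
    $bdeArgs = @('-on', $Volume, '-RecoveryPassword')
    switch ($Mode) {
        'StartupKey' { $bdeArgs += @('-StartupKey', $StartupKeyDrive) }
        'TpmPin'     { $bdeArgs += '-TPMAndPIN' }   # prompts for the 4 to 20 digit PIN
    }
    if ($SkipHardwareTest) { $bdeArgs += '-SkipHardwareTest' }

    $output = Invoke-ManageBde $bdeArgs
    $rp = Get-RecoveryPasswordFromOutput $output
    if (-not $rp) {
        throw ("manage-bde did not report a recovery password:`n" + ($output -join "`n"))
    }
    $name = "BitLocker-$env:COMPUTERNAME-$($Volume.TrimEnd(':'))-RecoveryPassword.txt"
    Set-Content -Path (Join-Path $RecoveryStore $name) -Value $rp
    # Show the protectors now on the volume; the hardware test and encryption
    # start after the restart that manage-bde asks for.
    Invoke-ManageBde @('-protectors', '-get', $Volume)
    return $rp
}

# Usage:
# Enable-OsVolumeBitLocker -Mode StartupKey -StartupKeyDrive 'S:\' -RecoveryStore 'R:\'
# Enable-OsVolumeBitLocker -Mode TpmPin -RecoveryStore 'R:\'
```

The returned recovery password is the same 48-digit value the wizard saves in step 7; treat the file written to the recovery store as administrator-only material and remove that drive before handing the startup-key drive to the user.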