
Topic: Using BitLocker to Encrypt Removable Media

  
  1. #1
    Real name: 1234

    Retired administrator
    Join date
    Jul 2009
    Location
    5678
    Posts
    5,634
    Thanks received
    2513
    Thanks given
    272

    Using BitLocker to Encrypt Removable Media

    http://www.windowsnetworking.com/articles_tutorials/Using-BitLocker-Encrypt-Removable-Media-Part1.html

    PART-1



    How to use BitLocker-to-go in order to prevent accidental data disclosure by encrypting removable media.



    Introduction

    Users who work outside of an organization have always presented a special security challenge to IT employees. On one hand, mobile workers need access to corporate data on their laptops or mobile devices. On the other hand, placing data on such devices puts the data at risk of being compromised should the device be lost or stolen.
    Many organizations forbid employees from storing data on laptops or mobile devices for this very reason. This approach is not always practical though. Restricting users from placing data on their laptops or mobile devices means that the users will have to connect to the Internet any time that they need to access data, and as we all know Internet access is not always available. For example, it is common for mobile users to try to get some work done while on a long flight. However, if the user is unable to access any data without an Internet connection then this otherwise productive time is wasted.
    Over the years Microsoft has created several different solutions that are designed to help secure the data that is stored on laptops. In Windows Vista for example, Microsoft introduced the BitLocker drive encryption feature. This feature allows the laptop’s entire hard drive to be encrypted.
    As much of an improvement as BitLocker is over the file level encryption that was previously available in Windows XP, BitLocker does have its limitations. For example, the Windows Vista version of BitLocker was only able to encrypt the system volume. If a computer contains other volumes, then EFS encryption or a third-party encryption product must still be used to secure those volumes.
    Another major BitLocker limitation was its inability to encrypt removable media. While this may not initially sound like such a big deal, it is important to remember that USB flash drives have become ubiquitous. Furthermore, the capacity of such devices has increased exponentially over the last few years. What all of this means is that vast quantities of data can easily be stored in a small, inexpensive, and easy to lose device that offers no native encryption capabilities. The really scary part is that because USB flash drives are small and inexpensive, a user may not even notice when one goes missing.
    When Microsoft created Windows 7, one of the things that they set out to do was to address the various shortcomings of BitLocker. Some of these improvements include:

    • BitLocker is now capable of encrypting all of a system’s volumes, not just the volume containing the operating system.
    • The system now performs an integrity check as a part of the boot process. This helps to verify that the computer hasn’t been tampered with while offline, and that the encrypted drive is in its original computer.
    • It is now possible to move an encrypted hard drive to another computer, or replace the system board in a system that has been BitLocker encrypted without losing access to the encrypted files.
    • Windows guards against cold boot attacks by requiring users to either enter a PIN or insert a USB flash drive containing key material prior to booting a computer or resuming from hibernation.
    • BitLocker recovery keys are now stored in the Active Directory. These keys can be used to regain access to BitLocker encrypted data in the event that a user forgets their PIN, or loses the USB flash drive containing the keying information.

    BitLocker to Go

    Perhaps the most significant new BitLocker feature is BitLocker to Go. BitLocker to Go makes it possible to encrypt removable storage devices, such as USB flash drives. That way, if the removable media is lost or stolen, the data that it contains will not be compromised.
    As you would probably expect, BitLocker encryption is not enabled by default for USB flash drives. However, BitLocker encryption can be enabled either by an administrator (via group policy settings) or by an end user.
    What is nice is that Microsoft has made it really easy for an end user to enable BitLocker encryption. BitLocker functionality is now integrated directly into Windows Explorer. This means that if an end user wants to enable BitLocker encryption for a USB device, they do not have to fumble with the Control Panel, looking for the correct setting.
    To see what I mean, take a look at Figure A. In this figure, I have inserted a USB flash drive into a computer that is running Windows 7. When I right click on the USB flash drive, Windows displays an option to turn on BitLocker.

    Figure A: Windows Explorer now contains an option to turn on BitLocker

    If I select the Turn on BitLocker option, BitLocker will only be enabled for the selected drive, not the entire system. When you enable BitLocker, Windows will prompt you to enter a password that you can use to unlock the drive. As you can see in Figure B, you also have the option of using a smart card to unlock the drive.

    Figure B: You must provide a password and / or a smart card that can be used to unlock the drive

    After entering a password, Windows generates a recovery key, and prompts you to either save the recovery key to a file or to print the recovery key, as shown in Figure C. You will notice in the figure that the Next button is grayed out until you perform at least one of these actions. Microsoft requires the recovery key to be saved or printed as a way of preventing data loss due to forgotten passwords.

    Figure C: You must save or print your recovery key

    After saving or printing your recovery key, it is time to encrypt the drive. To do so, just click the Start Encrypting button, shown in Figure D.

    Figure D: Click the Start Encrypting button to encrypt the drive

    Using an Encrypted Flash Drive

    Using an encrypted flash drive really is not that much different than using any other flash drive. If you look at Figure E, you can see that when I insert the flash drive, I am prompted to enter a password. You will also notice that the drive’s icon includes a padlock.

    Figure E: Upon inserting an encrypted flash drive, you are required to enter a password

    Upon entering the password, the icon changes to show that the drive is unlocked, as shown in Figure F.

    Figure F: After entering a password, the drive is unlocked

    Other Operating Systems

    Since BitLocker to Go was first introduced in Windows 7, you may be wondering what happens if you insert an encrypted flash drive into a PC that is running an older operating system. Figure G shows what happens when you insert an encrypted flash drive into a machine that is running Windows Vista.

    Figure G: Vista gives you the option of installing a BitLocker to Go Reader

    Although Vista does not natively support BitLocker to Go, you are provided with the option of installing a BitLocker to Go Reader. This reader is stored on the encrypted drive (in a non-encrypted format), so it is possible to install the reader even if you do not have Internet access.
    Since the dialog box also contains an option to open the folder to view the files, I decided to click on this option to see what Vista would display. As you can see in Figure H, Vista shows you some BitLocker Reader system files. All of the actual data that is stored on the drive is contained within a series of encrypted .NG files.

    Figure H: The BitLocker to Go Reader is stored on the flash drive

    Conclusion

    In this article, I have shown you how you can use BitLocker to Go to manually encrypt a USB flash drive. In Part 2 of this series, I will show you how you can use group policies to automate the process.
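The walkthrough in Part 1 is a GUI procedure. The PowerShell script below is an added example, written for this thread and not taken from the article or from Microsoft, that does the same job from the command line with manage-bde, the BitLocker utility that ships with Windows 7: it turns on BitLocker for a removable drive with a password protector plus a recovery password, then extracts the recovery password from manage-bde's output and writes it to a file named the way the wizard names its own file. The drive letter E:, the output folder, and the regular expressions (which depend on manage-bde's English output layout) are assumptions.

```powershell
# Added example, not from the original article. Scripts the Part 1 walkthrough with
# manage-bde (ships with Windows 7). Run from an elevated PowerShell prompt.
# Assumptions: the removable drive is E:, the output folder exists, and manage-bde
# prints its English output layout (the regexes below depend on it).
param(
    [string]$Drive = 'E:',
    [string]$RecoveryDir = "$env:USERPROFILE\Documents"
)

function Get-RecoveryProtector {
    # Parse "manage-bde -protectors -get" output and return the numerical-password
    # protector: its GUID and the 48-digit recovery password.
    param([string]$Volume)
    $text = (manage-bde -protectors -get $Volume) -join "`n"
    # The Numerical Password block lists the ID first, then the 48-digit password.
    $m = [regex]::Match($text,
        'Numerical Password:\s*ID:\s*\{([0-9A-Fa-f-]{36})\}\s*Password:\s*((?:\d{6}-){7}\d{6})')
    if (-not $m.Success) { throw "No numerical password protector found on $Volume" }
    [pscustomobject]@{ Id = $m.Groups[1].Value; Password = $m.Groups[2].Value }
}

function Save-RecoveryKeyFile {
    # Write the recovery password to a file named like the wizard's own file, so the
    # help desk recognizes it: "BitLocker Recovery Key <first 8 hex chars of ID>.txt".
    param([string]$Id, [string]$Password, [string]$Folder)
    $short = $Id.Substring(0, 8).ToUpper()
    $path  = Join-Path $Folder "BitLocker Recovery Key $short.txt"
    @(
        'BitLocker Drive Encryption Recovery Key',
        "Identifier:   $short",
        "Full ID:      {$Id}",
        "Recovery Key: $Password"
    ) | Set-Content -Path $path -Encoding Unicode
    return $path
}

# 1. Turn on BitLocker with a password protector and a recovery password. manage-bde
#    prompts for the password interactively, just as the wizard does.
manage-bde -on $Drive -RecoveryPassword -Password
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# 2. Do what the wizard forces the user to do: keep a copy of the recovery password.
$rp   = Get-RecoveryProtector -Volume $Drive
$file = Save-RecoveryKeyFile -Id $rp.Id -Password $rp.Password -Folder $RecoveryDir
Write-Host "Recovery key saved to $file (identifier $($rp.Id.Substring(0, 8).ToUpper()))"

# 3. Encryption runs in the background; report progress until it completes.
do {
    Start-Sleep -Seconds 10
    $status = (manage-bde -status $Drive) | Where-Object { $_ -match 'Percentage Encrypted' }
    if (-not $status) { throw "manage-bde -status returned no progress line for $Drive" }
    Write-Host $status.Trim()
} while ($status -notmatch '100(\.0)?%')
```

The file this writes is the same artifact the wizard produces in Figure C, so the user (or the help desk) still has the fallback the article insists on; Part 3 of the series replaces that file with a copy in Active Directory.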





  2. #2
    http://www.windowsnetworking.com/articles_tutorials/Using-BitLocker-Encrypt-Removable-Media-Part2.html

    PART-2


    How to enforce BitLocker security in a more uniform manner through the use of group policy settings.



    Introduction

    The default settings in Windows 7 allow users to decide if and when they want to encrypt data on removable devices. This article explains how you can enforce BitLocker security in a more uniform manner through the use of group policy settings.
    In the first part of this article series, I showed you how you could manually use BitLocker to encrypt the contents of a USB flash drive. Although the procedure that I showed you last time works well enough, it tends to leave a lot to chance. Imagine for instance that your company keeps a lot of sensitive information on file. Ideally, you would probably like to prevent any of that data from ever walking out the door. In reality though, you may have employees whose job functions require them to have certain data available, even when they are not connected to the network.
    Since the last thing that you want is for an employee to misplace a USB drive filled with personal information about all of the organization’s customers, encryption is an absolute must. BitLocker to Go can definitely provide the type of encryption that you need, but the encryption method that I demonstrated in the first part of the series requires users to manually encrypt their own USB flash drives.
    Obviously, we can’t just put encryption into the user’s hands and trust them to do it (especially when so much is at stake). Fortunately, we do not have to. Windows 7 and Windows Server 2008 R2 include group policy settings that you can use to control how and when BitLocker encryption is used.
    The Group Policy Object Editor contains quite a few different group policy settings related to BitLocker encryption, but there is an entire folder containing the settings pertaining to BitLocker encryption of removable media. You can access this folder at Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Removable Data Drives. You can see the available group policy settings within this folder in Figure A.

    Figure A: All of the settings related to BitLocker encryption of removable media are stored in the Removable Data Drives folder

    Control Use of BitLocker on Removable Drives

    The first group policy setting that I want to show you is the Control Use of BitLocker on Removable Drives setting. As the name implies, this setting allows you to control whether or not users are allowed to encrypt removable media with BitLocker.
    At its simplest, disabling this setting prevents users from encrypting removable media, whereas users can use BitLocker to encrypt removable media if you do nothing at all. There is a little bit more to it though.
    If you do choose to enable this group policy setting, then there are two options that you can set. The first of these options allows you to choose whether or not you want to allow users to apply BitLocker protection on removable data drives. Obviously, this option is a bit redundant, but the reason why Microsoft chose to include it was because it allows you to control this setting and the next setting that I am about to talk about independently when the group policy setting is enabled.
    The second setting allows users to suspend and decrypt BitLocker protection on removable data drives. In other words, you can control whether or not you want to allow users to turn off BitLocker for a removable storage device.

    Configure Use of Smart Cards on Removable Drives

    This group policy setting allows you to control whether or not smart cards can be used as a mechanism for authenticating users for access to BitLocker encrypted content. If you do decide to enable this group policy setting, then there is a sub option that you can use to require the use of smart cards. If you choose this option, then users will only be able to access BitLocker encrypted content by using smart card based authentication.

    Deny Write Access to Removable Drives Not Protected By BitLocker

    The Deny Write Access to Removable Drives Not Protected By BitLocker setting is one of the more important group policy settings related to the encryption of removable media. When you enable this setting, then Windows will check every removable storage device that is inserted into the computer to see if BitLocker encryption is enabled. If BitLocker isn’t enabled on the drive, then the drive is treated as read only. Users are only given write access if BitLocker is enabled on the drive. That way, you can prevent users from writing data to unencrypted removable media.
    When you enable this group policy setting, you are also given the option of blocking write access to devices configured in another organization. This option can go a long way in helping to prevent the unauthorized use of removable media.
    Imagine for instance that you want to make sure that only authorized users write data to removable drives, and that any data written to removable drives is encrypted. Now suppose that a disgruntled employee decides that they want to copy your customer list to a USB flash drive. If one of your stated goals is to prevent data from being written to removable devices in an unencrypted format, then you would naturally enable the Deny Write Access to Removable Drives Not Protected By BitLocker setting.
    That will give you some degree of protection, but it is still possible for a user to enable BitLocker on a home computer, encrypt a USB flash drive, and then bring the encrypted drive into the office and write data to it. Enabling the Do Not Allow Write Access to Devices Configured in Another Organization option allows Windows to look at where the removable storage device came from. If the device was encrypted by another organization, then BitLocker will deny write access to the device.

    Allow Access to BitLocker Protected Removable Drives From Earlier Versions of Windows

    I tend to think that this option is a bit misnamed. The reality is that Windows does not really care what version of Windows was used to format a removable drive. Instead, this option allows you to control whether or not you want to allow users to unlock BitLocker encrypted drives that have been formatted with the FAT file system.
    If you enable this setting, there is another option that you can enable that will prevent the BitLocker to Go Reader from being installed onto drives that are formatted with the FAT file system.

    Configure Use of Passwords for Removable Data Drives

    This is one of the more self-explanatory settings. It allows you to control whether or not you want to require the use of a password to unlock the contents of removable drives. Assuming that you do want to password protect removable drives, you have the option to control the password’s length and complexity requirements.

    Conclusion

    The group policy settings that I have shown you go a long way toward controlling how BitLocker is used with removable media. One of the problems with encrypting data however, is that if the encryption keys are lost, then the data cannot be decrypted. In Part 3, I will show you a technique for avoiding this problem by storing the encryption keys in the Active Directory.
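Enabling the Part 2 settings in the Group Policy Object Editor is only half the job; on the client you want to confirm they actually applied. The script below is an added example (mine, not the article's or Microsoft's) that audits a Windows 7 workstation by reading the registry values Group Policy writes for the Removable Data Drives policies. The key paths and value names are the ones the FVE.admx template uses as I know them, so treat them as an assumption and confirm them against the admx in your own central store; the "Want" column is one reasonable baseline derived from the settings discussed above, not a Microsoft recommendation, and the minimum length of 12 is my choice.

```powershell
# Added example, not from the original article: audit whether the Removable Data
# Drives policies discussed in Part 2 have actually applied on a Windows 7 client.
# Group Policy writes these settings to the registry; the key paths and value names
# below are the ones the FVE.admx template uses as I know it. Treat them as an
# assumption and confirm them against the admx in your central store. The "Want"
# values express one reasonable baseline, not a standard (12 is an assumed minimum length).
$FveSoftware = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$FveSystem   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

$Baseline = @(
    @{ Setting = 'Control use of BitLocker on removable drives (enabled)';    Path = $FveSoftware; Name = 'RDVConfigureBDE';      Want = 1 },
    @{ Setting = '  allow users to apply BitLocker protection';               Path = $FveSoftware; Name = 'RDVAllowBDE';          Want = 1 },
    @{ Setting = '  allow users to suspend and decrypt (should be off)';      Path = $FveSoftware; Name = 'RDVDisableBDE';        Want = 0 },
    @{ Setting = 'Deny write access to drives not protected by BitLocker';    Path = $FveSystem;   Name = 'RDVDenyWriteAccess';   Want = 1 },
    @{ Setting = '  do not allow write access to other-organization devices'; Path = $FveSystem;   Name = 'RDVDenyCrossOrg';      Want = 1 },
    @{ Setting = 'Configure use of passwords for removable data drives';      Path = $FveSoftware; Name = 'RDVPassphrase';        Want = 1 },
    @{ Setting = '  require password for removable data drive';               Path = $FveSoftware; Name = 'RDVEnforcePassphrase'; Want = 1 },
    @{ Setting = '  minimum password length (assumed baseline)';              Path = $FveSoftware; Name = 'RDVPassphraseLength';  Want = 12 }
)

function Get-PolicyValue {
    # Read one policy value; $null means the policy is Not Configured (nothing was written).
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RdvPolicyBaseline {
    # Compare every baseline entry with what Group Policy actually wrote and return one
    # result object per setting; anything not 'OK' is a gap the GPO should close.
    param([array]$Entries)
    foreach ($e in $Entries) {
        $actual = Get-PolicyValue -Path $e.Path -Name $e.Name
        $state = if ($null -eq $actual) { 'NOT CONFIGURED' }
                 elseif ([int]$actual -eq [int]$e.Want) { 'OK' }
                 else { 'MISMATCH' }
        [pscustomobject]@{
            Setting = $e.Setting.Trim()
            Value   = $e.Name
            Want    = $e.Want
            Actual  = $actual
            State   = $state
        }
    }
}

# Run "gpupdate /force" first if you have just edited the GPO, then audit.
$results = Test-RdvPolicyBaseline -Entries $Baseline
$results | Format-Table -AutoSize
$gaps = @($results | Where-Object { $_.State -ne 'OK' })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) removable-drive BitLocker setting(s) deviate from the baseline"
}
```

Note that the Deny Write Access policy lives under the SYSTEM hive rather than SOFTWARE, which is why the script reads two keys; a "NOT CONFIGURED" result for RDVDenyWriteAccess means users can still copy data to unencrypted USB drives no matter what the other settings say.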




  3. #3
    http://www.windowsnetworking.com/articles_tutorials/Using-BitLocker-Encrypt-Removable-Media-Part3.html

    PART-3



    This article explains how you can store BitLocker Recovery keys in the Active Directory database.



    Introduction

    In my previous article, I talked about how to regulate the way in which BitLocker is used in your organization through the use of group policy settings. As I alluded to towards the end of that article though, one of the big problems with encrypted media is the potential for data loss.
    As you know, BitLocker encrypted drives are protected by a password. The problem is that users are prone to forget passwords, and in doing so they could end up permanently locking themselves out of the encrypted drive. Even though the data on the drive is still present, data loss still effectively occurs because the data remains inaccessible to the user. If you really stop and think about it, encrypted data that cannot be decrypted is really no different than corrupt data.
    If you think back to the first article in this series, you will recall that when you encrypt a drive with BitLocker, Windows displays a message similar to the one that’s shown in Figure A, telling you that in the event that the password is forgotten, a recovery key can be used to access the drive. Not only does Windows automatically provide you with this recovery key, it forces you to either print the recovery key or save it to a file.

    Figure A: BitLocker protects users against data loss by providing them with a recovery key

    Having a recovery key to fall back on is a good idea, but in the real world it is just not practical. How many users do you think will even remember that a recovery key even exists, much less where they put the print out? The loss of an encryption key can have catastrophic consequences in a corporate environment where data is often irreplaceable. Thankfully, you do not have to depend on the end users to keep track of their recovery keys. You can store the recovery keys in the Active Directory instead.

    Preparing the Active Directory

    Before we can configure BitLocker to store recovery keys in the Active Directory, we need to do a bit of prep work. As I’m sure you already know, BitLocker to Go was first introduced with Windows 7 and Windows Server 2008 R2. As such, it stands to reason that if you want to support BitLocker to Go key recovery at the Active Directory level, then you are going to need to run some of the Windows Server 2008 R2 code on your domain controllers.
    Believe it or not, you do not have to upgrade all your domain controllers to Windows Server 2008 R2, unless you just want to. Instead, you can simply use a Windows Server 2008 R2 installation DVD to extend the Active Directory schema on the domain controller that is acting as the schema master for your Active Directory forest.
    Before I show you how to extend your Active Directory schema, I need to warn you that this procedure assumes that all of your domain controllers are running Windows 2000 Server SP4 or above. If you have older domain controllers, then they must be upgraded before you will be able to perform the necessary schema extensions.
    You should also perform a full system state backup of your domain controllers prior to extending the Active Directory schema. If something should go wrong during the extension process, it could have devastating effects on the Active Directory, so it is important to have a good backup that you can fall back on.
    With that said, you can extend the Active Directory schema by inserting your Windows Server 2008 R2 installation DVD into your schema master. After doing so, open a Command Prompt window using the Run As Administrator option, and enter the following command (where D: represents the drive containing your installation media):
    D:
    CD\
    CD SUPPORT\ADPREP
    ADPREP /FORESTPREP
    When the ADPrep utility loads, you will be asked to confirm that your domain controllers are all running the appropriate versions of Windows Server. Simply press the C key and then press Enter to start the schema extension process, as shown in Figure B. The entire schema extension should only take a couple of minutes to complete.

    Figure B: The Active Directory schema must be extended before BitLocker keys can be stored in the Active Directory

    Configuring Group Policies

    Simply extending the Active Directory schema alone does not force BitLocker to store recovery keys in the Active Directory. For that we are going to have to configure a few group policy settings.
    Begin the process by loading the group policy that applies to your workstations into the Group Policy Management Editor. Now, navigate through the console tree to Computer Configuration | Policies | Administrative Templates: Policy Definitions | Windows Components | BitLocker Drive Encryption | Removable Data Drives. As you may recall, I talked about most of the individual policy settings in the previous article.
    At this point, you should enable the Deny Write Access to Removable Drives Not Protected by BitLocker setting, as shown in Figure C. Actually, this isn’t an absolute requirement, but it does give you a way of forcing users to encrypt their USB flash drives. If you are going to force users to use BitLocker encryption, then you may also want to select the Do Not Allow Write Access to Devices Configured in Another Organization option. Again, this isn’t a requirement, but it does help to improve security.

    Figure C: If you want to force BitLocker encryption for removable drives, you must enable the Deny Write Access to Removable Drives Not Protected by BitLocker setting

    The next step in the process is to enable the Choose How BitLocker Removable Drives Can Be Recovered setting. If you look at Figure D, you can see the dialog box that is displayed when you double click on the Deny Write Access to Removable Drives Not Protected by BitLocker setting. As you can see in the figure, there are a series of check boxes that can be selected when this group policy setting is enabled.

    Figure D: There are three options that you should enable

    If your goal is to save a copy of each recovery key in the Active Directory, then there are three of these options that you must enable. First, you must select the Allow Data Recovery Agent option. This option should be selected by default, but since this option is what makes the entire key recovery process possible, it is important to verify that the option is enabled.
    Next, you will have to select the Save BitLocker Recovery Information to AD DS for Removable Data Drives. As you have probably already figured out, this is the option that actually saves the BitLocker recovery keys to the Active Directory.
    Finally, you should select the Do Not Enable BitLocker Until Recovery Information Is Stored To AD DS For Removable Data Drives option. This option forces Windows to confirm that the recovery key has been written to the Active Directory before BitLocker is allowed to encrypt the drive. That way, you do not have to worry about a power failure wiping out the recovery key half way through the encryption process.
    Although not a requirement, some administrators also like to enable the Omit Recovery Option From The BitLocker Setup Wizard option. This prevents users from saving or printing their own copies of the recovery key.

    Conclusion

    In this article, I have shown you how to configure the Active Directory to store BitLocker recovery keys for removable drives. In Part 4, I will show you how the recovery process works.
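Two things go wrong in practice with the Part 3 setup: the schema extension was never run (so the backup policy has nowhere to write, and the "Do Not Enable BitLocker Until Recovery Information Is Stored" option then blocks encryption), and drives encrypted before the policy applied never get backed up. The following script is an added example, not from the article or from Microsoft, that checks the first from a domain-joined Windows 7 client and fixes the second by pushing a drive's existing recovery password into AD by hand, then reads it back to confirm. It assumes the drive is E:, that RSAT's ActiveDirectory module is installed on the machine running it, that the account can read its own computer object, and manage-bde's English output layout for the regex.

```powershell
# Added example, not from the original article: on a domain-joined Windows 7 client
# with the ActiveDirectory module (RSAT) available, verify that the Part 3 setup is in
# place and push a removable drive's recovery password into AD by hand.
# Assumptions: the drive is E:, the ActiveDirectory module is installed, the account
# can read this machine's computer object, and manage-bde prints its English layout.
Import-Module ActiveDirectory

function Test-FveSchema {
    # adprep /forestprep adds the msFVE-RecoveryInformation class to the schema; without
    # it the "Save BitLocker recovery information to AD DS" policy has nowhere to write.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNc -Filter 'lDAPDisplayName -eq "msFVE-RecoveryInformation"'
    return ($null -ne $cls)
}

function Get-NumericalPasswordId {
    # Return the GUID of the numerical-password protector on the volume, parsed from
    # manage-bde's output (assumption: English layout).
    param([string]$Volume)
    $text = (manage-bde -protectors -get $Volume) -join "`n"
    $m = [regex]::Match($text, 'Numerical Password:\s*ID:\s*\{([0-9A-Fa-f-]{36})\}')
    if (-not $m.Success) {
        throw "No numerical password protector on $Volume; add one with: manage-bde -protectors -add $Volume -RecoveryPassword"
    }
    return $m.Groups[1].Value
}

function Backup-RecoveryToAd {
    # manage-bde -protectors -adbackup is the per-drive equivalent of the policy: it
    # writes the protector to a msFVE-RecoveryInformation object under this computer's account.
    param([string]$Volume, [string]$ProtectorId)
    manage-bde -protectors -adbackup $Volume -id "{$ProtectorId}"
    if ($LASTEXITCODE -ne 0) { throw "AD backup failed with exit code $LASTEXITCODE" }
}

function Confirm-RecoveryInAd {
    # Read the object back. Its CN is "<timestamp>{<protector GUID>}", so match on the GUID
    # directly beneath this computer's account.
    param([string]$ProtectorId)
    $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $obj = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and name -like '*{${ProtectorId}}'" `
        -Properties msFVE-RecoveryPassword
    return $obj
}

if (-not (Test-FveSchema)) {
    throw 'Schema is not extended for BitLocker recovery; run adprep /forestprep on the schema master first (see Part 3).'
}
$drive = 'E:'
$id = Get-NumericalPasswordId -Volume $drive
Backup-RecoveryToAd -Volume $drive -ProtectorId $id
$stored = Confirm-RecoveryInAd -ProtectorId $id
if ($stored) {
    Write-Host "Recovery password for $drive is stored in AD as $($stored.DistinguishedName)"
} else {
    Write-Warning 'Backup reported success but no AD object was found yet; check replication and the computer account''s permissions on itself.'
}
```

Because the recovery object is stored under the account of the computer that performed the backup, a drive encrypted on one PC and backed up from another ends up under the second PC; that is why Part 4 searches by the drive's identifier rather than by computer name.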




  4. #4
    http://www.windowsnetworking.com/articles_tutorials/Using-BitLocker-Encrypt-Removable-Media-Part4.html

    PART-4



    This article concludes the series on BitLocker To Go by demonstrating the process of recovering BitLocker keys from the Active Directory.


    Introduction

    In my previous article, I explained that Windows Server 2008 R2 offers the ability to store BitLocker keys for removable devices within the Active Directory database. Since I have already shown you how to enable the necessary group policy settings that allow BitLocker keys to be stored in the Active Directory, I wanted to conclude the series by showing you how the key recovery process works.
    For the sake of this demonstration, let us pretend that one of the big wigs in your organization has placed the only copies of some critically important files onto a BitLocker encrypted flash drive, and that now he has forgotten the drive’s password. What do you do?
    The first step in the recovery process is to insert the BitLocker encrypted flash drive into a computer that’s running Windows 7. When you do, the dialog box shown in Figure A appears, and you are asked to enter the password that is used to unlock the drive. Since the password has been forgotten, we must perform a password recovery.

    Figure A: Windows prompts you to enter a password to gain access to the encrypted drive

    If you look at the figure above, you will notice that it contains a link labeled I Forgot My Password. Clicking on this link takes you to the screen shown in Figure B.

    Figure B: Windows provides recovery options that can be used in the event of a forgotten password

    As you look at the screen capture above, the thing that really stands out is the option to type a recovery key. Although we will use this option later on, we are not quite ready to use it yet. If you look carefully at the figure above, you will notice a line of text that says: Your Recovery Key Can Be Identified By: 1A8BBF9A. The hexadecimal number that appears at the end of the text string is unique to the flash drive, and can be used to identify the flash drive during the recovery process. You should therefore write down this number, because you are going to need it later on.
    Determining the flash drive’s unique identity is only the first step in the recovery process. Now we actually have to retrieve the recovery key from the Active Directory. There is just one minor hurdle standing in our way. Although the recovery key for the flash drive is stored in the Active Directory, we need to have a way of retrieving it. None of the administrative interfaces that are currently installed on our server presently offer this capability.

    Installing the BitLocker Recovery Password Viewer

    Before you can recover BitLocker recovery keys from the Active Directory, you will have to install a utility called the BitLocker Recovery Password Viewer. Although there is nothing particularly difficult about installing this utility, the option for enabling it is really buried within the Server Manager. I have to confess that even though I knew that the utility existed, I had to look up some instructions on how to enable it because I had so much trouble locating it within the Server Manager.
    To install the BitLocker Recovery Password Viewer, open the Server Manager, and select the Features container. Next, click on the Add Features link, which will cause Windows to open the Add Features Wizard. The Add Features Wizard contains a series of checkboxes that are linked to the various features that you can install. There is a BitLocker checkbox on the list, but this is not the option that we need. Instead, scroll down the list of features until you locate the Remote Server Administration Tools option. Expand this option, and then locate a sub option called Feature Administration Tools. Expand the Feature Administration Tools and then select the BitLocker Drive Encryption Administration Utilities check box. Verify that the check boxes beneath this option are also selected, as shown in Figure C, and then click Next.

    Figure C: You must enable the BitLocker Drive Encryption Administration Utilities

    Now, click the Next button and you will see a screen providing you with a summary of the features that are about to be installed, along with a warning message that a reboot may be required after the installation process completes. Click the Install button, and the necessary binaries will be installed.
    When the installation process completes, Windows will display the Installation Results screen, shown in Figure D. As you can see, Windows tells you which components were installed, but does not force a reboot. I am not sure if a reboot is actually required or not, but I will tell you that after I installed the BitLocker Recovery Password Viewer, I spent several hours trying to recover BitLocker keys. It wasn’t until after I got frustrated and rebooted the server that the recovery process actually began to work.

    Figure D: Even though Windows Server does not force a reboot, you may have to reboot the server anyway

    The Key Recovery Process

    Now that you have finished installing the various administrative tools, you can move forward with the key recovery process. It is worth noting that Windows does not provide you with a standalone interface for key recovery. Instead, key recovery is performed through the Active Directory Users and Computers console.
    To recover a BitLocker key, open the Active Directory Users and Computers console, and then right click on the listing for your domain. The resulting shortcut menu will contain a Find BitLocker Recovery Password option, as shown in Figure E.

    Figure E: Key recovery is performed through the Active Directory Users and Computers console

    When you select the BitLocker Recovery Password option, you will be taken to the Find BitLocker Recovery Password dialog box, shown in Figure F. Remember the eight-digit hexadecimal number that uniquely identifies the encrypted drive? This is where you enter that number. Upon doing so, click the Search button and the server will retrieve the drive’s recovery password. If you look at the lower portion of the dialog box, you can see that the recovery password is not the password that the user originally used to encrypt the drive, but rather a 48-digit string of numbers.

    Figure F: The recovery key is displayed in the lower portion of the dialog box.

    Now that you have the recovery key for the drive, go back to the PC in which you inserted the flash drive, and enter the recovery key into the space provided, as shown in Figure G.

    Figure G: Enter the BitLocker recovery key in the space provided.

    After you enter the recovery key, you should see a screen similar to the one shown in Figure H, telling you that you have been granted temporary access to the drive. In other words, the drive remains encrypted, and the forgotten password is still in effect. If you were to remove and reinsert the drive at this point, you would have to work through the recovery process all over again unless the user happens to remember the password.

    Figure H: Entering the recovery key provides temporary access to the encrypted drive

    To avoid having to enter the 48-digit recovery key each time the drive is used, click the Manage BitLocker link. Doing so will take you to the dialog box shown in Figure I, which allows you to change the password that is used to gain access to the drive.

    Figure I: After you have gained access to an encrypted drive, you should reset the drive’s password

    Conclusion

    In this article series, I have explained that BitLocker to Go provides you with an easy way to secure data that is stored on removable media. If you plan to use BitLocker to Go though, you should implement Active Directory based key recovery so as to avoid data loss due to forgotten passwords.
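The Part 4 recovery is done through the BitLocker Recovery Password Viewer and the Windows 7 unlock dialog. As an added example (mine, not the article's or Microsoft's) the script below does the same two steps without the GUI: on the help-desk side it finds the recovery password in AD from the 8-character identifier shown on the "I forgot my password" screen (the article's 1A8BBF9A), and on the user's PC it unlocks the drive with that password and then sets a new one, as Figure I recommends. It assumes RSAT's ActiveDirectory module on the help-desk machine, drive E: on the user's PC, and that the help-desk operator has read access to the msFVE-RecoveryPassword attribute (the same right the Recovery Password Viewer needs).

```powershell
# Added example, not from the original article: the Part 4 recovery flow without the GUI.
# Help-desk side: look up the recovery password by the 8-character identifier from the
# "I forgot my password" screen. Client side: unlock E: with it, then set a new password.
# Assumptions: ActiveDirectory module (RSAT) on the help-desk machine, drive E: on the
# user's PC, and read access to msFVE-RecoveryPassword for the operator.
Import-Module ActiveDirectory

function Find-RecoveryPassword {
    # Each msFVE-RecoveryInformation object is named "<timestamp>{<GUID>}", and the
    # identifier the unlock screen shows is the first 8 hex characters of that GUID,
    # so matching the name on "*{<id>-*" finds the drive anywhere in the domain.
    param([Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$Identifier)
    $domainDn = (Get-ADDomain).DistinguishedName
    $hits = @(Get-ADObject -SearchBase $domainDn -SearchScope Subtree `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and name -like '*{${Identifier}-*'" `
        -Properties msFVE-RecoveryPassword)
    if ($hits.Count -eq 0) {
        throw "No recovery information for identifier $Identifier; was the drive encrypted before the AD backup policy applied?"
    }
    foreach ($h in $hits) {
        # The parent of the recovery object is the computer account where the drive was encrypted.
        $computer = ($h.DistinguishedName -split ',', 2)[1]
        [pscustomobject]@{
            Identifier       = $Identifier.ToUpper()
            Computer         = $computer
            BackedUp         = $h.Name.Split('{')[0]
            RecoveryPassword = $h.'msFVE-RecoveryPassword'
        }
    }
}

# --- help-desk side ---
# Disclosing a recovery password is a sensitive act; tie it to a ticket and the caller's
# verified identity before handing it over (procedure is yours to define; assumed here).
$entries = @(Find-RecoveryPassword -Identifier '1A8BBF9A')   # identifier from the article's Figure B
$entries | Format-List
if ($entries.Count -gt 1) { Write-Warning 'More than one match; confirm the full GUID with the user before using a password.' }
$entry = $entries[0]

# --- user's PC side (elevated prompt on the Windows 7 client) ---
$drive = 'E:'
manage-bde -unlock $drive -RecoveryPassword $entry.RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "Unlock failed (exit code $LASTEXITCODE); check the identifier and that the right object was returned." }

# Access is temporary, exactly as Figure H says: the forgotten password is still the
# protector. Set a new password so the user does not need the 48-digit key again.
manage-bde -changepassword $drive
if ($LASTEXITCODE -ne 0) { throw "Password change failed (exit code $LASTEXITCODE)" }
Write-Host "$drive unlocked and password reset; the recovery password in AD remains valid as a fallback."
```

The recovery password itself is not changed by this procedure, so whoever saw it during the recovery can still unlock the drive with it; if that matters for the data involved, add a fresh numerical password protector with manage-bde -protectors -add, back it up to AD as in Part 3, and delete the old one.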



