Wednesday, 12 May 2010

BitLocker and backing up Recovery Keys to AD

BitLocker can be enabled by Administrators on any Windows 7 drive. This includes operating system drives, any other partitions and removable drives such as SD cards, USB keys and USB hard disks.

In an Active Directory environment the recovery keys can be stored automatically in the Computer Account. These keys can only be read by Administrators of the computer object in Active Directory so remain private.

You can use Certificates with BitLocker instead of recovery keys but my current environment does not have a PKI infrastructure or AD Certificate Services so I haven't included this in this blog.

Before you start using BitLocker and backing up Recovery Keys in an Active Directory environment you must complete all the steps in "BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory" Updated: June 21, 2008 which I found at http://technet.microsoft.com/en-us/library/cc766015(WS.10).aspx

This can be summarized below:-

- Update the AD Forest Schema
- Run a script in each domain in the forest to update computer objects (runs against AD, not each computer)
- Configure AD Group Policies to enforce backing up of the Recovery Password and Keys to the Computer Account in AD.

What the guide above doesn't tell you is that in addition to the Active Directory Group Policies above, the following Local Group Policies must be configured on each Windows 7 computer. You must enable the BitLocker policy for each BitLocker encryption scenario used on the Windows 7 computer.

Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Bitlocker Drive Encryption

- Configure how BitLocker-protected operating system drives can be recovered
- Configure how BitLocker-protected removable data drives can be recovered
- Configure how BitLocker-protected fixed data drives can be recovered
- Configure how BitLocker-protected drives can be recovered (Windows Server 2008 and Vista).


Below is an example Local Group Policy for BitLocker on the Operating System Drive.


Next you can enable BitLocker and the keys will automatically be backed up to AD, assuming connectivity to an Active Directory server exists. The above policy settings will not allow BitLocker to be enabled unless the recovery information has been successfully backed up to Active Directory.

Important - If BitLocker is already enabled before these Group policies are enabled then the Recovery Keys are not backed up to AD!!

To manually back up to AD, you will need to use the following command on each computer, with Local Administrator rights:-

manage-bde -protectors -adbackup C: -id {Full recovery key identification}
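The command above has to be run once per recovery password protector, with that protector's ID, so on a machine with several BitLocker volumes it is easy to miss one. The following PowerShell script is an added example (not code from the original post or from Microsoft): it enumerates every protected volume, pulls the "Numerical Password" protector IDs out of the manage-bde output and runs the same -adbackup command for each. It assumes an elevated prompt on a Windows 7 client, that manage-bde.exe is on the PATH, and that the schema and Group Policy steps above are already in place.

```powershell
# Added example, not from the original post: back up every BitLocker recovery
# password on this computer to its Active Directory computer account.
# Run from an elevated prompt on the Windows 7 client; assumes manage-bde.exe
# (shipped with Windows 7) is on the PATH and the AD schema/GPO steps are done.

function Get-BitLockerRecoveryPasswordIds {
    param([string]$Drive)   # e.g. 'C:'

    # manage-bde -protectors -get lists each protector as a header line such as
    # "Numerical Password:" or "TPM:" followed by an indented "ID: {GUID}" line.
    # Only the "Numerical Password" protector is the recovery password AD stores.
    $inRecoveryBlock = $false
    $ids = @()
    foreach ($line in (& manage-bde -protectors -get $Drive 2>&1)) {
        if ($line -match '^\s*([A-Za-z ]+):\s*$') {
            $inRecoveryBlock = ($matches[1].Trim() -eq 'Numerical Password')
        }
        elseif ($inRecoveryBlock -and $line -match 'ID:\s*(\{[0-9A-Fa-f\-]{36}\})') {
            $ids += $matches[1]
        }
    }
    return $ids
}

function Backup-BitLockerRecoveryPasswordsToAD {
    # ProtectionStatus 1 = BitLocker protection is on for the volume.
    $volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                             -Class Win32_EncryptableVolume |
               Where-Object { $_.ProtectionStatus -eq 1 -and $_.DriveLetter }

    foreach ($vol in $volumes) {
        $drive = $vol.DriveLetter
        # @( ) keeps an empty result as an empty array on PowerShell 2.0.
        $ids = @(Get-BitLockerRecoveryPasswordIds -Drive $drive)
        if ($ids.Count -eq 0) {
            Write-Warning "$drive has no recovery password protector; nothing to back up to AD."
            continue
        }
        foreach ($id in $ids) {
            # Same command as the post, one call per recovery password ID.
            & manage-bde -protectors -adbackup $drive -id $id | Out-Null
            if ($LASTEXITCODE -eq 0) {
                Write-Host "$drive : backed up recovery password $id to AD."
            } else {
                Write-Warning "$drive : AD backup of $id failed (exit code $LASTEXITCODE). Check AD connectivity and the recovery Group Policy."
            }
        }
    }
}

Backup-BitLockerRecoveryPasswordsToAD
```

A non-zero exit code from manage-bde is the signal to watch for: it usually means the client could not reach a domain controller or the "Save BitLocker recovery information to AD DS" policy is not applied, so the key never left the machine.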

To recover the backed-up recovery key for a computer you can use:-

Get-BitLockerRecoveryInfo.vbs

This script is provided by Microsoft and can be downloaded from here:-

http://go.microsoft.com/fwlink/?LinkId=78953

To use this script, open a command prompt and enter the following syntax:-

Get-BitLockerRecoveryInfo computername

You will need Administrator permissions on the computer account in AD to gain access to the BitLocker recovery key.
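If you would rather not depend on the VBScript, the recovery information is simply a set of msFVE-RecoveryInformation objects stored as children of the computer account, which is what the schema update in step 1 adds. The PowerShell function below is an added example (not the Microsoft script and not code from the original post) that reads them directly through System.DirectoryServices. It assumes a domain-joined machine and, as the post notes, read permission on the computer object; 'WKS-001' in the usage line is a placeholder computer name.

```powershell
# Added example, not from the original post or Microsoft's script: read the
# recovery passwords that BitLocker stored under a computer account in AD.
# Uses the msFVE-RecoveryInformation child objects added by the schema update.

function Get-BitLockerRecoveryFromAD {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # Locate the computer account by its sAMAccountName (NAME$).
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domain   = [ADSI]('LDAP://' + $rootDse.defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $computer = $searcher.FindOne()
    if ($computer -eq $null) { throw "Computer account '$ComputerName' not found in AD." }

    # Recovery objects are children of the computer object, one per recovery password.
    $child = New-Object System.DirectoryServices.DirectorySearcher($computer.GetDirectoryEntry())
    $child.Filter      = '(objectClass=msFVE-RecoveryInformation)'
    $child.SearchScope = 'OneLevel'
    [void]$child.PropertiesToLoad.AddRange([string[]]@(
        'name', 'whenCreated', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'msFVE-RecoveryPassword'))

    foreach ($result in $child.FindAll()) {
        $p = $result.Properties   # keys come back lower-cased
        New-Object PSObject -Property @{
            Computer         = $ComputerName
            Created          = $p['whencreated'][0]
            # GUIDs are stored as 16-byte octet strings; the recovery GUID is the
            # {id} that manage-bde -adbackup / -unlock refer to.
            RecoveryGuid     = (New-Object System.Guid -ArgumentList (, [byte[]]$p['msfve-recoveryguid'][0])).ToString('B')
            VolumeGuid       = (New-Object System.Guid -ArgumentList (, [byte[]]$p['msfve-volumeguid'][0])).ToString('B')
            RecoveryPassword = $p['msfve-recoverypassword'][0]
        }
    }
}

# Usage ('WKS-001' is a placeholder computer name):
Get-BitLockerRecoveryFromAD -ComputerName 'WKS-001' | Format-List
```

Because the 48-digit recovery password comes back in clear text, run this only from an administrative workstation and avoid piping the output to files or transcripts; a computer with several results simply has had BitLocker turned on more than once, and the newest whenCreated value is normally the live one.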

Monday, 19 April 2010

Windows 7, BitLocker, Offline Files and "Access Denied"


Scenario:-
  • Windows 7 Enterprise Edition x64 (64-bit) member of a Domain

  • Office 2007 Professional Plus with Service Pack 2

  • Windows Server 2003 Appliance Edition with NAS as file server.

  • Documents folder is redirected to a network share, i.e. file://myfileserver/users$/myname/documents

  • Computer is connected to the network and authenticated in the domain.

  • Offline Files is enabled and has been synchronising with no problems.

  • Share and NTFS permissions are set correctly and you have been able to open and save files with no problems.

  • BitLocker is subsequently used to encrypt the system drive.


Symptoms:-
  • Accessing any file from the Documents folder produces "Access Denied"

  • Includes Office 2007 documents, Adobe PDFs, Notepad files etc.


Workaround:-
  Option 1 - Edit the Offline Files settings and unencrypt Offline Files
  Option 2 - Disable Offline Files, restart the computer and connect to the share (files are no longer available when not connected to the network).

The Background:-
Found a frustrating issue that has been bugging me all day.

Every time I try to open a file stored on my redirected Documents folder I get "Access Denied" even though the file server is up and running, permissions are set correctly and logging on the server shows I'm authenticating successfully.

By default, Windows 7 enables Offline Files for redirected folders and quietly synchronises all the files to a special system database. It is located in C:\Windows\CSC, which is protected from users (yes, even administrators) by an ACL and encrypted.

The problem on my computer is that when I subsequently enabled BitLocker on the system partition, every time I tried to access any file on my redirected Documents folder I got "Access denied".

I discovered that if I turn off Offline Files and reboot then I am able to access the files with no problem.

Having narrowed this down, I tried reformatting the Offline Files database using the registry key below.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CSC\Parameters\FormatDatabase
DWORD (32-bit) Value = 1

I re-enabled Offline Files, added the registry key and rebooted. The same problem existed.

Finally, I unencrypted my Offline Files and as if by magic the problem disappeared. I've rebooted several times now and the problem has not come back. I tested this again by encrypting the Offline Files and immediately the problem came back.

So the moral of my story is don't use BitLocker on the system partition together with Offline Files and the default encryption of Offline Files. Go in and unencrypt Offline Files first.

Hope this post helps another frustrated user find the issue quicker than I did :-)
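To catch this combination before users start seeing "Access Denied", the following PowerShell is an added example (not code from the original post) that reports whether BitLocker is on for the system drive and whether the Offline Files cache is encrypted, and warns when both are true. It also wraps the FormatDatabase registry value quoted above, since that is the usual first thing to try when the cache itself is suspect. It assumes Windows 7 with the Offline Files WMI provider, and in particular that Win32_OfflineFilesCache in root\cimv2 exposes the Enabled, Encrypted and Location properties (true on Windows 7, but treat it as an assumption on other builds).

```powershell
# Added example, not from the original post: detect BitLocker on the system
# drive combined with an encrypted Offline Files (CSC) cache, and optionally
# queue the CSC database re-format the post mentions.
# Assumption: Win32_OfflineFilesCache (root\cimv2) exposes Enabled/Encrypted/Location.

function Get-OfflineFilesBitLockerState {
    $sysDrive = $env:SystemDrive   # e.g. C:
    $bde = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume |
           Where-Object { $_.DriveLetter -eq $sysDrive }
    $csc = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_OfflineFilesCache

    $state = New-Object PSObject -Property @{
        SystemDrive           = $sysDrive
        BitLockerOn           = ($bde -ne $null -and $bde.ProtectionStatus -eq 1)   # 1 = protection on
        OfflineFilesEnabled   = [bool]$csc.Enabled
        OfflineFilesEncrypted = [bool]$csc.Encrypted
        CacheLocation         = $csc.Location   # normally C:\Windows\CSC, as in the post
    }

    # The post's finding: this exact combination produced "Access Denied" on every
    # file in the redirected Documents folder.
    if ($state.BitLockerOn -and $state.OfflineFilesEnabled -and $state.OfflineFilesEncrypted) {
        Write-Warning 'BitLocker is on and the Offline Files cache is encrypted: unencrypt Offline Files (Encryption tab of the Offline Files settings) before relying on redirected folders.'
    }
    return $state
}

function Request-OfflineFilesCacheReformat {
    # Writes the registry value from the post; the CSC database is rebuilt on the
    # next reboot, so any unsynchronised offline changes are lost.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSC\Parameters'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'FormatDatabase' -Value 1 -Type DWord
    Write-Host 'FormatDatabase=1 set; reboot to rebuild the Offline Files database.'
}

Get-OfflineFilesBitLockerState | Format-List
```

Run the check as an administrator (the BitLocker WMI namespace is not readable by standard users). Only call Request-OfflineFilesCacheReformat after the user has synchronised, because the rebuild discards whatever is sitting unsynced in the cache.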

Friday, 16 April 2010

Windows 7, BitLocker and failed shutdowns

Scenario:-
Windows 7 computer has been shutting down with no problems.
You subsequently enable BitLocker and the computer doesn't turn off at shutdown.

Symptoms:-
  • Windows shuts down normally
  • Black screen
  • Power light on
  • No issues in the Event Logs
  • Windows doesn't report any shutdown problems on next startup

Fix:-
Microsoft have released a hotfix, which looks like it was released in November 2009 and is not available via Windows Update or Microsoft Update.

You can find it here:- http://support.microsoft.com/kb/975496

You have to submit your details and they send you an email with a link almost immediately.

Tuesday, 13 April 2010

Windows 7 & 2008 R2 and the BranchCache Feature

I attended an event last night hosted by the Windows Server User Group (WSUG) @ Microsoft UK, London Victoria.

It was hosted by Joey Snow from Microsoft in Redmond.

The nuts of it is:-

BranchCache is used for WAN optimisation where remote branch offices already use the WAN to download from HTTP (SharePoint/IIS etc.) or file sharing servers in a remote datacentre.

It does not protect users from WAN failure, as a connection to the remote server is still required every time a file is accessed.

There are two decision points to use either:-

1/ Hosted
- Requires a local 2008 R2 Server to perform the caching
- The local 2008 R2 Server requires an SSL certificate, trusted by the local Windows 7 clients
- Use Group Policy to configure the local Windows 7 clients to use the local cache server
- Files can be seeded on the local cache server

2/ Distributed
- Uses local Windows 7 client computers only, no server
- Peer to peer broadcasts on the current subnet only
- Configured using Group Policy
- Really should use BitLocker to encrypt the client drives or EFS to encrypt the cache file
- As each client computer is shut down its cache becomes unavailable

Both options require that the remote datacentre server is running 2008 R2 with the BranchCache feature enabled, and only Windows 7 clients can use the feature.
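Group Policy is the right way to roll either mode out, but for a lab or a handful of machines the same client-side switch is exposed through netsh. The script below is an added example (not code from the original post or from Microsoft) that selects Distributed, Hosted (client side) or Disabled mode and prints the resulting status; it assumes Windows 7 Enterprise or Ultimate, where the BranchCache client ships, that the 'netsh branchcache set service' and 'show status all' commands behave as on Windows 7, and 'cache01.branch.example' is a placeholder for the hosted cache server, whose name must match its SSL certificate as noted above.

```powershell
# Added example, not from the original post: client-side BranchCache mode via
# netsh, for lab use; Group Policy remains the production deployment method.
# Assumes the Windows 7 'netsh branchcache' context; server name is a placeholder.

function Set-BranchCacheClientMode {
    param(
        [ValidateSet('Distributed', 'HostedClient', 'Disabled')][string]$Mode,
        [string]$HostedCacheServer   # HostedClient only; must match the server's SSL certificate subject
    )
    switch ($Mode) {
        'Distributed'  { & netsh branchcache set service mode=distributed }
        'HostedClient' {
            if (-not $HostedCacheServer) { throw 'HostedClient mode needs -HostedCacheServer.' }
            & netsh branchcache set service mode=hostedclient "location=$HostedCacheServer"
        }
        'Disabled'     { & netsh branchcache set service mode=disabled }
    }
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
}

function Show-BranchCacheStatus {
    # Reports the mode, the cache location (under the Network Service profile,
    # as the post notes, protected by ACLs only) and whether the cache is active.
    & netsh branchcache show status all
}

# A small office with no local server: Distributed mode, peers on the same subnet.
Set-BranchCacheClientMode -Mode Distributed
Show-BranchCacheStatus

# Office with a local 2008 R2 cache server (placeholder name):
# Set-BranchCacheClientMode -Mode HostedClient -HostedCacheServer 'cache01.branch.example'
```

Because the cache file lives in the Network Service profile with only an ACL in front of it, pair Distributed mode with BitLocker on the client drives as the post recommends; netsh cannot do that for you, it only sets the caching mode.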

The feature is secure: only users with permission can access files, and the cached files are stored in a single file similar to Offline Files.

BranchCache only works on files over 64 KB, which rules out caching most logon scripts from domain controllers.

The cache file is stored in the Network Service profile and is protected by ACLs only.

I don't recommend you use it for roaming profile file servers either, as it will only help users that log on to multiple computers at the same time.

There are already other options for optimising branch office WAN performance and these include Read-Only Domain Controllers, Distributed File System (DFS) and Folder Redirection with Offline Files.

I have to be honest and I can only see one use for this in a business, that is a small branch office that has no budget for local infrastructure and is currently really struggling with a maxed-out WAN connection. If the branch office has budget, wouldn't you install a 2008 R2 Server as a local file server running as a Read-Only Domain Controller with DFS up to the datacentre for backups?

I'd recommend enabling Transparent Caching on all branch office Windows 7 clients, combined with BitLocker if this data could be sensitive, as it has no dependencies on 2008 R2 and is transparent to the users.