Thursday, April 24, 2014

2. Configure file and print services 2.3 Configure file and disk encryption

Examples of encryption algorithms:
Symmetric: uses a single key to encrypt and decrypt data
Asymmetric key: uses a pair of mathematically related keys. This allows one key to be public, so it can be published in a certificate.
Hash: one-way encryption

EFS encryption: used to encrypt individual files and folders on an NTFS volume.
Bitlocker Drive Encryption (BDE): encrypts an entire volume.

EFS encryption: http://technet.microsoft.com/en-us/library/cc749610%28v=WS.10%29.aspx
EFS creates a certificate for the user encrypting the files, thus allowing only that user to automatically decrypt the files upon use. An encryption certificate can be added to the file in order to share it with other users.

To encrypt a folder or file, click properties on the object, Advanced, then check Encrypt contents to secure data. When you encrypt a folder, you have the option to apply changes to this folder only, or to this folder, subfolders, and files.
To decrypt a folder or file, uncheck Encrypt contents to secure data.

You cannot both compress and encrypt an NTFS file.
Encrypted files are decrypted when moved or copied to a non-NTFS volume.
Files are automatically encrypted when placed in a folder that has encryption enabled. However, moving one out does not automatically decrypt it.
Files with the System attribute set, or files in the root directory, cannot be encrypted.

cipher.exe /e c:\home\flintstones
cipher.exe /d c:\home\flintstones

To allow another user to decrypt a file, right-click the encrypted file, choose Properties, Advanced, then click Add under "Users who can access this file". Select the user to pick their EFS certificate.

EFS and group policy:
Computer configuration\policies\windows settings\security settings\public key policies\encrypting file system

Choose Allow or Don't Allow EFS
Allow, Require, or Don't allow Elliptic Curve Cryptography
Check or uncheck:
Encrypt the contents of the user's Documents folder
Require a smart card for EFS
Create caching-capable user key from smart card
Display key backup notifications when user key is created or changed

The Certificates tab allows you to set the key size. You can also enable or disable EFS creating its own self-signed certificates when a certificate authority is not available.


2.3.1 Configure Bitlocker encryption
http://technet.microsoft.com/en-us/library/jj612864.aspx
http://technet.microsoft.com/en-us/library/hh831713.aspx
http://technet.microsoft.com/en-us/library/hh831412.aspx
http://technet.microsoft.com/en-us/library/jj649829%28v=wps.620%29.aspx
http://download.microsoft.com/download/F/4/1/F41E0BFA-8F1B-44E3-91F0-8AF84908DCC7/Understand_and_Troubleshoot_BitLocker_in_Windows_Server_8_Beta.docx

Bitlocker requires Trusted Platform Module 1.2 or 2.0, or USB access to save a startup key to a removable device.

The hard disk must have at least two partitions:
OS/boot drive: contains the operating system and its support files. Must be NTFS.
System drive: contains the files needed to load Windows after the firmware has readied the hardware. Bitlocker is not enabled on this drive.
Windows automatically creates the partitions required for Bitlocker.
Bitlocker uses AES-128 or AES-256.

Startup modes:
TPM: Bitlocker encryption key stored on TPM
PIN: user must supply a numeric pre-boot PIN
Enhanced PIN: alphanumeric PIN
USB key: A startup key is stored on a USB
Network key: a key provided by a WDS server.

For drives that are not OS volumes, you can choose to use a password or a smart card, or have the drive unlock automatically. If you choose password or smart card, you can save a recovery key.

Installing Bitlocker:
Add Roles and Features
Select Bitlocker Drive Encryption (Bitlocker)
Installing Bitlocker will also install the Enhanced Storage (EnhancedStorage) feature to support drives with hardware encryption.
Including the management tools will also install Bitlocker Drive Encryption Administration (RSAT-Feature-Tools-Bitlocker), Bitlocker Drive Encryption Tools (RSAT-Feature-Tools-Bitlocker-RemoteAdminTool), Bitlocker Recovery Password Viewer (RSAT-Feature-Tools-Bitlocker-BdeAducExt), AD DS & AD LDS Tools (Rsat-AD-Tools), AD DS Tools (RSAT-ADDS) and AD DS Snap-ins and command-line (RSAT-ADDS-Tools), the manage-bde command line tool, and the PowerShell module Bitlocker.

install-windowsfeature bitlocker -includemanagementtools

You can check whether your computer has a TPM by running the TPM Management (tpm.msc) snap-in. (You can also get to this MMC via the Bitlocker option in Control Panel.) The TPM must be initialized here before using Bitlocker.

Enable Bitlocker for a fixed or removable drive that is not the OS volume:
Go to Control Panel, Bitlocker Drive Encryption.
Click Turn on Bitlocker for the volume you want to encrypt.
You can select a password or smart card to unlock the drive. You can also allow it to auto-unlock. Next you will be prompted with options for backing up your recovery key: save to USB, save to file, or print the key.
You will be prompted with whether you want to use:
"Encrypt used disk space only": encrypts only the space currently in use, then new data as it is written
"Encrypt entire drive"
Once you have encrypted the volume, you have the option to go back and back up the recovery key again, change or remove the password, add or remove a smart card, turn on auto-unlock, or disable Bitlocker.
Note: You can also use a certificate as a protector on a data volume using manage-bde.

Bitlocker To Go
Allows encryption of removable USB drives. Once the drive is plugged in, you can Turn on Bitlocker in the Bitlocker control panel.
For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft account online, or printed.

Bitlocker Recovery:
http://technet.microsoft.com/en-us/library/dn383583.aspx

Bitlocker's allowed recovery options should be set in group policy (see 2.3.3):
1. Use a recovery password
2. A designated Data Recovery Agent (DRA) can supply a certificate (configured by GP, see 2.3.3)
3. An AD DS administrator can retrieve the recovery key from AD.

manage-bde: command line utility to manage Bitlocker on a client.
A few parameters:
manage-bde -status (shows Bitlocker status for all volumes)
manage-bde -protectors -add c: -tpmandpin
manage-bde -on c: -password
Other switches: -off, -lock, -unlock, -autounlock, -changepassword, -changepin, -changekey

PowerShell
http://technet.microsoft.com/en-us/library/jj649829.aspx
A few commands:
get-bitlockervolume
enable-bitlocker
disable-bitlocker
add-bitlockerkeyprotector
remove-bitlockerkeyprotector
lock-bitlocker
unlock-bitlocker
enable-bitlockerautounlock
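The control panel procedure above for a data volume (password protector, recovery key backup, used-space-only encryption, auto-unlock), done with the Bitlocker PowerShell module instead. This is an added example, not from the original post; the drive letter is a placeholder, and escrowing the recovery password in AD DS assumes the "Store Bitlocker recovery information in AD DS" policy from 2.3.3 is enabled.

```powershell
# Added example (not from the original post): protect fixed data volume D: with a
# password, add a recovery password, escrow it in AD DS and turn on auto-unlock.
# Run in an elevated PowerShell on Windows 8 / Server 2012 with the Bitlocker
# feature installed. The drive letter is a placeholder.
$Drive = 'D:'
$Password = Read-Host -AsSecureString -Prompt "Password to unlock $Drive"

# Start encryption with a password protector, encrypting used space only
# (the control panel's "Encrypt used disk space only" choice).
Enable-BitLocker -MountPoint $Drive -PasswordProtector -Password $Password `
    -EncryptionMethod Aes256 -UsedSpaceOnly

# Add a 48-digit recovery password as a second protector (the control panel's
# recovery key backup step) and escrow it in AD DS; escrow requires the
# "Store Bitlocker recovery information in AD DS" policy (see 2.3.3).
$volume = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
$recovery = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $recovery.KeyProtectorId

# Auto-unlock keeps the volume key on the Bitlocker-protected OS volume,
# so the OS drive must already be encrypted for this to succeed.
Enable-BitLockerAutoUnlock -MountPoint $Drive

# Verify: ProtectionStatus should be On once EncryptionPercentage reaches 100.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```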

Extra Note: In an enterprise, you may want to use the Microsoft Bitlocker Administration and Monitoring tool (MBAM), included with the Microsoft Desktop Optimization Pack (MDOP), for Bitlocker administration. This can be used in standalone mode or integrated into SCCM.

2.3.2 configure the Network Unlock feature 
http://technet.microsoft.com/en-us/library/jj574173.aspx
Requirements:
Windows 8 or 2012 clients with UEFI firmware that has DHCP drivers
Bitlocker Network Unlock feature installed on a 2012 server
A 2012 WDS server
A DHCP server, separate from WDS

If you already have a WDS server in your environment, you can leverage it by installing the Network Unlock feature. Otherwise, whichever server you install Network Unlock on will get the WDS service installed. It doesn't have to be configured beyond the initial WDS configuration (enough for the wdsserver service to run).
 
Install the Network Unlock feature by going to Server Manager. Skip to Features and click on Bitlocker Network Unlock(bitlocker-networkunlock). If WDS is not installed, WDS(WDS), WDS Deployment(wds-deployment) and Transport(wds-transport) will be installed. If you check "include management tools", the WDS Tools(wds-adminpack) will also be installed.

install-windowsfeature bitlocker-networkunlock

The wdsserver service must be running.

If you have a CA, request a new certificate
Use the "Network Unlock on the Domain controller" template
Create the certificate
Export the public key certificate to create a .cer - Select DER encoded X.509 and do not export private key
Export the public key with private key to create a .pfx - Select Yes to export private key

Or you can create a self-signed certificate with certreq. Import it into certmgr, then export the .pfx.

On the WDS server, go to certmgr.msc and right click certificates - Bitlocker Drive Encryption Network Unlock, and Import. Choose the PFX file.

Now you need to setup group policy to deploy the public key certificate to clients:

Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Bitlocker Drive Encryption Network Unlock Certificate
Add Network Unlock Certificate. Import the .CER file.

It's recommended that you require TPM + startup PIN on client computers: see 2.3.3

You can use a subnet access list to specify that only clients on certain subnets can network unlock. On the WDS server, create a bde-network-unlock.ini file in the same folder as the Network Unlock provider DLL (nkpprov.dll in c:\windows\system32).
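What that subnet access list looks like, as an added example (not from the original post): the [SUBNETS] section plus one section per Network Unlock certificate follows the documented bde-network-unlock.ini layout; the thumbprint, subnet names and address ranges are constructed placeholders.

```powershell
# Added example (not from the original post): create the Network Unlock subnet
# access list on the WDS server. A client presenting the Network Unlock
# certificate named in the per-certificate section is only unlocked when its
# DHCP request comes from a listed subnet. Thumbprint and ranges are placeholders.
$policy = @"
[SUBNETS]
; name=CIDR range (IPv4 or IPv6); the name ENABLED is reserved
HQ_WIRED=10.0.10.0/24
LAB_V6=2001:db8:1::/64

; one section per Network Unlock certificate, named by its thumbprint without spaces
[0000000000000000000000000000000000000000]
; list the subnet names this certificate may unlock from, one per line;
; a certificate with no section here is unlocked from any subnet
HQ_WIRED
LAB_V6
"@

# The file must sit next to the provider DLL (nkpprov.dll in System32).
$path = Join-Path $env:SystemRoot 'System32\bde-network-unlock.ini'
Set-Content -Path $path -Value $policy -Encoding Ascii

# A malformed policy file makes the provider stop answering all unlock requests,
# so re-read what was written before relying on it.
Get-Content -Path $path
```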

Extra Note: Client certificates for network unlock are stored in HKLM\Software\Policies\Microsoft\SystemCertificates\FVE_NKP
Extra Note: The first NIC on a compatible client must be configured for DHCP to use with network unlock

2.3.3 configure Bitlocker policies 
Add a Data Recovery Agent for recovery. A DRA is an account that is authorized to recover Bitlocker drives with a certificate.
Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Bitlocker Drive Encryption

There are a number of other Bitlocker policies that can be configured in
Computer Configuration\Administrative Templates\Bitlocker Drive Encryption

Some good ones to know:
Bitlocker Drive Encryption:
Store Bitlocker recovery information in AD DS
Choose how users can recover Bitlocker-protected drives
Choose drive encryption method and cipher strength

Operating System Drives:
Allow network unlock at startup
Require additional authentication at startup
Allow Enhanced PINs for startup
Choose how Bitlocker-protected operating system drives can be recovered

Fixed Data Drives:
Configure use of passwords for fixed data drives
Choose how Bitlocker-protected fixed drives can be recovered

Removable Data Drives:
Control use of Bitlocker on removable drives
Configure use of passwords for removable data drives
Choose how Bitlocker-protected removable drives can be recovered.

2.3.4 configure the EFS recovery agent 
The EFS data recovery agent is configured through GP:
Computer\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

2.3.5 manage EFS and Bitlocker certificates including backup and restore
Certificates can be exported using certmgr.msc from the Personal store.
Export with the private key as a .PFX file and give it a password.
To restore, import the PFX file into Personal and supply the password.
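The same export and restore of an EFS certificate done from PowerShell, as an added example (not from the original post). It assumes the PKI module (Windows 8 / Server 2012 and later); the backup path is a placeholder.

```powershell
# Added example (not from the original post): back up the current user's EFS
# certificate with its private key to a password-protected PFX, then restore it.
# Needs the PKI module (Windows 8 / Server 2012 and later). Path is a placeholder;
# keep the backup somewhere other than the EFS-encrypted folders it protects.
$efsOid = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System enhanced key usage
$pfxPath = 'E:\backup\efs-cert.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Pick the newest EFS certificate in Personal that still has its private key.
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsOid }) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $efsCert) { throw 'No EFS certificate with a private key found in Personal' }

# Export with the private key; a PFX without it cannot decrypt anything.
New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $efsCert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Restore (same or another machine): import into Personal with the same password,
# then confirm the thumbprint matches the certificate that was backed up.
$restored = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My `
    -Password $pfxPassword
"Backed up $($efsCert.Thumbprint), restored $($restored.Thumbprint)"
```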

Bitlocker certificates can also be exported using certmgr.msc.
Recovery information can also be stored in AD DS with the "Store Bitlocker recovery information in AD DS" GP option.
