EMBASSY Remote Administration Server (ERAS) BitLocker Deployment Guide




BitLocker Deployment Guide
Document Version 0.0.0.5
ERAS v 2.8
http://www.wave.com
Wave Systems Corp. 2010

Contents

1. Introduction
   Additional Documentation
   Technical Support
2. What do you need to know before deploying ERAS BitLocker?
3. Mapping your environments: how do you know which machines are TPM capable?
4. Knowing BitLocker Group Policy Settings
5. Different client capabilities in ERAS (TPM vs. Non-TPM)
   Recommended and minimal GPO settings before you deploy additional authentication or no TPM
   Enable BitLocker password GPO settings for OS volume authentication before you deploy
   Enable BitLocker GPO settings for TPM Core Root of Trust Measurements (CRTM)
6. Required permissions for the local administrator group on client domain machines
7. Choosing the best BitLocker authentication method
8. Outline of the 5 BitLocker authentication methods, and the mandatory and recommended GPO settings
   A. TPM Only
   B. TPM + PIN (recommended)
   C. Startup Key
   D. TPM + PIN + Startup Key
   E. Smartcard
   Set BitLocker encryption and cipher GPO settings before you deploy
9. Authentication method flows: how to perform single machine vs. batch enrollment
   Checking status and addressing errors
10. FIPS settings
11. Locking down BitLocker from Local Admin
Works Cited

1. Introduction

This guide assists IT personnel in planning and deploying BitLocker with ERAS. It supplements section seven, BitLocker Management, of the ERAS Admin Manual. There are a number of details that are covered in this guide.

BitLocker is Microsoft's full disk encryption feature, provided with the Ultimate and Enterprise versions of both Vista and Windows 7. Wave has made the decision to support central management of BitLocker only on Microsoft Windows 7 Ultimate and Windows 7 Enterprise systems. BitLocker is exclusively a Microsoft product; Wave facilitates its use and looks to continue to improve the BitLocker deployment experience. ERAS uses an MMC snap-in for navigation, with management details and management tabs for the individual clients that simplify navigation and offer a means of central management of BitLocker OS and data volumes.

Intended Audience

This document is intended for IT security personnel, system administrators and other information technology personnel responsible for installing, deploying and administering the ERAS software. It covers only minimal details of BitLocker GPO deployment.

Additional Documentation

If needed, review the ERAS Installation Guide, the ERAS Admin Manual and the readme.txt file included with the software for the information you will need to configure and use ERAS. It may also be important to be familiar with Microsoft documentation of Windows Server products and BitLocker GPO settings beyond what is covered in this document.

Technical Support

Additional information, technical support and contact information for ERAS can be found online at the Wave Systems website, http://support.wavesys.com, or e-mail your questions or issues to support@wavesys.com.

Toll free: (800) WAVE-NET
Tel: (413) 243-1600
Fax: (413) 243-0045

2. What do you need to know before deploying ERAS BitLocker?

The following topics and items need to be understood before deploying BitLocker:

a) ERAS BitLocker will only allow remote management on Windows 7 Enterprise or Ultimate client machines that already have the extra ~100 MB partition created at the time of Windows 7 installation.

b) The authentication method to be used for BitLocker must be determined before deployment.

   [Figure: "Where is the encryption key?" Diagram labels: OS Volume, System, SRK, FVEK]

   SRK (Storage Root Key) by way of a BEK (BitLocker Encryption Key) file allows for the FVEK (Full Volume Encryption Key) on the OS volume to decrypt.

c) Client machines that will use TPM version 1.2 for the deployment of BitLocker must have the TPM turned on and enabled/activated.

d) Client machines that will use a startup key will require an out-of-band method for providing flash drives with BEK files to the appropriate end users.

e) Client machines that require a personal identification number (PIN) or password at authentication must have an out-of-band method for providing it to the appropriate end users.

f) The administrator must be familiar with the minimum set of BitLocker policies necessary to meet the needs of the organization, such as but not limited to:
   - Encryption strength
   - Authentication method for OS volume and data volume
   - Setting password versus PIN to OS volume (BitLocker policy)
   - Each volume type has its own associated policies
   - TPM usage and setting Core Root of Trust Measurements

g) To facilitate deployment in a mixed environment of TPM and non-TPM machines, it is recommended to create separate OUs for each.

h) Remote management from ERAS for BitLocker clients requires the ERAS Service Account to be added as a local administrator to each client within the domain.

i) For foreign client machines, step h) is replaced by installing the ERASConnector.msi.

3. Mapping your environments: how do you know which machines are TPM capable?

Typically the TPM is turned off by default by the manufacturer. If that is the case, each client must have the TPM turned on and activated; this is usually done manually at the client in BIOS. This is a TCG requirement meant to ensure physical presence at the machine when changes to the TPM are made. However, some OEMs provide tools that allow TPMs to be turned on and enabled remotely. This requires an additional deployment of OEM-specific software prior to using ERAS TPM management.

If the TPM is already turned on, then ERAS does have the ability to issue physical presence commands such as clear, enable and activate the TPM from Vista and Windows 7 clients and additional Wave software. This still requires someone at the machine to accept the changes to the TPM.

ERAS deployment of BitLocker does not require any additional software added to the client machine. The ownership of the TPM is taken by ERAS upon initializing the BitLocker OS volume, and this information is stored in the encrypted ERAS database. Full remote TPM management does require the use of additional Wave software on the client.

4. Knowing BitLocker Group Policy Settings

BitLocker Group Policy settings can be found on Windows 7 and Windows 2008 R2 in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.

Further reference on the use of BitLocker Group Policy settings can be found here:
http://technet.microsoft.com/en-us/library/ee706521(ws.10).aspx

It is also possible to fully manage Windows 7 BitLocker using GPO with any version and functional level of AD DS starting with Windows Server 2003 R2. See the reference and link below for download and install instructions for the Windows 7 GPO ADM to install on pre-Windows 2008 R2 AD.
http://technet.microsoft.com/en-us/library/dd875529(ws.10).aspx

Download the Windows 7 GPO administrative templates:
http://www.microsoft.com/downloads/en/details.aspx?familyid=16f69ffe-d51b-4e02-9d02-3e57f3ccd490
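The prerequisites from section 2 (items a, c and g) and the TPM state discussed in section 3 can be checked on a client before enrollment. The script below is an added example, not part of the Wave guide or of ERAS; the function name and the grouping labels are this example's own, and it assumes an elevated PowerShell 2.0 session on the client.

```powershell
# Added example: BitLocker/ERAS prerequisite check for the local Windows 7 client.
# Run from an elevated prompt; written for PowerShell 2.0, which ships with Windows 7.
function Get-BitLockerReadiness {
    # Section 2 a): Windows 7 (version 6.1) Ultimate (SKU 1) or Enterprise (SKU 4).
    # N editions report other SKU values and are not covered by this example.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $editionOk = ($os.Version -like '6.1*') -and (@(1, 4) -contains [int]$os.OperatingSystemSKU)

    # Section 2 a): a system volume separate from the Windows volume
    # (the ~100 MB partition created by Windows 7 setup).
    $sysVol = @(Get-WmiObject -Class Win32_Volume |
        Where-Object { $_.SystemVolume -and -not $_.BootVolume })
    $sysPartitionMB = $null
    if ($sysVol.Count -gt 0) { $sysPartitionMB = [math]::Round($sysVol[0].Capacity / 1MB) }

    # Section 2 c) and section 3: TPM present, version 1.2, turned on and activated.
    $tpm = $null
    try {
        $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                             -Class Win32_Tpm -ErrorAction Stop
    } catch {
        # Namespace missing or access denied (not elevated): reported as "no TPM visible".
        $tpm = $null
    }
    $tpmIs12  = ($tpm -ne $null) -and ($tpm.SpecVersion -like '1.2*')
    $tpmReady = ($tpmIs12 -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)

    # Section 2 g): separate OUs for TPM and non-TPM machines (labels are hypothetical).
    if (-not $editionOk -or $sysVol.Count -eq 0) { $group = 'Not manageable by ERAS BitLocker' }
    elseif ($tpmReady) { $group = 'TPM OU' }
    elseif ($tpmIs12)  { $group = 'TPM OU once the TPM is turned on and activated in BIOS' }
    else               { $group = 'Non-TPM OU (startup key)' }

    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        EditionOk         = $editionOk
        SystemPartitionMB = $sysPartitionMB
        TpmPresent        = ($tpm -ne $null)
        TpmSpecVersion    = $(if ($tpm -ne $null) { $tpm.SpecVersion } else { $null })
        TpmReady          = $tpmReady
        SuggestedGroup    = $group
    } | Select-Object ComputerName, EditionOk, SystemPartitionMB, TpmPresent,
                      TpmSpecVersion, TpmReady, SuggestedGroup
}

Get-BitLockerReadiness
```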

5. Different client capabilities in ERAS (TPM vs. Non-TPM)

In this section we will discuss the differences in deploying ERAS BitLocker with versus without a TPM. BitLocker by default seeks to work with a TPM. Securing the BitLocker Encryption Key using a TPM is highly recommended, as this also eliminates the need to use a flash drive startup key. In addition, other authentication parameters such as a PIN/password and a USB startup key can be added along with the TPM, depending on the authentication method chosen.

Recommended and minimal GPO settings before you deploy additional authentication or no TPM

As mentioned in the previous paragraph, the TPM works by default with BitLocker. To add additional authentication to an OS volume along with using the TPM, one must enable a BitLocker policy.

Figure 1: Require additional authentication at startup

The policy in Figure 1 is required for allowing different authentication methods to be used with the TPM. This policy is also mandatory for systems that do not have a TPM or a compatible TPM. In that case one must check the box "Allow BitLocker without a compatible TPM"; this will require the use of a flash drive for the startup key of the OS volume.

If no policy is selected, then the TPM will be used for the startup of a BitLocker OS volume. If BitLocker detects that no TPM is available, it will fail to deploy until the policy in Figure 1 is deployed (with "Allow BitLocker without a compatible TPM" selected), applied and enforced on the domain or organizational unit.

Enable BitLocker password GPO settings for OS volume authentication before you deploy

In order to use passwords or an alphanumeric combination to unlock an OS volume, the "Allow enhanced PINs for startup" GPO must be enabled. This policy is located in a separate folder ("Operating System Drives") under the BitLocker GPOs.

Figure 2: Allow enhanced PINs for startup

Enable BitLocker GPO settings for TPM Core Root of Trust Measurements (CRTM)

The following policy is referred to in BitLocker as "Configure TPM platform validation profile". This policy allows one to configure how the TPM secures the BitLocker encryption key. This policy also allows one to set a platform validation profile, which consists of Platform Configuration Registers or PCRs. The default settings of PCRs allow for core root of trust measurements (CRTM) prior to the handing of the boot manager kernel to the Windows 7 kernel; this allows checking for root kits and viruses that can be present prior to booting into the system OS. If changes in the measurements are detected, the TPM will not provide the encryption key to unlock the drive. For more details, read through the BitLocker policy help file located within the policy.

Figure 3: Configure TPM platform validation profile

6. Required permissions for the local administrator group on client domain machines

In order to remotely manage BitLocker in a domain environment, the ERAS Service Account must be added to the local administrator group of the client machines, ideally in an organizational unit. This is done in one of two ways. The first is to use Restricted Groups; make sure to use "Member of" rather than "Members", since "Members" will not allow changes to the group when this is deployed. See http://support.microsoft.com/kb/279301. The other method, from a Windows 2008 R2 server, is to configure the local group using the method outlined at: http://technet.microsoft.com/en-us/library/cc732525.aspx

7. Choosing the best BitLocker authentication method

It is highly recommended that you use the TPM whenever possible for authentication, for the following reasons:

a) This eliminates the need to rely on a flash drive to store a startup BEK file to access the OS volume.

b) The TPM provides a secure platform-based method for associating authentication when providing a PIN or password.

c) In addition to establishing authentication, when the proper BitLocker policy is configured and deployed one can use the TPM to provide a boot manager kernel check before handoff to the Windows 7 kernel. In other words, the TPM makes core root of trust measurements (CRTM), which is a way to thwart kernel root kits. This also allows for additional protection of the BitLocker encryption key (BEK) if the measurements selected do not meet the satisfactory criteria.

8. Outline of the 5 BitLocker authentication methods, and the mandatory and recommended GPO settings.

A. TPM Only

This allows the TPM to release the key that unlocks the encrypted partition during the startup process. Because the keys needed to decrypt data require the BEK that is located on the TPM, it prevents one from reading the data by removing the hard disk and installing it on another computer.

GPO settings: None required. The deployment of this authentication method does not require enabling any GPO settings for BitLocker.

B. TPM + PIN (recommended)

This method of authentication is preferred because it provides the same level of protection as described for TPM only but in addition allows the pairing of a PIN. The addition of the policy mentioned earlier to enhance the PIN allows for the creation of alphanumeric passwords. This also allows for greater security and access control to the drive.

GPO settings: The deployment of this authentication method requires enabling the BitLocker GPO setting "Require additional authentication at startup"; it is recommended that you set all authentication to allow.

C. Startup Key

The startup key allows for storage of the BEK file on a flash drive, which is an external key that must be presented to the computer at startup. This provides a hand-off in the startup process to the Windows 7 kernel on the OS volume. Any method that uses a USB startup key makes the user vulnerable to a stolen or lost key.

GPO settings: The deployment of this authentication method requires enabling the BitLocker GPO setting "Require additional authentication at startup"; you will be required to check the box "Allow BitLocker without a compatible TPM".

D. TPM + PIN + Startup Key

This method secures the volume's encryption key by using the TPM on the computer, enhanced by both a user-specified PIN and an external key that must be presented to the computer at startup.

GPO settings: The deployment of this authentication method requires enabling the BitLocker GPO setting "Require additional authentication at startup"; it is recommended that you set all authentications to allow.

E. Smartcard

Smartcards / BitLocker cannot be set as an authentication method from ERAS. The link below contains information to allow smartcards to work with BitLocker.
http://technet.microsoft.com/en-us/library/dd875530(ws.10).aspx

There are two BitLocker policy settings that are associated with the use of smartcards. The first is "Validate smart card certificate usage rule compliance". This policy allows the association of an object identifier from a smart card certificate to a BitLocker-protected drive.

Figure 4: Validate smart card certificate usage rule compliance

Another BitLocker policy setting related to smart cards involves authentication to fixed data drives. The policy setting "Configure use of smart cards on fixed data drives", once enabled, allows one to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.

Figure 5: Configure use of smart cards on fixed data drives

Set BitLocker encryption and cipher GPO settings before you deploy.

Another optional but recommended BitLocker setting is the encryption and cipher level of the drives that will be deployed in your enterprise. By default the encryption setting of BitLocker is set to AES 128-bit with Diffuser. In order to change the default encryption setting, one must enable the policy in Figure 6.

Figure 6: Choose drive encryption method and cipher strength

This policy allows for the following encryption strength and cipher methods to be chosen:

- AES 128 Bit with Diffuser (default)
- AES 256 Bit with Diffuser
- AES 128 Bit
- AES 256 Bit
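Because ERAS fails to initialize a volume when the required policy has not reached the client (sections 5 and 8), it helps to confirm what the GPO actually delivered before enrolling. The script below is an added example, not code from Wave or ERAS: the function names are hypothetical, and the registry value names are those written by the Windows 7 BitLocker administrative template rather than anything listed in this guide.

```powershell
# Added example: read the BitLocker policy values a GPO writes to the registry and
# report which of this guide's authentication methods (A to D) the policy permits.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicy {
    param([string]$Path = $FvePolicyKey)
    $names  = 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'UseTPM', 'UseTPMPIN',
              'UseTPMKey', 'UseTPMKeyPIN', 'UseEnhancedPin', 'EncryptionMethod'
    $policy = @{}
    if (Test-Path $Path) {
        $props = Get-ItemProperty -Path $Path
        foreach ($n in $names) { $policy[$n] = $props.$n }   # $null when not configured
    }
    return $policy
}

function Test-FveAuthMethods {
    param([hashtable]$Policy, [bool]$HasTpm = $true)

    # "Require additional authentication at startup" (Figure 1). Each option under it
    # is stored as 0 = do not allow, 1 = require, 2 = allow.
    $advanced = ($Policy['UseAdvancedStartup'] -eq 1)
    $allowed  = @(1, 2)

    # A: needs no GPO; if the policy is enabled, TPM-only must not be disallowed.
    $tpmOnly = $HasTpm -and ((-not $advanced) -or ($allowed -contains $Policy['UseTPM']))
    # B and D: need the Figure 1 policy with the matching option allowed or required.
    $tpmPin    = $HasTpm -and $advanced -and ($allowed -contains $Policy['UseTPMPIN'])
    $tpmPinKey = $HasTpm -and $advanced -and ($allowed -contains $Policy['UseTPMKeyPIN'])
    # C: needs the box "Allow BitLocker without a compatible TPM".
    $startupKey = $advanced -and ($Policy['EnableBDEWithNoTPM'] -eq 1)

    # Figure 6: cipher selection; an unset value means the default applies.
    $cipherNames = @{ 1 = 'AES 128 Bit with Diffuser'; 2 = 'AES 256 Bit with Diffuser';
                      3 = 'AES 128 Bit';               4 = 'AES 256 Bit' }
    $method = $Policy['EncryptionMethod']
    if ($method -eq $null) { $cipher = 'AES 128 Bit with Diffuser (default, policy not set)' }
    elseif ($cipherNames.ContainsKey([int]$method)) { $cipher = $cipherNames[[int]$method] }
    else { $cipher = "Unrecognized value $method" }

    New-Object PSObject -Property @{
        A_TpmOnly          = $tpmOnly
        B_TpmPin           = $tpmPin
        C_StartupKey       = $startupKey
        D_TpmPinStartupKey = $tpmPinKey
        EnhancedPin        = ($Policy['UseEnhancedPin'] -eq 1)   # Figure 2
        Cipher             = $cipher
    } | Select-Object A_TpmOnly, B_TpmPin, C_StartupKey, D_TpmPinStartupKey,
                      EnhancedPin, Cipher
}

# Constructed sample: values a "TPM + PIN" OU might carry (not taken from a real machine).
$sample = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 0; UseTPM = 2; UseTPMPIN = 2;
             UseTPMKey = 2; UseTPMKeyPIN = 2; UseEnhancedPin = 1; EncryptionMethod = 2 }
Test-FveAuthMethods -Policy $sample

# Live check on a client:  Test-FveAuthMethods -Policy (Get-FvePolicy)
```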

9. Authentication method flows: how to perform single machine vs. batch enrollment.

The enrollment for a BitLocker volume can be performed by way of the ERAS console (review section three, ERAS Console, and section seven, BitLocker Management) or by a script (review section thirteen, Command line operations, of the ERAS Admin Manual) using the ERAS command line interface. The left pane of the ERAS console can be used to select an entire organizational unit (OU) for deploying any authentication method and allows for successive or global setting of a PIN or saving of startup keys, if needed.

Checking status and addressing errors.

Before enrolling a client machine for the previously mentioned authentication methods, take note of the following important information:

a) The required BitLocker policy is set from the domain, or locally (optional) on the machine, before initialization of the BitLocker volume.

b) ERAS will generate an error at the process window reflecting that it was unable to initialize the BitLocker volume with the specified authentication method if the authentication policy setting was not deployed.

c) ERAS is unable to remotely initialize any BitLocker OS volume that does not contain the required ~100 MB partition that was mentioned earlier in this document. Attempting to do this will result in a BitLocker Unknown status in ERAS.

d) Remote management on the domain requires the ERAS Service Account to be assigned as a local administrator on the client machine; if it is not, this will also cause problems with initialization of the BitLocker volume.

e) If the BitLocker volume to be initialized is on a foreign client machine, then one will be required to install the ERASConnector.msi. This connector replaces any requirement for assigning the ERAS Service Account as the local administrator on the client machine. For more information on the use of the ERASConnector.msi and Client-initiated Management, review the ERAS Admin Manual.

10. FIPS settings

Federal Information Processing Standard (FIPS) Group Policy settings in Windows 7 can be used to require FIPS compliance. Please keep in mind that if your organization is FIPS-compliant, BitLocker-protected removable drives cannot be opened by computers running Windows XP or Windows Vista. To use BitLocker in a FIPS-compliant environment, you must enable the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" Group Policy setting, which can be found in the Local Group Policy Editor under \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, before turning on BitLocker.

11. Locking down BitLocker from Local Admin

BitLocker local management can be disabled and made transparent by removing the BitLocker icon from the Control Panel and configuring the Windows application control policies to block manage-bde.exe. Performing these tasks removes the ability to perform any local management of BitLocker. For more details, one can visit the source cited and view screenshots of the individual steps listed below.

Step 1: How to remove the BitLocker icon from the Control Panel

a) The domain administrator will need to create a User Group Policy to disable the BitLocker icon in the Control Panel.
b) Open the Group Policy Management Editor and expand User Configuration.
c) Under Administrative Templates, click on Control Panel.
d) Next, click on "Hide specified Control Panel items" and enable this policy.
e) Click on Show to open the list of disallowed Control Panel items.
f) Add the canonical name for BitLocker, which is Microsoft.BitLockerDriveEncryption. See the link below to get the canonical names of Control Panel items.
   http://msdn.microsoft.com/en-us/library/ee330741(v=vs.85).aspx
g) After the domain administrator has created the group policy, run gpupdate /force to update the policy.
h) The above steps will remove the BitLocker Drive Encryption icon from the Control Panel on the client machines.

Step 2: How to use Application Control Policies (AppLocker) to block manage-bde

a) If the domain administrator wants to use AppLocker, he or she needs to make sure that the Application Identity service is running on the client machines.
b) The administrator can also use a Group Policy object (GPO) setting that configures the Application Identity service startup type to Automatic. For information about using Group Policy, see Planning and Deploying Group Policy (http://go.microsoft.com/fwlink/?linkid=143689).
c) Open the Services control panel and start the Application Identity service.
d) On the computer, open the local security policy (secpol.msc).
e) In the console tree, double-click Application Control Policies, and then double-click AppLocker.
f) Expand Application Control Policies and right-click on Executable Rules.
g) Create a new rule to deny access to manage-bde.exe to all users.
h) Enforce the rules; the policy is then set.
i) Run gpupdate /force to update the policy on the client. The policy will also update the next time the client machine logs in to the server.
j) Now, if someone with local admin privileges opens a command prompt and tries to run manage-bde.exe, they will get access denied and a message saying that this policy is controlled by GPO (Tanner, 2010).
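The lock-down only holds if both steps actually took effect on the client, so it is worth verifying rather than assuming. The script below is an added example, not code from the guide or from the cited blog post; the function name is hypothetical, it assumes the AppLocker PowerShell module that ships with Windows 7 Enterprise and Ultimate, and it must run as the user whose Control Panel policy is being checked.

```powershell
# Added example: verify the section 11 lock-down on a client (Windows 7, PowerShell 2.0).
function Test-BitLockerLockdown {
    param([string]$Target = (Join-Path $env:SystemRoot 'System32\manage-bde.exe'))

    # Step 1: "Hide specified Control Panel items" is a per-user policy; the list of
    # hidden items is stored as values under the DisallowCpl subkey in HKCU.
    $cplKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl'
    $iconHidden = $false
    if (Test-Path $cplKey) {
        $key = Get-Item -Path $cplKey
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValue($name) -eq 'Microsoft.BitLockerDriveEncryption') {
                $iconHidden = $true
            }
        }
    }

    # Step 2 a) to c): AppLocker rules are only evaluated while the Application
    # Identity service (AppIDSvc) is running.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $appIdRunning = ($svc -ne $null) -and ($svc.Status -eq 'Running')

    # Step 2 h): the executable rule collection must be enforced, not audit-only.
    Import-Module AppLocker
    [xml]$xml = Get-AppLockerPolicy -Effective -Xml
    $exe = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    $enforced = ($exe -ne $null) -and ($exe.EnforcementMode -eq 'Enabled')

    # Step 2 g): ask AppLocker how the effective policy treats manage-bde.exe for Everyone.
    $verdict  = Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $Target -User Everyone
    $decision = [string]$verdict.PolicyDecision      # Allowed, Denied or DeniedByDefault

    New-Object PSObject -Property @{
        IconHidden         = $iconHidden
        AppIdentityRunning = $appIdRunning
        ExeRulesEnforced   = $enforced
        Decision           = $decision
        MatchingRule       = [string]$verdict.MatchingRule
        LockedDown         = ($iconHidden -and $appIdRunning -and $enforced -and
                              ($decision -eq 'Denied'))
    } | Select-Object IconHidden, AppIdentityRunning, ExeRulesEnforced, Decision,
                      MatchingRule, LockedDown
}

Test-BitLockerLockdown
```

A result of Denied with the service stopped or the collection in audit-only mode means the rule exists but is not blocking anything, which is why the three AppLocker conditions are reported separately.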

Works Cited

Tanner, S. (2010, September 14). How to Prevent Local Administrator from Turning OFF bitlocker. Retrieved November 18, 2010, from BitLocker Drive Encryption Team Blog: http://blogs.technet.com/b/bitlocker/archive/2010/09/14/how-to-prevent-local-administrator-from-turning-off-bitlocker.aspx