Windows Server 2008 Inside Out- P11

Shared by: Thanh Cong | Date: | File type: PDF | Pages: 50


CHAPTER 15
TPM and BitLocker Drive Encryption

Working with Trusted Platforms . . . . . 467
Managing TPM . . . . . 469
Introducing BitLocker Drive Encryption . . . . . 477
Deploying BitLocker Drive Encryption . . . . . 478
Setting Up and Managing BitLocker Drive Encryption . . . . . 481

Many of the security features built into the Windows operating system are designed to protect a computer from attacks by individuals accessing the computer over the network or from the Internet. But what about when individuals have direct physical access to a computer? When someone has direct physical access to a computer, many of Windows’ security safeguards don’t apply. For example, if someone can boot a computer—even if it is to another operating system they’ve installed—he or she could gain access to any data stored on the computer, perhaps even your organization’s most sensitive data. To protect a computer from individuals who have direct access to it, Windows Vista and Windows Server 2008 include the Trusted Platform Module Services architecture and BitLocker Drive Encryption. Together these features help protect a computer from many types of attacks by individuals who have direct access to a computer.

Working with Trusted Platforms

Windows Vista and Windows Server 2008 include the Encrypting File System (EFS) for encrypting files and folders. Using EFS, users can protect sensitive data so that it can only be accessed using their public key certificate. Encryption certificates are stored as part of the data in a user’s profile. As long as users have access to their profiles and the encryption keys they contain, they can access their encrypted files. Although EFS offers excellent protection for your data, it doesn’t safeguard the computer from attack by someone who has direct physical access.
In a situation where a user loses a computer, a computer has been stolen, or the attacker is logging on to a computer, EFS might not protect the data because the attacker might be able to gain access to the computer before it boots. He could then access the computer from another operating system and change the computer’s configuration. He might then be able to hack into a logon account on the original operating system so that he can log on as the user, or configure the computer so that he can log on as a local administrator. Either way, the attacker could eventually gain full access to a computer and its data.

To seal a computer from physical attack and wrap it in an additional layer of protection, Windows Vista and Windows Server 2008 include the Trusted Platform Module (TPM) Services architecture. TPM Services protect a computer using a dedicated hardware component called a TPM. A TPM is a microchip that is usually installed on the motherboard of a computer, where it communicates with the rest of the system using a hardware bus. Computers running Windows Vista or Windows Server 2008 can use a TPM to provide enhanced protection for data, to ensure early validation of the boot files’ integrity, and to guarantee that a disk has not been tampered with while the operating system was offline.

A TPM has the ability to create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, referred to as wrapping or binding, protects the key from disclosure. A TPM has a master “wrapping” key called the Storage Root Key (SRK). The SRK is stored within the TPM itself to ensure that the private portion of the key is secure.

Computers that have a TPM can create a key that has not only been wrapped but also sealed. The process of sealing the key ensures that the key is tied to specific platform measurements and can only be unwrapped when those platform measurements have the same values that they had when the key was created. This is what gives TPM-equipped computers increased resistance to attack.

Because the TPM stores private portions of key pairs separately from memory controlled by the operating system, keys can be sealed to the TPM to provide absolute assurances about the state of a system and its trustworthiness. TPM keys are only unsealed when the integrity of the system is intact. Further, because the TPM uses its own internal firmware and logical circuits for processing instructions, it does not rely upon the operating system and is not subject to external software vulnerabilities. The TPM can also be used to seal and unseal data that is generated outside of the TPM, and this is where the true power of the TPM lies.
In Windows Vista and Windows Server 2008, the feature that accesses the TPM and uses it to seal a computer is called BitLocker Drive Encryption. Although BitLocker Drive Encryption can be used in both TPM and non-TPM configurations, the most secure method is to use a TPM.

When you use BitLocker Drive Encryption and a TPM to seal the boot manager and boot files of a computer, the boot manager and boot files can be unsealed only if they are unchanged since they were last sealed. This means you can use the TPM to validate a computer’s boot files in the pre–operating system environment. When you seal a hard disk using the TPM, the hard disk can only be unsealed if the data on the disk is unchanged since it was last sealed. This guarantees that a disk has not been tampered with while the operating system was offline.

When you use BitLocker Drive Encryption and do not use a TPM to seal the boot manager and boot files of a computer, the TPM cannot be used to validate a computer’s boot files in the pre–operating system environment. This means there is no way to guarantee the integrity of the boot manager and boot files of a computer.
Managing TPM

A computer running Windows Server 2008 must be equipped with a compatible TPM and compatible firmware to take advantage of TPM. Both Windows Vista and Windows Server 2008 support TPM version 1.2 and require Trusted Computing Group (TCG)–compliant firmware. Firmware that is TCG-compliant is firmware that supports the Static Root of Trust Measurement as defined by the Trusted Computing Group. In some configurations of TPM and BitLocker Drive Encryption, you’ll also need to make sure the firmware supports reading USB flash drives at startup.

Understanding TPM States and Tools

The TPM Services architecture in Windows Vista and Windows Server 2008 provides the basic features required to configure and deploy TPM-equipped computers. This architecture can be extended with a feature called BitLocker Drive Encryption, which is discussed in “Introducing BitLocker Drive Encryption” on page 477. Before you can use TPM, you must turn on TPM in firmware and initialize the TPM for first use in software. As part of the initialization process, you’ll set the owner password on the TPM. After TPM is enabled, you can manage the TPM configuration.

In some cases, computers that have TPM might ship with TPM turned on. However, in most cases, you’ll find TPM is not turned on by default. You turn on TPM in firmware. With my servers, I needed to:

1. Start the computer. Press F2 during startup to access the firmware. In the firmware, I accessed the Advanced screen and then the Peripheral Configuration screen.
2. On the Peripheral Configuration screen, Trusted Platform Module was listed as an option. After scrolling down to highlight this option, I pressed Enter to display an options menu. On the options menu, I selected Enable and then pressed Enter.
3. To save the setting change and exit the firmware, I then pressed F10. When prompted to confirm that I wanted to exit, I pressed Y and the computer then rebooted.
Windows Vista and Windows Server 2008 provide several tools for working with TPM, including:

- Trusted Platform Module Management  An MMC console for configuring and managing TPM. You can access this tool by clicking Start, typing tpm.msc in the Search box, and then pressing Enter.
- Initialize The TPM Security Hardware  A wizard for creating the required TPM owner password. You can access this tool by clicking Start, typing tpminit in the Search box, and then pressing Enter.

When you are working with Trusted Platform Module Management, you’ll be able to determine the exact state of the TPM. If you try to start Trusted Platform Module Management without turning on TPM, you’ll see an error like the one shown in the following screen. Similarly, if you try to run Initialize The TPM Security Hardware without turning on TPM, you’ll see an error like the one shown in the following screen.

Only when you’ve turned on TPM in firmware will you be able to access and work with the TPM tools. When you are working with the Trusted Platform Module Management console, shown in Figure 15-1, you should note the TPM status and the TPM manufacturer information. The TPM status indicates the exact state of the TPM (see Table 15-1). The TPM manufacturer information shows that the TPM supports specification version 1.2. Support for TPM version 1.2 or later is required.

Table 15-1  TPM Status Indicators and Their Meanings

  Status Indicator                                  Meaning
  The TPM is on and ownership has not been taken    The TPM is turned on in firmware but hasn’t been initialized yet.
  The TPM is on and ownership has been taken        The TPM is turned on in firmware and has been initialized.
  The TPM is off and ownership has not been taken   The TPM is turned off in software but hasn’t been initialized yet.
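The console reads the TPM state from the same WMI class that scripts can query. The following script is an added example, not code from the book: it reads the Win32_Tpm class (exposed by Windows Vista and Windows Server 2008 and later) and maps the enabled, activated and owned flags onto the status strings of Table 15-1, so the state can be checked from a script both before and after the initialization procedure that follows. The decoding of ManufacturerId into a vendor name is my addition; the function name Get-TpmStatusSummary is mine as well.

```powershell
# Added example, not from the book: classify the local TPM through the
# Win32_Tpm WMI class (exposed by Windows Vista / Windows Server 2008 and
# later) and phrase the result with the status strings of Table 15-1.
# Get-WmiObject keeps this usable from Windows PowerShell 2.0 through 5.1.

function Get-TpmStatusSummary {
    # Win32_Tpm answers only to administrators, so fail loudly instead of
    # reporting "no TPM" from an unelevated prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }

    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class 'Win32_Tpm' -ErrorAction SilentlyContinue
    if ($tpm -eq $null) {
        # The same condition that makes tpm.msc report an error: Windows sees
        # no TPM, usually because it is still turned off in firmware.
        return New-Object PSObject -Property @{
            Present = $false; Enabled = $false; Activated = $false; Owned = $false
            SpecVersion = $null; Manufacturer = $null
            Status = 'No compatible TPM found; turn on the TPM in firmware'
        }
    }

    # The IsEnabled/IsActivated/IsOwned methods return the live values; the
    # *_InitialValue properties hold the state recorded at boot.
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned
    $on        = $enabled -and $activated

    # Map the flags onto the console wording: the three rows of Table 15-1
    # plus the "off / ownership taken" state shown after Turn TPM Off.
    if ($on -and $owned) { $status = 'The TPM is on and ownership has been taken' }
    elseif ($on)         { $status = 'The TPM is on and ownership has not been taken' }
    elseif ($owned)      { $status = 'The TPM is off and ownership has been taken' }
    else                 { $status = 'The TPM is off and ownership has not been taken' }

    # ManufacturerId packs four ASCII characters into a big-endian UInt32;
    # decoding it here is my addition, the console shows the vendor name.
    $bytes = [BitConverter]::GetBytes([uint32]$tpm.ManufacturerId)
    [Array]::Reverse($bytes)
    $vendor = [Text.Encoding]::ASCII.GetString($bytes).Trim([char]0)

    # SpecVersion reads like "1.2, 2, 3"; the text requires 1.2 or later.
    $spec = ([string]$tpm.SpecVersion -split ',')[0].Trim()
    if ([version]$spec -lt [version]'1.2') {
        $status += ' (specification version below 1.2 is not supported)'
    }

    New-Object PSObject -Property @{
        Present = $true; Enabled = $enabled; Activated = $activated; Owned = $owned
        SpecVersion = $spec; Manufacturer = $vendor; Status = $status
    }
}

Get-TpmStatusSummary | Format-List Present, Status, SpecVersion, Manufacturer, Enabled, Activated, Owned
```

Run the script once before initializing the TPM (expect “on and ownership has not been taken”) and again after step 6 of the initialization procedure (expect “on and ownership has been taken”); a Present value of False with the TPM enabled in firmware points at a firmware or driver problem rather than at the initialization itself.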
Figure 15-1  Use the Trusted Platform Module Management console to initialize and manage TPM.

Initializing a TPM for First Use

Initializing a TPM configures it for use on a computer. The initialization process involves turning on the TPM and then setting ownership of the TPM. By setting ownership of the TPM, you are assigning a password that helps ensure that only the authorized TPM owner can access and manage the TPM. The TPM password is required to turn off the TPM if you no longer want to use it and to clear the TPM if the computer is to be recycled. In an Active Directory domain, you can configure Group Policy to save TPM passwords.

To initialize the TPM and create the owner password, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Initialize TPM to start the Initialize The TPM Security Hardware wizard.

   Note  If the Initialize The TPM Security Hardware wizard detects firmware that does not meet Windows requirements or no TPM is found, you will not be able to continue and should ensure that the TPM has been turned on in firmware. Otherwise, you’ll see the Create The TPM Owner Password page.

2. On the Create The TPM Owner Password page, shown in Figure 15-2, click Automatically Create The Password (Recommended).

   Figure 15-2  Initialize the TPM.

3. On the Save Your TPM Owner Password page, shown in Figure 15-3, note the 48-character TPM owner password. Click Save The Password.

   Figure 15-3  Note the 48-character TPM owner password.

4. In the Save As dialog box, shown in Figure 15-4, select a location to save the password backup file and then click Save. By default, the password backup file is saved as ComputerName.tpm. Ideally, you’ll save the TPM ownership password to removable media, such as a USB flash drive.
   Figure 15-4  Save the TPM owner password.

5. On the Save Your TPM Owner Password page, click Print The Password if you want to print a hard copy of the password. Be sure to save the printout containing the password in a secure location, such as a safe or locked file cabinet.

6. Click Initialize. The initialization process may take several minutes to complete. When initialization is complete, click Close. In the TPM Management console, the status should be listed as “The TPM is on and ownership has been taken,” as shown in Figure 15-5.

   Figure 15-5  The status of an initialized TPM shows ownership has been taken.

Turning an Initialized TPM On or Off

Computers that have TPM might ship with TPM turned on. If you decide not to use TPM, you should turn off and clear the TPM. If you want to reconfigure or recycle a computer, you should also turn off and clear the TPM.

To turn off TPM, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Turn TPM Off. This starts the Manage The TPM Security Hardware wizard.

2. On the Turn Off The TPM Security Hardware page, shown in Figure 15-6, use one of the following methods for entering the current password and turning off the TPM:

   - If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Turn TPM Off.
   - If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter the TPM password (including dashes) and then click Turn TPM Off.
   - If you do not know your TPM owner password, click I Don’t Have The TPM Owner Password, and then follow the instructions provided to turn off the TPM without entering the password. Because you are logged on locally to the computer, you will be able to turn off the TPM.

3. In the TPM Management console, the status should be listed as “The TPM is off and ownership has been taken.” Do not discard the TPM owner password file or printout. You will need this information if you want to turn the TPM back on.

   Figure 15-6  Click an option for turning off the TPM.

After you’ve used the previously listed procedure to turn off the TPM in software, you can turn on the TPM in software by following these steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Turn TPM On. This starts the Manage The TPM Security Hardware wizard.
2. On the Turn On The TPM Security Hardware page, use one of the following methods for entering the current TPM password and turning on the TPM:

   - If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Turn TPM On.
   - If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter the TPM password (including dashes) and then click Turn TPM On.
   - If you do not know your TPM owner password, click I Don’t Have The TPM Owner Password, and then follow the instructions provided to turn on the TPM without entering the password. Because you are logged on locally to the computer, you will be able to turn on the TPM.

3. In the TPM Management console, the status should be listed as “The TPM is on and ownership has been taken.” Do not discard the TPM owner password file or printout. You will need this information if you want to manage the TPM.

Clearing the TPM

Clearing the TPM cancels the TPM ownership and finalizes the shutdown of the TPM. You should only clear the TPM when a TPM-equipped computer is to be recycled. To clear the TPM, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Clear TPM. This starts the Manage The TPM Security Hardware wizard.

   CAUTION  Clearing the TPM resets it to factory defaults and finalizes its shutdown. As a result, you will lose all created keys and data protected by those keys.

2. On the Clear The TPM Security Hardware page, select a method for entering the current password and clearing the TPM:

   - If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Clear TPM.
   - If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter your password (including dashes) and then click Clear TPM.
   - If you do not know your TPM owner password, click I Don’t Have The TPM Owner Password, and follow the instructions provided to clear the TPM without entering the password. Because you are logged on locally to the computer, you will be able to clear the TPM.

Changing the TPM Owner Password

You can change the TPM password at any time. To change the TPM owner password, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Change Owner Password. This starts the Manage The TPM Security Hardware wizard.

2. On the Change TPM Owner Password page, select a method for entering the current password:

   - If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Create New Password.
   - If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter your password (including dashes) and then click Create New Password.

3. On the Create The TPM Owner Password page, select Automatically Create The Password (Recommended) and then click Next.

4. On the Save Your TPM Owner Password page, note the 48-character TPM owner password. Click Save The Password. In the Save As dialog box, select a location to save the password backup file and then click Save. If you are saving the password backup file to the same location and name, click Yes when prompted to replace the existing file.

5. On the Save Your TPM Owner Password page, click Print The Password if you want to print a hard copy of the password. Be sure to save the printout containing the password in a secure location, such as a safe or locked file cabinet.

6. To complete the process, click Change Password.
Introducing BitLocker Drive Encryption

BitLocker Drive Encryption, a feature included in all editions of Windows Server 2008 and in the Ultimate and Enterprise editions of Windows Vista, is designed to protect the data on lost, stolen, or inappropriately decommissioned computers. Without BitLocker Drive Encryption, there are a variety of ways a user with direct physical access to a computer could gain full control and then access the computer’s data, whether that data was encrypted with EFS or not. For example, a user could use a boot disk to boot the computer and reset the administrator password. A user could also install and then boot to a different operating system, and then use this operating system to unlock the other installation.

BitLocker Drive Encryption prevents all access to a computer’s drives except by authorized personnel by wrapping entire drives in tamper-proof encryption. If a user tries to access a BitLocker encrypted drive, the encryption prevents them from viewing or manipulating the data in any way. This dramatically reduces the risk of an unauthorized person gaining access to confidential data using offline attacks.

CAUTION  BitLocker Drive Encryption reduces disk throughput. Because of this, it should be used on an enterprise server only if the server is not in a physically secure location and requires additional protection.

BitLocker Drive Encryption can use a TPM to validate the integrity of a computer’s boot manager and boot files at startup, and to guarantee that a computer’s hard disk has not been tampered with while the operating system was offline. BitLocker Drive Encryption also stores measurements of core operating system files in the TPM. Every time the computer is started, Windows validates the boot files, the operating system files, and any encrypted volumes to ensure that they have not been modified while the computer was offline. If the files have been modified, Windows alerts the user and refuses to release the key required to access Windows. The computer then goes into Recovery mode, prompting the user to provide a recovery key before allowing access to the boot volume. The Recovery mode is also used if a BitLocker encrypted disk drive is transferred to another system.

BitLocker Drive Encryption can be used in both TPM and non-TPM computers. If a computer has a TPM, BitLocker Drive Encryption uses the TPM to provide enhanced protection for your data and to ensure early boot file integrity. These features together help prevent unauthorized viewing and accessing of data by encrypting the entire Windows volume and by safeguarding the boot files from tampering. If a computer doesn’t have a TPM or its TPM isn’t compatible with Windows, BitLocker Drive Encryption can be used to encrypt entire volumes and in this way protect the volumes from tampering. This configuration, however, doesn’t allow the added security of early boot file integrity validation.
On computers with a compatible TPM that is initialized, BitLocker Drive Encryption can use one of three TPM modes:

- TPM-Only  In this mode, only the TPM is used for validation. When the computer boots, the TPM is used to validate the boot files, the operating system files, and any encrypted volumes. As the user doesn’t need to provide an additional startup key, this mode is transparent to the user and the user logon experience is unchanged. However, if the TPM is missing or the integrity of files or volumes has changed, BitLocker will enter Recovery mode and require a recovery key or password to regain access to the boot volume.
- TPM and PIN  In this mode, both the TPM and a user-entered numeric key are used for validation. When the computer boots, the TPM is used to validate the boot files, the operating system files, and any encrypted volumes. The user must enter a PIN when prompted to continue startup. If the user doesn’t have the PIN or is unable to provide the correct PIN, BitLocker will enter Recovery mode instead of booting to the operating system. As before, BitLocker will also enter Recovery mode if the TPM is missing or the integrity of boot files or encrypted volumes has changed.
- TPM and Startup Key  In this mode, both the TPM and a startup key are used for validation. When the computer boots, the TPM is used to validate the boot files, the operating system files, and any encrypted volumes. The user must have a USB flash drive with a startup key to log on to the computer. If the user doesn’t have the startup key or is unable to provide the correct startup key, BitLocker will enter Recovery mode. As before, BitLocker will also enter Recovery mode if the TPM is missing or the integrity of boot files or encrypted volumes has changed.

On computers without a TPM or on computers that have incompatible TPMs, BitLocker Drive Encryption uses Startup Key Only mode. As the name implies, this mode requires a USB flash drive containing a startup key. The user inserts a USB flash drive in the computer before turning it on. The key stored on the flash drive unlocks the computer. If the user doesn’t have the startup key or is unable to provide the correct startup key, BitLocker will enter Recovery mode. BitLocker will also enter Recovery mode if the integrity of encrypted volumes has changed.

Deploying BitLocker Drive Encryption

Deploying BitLocker Drive Encryption in an enterprise changes the way both administrators and users work with computers. A computer with BitLocker Drive Encryption requires user intervention to boot to the operating system—a user must either enter a PIN or insert a USB flash drive containing a startup key. Because of this, after you’ve deployed BitLocker Drive Encryption, you can no longer be assured that you can perform remote administration that requires a computer to be restarted without having physical access to the computer—someone will need to be available to type in the required PIN or insert the USB flash drive with the startup key.
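Each of the modes above corresponds to a particular combination of key protectors on the volume, and Recovery mode is only a way out if a recovery password or recovery key protector also exists. The following script is an added example, not code from the book: it enumerates volumes through the Win32_EncryptableVolume WMI class (Windows Vista SP1 and Windows Server 2008 and later), names the mode each volume is in using the book’s terms, and flags protected volumes that have no recovery protector. The function names and the mode-mapping rules are mine; the numeric type codes are those the class returns.

```powershell
# Added example, not from the book: enumerate BitLocker volumes through the
# Win32_EncryptableVolume WMI class (Windows Vista SP1 / Windows Server 2008
# and later) and report which of the modes described above protects each
# one, plus whether a recovery password exists. Run from an elevated prompt.

# KeyProtectorType codes returned by GetKeyProtectorType().
$ProtectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (startup or recovery key file)'
    3 = 'Numerical password (48-digit recovery password)'; 4 = 'TPM and PIN'
    5 = 'TPM and Startup Key'; 6 = 'TPM, PIN and Startup Key'
    7 = 'Public key'; 8 = 'Passphrase'
}
# ConversionStatus codes returned by GetConversionStatus().
$ConversionNames = @{
    0 = 'Fully decrypted'; 1 = 'Fully encrypted'; 2 = 'Encryption in progress'
    3 = 'Decryption in progress'; 4 = 'Encryption paused'; 5 = 'Decryption paused'
}

# Translate the set of protector types on a volume into the book's mode names.
function Get-BitLockerMode([int[]]$Types) {
    if ($Types -contains 6) { return 'TPM, PIN and Startup Key' }
    if ($Types -contains 4) { return 'TPM and PIN' }
    if ($Types -contains 5) { return 'TPM and Startup Key' }
    if ($Types -contains 1) { return 'TPM-Only' }
    if ($Types -contains 2) { return 'Startup Key Only (no TPM protector)' }
    if ($Types.Count -eq 0) { return 'No key protectors' }
    return 'Other'
}

function Get-BitLockerVolumeSummary {
    $volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                             -Class 'Win32_EncryptableVolume' -ErrorAction SilentlyContinue
    foreach ($vol in $volumes) {
        # GetKeyProtectors(0) lists protectors of every type; each ID is then
        # resolved to its type code.
        $ids = @()
        $kp = $vol.GetKeyProtectors(0)
        if ($kp.VolumeKeyProtectorID) { $ids = @($kp.VolumeKeyProtectorID) }
        $types = @()
        foreach ($id in $ids) { $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType }

        $conv = $vol.GetConversionStatus()
        $protectionOn = ([int]$vol.ProtectionStatus -eq 1)

        # Recovery mode needs either the 48-digit password or a recovery key
        # file; a protected volume with neither has no way back after a
        # failed integrity check.
        $hasRecoveryPassword = ($types -contains 3)
        $warning = $null
        if ($protectionOn -and -not $hasRecoveryPassword -and -not ($types -contains 2)) {
            $warning = 'Protection is on but no recovery password or recovery key protector exists'
        }

        New-Object PSObject -Property @{
            Drive               = $vol.DriveLetter
            ProtectionOn        = $protectionOn
            Conversion          = $ConversionNames[[int]$conv.ConversionStatus]
            PercentEncrypted    = [int]$conv.EncryptionPercentage
            Mode                = Get-BitLockerMode $types
            Protectors          = ($types | ForEach-Object { $ProtectorNames[$_] }) -join ', '
            HasRecoveryPassword = $hasRecoveryPassword
            Warning             = $warning
        }
    }
}

Get-BitLockerVolumeSummary | Format-List
```

The external key protector (type 2) is used both for a startup key and for a recovery key saved to a USB flash drive, so the class alone cannot tell the two apart; the script therefore treats any external key as a possible recovery path and only warns when neither it nor a numerical password is present. On Windows Server 2008 the same information is available interactively through cscript %SystemRoot%\System32\manage-bde.wsf -status.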
Before you use BitLocker Drive Encryption, you should perform a thorough evaluation of your organization’s computers. You will need to develop plans and procedures for:

- Evaluating the various BitLocker authentication methods and applying them as appropriate
- Determining whether computers support TPM and thus whether you must use TPM or non-TPM BitLocker configurations
- Storing, using, and periodically changing encryption keys, recovery passwords, and other validators used with BitLocker

You will need to develop new procedures for:

- Working with BitLocker encrypted drives
- Supporting BitLocker encrypted drives
- Recovering computers with BitLocker encrypted drives

These procedures will need to take into account the way BitLocker encryption works and the requirements to have PINs, startup keys, and recovery keys available whenever you work with BitLocker encrypted computers. After you’ve evaluated your organization’s computers and developed basic plans and procedures, you’ll need to develop a configuration plan for implementing BitLocker Drive Encryption.

Note  Two implementations of BitLocker Drive Encryption are available: the original BitLocker Drive Encryption as released with Windows Vista and the updated BitLocker Drive Encryption as released with Windows Server 2008. With the updated implementation, you can use BitLocker encryption on both system and data volumes. Because Windows Vista and Windows Server 2008 share the same core kernel and architecture, the updated BitLocker Drive Encryption should also become available in Windows Vista.

BitLocker Drive Encryption requires a specific disk configuration. On a computer with a compatible TPM, you must create or make available a BitLocker Drive Encryption partition on your hard drive and then initialize the TPM as discussed previously under “Initializing a TPM for First Use” on page 471. On a computer without a compatible TPM, you only need to create or make available a BitLocker Drive Encryption partition on your hard drive.

The way you create the BitLocker Drive Encryption partition depends on whether the computer has an operating system installed. If the computer doesn’t have an operating system installed, follow the procedure discussed under “Creating the BitLocker Drive Encryption Partition for a Computer with No Operating System” on page 482. If the computer has an operating system installed, follow the procedure discussed under “Creating the BitLocker Drive Encryption Partition for a Computer with an Operating System” on page 482.

You can use Local Group Policy and Active Directory Group Policy to help you manage and maintain TPM and BitLocker configurations. TPM Services Group Policy settings are found in Computer Configuration\Administrative Templates\System\Trusted Platform Module Services and include:

- Turn On TPM Backup To Active Directory Domain Services
- Configure The List Of Blocked TPM Commands
- Ignore The Default List Of Blocked TPM Commands
- Ignore The Local List Of Blocked TPM Commands

BitLocker Group Policy settings are found in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption and include:

- Turn On BitLocker Backup To Active Directory Domain Services
- Control Panel Setup: Configure Recovery Folder
- Control Panel Setup: Configure Recovery Options
- Control Panel Setup: Enable Advanced Startup Options
- Configure Encryption Method
- Prevent Memory Overwrite On Restart
- Configure TPM Platform Validation Profile

BitLocker policy settings apply to both Windows Vista and Windows Server 2008.

Unlike Active Directory Domain Services for Windows Server 2003, Active Directory Domain Services for Windows Server 2008 includes the TPM and BitLocker recovery extensions for Computer objects. For TPM, the extensions define a single property of the Computer object called ms-TPM-OwnerInformation. When the TPM is initialized or when the owner password is changed, the hash of the TPM ownership password can be stored as a value of the ms-TPM-OwnerInformation attribute on the related Computer object. For BitLocker, these extensions define Recovery objects as child objects of Computer objects and are used to store recovery passwords and associate them with specific BitLocker encrypted volumes.
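The Group Policy settings listed above land in the Policies hive of the registry, which makes the effective configuration of a computer easy to audit. The following script is an added example, not code from the book: it reads the values behind the two AD DS backup policies and the FIPS security option, and applies the rules stated on this page and in the side-out that follows: recovery information should be required to back up to AD DS, and a required BitLocker backup cannot coexist with the FIPS algorithms policy because no recovery password can be created under FIPS. The registry value names follow the Microsoft TPM and BitLocker administrative templates as I know them and should be confirmed against your template version; the function names are mine.

```powershell
# Added example, not from the book: audit the registry values behind the
# TPM / BitLocker Group Policy settings and the FIPS security option, and
# report the findings the text warns about. Value names are taken from the
# Microsoft TPM.admx / VolumeEncryption.admx templates as I know them
# (assumption: confirm against your template version).

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # BitLocker Drive Encryption
$TpmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'   # Trusted Platform Module Services
$FipsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # A missing key or value means the policy is Not Configured.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}

function Test-BitLockerPolicyBaseline {
    $tpmBackup   = Get-RegistryDword $TpmPolicy 'ActiveDirectoryBackup'
    $tpmRequire  = Get-RegistryDword $TpmPolicy 'RequireActiveDirectoryBackup'
    $fveBackup   = Get-RegistryDword $FvePolicy 'ActiveDirectoryBackup'
    $fveRequire  = Get-RegistryDword $FvePolicy 'RequireActiveDirectoryBackup'
    $fipsEnabled = Get-RegistryDword $FipsKey   'Enabled'

    $findings = @()

    # TPM owner information should be escrowed to ms-TPM-OwnerInformation.
    if ($tpmBackup -ne 1) {
        $findings += 'Turn On TPM Backup To Active Directory Domain Services is not enabled.'
    } elseif ($tpmRequire -ne 1) {
        $findings += 'TPM backup is enabled but Require TPM Backup To AD DS is not set; an owner password can be created without being escrowed.'
    }

    # BitLocker recovery passwords should be escrowed to the Recovery objects.
    if ($fveBackup -ne 1) {
        $findings += 'Turn On BitLocker Backup To Active Directory Domain Services is not enabled.'
    } elseif ($fveRequire -ne 1) {
        $findings += 'BitLocker backup is enabled but Require BitLocker Backup To AD DS is not set; volumes can be protected without escrow.'
    }

    # Under FIPS no recovery password exists, so a required AD DS backup
    # can never succeed and BitLocker setup reports an error.
    if ($fipsEnabled -eq 1) {
        $findings += 'FIPS algorithms policy is enabled: only recovery keys on USB flash drives can be used; recovery passwords cannot be created.'
        if ($fveRequire -eq 1) {
            $findings += 'CONFLICT: BitLocker AD DS backup is required while FIPS is enabled; enabling BitLocker will fail with an error.'
        }
    }

    New-Object PSObject -Property @{
        TpmBackupToAdds            = $tpmBackup
        TpmBackupRequired          = $tpmRequire
        BitLockerBackupToAdds      = $fveBackup
        BitLockerBackupRequired    = $fveRequire
        FipsAlgorithmsEnabled      = $fipsEnabled
        Findings                   = $findings
    }
}

Test-BitLockerPolicyBaseline | Format-List
```

A value of $null in the output means the corresponding policy is Not Configured rather than disabled; both cases leave recovery information unescrowed, which is why the script treats anything other than 1 as a finding.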
SIDE OUT  Using TPM, BitLocker, and FIPS with AD DS

To ensure that TPM and BitLocker recovery information is always available, you should configure Group Policy to require its backup. With Turn On TPM Backup To Active Directory Domain Services, enable the policy and then use the setting Require TPM Backup To AD DS. With Turn On BitLocker Backup To Active Directory Domain Services, enable the policy and then use the setting Require BitLocker Backup To AD DS.

For Federal Information Processing Standard (FIPS) compliance, you cannot create or save a BitLocker recovery password. So instead, you’ll need to configure Windows to create recovery keys. To do this, enable the security option System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, And Signing in Local Group Policy or Active Directory Group Policy as appropriate; in the Security Policy Editor the setting is located at Local Policies\Security Options. With this setting enabled, users can save a recovery key only to a USB flash drive. Users will not be able to save a recovery password to AD DS, local folders, or network folders, and also will not be able to use the BitLocker Drive Encryption wizard or any other method to create a recovery password. Because recovery passwords cannot be saved to AD DS when FIPS is enabled, Windows will display an error if AD DS backup is required by Group Policy.

Setting Up and Managing BitLocker Drive Encryption

With Windows Server 2008, you can configure and enable BitLocker Drive Encryption on both system volumes and data volumes. However, if you want to encrypt a server’s data volumes you must first encrypt its system volume. When you use encrypted data volumes, the operating system mounts BitLocker data volumes as it would any other volume. The encryption key for a protected data volume is created and stored independently from the system volume and all other protected data volumes. To allow the operating system to mount encrypted volumes, the key chain protecting the data volume is stored encrypted on the operating system volume. If the operating system enters Recovery mode, the data volumes are not unlocked until the operating system is out of Recovery mode.

Setting up BitLocker Drive Encryption is a multistep process that involves:

1. Partitioning a computer’s hard disks appropriately and installing the operating system, if you are configuring a new computer.
2. Initializing and configuring a computer’s TPM (if applicable).
3. Installing the BitLocker Drive Encryption feature (as necessary).
4. Checking firmware to ensure that the computer is set to start first from the disk containing the system partition and the BitLocker partition, not from USB or CD/DVD drives.
5. Turning on and configuring BitLocker Drive Encryption.

After you've turned on and configured BitLocker encryption, there are several techniques you can use to maintain the environment and perform recovery.

Creating the BitLocker Drive Encryption Partition for a Computer with No Operating System

BitLocker Drive Encryption requires two NTFS partitions, one for the system volume and one for the operating system volume. The system volume partition must be at least 1.5 gigabytes (GB) and set as the active partition. On new hardware, you create the BitLocker Drive Encryption partition before any operating system is installed. To do this, start the computer from the installation media and create two partitions on the computer's primary disk:

The first partition is the partition for BitLocker Drive Encryption. It holds the files required to start the operating system and is not encrypted.
The second is the primary partition for the operating system and your data. This partition is encrypted when you turn on BitLocker.

You can partition a drive with no operating system for BitLocker Drive Encryption by following these steps:

1. Insert the Windows installation disc for the hardware architecture and boot from it by pressing a key when prompted. If the server does not allow you to boot from the installation disc, you might need to change firmware options to allow booting from the CD/DVD-ROM drive.
2. If Windows Setup doesn't start automatically, select Windows Setup (EMS Enabled) on the Windows Boot Manager menu to start it.
3. On the Install Windows page, select the language, time, and keyboard layout options that you want to use. Click Next.
4. On the next Setup page, you have two options:
   If a Repair Your Computer link is available in the lower-left corner of the Install Windows page, click it to start the System Recovery Options wizard. On the System Recovery Options page, click Command Prompt to open a command prompt in the MIN-WINPC (Windows PE) environment.
   If a Repair Your Computer link is not available (for example, when no Windows Server 2008 or later operating system is already installed), click Install Now. Proceed through the installation process until you reach the Where Do You Want To Install Windows page. At this point, press Shift+F10 to open a command prompt.
5. In the Command Prompt window, type diskpart and press Enter.
6. Select the hard disk to use by typing select disk 0.
7. Erase the existing partition table by typing clean. This destroys all data on the disk.
8. Create the BitLocker partition by typing create partition primary size=1500 (DiskPart sizes are in megabytes).
9. Designate the partition as S: by typing assign letter=s.
10. Make the partition the active partition by typing active.
11. Format the partition with NTFS by typing format fs=ntfs.
12. Create the operating system partition from the rest of the available disk space by typing create partition primary.
13. Designate the partition as C: by typing assign letter=c.
14. Format the partition with NTFS by typing format fs=ntfs.
15. Quit DiskPart by typing exit.
16. Quit the command prompt by typing exit.
17. Return to the main installation screen by clicking Close, then proceed with the installation. Install Windows Server 2008 on drive C.
18. If the computer has a TPM, initialize it as discussed under "Initializing a TPM for First Use" on page 471. While you are working in the firmware setup, also ensure that the computer is set to start first from the disk containing the system partition and the BitLocker partition, not from USB or CD/DVD drives.

Creating the BitLocker Drive Encryption Partition for a Computer with an Operating System

BitLocker Drive Encryption requires two NTFS partitions, one for the system volume and one for the operating system volume. The system volume partition must be at least 1.5 GB and set as the active partition. On a computer already running Windows Server 2008, Windows configures an available partition as the BitLocker Drive Encryption partition during the BitLocker configuration process.
As long as the server has at least two partitions on one or more disks, Windows configures one partition as the boot partition and another as the active, system partition. The boot partition is the one containing the operating system files. The active, system partition is the one containing the boot manager and the other files BitLocker needs during startup. Because the active, system partition used by BitLocker cannot be encrypted, it is a recommended best practice to size the first partition on the first available disk (typically disk 0) with BitLocker in mind. Specifically, this partition should be at least 1.5 GB and should not be used for other purposes, such as storing server data.

On a computer running Windows Vista Ultimate or Windows Vista Enterprise, you can in most cases create the required BitLocker Drive Encryption partition without reinstalling the operating system. To do this, use the BitLocker Drive Preparation Tool (BdeHdCfg.exe), found in the %ProgramFiles%\BitLocker folder. If the tool is not available, you can download it from the Microsoft Download Web site; see Microsoft Knowledge Base article 930063 for more information (http://support.microsoft.com/kb/930063/en-us). The tool automates creating the BitLocker partition, moving the required files to it, and setting it as the active volume. There are several caveats to using the tool:

The drive must be a basic disk with simple volumes. Hardware RAID configurations are supported, but software spanning, mirroring, and other software RAID configurations are not.
The partition must be a primary partition. Extended partitions and logical drives are not supported.
The partition must be formatted as NTFS, and the file system must not be compressed.
The partition cluster size must be 4 KB or less.

You can perform four general operations with the BitLocker Drive Preparation Tool:

Query Disk. To determine the current disk configuration, type bdehdcfg -driveinfo at the command prompt. The output shows the drive letter, total size, maximum free space, and partition type of the Windows Recovery Environment, operating system, and unallocated partitions.
Create Partition. When a disk has at least 1.5 GB of unallocated space, you can use this operation to create the BitLocker partition automatically, move the required files to it, and set it as the active volume. In the following example, you create a new S: partition in 1.5 GB of unallocated space:

bdehdcfg -target unallocated -newdriveletter s: -size 1500 -quiet -restart

Split Partition. When a disk has a large operating system partition that you want to split to create the required BitLocker partition, you can perform a split operation. For a split operation, at least 10 percent of the operating system partition must remain free after 1.5 GB has been taken from it to create the BitLocker partition. In the following example, you create a new S: partition by shrinking the C: partition, taking 1.5 GB of its free space:

bdehdcfg -target c: shrink -newdriveletter s: -size 1500 -quiet -restart
Merge Partition. When a disk has a separate partition that is not the operating system partition, you can merge the required boot files into it and set it as the active partition for BitLocker with a merge operation. For a merge operation, the partition must have a total capacity of at least 1.5 GB and at least 800 MB of free disk space. In the following example, you merge the files and settings BitLocker requires into the existing D: partition:

bdehdcfg -target d: merge -size 1500 -quiet -restart

If the computer has a TPM, you will need to initialize it as discussed under "Initializing a TPM for First Use" on page 471.

Configuring and Enabling BitLocker Drive Encryption

As discussed previously, BitLocker Drive Encryption can be used in a TPM or a non-TPM configuration. Both configurations require some preliminary work before you can turn on and configure BitLocker Drive Encryption. With Windows Vista Ultimate and Enterprise, BitLocker is installed by default. With Windows Server 2008, you install the BitLocker Drive Encryption feature using the Add Features Wizard, or by entering the following command at an elevated command prompt:

servermanagercmd -install bitlocker

Either way, you must restart the computer to complete the installation.

After you've installed BitLocker, you can determine the readiness status of a computer from the BitLocker Drive Encryption console: click Start, Control Panel, Security, and then BitLocker Drive Encryption. If the system isn't properly configured yet, you'll see a readiness message similar to the one shown in the following screen. If you see this message on a computer with a compatible TPM, refer to "Understanding TPM States and Tools" on page 469 to learn more about TPM states and enabling the TPM in firmware.
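Before turning to the TPM and Group Policy, it helps to know which of the BdeHdCfg operations described earlier in this section (create, split or merge) actually applies to the server in front of you. The following PowerShell script is an added example and not the book's own code. It reads the partition layout through WMI, applies the size rules stated above (a 1.5 GB system partition, 800 MB free on a merge target, 10 percent free after a split, clusters of 4 KB or less, no compression) and prints the bdehdcfg command line to run. It assumes PowerShell 2.0 or later run elevated, basic MBR disks with primary partitions only, and that the operating system partition is the one carrying %SystemDrive%; the preference order among the three operations, the use of fsutil to read the cluster size, and the unallocated-space estimate are this example's choices, not something the tool documents.

```powershell
# Added example, not the book's own code: inspect the partition layout through WMI and
# propose the BdeHdCfg operation (create, split or merge) described in this section.
# Assumptions: PowerShell 2.0 or later, run elevated; basic MBR disks holding primary
# partitions only (the tool's own requirement); the operating system partition is the
# one carrying $env:SystemDrive. The size rules are the ones the chapter states for
# BdeHdCfg; the order in which the operations are tried is this example's choice.

$RequiredMB      = 1500   # minimum size of the BitLocker system partition, in MB
$MergeFreeMB     = 800    # free space a merge target must have
$ShrinkKeepRatio = 0.10   # share of the OS partition that must stay free after a split
$NewLetter       = 'S:'   # letter the chapter assigns to the new system partition

function Get-PartitionInfo {
    # One record per primary partition; the logical disk is reached through the
    # Win32_LogicalDiskToPartition association, which GetRelated follows for us.
    foreach ($p in Get-WmiObject Win32_DiskPartition | Where-Object { $_.PrimaryPartition }) {
        $ld = @($p.GetRelated('Win32_LogicalDisk'))
        $letter = $null; $freeMB = $null; $compressed = $false
        if ($ld.Count -gt 0) {
            $letter     = $ld[0].DeviceID
            $freeMB     = [math]::Floor([int64]$ld[0].FreeSpace / 1MB)
            $compressed = [bool]$ld[0].Compressed
        }
        New-Object PSObject -Property @{
            DiskIndex  = [int]$p.DiskIndex
            Index      = [int]$p.Index
            SizeMB     = [math]::Floor([int64]$p.Size / 1MB)
            Active     = [bool]$p.BootPartition   # WMI's name for the active partition
            Letter     = $letter
            FreeMB     = $freeMB
            Compressed = $compressed
        }
    }
}

function Get-UnallocatedMB([int]$DiskIndex) {
    # Estimate: drive size minus the sum of its partitions. Win32_DiskDrive.Size is
    # geometry based and can run slightly low, so negative results are treated as zero.
    $drive = Get-WmiObject Win32_DiskDrive -Filter "Index=$DiskIndex"
    $used = [int64]0
    foreach ($p in Get-WmiObject Win32_DiskPartition -Filter "DiskIndex=$DiskIndex") {
        $used += [int64]$p.Size
    }
    $free = [math]::Floor(([int64]$drive.Size - $used) / 1MB)
    if ($free -lt 0) { 0 } else { $free }
}

function Get-ClusterBytes([string]$Letter) {
    # BdeHdCfg needs clusters of 4 KB or less; fsutil reports the cluster size of an NTFS volume.
    foreach ($line in (fsutil fsinfo ntfsinfo $Letter)) {
        if ($line -match 'Bytes Per Cluster\s*:\s*(\d+)') { return [int]$matches[1] }
    }
    return $null
}

function Get-BdeHdCfgPlan {
    $parts = @(Get-PartitionInfo)
    $os = $parts | Where-Object { $_.Letter -eq $env:SystemDrive } | Select-Object -First 1
    if ($os -eq $null) { return "Could not map $env:SystemDrive to a partition." }
    if ($os.Compressed) { return "$($os.Letter) is compressed; BdeHdCfg does not support compressed volumes." }
    $cluster = Get-ClusterBytes $os.Letter
    if ($cluster -ne $null -and $cluster -gt 4096) {
        return "$($os.Letter) uses $($cluster)-byte clusters; BdeHdCfg needs 4 KB or smaller."
    }

    # Already prepared: an active partition other than the OS partition that is large enough.
    $sys = @($parts | Where-Object { $_.Active -and $_.SizeMB -ge $RequiredMB -and -not ($_.DiskIndex -eq $os.DiskIndex -and $_.Index -eq $os.Index) })
    if ($sys.Count -gt 0) {
        return "Already prepared: disk $($sys[0].DiskIndex) partition $($sys[0].Index) is the active system partition."
    }

    # Order of preference: unallocated space (create), a spare lettered partition (merge),
    # then shrinking the OS partition (split).
    if ((Get-UnallocatedMB $os.DiskIndex) -ge $RequiredMB) {
        return "bdehdcfg -target unallocated -newdriveletter $NewLetter -size $RequiredMB -quiet -restart"
    }
    $merge = @($parts | Where-Object { $_.Letter -and $_.Letter -ne $os.Letter -and $_.SizeMB -ge $RequiredMB -and $_.FreeMB -ge $MergeFreeMB })
    if ($merge.Count -gt 0) {
        return "bdehdcfg -target $($merge[0].Letter) merge -size $RequiredMB -quiet -restart"
    }
    # Split rule from the chapter: after giving up 1.5 GB, 10 percent of what remains must still be free.
    $remainMB = $os.SizeMB - $RequiredMB
    if (($os.FreeMB - $RequiredMB) -ge ($remainMB * $ShrinkKeepRatio)) {
        return "bdehdcfg -target $($os.Letter) shrink -newdriveletter $NewLetter -size $RequiredMB -quiet -restart"
    }
    return "No suitable space: need $RequiredMB MB unallocated, a spare partition with $MergeFreeMB MB free, or more free space on $($os.Letter)."
}

if (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$NewLetter'") {
    Write-Warning "$NewLetter is already in use; pass a different -newdriveletter."
}
Get-BdeHdCfgPlan
```

The script only prints the command line; review it before running it, and drop -restart if you would rather control when the server reboots, because -quiet -restart reboots immediately once the files have been moved.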
If the readiness message appears on a computer with an incompatible TPM or no TPM, you'll need to change the computer's Group Policy settings so that BitLocker Drive Encryption can be turned on without a TPM.
You can configure policy settings for BitLocker encryption in Local Group Policy or in Active Directory Group Policy. For local policy, apply the desired settings to the computer's Local Group Policy object. For domain policy, apply them to a Group Policy object processed by the computer. While working with domain policy, you can also specify requirements for computers with a TPM. To configure how BitLocker can be used with or without a TPM, follow these steps:

1. Open the appropriate Group Policy object for editing in the Group Policy Object Editor or the Group Policy Management Editor.
2. Double-click the setting Control Panel Setup: Enable Advanced Startup Options in the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption folder.
3. In the Control Panel Setup: Enable Advanced Startup Options Properties dialog box, shown in Figure 15-7, define the policy setting by selecting Enabled.

Figure 15-7 Choose an option for turning off the TPM requirement.

4. If you want to allow BitLocker to be used without a compatible TPM, select the Allow BitLocker Without A Compatible TPM check box. This changes the policy setting so that you can use BitLocker encryption with a startup key on a USB flash drive on a computer without a TPM.
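Two of the policy interactions this chapter calls out, FIPS mode against a required AD DS backup of the recovery password (see the Using TPM, BitLocker, and FIPS with AD DS sidebar) and the no-TPM case handled by the Control Panel Setup: Enable Advanced Startup Options policy, are easy to miss until the console or the wizard fails. The following PowerShell script is an added example, not the book's code; it checks both on the local computer, along with the TPM state and whether the feature is installed. It assumes PowerShell 2.0 or later run elevated on Windows Server 2008, that the policies land in the registry values the BitLocker (FVE) and TPM administrative templates write under HKLM\SOFTWARE\Policies\Microsoft\FVE and HKLM\SOFTWARE\Policies\Microsoft\TPM and the FIPS flag under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy (verify these against your own ADMX files), and that the presence of manage-bde.wsf shows the BitLocker feature is installed.

```powershell
# Added example, not the book's own code: report the TPM state and the policy settings
# discussed in this chapter before you open the BitLocker console. Assumptions:
# PowerShell 2.0 or later, run elevated on Windows Server 2008; the registry values
# are the ones the BitLocker (FVE) and TPM administrative templates write, and
# manage-bde.wsf is taken as the marker that the BitLocker feature is installed.

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns the value, or $null when the key or value does not exist (policy not configured)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -ne $null -and $item.PSObject.Properties[$Name] -ne $null) { return $item.$Name }
    return $null
}

function Get-TpmState {
    # Win32_Tpm lives in its own namespace; no instance means no TPM visible to Windows.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) { return $null }
    New-Object PSObject -Property @{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Test-BitLockerReadiness {
    $findings  = @()
    $fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $tpmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $fipsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

    # 1. Is the BitLocker feature installed? (servermanagercmd -install bitlocker, then restart)
    if (-not (Test-Path (Join-Path $env:SystemRoot 'System32\manage-bde.wsf'))) {
        $findings += 'BitLocker feature is not installed: run "servermanagercmd -install bitlocker" and restart.'
    }

    # 2. TPM state versus "Control Panel Setup: Enable Advanced Startup Options"
    $tpm = Get-TpmState
    $noTpmAllowed = ((Get-PolicyValue $fvePolicy 'UseAdvancedStartup') -eq 1) -and ((Get-PolicyValue $fvePolicy 'EnableBDEWithNoTPM') -eq 1)
    if ($tpm -eq $null) {
        if (-not $noTpmAllowed) {
            $findings += 'No TPM found and "Allow BitLocker Without A Compatible TPM" is not enabled: BitLocker cannot be turned on.'
        }
    } elseif (-not ($tpm.Enabled -and $tpm.Activated)) {
        $findings += 'TPM is present but not enabled and activated: enable it in firmware, then initialize it.'
    } elseif (-not $tpm.Owned) {
        $findings += 'TPM is not owned: initialize it (TPM console) before turning on BitLocker.'
    }

    # 3. FIPS mode versus a required AD DS backup of the recovery password
    $fips      = (Get-PolicyValue $fipsKey 'Enabled') -eq 1
    $requireAd = (Get-PolicyValue $fvePolicy 'RequireActiveDirectoryBackup') -eq 1
    if ($fips -and $requireAd) {
        $findings += 'FIPS mode is on, so no recovery password can be created, but policy requires its backup to AD DS: BitLocker setup will fail. Use a recovery key on USB and relax the requirement, or turn FIPS mode off.'
    } elseif ($fips) {
        $findings += 'FIPS mode is on: only recovery keys on USB flash drives can be saved; no recovery password will be created.'
    }

    # 4. TPM owner backup: a required backup only succeeds with a reachable domain controller
    if (((Get-PolicyValue $tpmPolicy 'RequireActiveDirectoryBackup') -eq 1) -and $tpm -ne $null -and -not $tpm.Owned) {
        $findings += 'TPM owner information must be backed up to AD DS: initialize the TPM while a domain controller is reachable.'
    }

    if ($findings.Count -eq 0) { $findings += 'Ready: feature, TPM and policy checks passed.' }
    return $findings
}

Test-BitLockerReadiness
```

Run it after a gpupdate so the registry reflects the current Group Policy; each line of output names one blocking condition and the fix this chapter gives for it.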