Welcome to Sign in | Join | Help
in
Home Blog Forums

The Lazy Admin

Configuring BitLocker Options

Sponsor

BitLocker is one of the hot new security features in Windows Vista Enterprise and Ultimate editions.  It allows you to enable full volume encryption on the system drive (C:\) to protect your data in case you lose your notebook.  In order to use BitLocker you need a TPM 1.2 chip on the motherboard of the system.  This is because the decryption key is stored on the TPM chip in order to facilitate on the fly decryption.  There are a number of other features that can be configured for BitLocker via local or domain policies.

This first option allows us to enable backing up of the BitLocker key to Active Directory. In order to do this you need to extend your AD schema to support these extension. We will look at that in a future artilce.

If you do not use AD, or do not want to extend your schema you do have the option to back up the keys to a share on your network as well. I'd highly recommend creating a spreadsheet to match the key GUID with the computer name

One of the first things you can do to further secure BitLocker is to require a dongle or a PIN to release the BitLocker key from the TPM chip. It adds a layer of security by forcing a type of two-factor authentication but without it the comuter will start and decrypt the drive on the fly allowing for over the wire attacks to attempt system compromise.

BitLocker supports four different levels of AES encryption. The details of these different algorithms are too much to explain but you can find out more if you are interested or an insomniac.

Finally, for the really security concious, the option to overwrite memory on restart is available. This is actually enabled by default and prevents the computer from being restarted into an alternate OS and then having the contents of the memory dumped. During system operation the BitLocker key is stored in memory and the system cuold be compromised this way.

There are a few more options available but these are the key ones in my opinion. You can find them all under Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption. It should also be noted that the policy needs to be created and applied BEFORE BitLockering your PC.

 
Published Sunday, April 15, 2007 8:22 AM by rodney.buike
Filed under: ,

Comments

 

The Lazy Admin said:

We've done a few post on BitLocker around some of the more advanced features and controls. The one thing

September 22, 2007 12:15 PM
 

The Lazy Admin said:

We have talked about enabling BitLocker Active Directory integration in a previous post now we will take

July 21, 2008 2:17 PM
Anonymous comments are disabled

This Blog

Powered By

 

Syndication

Sponsors

  
Get a free 5GB e-mail account @isalazyadmin.com

Affiliates

Canadian IT Professionals

Canadian IT Managers

Certifications & Awards


All postings are provided "AS IS" with no warranties, and confer no rights.
Microsoft product screen shot(s) reprinted with permission from Microsoft Corporation.
Copyright TheLazyAdmin Inc. All Rights Reserved 2004-2008