Bitlocker


Once upon a time at work, one of our remote users, for whatever reason, triggered BitLocker recovery and was prompted for a recovery key when starting up his laptop.
Before I joined the company, an MSP had handled the project of encrypting all of the laptops used by remote users within the company.
Here is where it gets interesting, because they:

  • Encrypted all laptops with the same key, so only one decryption key is needed to decrypt every laptop.
    • I can see this being easier from a management perspective, but in terms of best practice, why not have a unique decryption key for each endpoint?
  • Did not back up the recovery keys to Active Directory.
    • They did not even enable the BitLocker feature on any servers in the domain, so if they went out of business, good luck to us.
  • Left no documentation of where the decryption key might be.

After waiting a couple of hours the MSP was able to dig up the decryption key, but I was pretty unsatisfied with their approach, so I took this as an opportunity to learn yet another way to harden machines joined to an Active Directory environment.

Goals

Cyber Insurance Compliance

CIS Control 03: Data Protection

BitLocker allows us to plan for situations involving lost, stolen or decommissioned corporate computers. Cyber security insurance is becoming more and more prevalent in non-government organizations, which means that in order to stay insured a company has to follow recommended best practices and always be ready for an audit. BitLocker allows us to enforce volume encryption and/or full disk encryption, which gives us a means of demonstrating the integrity of the network to auditors.

Failsafe plan for lost and/or stolen Computers

Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer’s hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. (Microsoft)

Ensuring Boot Integrity: Mitigating Bootkits and Rootkits

According to Microsoft, BitLocker should protect against most attacks that target the boot process.

Installation

Active Directory Prep

The first thing we want to do is install the BitLocker feature on Windows Server. We can do this in PowerShell:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

This adds a “BitLocker Recovery” tab to every computer object in Active Directory Users and Computers, where we can view the BitLocker recovery password:

Bitlocker Recovery Tab

Powershell Install Script

This is a somewhat simplified version of the script I use at work to enable BitLocker. I run it as a one-time scheduled task.

$tpm_data     = Get-Tpm
$log_filename = "bitlocker_status.txt"
$log_filepath = "C:\Windows\Temp"
$log_file     = "$log_filepath\$log_filename"

# Refuse to run unless the TPM is present and ready; Enable-BitLocker would fail otherwise.
if (-not ($tpm_data.TpmPresent -and $tpm_data.TpmReady)) {
  Write-Host 'Invalid Tpm Status'
}
else {
  # Start the log file on the first run, append on later runs, then record the TPM state.
  if (-not (Test-Path -Path $log_file -PathType Leaf)) {
    New-Item -Path $log_filepath -Name $log_filename -ItemType File -Value "Log Entry Begin: $(Get-Date)" -Force
  } else {
    Add-Content -Path $log_file -Value "Log Begin: $(Get-Date)"
  }
  Add-Content -Path $log_file -Value ($tpm_data | Format-List | Out-String)
  <#
  To save some time, you don't need to encrypt the entire volume. Just encrypting the used space is enough.
  When new data is added, it will be encrypted immediately.
  The command below encrypts the used space only, skips the hardware test and adds a recovery password protector.
  The GPO below backs that recovery password up to Active Directory automatically; the explicit
  Backup-BitLockerKeyProtector call afterwards escrows it even if the policy has not applied yet.
  #>
  Enable-BitLocker -MountPoint C: -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
  $recovery_id = ((Get-BitLockerVolume -MountPoint C:).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
  Backup-BitLockerKeyProtector -MountPoint C: -KeyProtectorId $recovery_id
  $encryption_status = Get-BitLockerVolume
  Add-Content -Path $log_file -Value ($encryption_status | Format-List | Out-String)
}

GPO Settings

The policy has four components.

  • Backing up the TPM owner information to Active Directory.
  • Enabling storage of recovery keys for disk decryption in AD.
  • Specifying the key strength.
  • Running the PowerShell script above on startup.
    • By running the script at startup as opposed to a one-time scheduled task, we automatically rotate the BitLocker recovery keys every time the computer is rebooted.

The entire policy
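The missing AD backup was the whole problem in the story above, so this added example (not part of the original post) audits the escrow side of the policy: it lists every computer in an OU together with how many recovery passwords are stored under its computer object. It assumes the ActiveDirectory RSAT module and an OU path of your own in place of the placeholder; it deliberately reads only counts and timestamps, never the recovery passwords themselves.

```powershell
# Added example: report domain computers with no BitLocker recovery information escrowed in AD.
# Assumes the ActiveDirectory module (RSAT) and read access to msFVE-RecoveryInformation objects.
Import-Module ActiveDirectory

# Assumption: laptops live under this OU. Replace the placeholder with your own OU path.
$SearchBase = "OU=Laptops,DC=example,DC=com"

$report = foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
    # Recovery information is stored as child objects directly beneath the computer object.
    $recovery = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties whenCreated

    [PSCustomObject]@{
        Computer     = $computer.Name
        EscrowedKeys = @($recovery).Count
        LatestEscrow = ($recovery | Sort-Object whenCreated | Select-Object -Last 1).whenCreated
    }
}

# Computers with zero escrowed recovery passwords are exactly the situation this post started with.
$report | Where-Object EscrowedKeys -eq 0 | Format-Table -AutoSize

# Keep the full report for the next audit; the CSV holds counts and dates only, no key material.
$report | Export-Csv -Path "C:\Windows\Temp\bitlocker_escrow_report.csv" -NoTypeInformation
```

A laptop whose LatestEscrow predates its last reboot is a sign the startup rotation described above did not escrow its new protector.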

Testing

Forcing a secure boot

Forcing recovery from a local computer

manage-bde.exe -forcerecovery <BitLockerVolume>

Forcing recovery from a remote computer

manage-bde.exe -forcerecovery <BitLockerVolume> -ComputerName <RemoteComputerName>

Breaking out of the endless Decryption Key Prompt

Using either command above forces an infinite BitLocker recovery loop, which is good for testing/training/demonstration purposes.
In any case the solution is to temporarily suspend BitLocker protection and then re-enable it once configuration is complete. We can suspend BitLocker with:

manage-bde -protectors -disable C: -RebootCount 0

We can re-enable BitLocker protection with:

manage-bde -protectors -enable C:

There are also the PowerShell-native equivalents:

Suspend-BitLocker -MountPoint "C:" -RebootCount 0
Resume-BitLocker -MountPoint "C:"

Rotating Decryption Keys

Generating New Decryption Keys

We can generate a new recovery password (a new key protector for the volume) with:

Add-BitLockerKeyProtector -MountPoint c: -RecoveryPasswordProtector
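Adding a protector on its own leaves the old recovery password valid and the new one unescrowed, so this added example (not the original post's script) carries the rotation through in the safe order: add the new protector, back it up to AD, and only then remove the previous recovery passwords. It assumes a domain-joined client with the AD prep from the Installation section already done.

```powershell
# Added example: rotate the recovery password on an already-encrypted volume.
# Assumes a domain-joined client and the BitLocker AD schema/feature prep from earlier in the post.
$MountPoint = "C:"
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    throw "$MountPoint is $($vol.VolumeStatus); finish encryption before rotating."
}

# Record the recovery password protectors that exist before rotation.
$oldIds = @($vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId

# 1. Generate a fresh 48-digit recovery password.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$newId = ($vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds
}).KeyProtectorId

# 2. Escrow it in AD. Stop here on failure so the old, already-escrowed password stays valid.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId -ErrorAction Stop

# 3. Only now retire the previous recovery passwords.
foreach ($id in $oldIds) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id
}
Write-Output "Rotated recovery password on $MountPoint; new protector $newId escrowed in AD."
```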

Using a Single Decryption Key

As I said, I’m not really sure why you would want to do this. Even if your devices numbered in the thousands, it’s pretty easy to set up a script and permissions for support staff to be able to pull this information. Nevertheless, as an example:

$DriveLetter    = "C:"   # volume to encrypt
$SecurePassword = Read-Host -Prompt "BitLocker password" -AsSecureString
Enable-BitLocker -MountPoint $DriveLetter -EncryptionMethod Aes256 -Password $SecurePassword -PasswordProtector -UsedSpaceOnly

Red Team Perspective

It is also interesting to consider how we might enumerate the encryption status of a drive in a Windows environment. Below are some of the methods I’ve found.

Enumeration Methods

PowerShell native:

Get-BitLockerVolume

Using the BitLocker CLI tools:

manage-bde -status

We can attempt to pull the decryption key by enumerating the key protectors.
Using PowerShell cmdlets this would be:

$BLV = Get-BitLockerVolume -MountPoint "C:"
$BLV.KeyProtector.KeyProtectorId

Using the BitLocker CLI tools:

manage-bde -protectors -get c: