What's Your Backup Plan?
Backups in an Active Directory Environment.
Once upon a time at work, one of our remote users, for whatever reason, triggered BitLocker and was prompted for a recovery key when starting up his laptop.
Prior to my joining the company, an MSP had taken care of the project of encrypting all of the laptops for remote users within the company.
Well, here is where it gets interesting, because they:
After waiting a couple of hours the MSP was able to dig up the decryption key, but I was pretty unsatisfied with their approach, so I took this as an opportunity to learn yet another way to harden machines joined to an Active Directory environment.
BitLocker lets us plan ahead for lost, stolen or decommissioned corporate computers. Cyber security insurance is becoming more and more prevalent in non-government organizations, which means that in order to stay insured a company has to follow recommended best practices and always be ready for an audit. BitLocker lets us enforce full-volume encryption of operating system and data drives, with a recovery password for each volume escrowed in Active Directory, which gives us something concrete to show auditors when they ask how data at rest is protected.
Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer’s hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. (Microsoft)
In Microsoft's words, BitLocker should protect against most attacks that target the boot process. With a TPM protector the key that unlocks the volume is sealed to measurements of the firmware, boot loader and boot configuration; if any of those change, the TPM refuses to release the key and the machine stops at the recovery screen instead of booting. That is also why an unexpected recovery prompt, like the one our remote user hit, deserves a look at what changed rather than just a quick unlock.
The first thing we want to do is install the BitLocker feature, with its management tools, on the Windows Server we administer the domain from (a domain controller or a management server with RSAT). We can do this in PowerShell:
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
This adds a “BitLocker Recovery” tab to computer objects in Active Directory Users and Computers, where we can view the recovery password for that machine. Two caveats: the tab only shows something if the client actually escrowed its recovery information in AD DS, either through the policy “Choose how BitLocker-protected operating system drives can be recovered” with “Save BitLocker recovery information to AD DS” enabled, or through an explicit Backup-BitLockerKeyProtector (manage-bde -protectors -adbackup) on the client; and anyone with read access to the msFVE-RecoveryInformation objects can read every escrowed password, so delegating that access deserves the same care as access to a password vault.
[Screenshot: BitLocker Recovery tab]
This is a somewhat simplified version of the script I use at work to enable bitlocker. I run it as a one time scheduled task.
# Runs elevated on the client as a one-time scheduled task.
$tpm_data     = Get-Tpm
$log_filename = "bitlocker_status.txt"
$log_filepath = "C:\Windows\Temp"
$log_file     = Join-Path $log_filepath $log_filename

# Only continue when a TPM is present and initialised; without one the OS
# volume could not be unlocked unattended at boot.
If ( !(($tpm_data.TpmPresent -eq $true) -And ($tpm_data.TpmReady -eq $true)) ) {
    Write-Host 'Invalid Tpm Status'
}
else {
    # Create the log on the first run, append on later runs.
    if (!(Test-Path -Path $log_file -PathType leaf)) {
        New-Item -Path $log_filepath -Name $log_filename -ItemType "file" -Value "Log Entry Begin: $(Get-Date)`r`n" -Force | Out-Null
    } else {
        Add-Content -Path $log_file -Value "Log Begin: $(Get-Date)"
    }
    Add-Content -Path $log_file -Value ($tpm_data | Format-List | Out-String)

    <#
    To save some time, you don't need to encrypt the entire volume. Just encrypting the used space is enough.
    When new data is added, it will be encrypted immediately.
    The command below encrypts the used space only, skips the hardware test and creates a recovery
    password protector. On its own it does not store that password in Active Directory: that happens
    either through the "Save BitLocker recovery information to AD DS" policy or through the explicit
    Backup-BitLockerKeyProtector call further down.
    #>
    Enable-Bitlocker -MountPoint c: -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector

    # A TPM protector lets the OS volume unlock unattended; with only a recovery
    # password protector every boot would stop at the recovery screen.
    Add-BitLockerKeyProtector -MountPoint c: -TpmProtector | Out-Null

    # Escrow every recovery password protector in AD DS. The computer account needs
    # permission to create msFVE-RecoveryInformation objects beneath itself, which the
    # default AD permissions grant.
    $volume = Get-BitLockerVolume -MountPoint c:
    foreach ($kp in ($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
        Backup-BitLockerKeyProtector -MountPoint c: -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }

    # Log the volume state. Do not expand KeyProtector here: that would write the
    # 48-digit recovery password into a file under C:\Windows\Temp.
    $encryption_status = Get-BitLockerVolume
    Add-Content -Path $log_file -Value ($encryption_status | Format-List | Out-String)
}
The policy has four components.
[Screenshot: the entire policy]
Forcing recovery on the local computer:
manage-bde.exe -forcerecovery <BitLockerVolume>
Forcing recovery on a remote computer:
manage-bde.exe -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>
Either command deletes the TPM-related key protectors from the drive, so every restart stops at the recovery screen until a TPM protector is added back with Add-BitLockerKeyProtector; suspending and resuming does not restore it. That is handy for testing, training and demonstrations, and for proving that a recovery password really is on file in AD before you have to rely on it.
The more common case is a planned change to firmware, the boot configuration or hardware that alters the measurements the TPM protector is sealed against. There the solution is to temporarily suspend BitLocker and resume it once the configuration change is complete, so the key is resealed against the new measurements.
We can suspend BitLocker with the command below. A clear key is written to the volume so it unlocks without the TPM; -RebootCount 0 keeps protection suspended until it is explicitly resumed (the default is one reboot):
manage-bde -protectors -disable C: -RebootCount 0
We can resume BitLocker with:
manage-bde -protectors -enable C:
There are also the powershell native equivalents:
Suspend-BitLocker -MountPoint "C:" -RebootCount 0
Resume-BitLocker -MountPoint "C:"
We can add a fresh recovery password with the command below. This creates an additional recovery password protector; the key that actually encrypts the volume is unchanged, and the old recovery password keeps working until it is removed with Remove-BitLockerKeyProtector:
Add-BitLockerKeyProtector -MountPoint c: -RecoveryPasswordProtector
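The story at the top of this post is the reason to go one step further than just adding a password: once an MSP, a helpdesk ticket or the user at the recovery screen has seen the 48 digits, that protector should be retired. The function below is an added example, not code from the original post; Update-BitLockerRecoveryPassword is my own name, it runs elevated on the client, and it assumes the computer can write its own msFVE-RecoveryInformation objects in AD DS.

```powershell
# Added example (not from the original post): replace the recovery password on a
# volume once the old one has been disclosed. Order matters: add, escrow, then remove.
function Update-BitLockerRecoveryPassword {
    param([string] $MountPoint = 'C:')

    $before = Get-BitLockerVolume -MountPoint $MountPoint
    $old    = @($before.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # 1. Add a new recovery password protector. The volume encryption key does not
    #    change; only the set of protectors that can release it does.
    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new   = $after.KeyProtector | Where-Object {
        $_.KeyProtectorType -eq 'RecoveryPassword' -and ($old.KeyProtectorId -notcontains $_.KeyProtectorId)
    }

    # 2. Escrow the new protector in AD DS first. -ErrorAction Stop means an
    #    unreachable domain aborts here and leaves the old, still-escrowed
    #    protectors in place, instead of leaving a password nobody has on file.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop | Out-Null

    # 3. Only now delete the disclosed protectors. Their msFVE-RecoveryInformation
    #    objects remain in AD as history but can no longer unlock this volume.
    foreach ($kp in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
    return $new.KeyProtectorId
}

# Usage (elevated): Update-BitLockerRecoveryPassword -MountPoint 'C:'
```

The returned KeyProtectorId is the GUID that will show up as the recovery key ID on the recovery screen and in the name of the new object under the computer in AD, so it is worth logging in the ticket that triggered the rotation.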
As I said, I’m not really sure why you would want to do this. Even if your devices numbered in the thousands, it’s pretty easy to set up a script and permissions for support staff to be able to pull this information. Nevertheless, as an example:
$DriveLetter    = "C:"   # the volume to protect; on an OS drive a password protector requires the policy option that allows BitLocker without a compatible TPM
$SecurePassword = Read-Host -Prompt "BitLocker password" -AsSecureString
Enable-BitLocker -MountPoint $DriveLetter -EncryptionMethod Aes256 -Password $SecurePassword -PasswordProtector -UsedSpaceOnly
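The support-staff lookup mentioned above, and the same data the “BitLocker Recovery” tab shows, as an added example that is not part of the original post. Get-EscrowedBitLockerPassword is my own name; it assumes the ActiveDirectory RSAT module on the admin workstation and read access (delegated to the support group) to the msFVE-RecoveryInformation objects under the computer. The computer name and key ID prefix in the usage line are made up.

```powershell
# Added example (not from the original post): pull the escrowed BitLocker recovery
# password(s) for a computer out of AD DS, optionally narrowed to the recovery key
# ID the user reads off the recovery screen.
Import-Module ActiveDirectory

function Get-EscrowedBitLockerPassword {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Leading characters of the recovery key ID shown on the recovery screen (optional).
        [string] $KeyIdPrefix
    )

    # Get-ADComputer throws if the name does not resolve, which is the right failure here.
    $computer = Get-ADComputer -Identity $ComputerName

    # Recovery passwords are stored as msFVE-RecoveryInformation child objects of the computer.
    $entries = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated

    foreach ($e in $entries) {
        # msFVE-RecoveryGuid is an octet string; as a [guid] it equals the KeyProtectorId
        # that Get-BitLockerVolume reports on the client.
        $recoveryId = [guid]::new([byte[]]$e.'msFVE-RecoveryGuid')
        if ($KeyIdPrefix -and -not $recoveryId.ToString().StartsWith($KeyIdPrefix, 'OrdinalIgnoreCase')) {
            continue
        }
        [pscustomobject]@{
            Computer   = $ComputerName
            RecoveryId = $recoveryId
            VolumeId   = [guid]::new([byte[]]$e.'msFVE-VolumeGuid')
            Created    = $e.whenCreated
            Password   = $e.'msFVE-RecoveryPassword'
        }
    }
}

# Usage (names are hypothetical):
# Get-EscrowedBitLockerPassword -ComputerName LAPTOP-0421 -KeyIdPrefix 3F2A9C10
```

Matching on the recovery ID rather than just the computer name matters as soon as a machine has been re-encrypted or has had its password rotated: the object list then holds several passwords and only the one whose GUID matches the recovery screen will unlock the volume. Reading a password this way is an event worth auditing and, ideally, following with a rotation.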
It’s also worth considering how we might enumerate the encryption status of a drive in a Windows environment. Below are some of the methods I’ve found.
Powershell Native:
Get-BitLockerVolume
Using the bitlocker cli tools:
manage-bde -status
We can enumerate the key protectors on a volume. KeyProtectorId is the GUID that the recovery screen shows as the recovery key ID and that names the matching msFVE-RecoveryInformation object in AD, which is how you pick the right password when a machine has had several. The same KeyProtector objects also carry a RecoveryPassword property holding the 48-digit password itself, readable by any local administrator, which is one more reason to rotate a password once it has been used or seen.
Using PowerShell cmdlets this would be:
$BLV = Get-BitLockerVolume -MountPoint "C:"
$BLV.KeyProtector.KeyProtectorId
Using the BitLocker CLI tools (this prints the numerical password in clear text, so it needs an elevated prompt):
manage-bde -protectors -get c:
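Putting those enumeration methods together, as an added example that is not from the original post: a compliance check over every local volume that flags the things an auditor (or the insurer) would ask about, including whether each recovery password actually has a copy in AD DS. Get-EscrowedRecoveryIds, Test-BitLockerVolumeCompliance and the sample volume object at the end are mine; the AD lookup uses the built-in [adsisearcher] so it needs no RSAT on the client, and it is skipped when the domain cannot be reached.

```powershell
# Added example (not from the original post): audit local BitLocker state and
# compare the local recovery password IDs with what is escrowed in AD DS.

function Get-EscrowedRecoveryIds {
    # Returns the GUID of every msFVE-RecoveryInformation object under this computer,
    # or $null when the domain is unreachable (so the caller can skip that check).
    try {
        $acct = "$env:COMPUTERNAME$"
        $me = ([adsisearcher]"(&(objectClass=computer)(sAMAccountName=$acct))").FindOne()
        if (-not $me) { return $null }
        $s = [adsisearcher]"(objectClass=msFVE-RecoveryInformation)"
        $s.SearchRoot  = $me.GetDirectoryEntry()
        $s.SearchScope = 'OneLevel'
        $s.PropertiesToLoad.Add('msFVE-RecoveryGuid') | Out-Null
        foreach ($r in $s.FindAll()) { [guid]::new([byte[]]$r.Properties['msfve-recoveryguid'][0]) }
    } catch { return $null }
}

function Test-BitLockerVolumeCompliance {
    param(
        [Parameter(Mandatory)] $Volume,   # a Get-BitLockerVolume object (or a look-alike)
        [guid[]] $EscrowedIds = @()       # recovery IDs found in AD; empty = unknown, check skipped
    )
    $types  = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $recIds = @($Volume.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' } |
               ForEach-Object { [guid]$_.KeyProtectorId })
    $findings = @()
    if ("$($Volume.ProtectionStatus)" -ne 'On') { $findings += 'protection off (suspended or never enabled)' }
    if ($Volume.EncryptionPercentage -lt 100)  { $findings += "encryption incomplete ($($Volume.EncryptionPercentage)%)" }
    if ("$($Volume.VolumeType)" -eq 'OperatingSystem' -and -not ($types -match '^Tpm')) {
        $findings += 'OS volume has no TPM protector'
    }
    if ($recIds.Count -eq 0) { $findings += 'no recovery password protector' }
    foreach ($id in $recIds) {
        if ($EscrowedIds.Count -gt 0 -and $EscrowedIds -notcontains $id) { $findings += "recovery password $id not escrowed in AD" }
    }
    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        Method     = "$($Volume.EncryptionMethod)"
        Protectors = ($types -join ',')
        Compliant  = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
    }
}

# Live usage (elevated, domain-joined):
$escrowed = @(Get-EscrowedRecoveryIds)
Get-BitLockerVolume | ForEach-Object { Test-BitLockerVolumeCompliance -Volume $_ -EscrowedIds $escrowed }

# Constructed sample (not real data): a suspended OS volume whose recovery
# password GUID does not match anything escrowed in AD.
$sample = [pscustomobject]@{
    MountPoint = 'C:'; VolumeType = 'OperatingSystem'; ProtectionStatus = 'Off'
    EncryptionPercentage = 100; EncryptionMethod = 'XtsAes128'
    KeyProtector = @(
        [pscustomobject]@{ KeyProtectorType = 'Tpm';              KeyProtectorId = '{11111111-1111-1111-1111-111111111111}' },
        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword'; KeyProtectorId = '{22222222-2222-2222-2222-222222222222}' }
    )
}
Test-BitLockerVolumeCompliance -Volume $sample -EscrowedIds @([guid]'33333333-3333-3333-3333-333333333333')
```

The check treats an empty escrow list as “unknown” rather than “missing” on purpose: a laptop audited while off the corporate network would otherwise report every volume as non-compliant. Run the live usage from the same scheduled-task mechanism as the enablement script and the findings column becomes the evidence trail for the audit question in the introduction.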