Group Policy Central - Best Practices, Tutorials, News, Tips and Tricks for all your Group Policy needs...

Posts tagged 'USB'

Best Practice: How to use Group Policy to disable USB drives on Windows XP
17/02/2010, 1:00 am

In my previous article "How to use Group Policy to make USB drives read only on Windows XP" I showed you how you could configure Windows XP to prevent users from writing to USB block level devices. However, for some organisations just making drives read only is not enough; I have heard stories of them having to resort to hot glue guns to prevent people using USB storage devices.

Update: I just found this article that explains how to use native Group Policy to disable your USB drives: Microsoft Support: HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers.

Thankfully there is also a registry key in Windows XP that allows you to block the use of USB storage devices. There are two ways to prevent USB storage devices, so you may want to implement either or both methods in your organisation. The first method stops computers that have already had USB devices installed from using them, and the second prevents any new USB devices from installing.

How to block existing USB Storage Devices

To implement this, edit a Group Policy Object that is applied to all the workstations in your organisation and navigate to Computer Configuration > Preferences > Windows Settings > Registry. Then click on Action > New > Registry Item, type SYSTEM\CurrentControlSet\Services\UsbStor into the Key Path field, then type Start into the Value Name field and 4 in the Value Data field and click OK.

[Screenshot: New Registry Properties dialog, Hive HKEY_LOCAL_MACHINE, Key Path HKLM\SYSTEM\CurrentControlSet\Services\UsbStor]

If you want to prevent the installation of USB storage devices, then we use Group Policy to set the security on the driver files to prevent them from installing.
Key: HKLM\SYSTEM\CurrentControlSet\Services\UsbStor
Value: Start
Data: 4 (hex) = Disabled
Data: 3 (hex) = Enabled

How to block new USB Storage Devices

This time edit a Group Policy Object that is applied to all the workstations in your organisation and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System. Then click on the "Action" menu and then "Add File". Navigate to C:\Windows\inf, select "Usbstor.inf" and press "OK". Now click on "Users" in the security tab, tick the "Deny" "Full Control" tick box and then click OK.

[Screenshot: Database Security dialog for usbstor.inf listing Administrators (CONTOSO\Administrators) and Users (CONTOSO\Users), with Deny Full Control ticked for Users]

Note: Alternatively you could just add the name of the user or group you want to prevent from using USB storage devices.

Click "Yes" to the security warning:

"You are setting a deny permissions entry. Deny entries take precedence over allow entries. This means that if a user is a member of two groups, one that is allowed a permission and another that is denied the same permission, the user is denied that permission. Do you want to continue?"

Then click OK.

Note: Remember that deny permissions take precedence, so inherited permissions will not have any effect, and we are applying the permission directly to a file so we don't need to worry about inheritance from this object.
[Screenshot: Add Object dialog for %SystemRoot%\inf\usbstor.inf with the options "Propagate inheritable permissions to all subfolders and files", "Replace existing permissions on all subfolders and files with inheritable permissions" and "Do not allow permissions on this file or folder to be replaced"]

Now repeat the steps above and this time select "C:\Windows\Inf\Usbstor.pnf". You should see something like the image below in your group policy.

[Screenshot: Group Policy Management Editor, Computer Configuration > Policies > Windows Settings > Security Settings > File System, listing %SystemRoot%\inf\usbstor.inf and %SystemRoot%\inf\usbstor.PNF]

Either way, when users plug a USB storage device into a computer it will prevent the OS from seeing the device, thus preventing the users from reading and writing to removable media. See the Microsoft article about this option at http://support.microsoft.com/kb/823732 HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers.

Tags: Bitlocker to Go, Intermediate, Popular, USB, Windows XP
Category: Best Practice, Tutorials | 11 Comments

Best Practice: How to use Group Policy to make USB drives read only on Windows XP
11/02/2010, 9:05 pm

One of the great new features with Windows 7 was BitLocker to Go, which enabled IT administrators to ensure that all data written to USB drives is encrypted. In conjunction with this new feature Microsoft also added another option called "Deny write access to removable drives not protected by BitLocker", which allowed users to still read the files off USB drives that were not encrypted. The problem with this policy setting is that it is only supported on Windows 7 family computers, so unless you are running an SOE that is 100% Windows 7, users could simply log on to XP or Windows Vista to get around this restriction.
[Screenshot: "Deny write access to removable drives not protected by BitLocker" policy setting, Not Configured / Enabled / Disabled]

Luckily Microsoft added a new feature to Windows XP Service Pack 2 that allows administrators to prevent writing to USB block storage devices (a.k.a. memory sticks), which can be implemented via a Group Policy Preferences registry key.

Key: HKLM\System\CurrentControlSet\Control\StorageDevicePolicies
Value: WriteProtect (REG_DWORD)
Data: 0 = Disabled
Data: 1 = Enabled

To implement this, edit a Group Policy Object that is applied to all the workstations in your organisation and navigate to Computer Configuration > Preferences > Windows Settings > Registry. Then click on Action > New > Registry Item, type System\CurrentControlSet\Control\StorageDevicePolicies into the Key Path field, then type WriteProtect into the Value Name field and 1 in the Value Data field and click OK.

[Screenshot: New Registry Properties dialog, Hive HKEY_LOCAL_MACHINE, Key Path ...\CurrentControlSet\Control\StorageDevicePolicies, Value name WriteProtect, Value type REG_DWORD]

Once the key is enabled this is the message the user will see when they try to write to a USB storage device:

"Unable to create the folder 'New Folder'. The media is write protected."
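The two articles above only show how to push the settings out; they do not show how to confirm they took effect. The following PowerShell script is an added example (not code from the Group Policy Central posts) that audits one workstation for all three controls: the UsbStor Start value, the Deny Full Control entry for Users on usbstor.inf and usbstor.pnf, and the StorageDevicePolicies WriteProtect value. The registry paths, file paths and value meanings are the ones quoted in the articles; the function names are my own. Run it elevated after a gpupdate.

```powershell
# Added example, not code from the posts. Verifies that the USB storage
# restrictions from the two XP articles have actually landed on this machine.
# Function names are mine; registry paths, file paths and value meanings are
# those quoted in the posts (Start 4 = disabled, 3 = enabled; WriteProtect 1 = on).

function Get-RegistryDword {
    # Returns the DWORD value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}

function Test-UsersDeniedFullControl {
    # True when an explicit Deny / Full Control ACE for the Users group is on the
    # file, which is what the File System policy from the article creates.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $false }
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl -and
            $ace.IdentityReference.Value -like '*\Users') {
            return $true
        }
    }
    return $false
}

function Get-UsbStoragePosture {
    $start        = Get-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor' -Name 'Start'
    $writeProtect = Get-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies' -Name 'WriteProtect'
    $infDenied    = Test-UsersDeniedFullControl -Path (Join-Path $env:SystemRoot 'inf\usbstor.inf')
    $pnfDenied    = Test-UsersDeniedFullControl -Path (Join-Path $env:SystemRoot 'inf\usbstor.pnf')

    New-Object PSObject -Property @{
        UsbStorStart           = $start
        ExistingDevicesBlocked = ($start -eq 4)
        UsbstorInfDenied       = $infDenied
        UsbstorPnfDenied       = $pnfDenied
        NewDevicesBlocked      = ($infDenied -and $pnfDenied)
        WriteProtect           = $writeProtect
        RemovableMediaReadOnly = ($writeProtect -eq 1)
    }
}

# Report. A workstation where none of the three is true still allows full
# read/write use of USB storage, whatever the GPO says.
$posture = Get-UsbStoragePosture
$posture | Format-List
if (-not ($posture.ExistingDevicesBlocked -or $posture.NewDevicesBlocked -or $posture.RemovableMediaReadOnly)) {
    Write-Warning 'No USB storage restriction is in effect on this computer.'
}
```

NewDevicesBlocked is only reported true when both driver files carry the deny entry, since the article has you add usbstor.pnf as a second step and it is easy to forget; a Start value of 3 with no deny entries means the preference item was never applied or was later reverted.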
Note: This registry key will also work on Windows Vista.

Update: It seems that the MS articles had the wrong registry keys. I got the correct key from http://www.howtogeek.com/howto/windows-vista/registry-hack-to-disable-writing-to-usb-drives/

For additional WRONG information on this feature see the links below:
http://support.microsoft.com/kb/555441
http://support.microsoft.com/kb/823732

Tags: Bitlocker to Go, Intermediate, Popular, USB, Windows XP
Category: Best Practice, Tutorials | 6 Comments

Best Practice: How to configure Group Policy to use Data Recovery Agents with "Bitlocker to Go" drives - Part 2
09/01/2010, 11:09 pm

As I previously mentioned in Part 1, "How to use Group Policy to save 'BitLocker to Go' recovery keys in Active Directory - Part 1", one of the cool new features in Windows 7 is the ability to encrypt removable storage devices to help prevent the loss of data within an organisation while storing a copy of the decryption key in Active Directory. Another way to encrypt removable storage devices and still have the ability to recover an encrypted device if the unlock key is lost is to use a Data Recovery Agent digital certificate.

Before you begin you first need to have deployed a PKI infrastructure in your organisation so that you can issue the data recovery certificate to your nominated recovery agents. So let's get started...

How to configure Group Policy to use a Data Recovery Agent with "BitLocker to Go" drives

Issuing the EFS Data Recovery Agent

First you need to create/issue at least one account with the Data Recovery Agent certificate that will be used when encrypting all the BitLocker to Go drives.

Step 1. Click Start, and then type certmgr.msc to open the Certificates snap-in.
Step 2. In the console tree, expand Personal, and then click Certificates.
Step 2. Right click on Certificates, click on All Tasks and then Request New Certificate.
[Screenshot: Certificates - Current User console, Personal > Certificates, context menu All Tasks > Request New Certificate]

Step 3. Click Next on the first page of the Certificate Enrollment wizard, then click on Active Directory Enrollment Policy and click Next.

[Screenshot: Select Certificate Enrollment Policy page, "Active Directory Enrollment Policy" listed under "Configured by your administrator"]

Step 4. Tick the EFS Recovery Agent policy and then click Enroll.

[Screenshot: Request Certificates page listing the available certificate templates under Active Directory Enrollment Policy, EFS Recovery Agent ticked]

Step 5. Click Finish once your account has enrolled for the EFS Recovery Agent certificate.

[Screenshot: Certificate Installation Results page, STATUS: Succeeded]

You should now see the File Recovery certificate in your Personal certificate store.
[Screenshot: Certificates - Current User > Personal > Certificates showing the newly enrolled File Recovery certificate]

Exporting the DRA Certificate

You now need to export the DRA certificate information to be used in the BitLocker Drive Encryption group policy in a future step.

Step 1. Double-click the BitLocker DRA certificate to display the certificate properties sheet.

[Screenshot: Certificate properties, issued by contoso-WSUS-CA, "You have a private key that corresponds to this certificate"]

Step 2. Click the Details tab.

[Screenshot: Certificate Details tab, issuer contoso-WSUS-CA]

Step 3. Click Copy to File.

[Screenshot: Welcome to the Certificate Export Wizard page]

Step 4. Click Next on the Welcome to the Certificate Export Wizard page.

Step 5. Leave "No, do not export the private key" selected and then click Next.
[Screenshot: Export Private Key page, "No, do not export the private key" selected]

Step 6. On the Export File Format page, verify that DER encoded binary X.509 (.CER) is selected, and then click Next.

[Screenshot: Export File Format page with "DER encoded binary X.509 (.CER)" selected]

Step 7. On the File to Export page, click Browse to display the Save As dialog box. In File name, type BitLocker. In Save as type, verify that DER Encoded Binary X.509 (.cer) is selected, and then click Save to return to the File to Export page.

[Screenshot: Save As dialog, Documents library]
[Screenshot: Add Recovery Agent Wizard, Select Recovery Agents page: "Only users who have recovery agent certificates can be designated as recovery agents. Select the users you want to designate as recovery agents. You may select the users directly from Active Directory if the certificates are published in the directory. Otherwise, you need certificate (.cer) files for the users you want to designate." Buttons: Browse Directory..., Browse Folders...]

Step 6. Browse to the location where you have a copy of the BitLocker.cer file that you exported in the previous procedure, select the certificate and click Open.

[Screenshot: Open dialog showing bitlocker.cer, 4/12/2009 10:52 AM, Security Certificate]

Step 7. Click Next.

[Screenshot: Select Recovery Agents page, Recovery agents list now showing USER_UNKNOWN with the Administrator certificate]

Note: You can repeat this process as necessary to add multiple data recovery agents. After all the data recovery agent certificates you want to use have been specified, click Next.

Note: The example above shows USER_UNKNOWN because the DRA file was manually imported.
Step 8. On the Completing the Add Recovery Agent Wizard page, click Finish to add the data recovery agent.

[Screenshot: Completing the Add Recovery Agent Wizard page: "The following users have been designated as recovery agents: USER_UNKNOWN / Administrator. Before this recovery policy can take effect the Configure BitLocker identification field in Group Policy must be enabled with a unique identifier."]

Below is the BitLocker Drive Encryption setup with a DRA installed.

[Screenshot: Group Policy editor, Public Key Policies > BitLocker Drive Encryption, showing the added data recovery agent certificate]

Additional Group Policy Configuration

BitLocker Identification Field

You now need to configure the BitLocker Identification field on all the computers you are going to use BitLocker on, as this helps identify which removable devices belong to your organisation.

Step 1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
Step 2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
Step 3. In the console tree, go to Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption and then double click on "Provide the unique identifiers for your organization".

[Screenshot: Group Policy editor, BitLocker Drive Encryption settings list including "Store BitLocker recovery information in Active Directory Domain Services", "Choose default folder for recovery password", "Choose how users can recover BitLocker-protected drives" and "Provide the unique identifiers for your organization"]

Step 3. Enter your specific BitLocker identification name that you use to identify your BitLocker encrypted devices in the BitLocker identification field.

Note: You can add additional BitLocker identifiers from other trusted organisations in the Allowed BitLocker identification field.

[Screenshot: "Provide the unique identifiers for your organization" policy set to Enabled, BitLocker identification field set to contoso, Allowed BitLocker identification field empty. The help text explains that the identification field is stored on new BitLocker-protected drives (and can be set on existing drives with the Manage-BDE command-line tool), that an identification field is required for management of certificate-based data recovery agents, that BitLocker will only manage and update data recovery agents when the identification field on the drive matches the configured value, and that the allowed identification field is used together with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization.]
Enable Allow Data Recovery Agent

Continuing on from above, you will need to configure your computers to allow the Data Recovery Agent option.

Step 4 (cont.). In the console tree, go to Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Removable Data Drives and then double click on "Choose how BitLocker-protected removable drives can be recovered". Click Enabled, tick "Allow data recovery agent" and then click OK.

Note: You still have the option of configuring the standard AD recovery keys in this window. The Allow Data Recovery Agent option, as far as I can tell, has no bearing on the other options.

[Screenshot: "Choose how BitLocker-protected removable drives can be recovered" policy set to Enabled with "Allow data recovery agent" ticked. The help text notes that the "Allow data recovery agent" check box specifies whether a data recovery agent can be used with BitLocker-protected removable data drives, and that before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor.]
You have now configured Group Policy to use a Data Recovery Agent certificate to be used to encrypt all the "BitLocker to Go" drives in your organisation.

How to unlock a "BitLocker to Go" drive with a Data Recovery Agent

Below are the instructions explaining how to use the Data Recovery Agent to unlock a BitLocker to Go encrypted drive.

Step 1. Put the drive into the computer you want to unlock it on.
Step 2. Right click on Command Prompt and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
Step 3 (optional). If you want to get information on the volume before you unlock it you can run:

manage-bde -status E:

[Screenshot: Administrator: Command Prompt showing the output of manage-bde -status E: (BitLocker Drive Encryption: Configuration Tool version 6.1.7600), with the Identification Field reported as Unknown]

Step 4. Now you need to get the "Certificate Thumbprint" of the drive you want to unlock. Type the command

manage-bde -protectors -get E:

where E: is the volume you are trying to unlock.

[Screenshot: Administrator: Command Prompt showing the output of manage-bde -protectors -get E:, listing All Key Protectors including the Data Recovery Agent (Certificate Based) protector with its ID and Certificate Thumbprint]

Take a note of the Data Recovery Agent (Certificate Based) Certificate Thumbprint (circled in red in the screenshot).

Tip: You could also mark the thumbprint by using the Edit > Mark option of the command prompt window's system menu, then select the thumbprint by clicking on the first character of the thumbprint and dragging to the last character.

[Screenshot: Command Prompt system menu, Edit > Mark, with the thumbprint 88d07b2874031569e17eedf402e0a098fc0f7b81 selected]

Step 4. To unlock the drive, type the following command:

manage-bde -unlock E: -cert -ct 88d07b2874031569e17eedf402e0a098fc0f7b81

[Screenshot: Command Prompt: "The certificate successfully unlocked volume E:."]
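Copying a 40-character thumbprint out of a console window by hand is where this procedure usually goes wrong. The PowerShell below is an added example (not code from the post) that pulls the Data Recovery Agent thumbprint out of the manage-bde protector listing, checks the note from the post that the DRA certificate with its private key is present in the Personal store, and builds the same unlock command the post uses. $SampleOutput is a constructed imitation of the manage-bde layout, not captured output; the thumbprint in it is the one the post shows and the protector IDs are placeholders. The function names are my own.

```powershell
# Added example, not code from the post. Extracts the DRA certificate thumbprint
# from "manage-bde -protectors -get <drive>" output, confirms the certificate
# (with private key) is in Cert:\CurrentUser\My, and builds the unlock command.
# $SampleOutput is constructed to imitate the manage-bde layout; the thumbprint
# is the one shown in the post, the protector IDs are placeholders.

function Get-DraThumbprint {
    # Returns the 40-hex-digit thumbprint under the "Data Recovery Agent"
    # protector, or $null if the drive has no certificate-based DRA protector.
    param([Parameter(Mandatory = $true)][string]$ProtectorOutput)
    $pattern = '(?s)Data Recovery Agent.*?Certificate Thumbprint:\s*([0-9A-Fa-f]{40})'
    $m = [regex]::Match($ProtectorOutput, $pattern)
    if ($m.Success) { return $m.Groups[1].Value.ToLower() }
    return $null
}

function Test-DraCertificateAvailable {
    # The post's note: the DRA certificate AND its private key must be in the
    # Personal store of the user running manage-bde.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -ieq $Thumbprint }
    return ($cert -ne $null -and $cert.HasPrivateKey)
}

function Get-UnlockCommand {
    param([string]$Drive, [string]$Thumbprint)
    return "manage-bde -unlock $Drive -cert -ct $Thumbprint"
}

function Unlock-DriveWithDra {
    # Live path: read the protectors from the real drive, check the certificate,
    # then run the unlock. Must be run from an elevated PowerShell.
    param([Parameter(Mandatory = $true)][string]$Drive)
    $output = (& manage-bde -protectors -get $Drive 2>&1) -join "`n"
    $tp = Get-DraThumbprint -ProtectorOutput $output
    if (-not $tp) { throw "No Data Recovery Agent protector found on $Drive." }
    if (-not (Test-DraCertificateAvailable -Thumbprint $tp)) {
        throw "DRA certificate $tp (with private key) is not in Cert:\CurrentUser\My."
    }
    & manage-bde -unlock $Drive -cert -ct $tp
}

# Constructed sample of the protector listing (not real manage-bde output).
$SampleOutput = @"
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Volume E: []
All Key Protectors

    Password:
      ID: {00000000-0000-0000-0000-000000000001}

    Data Recovery Agent (Certificate Based):
      ID: {00000000-0000-0000-0000-000000000002}
      Certificate Thumbprint:
        88d07b2874031569e17eedf402e0a098fc0f7b81
"@

$thumbprint = Get-DraThumbprint -ProtectorOutput $SampleOutput
"Thumbprint : $thumbprint"
"Command    : $(Get-UnlockCommand -Drive 'E:' -Thumbprint $thumbprint)"
"Cert ready : $(Test-DraCertificateAvailable -Thumbprint $thumbprint)"
# To unlock a real drive:  Unlock-DriveWithDra -Drive 'E:'
```

The regex anchors on the "Data Recovery Agent" heading before looking for a thumbprint, so a password or recovery-key protector listed first is skipped rather than mistaken for the certificate; if the drive was encrypted before the DRA policy was applied there is no such protector and the function returns $null, which is the case the post's Step 4 cannot recover.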
You have now successfully unlocked the drive using a Data Recovery Agent.

Note: You will need to have the Data Recovery Agent certificate (with the private key) installed in the Personal certificate store on the computer on which you are performing this task.

Step 5 (optional). Try running the following command again to view more information about the drive's encryption:

manage-bde -status E:

[Screenshot: manage-bde -status E: output with the volume unlocked: Encryption Method AES 128 with Diffuser, Protection On, and the Data Recovery Agent (Certificate Based) key protector listed]

For more information about BitLocker drive encryption with Data Recovery Agents see the following pages:
* Microsoft TechNet: Configuring the BitLocker Identification Field (Windows 7)
* Microsoft TechNet: Using a Data Recovery Agent to Recover BitLocker-Protected Drives
* Microsoft TechNet: Using Data Recovery Agents with BitLocker

Alan Burchill

Tags: Advanced, Bitlocker, Bitlocker to Go, Certificate, Data Recovery Agent, Group Policy, Security, USB
Category: Best Practice, Security, Tutorials | 8 Comments

Best Practice: How to use Group Policy to save "BitLocker to Go" recovery keys in Active Directory - Part 1
09/01/2010, 11:03 pm

One of the cool new features in Windows 7 Ultimate and Enterprise is the ability to encrypt USB devices with a password to protect the data from falling into the wrong hands. One of the problems with this is that if a user were to ever forget the unlock key then they will need to remember where they kept the recovery file or the paper print out of the 48 digit recovery key.
Now for a consumer this feature might be fine, as you can keep the key in a fire proof safe or even a locked filing cabinet, but if you are managing this in a corporate environment you might have to keep track of thousands or even tens of thousands of these devices and their recovery keys. Well, this is where group policy can be your saviour... of course!

In Part 1 of this "how to" I am going to show you how to set up the recovery key archiving into Active Directory. In Part 2 I will show you how to use Group Policy with Active Directory Certificate Services to enable a Data Recovery Agent so that all your devices can be recovered using a single EFS recovery agent account.

Part 1

Using group policy you can mandate that all encrypted removable devices must first have the recovery key stored in Active Directory before they start to encrypt. This ensures that for any encrypted USB device in your organisation you will always have the ability to unlock the data on the drive, even in the case that someone forgets the unlock password.

Now before we begin there are a few pre-requisites that we need to cover to make sure this works.

1. Your Active Directory must be running the Windows Server 2003 R2 schema extensions. But I hear you say "you said that Group Policy Preferences doesn't need schema changes to work". Well yes... this is still true; it is not a group policy requirement, it is a BitLocker requirement.

2. You should install the "BitLocker Drive Encryption Administration Utilities" with Windows Server 2008 R2 or with the RSAT tools for Windows 7 (see Image 1) on at least one computer in your organisation. This computer can then be used to search for and view the recovery keys if you ever need them. This is a new tool with 2008 R2/Windows 7 and makes it MUCH easier to read the recovery keys than back in the 2003 R2/Vista days.

[Screenshot: Add Features wizard with the BitLocker Drive Encryption Administration Utilities selected]

Image 1.
Installing "BitLocker Drive Encryption Administration Utilities"

How to configure Group Policy to save the Recovery Key

Now before I go on I will assume that you are already familiar with Group Policy, so all I am going to cover is the key (pardon the pun) policies you need to ensure the recovery keys are backed up to AD DS for all your removable USB storage devices in your organisation.

Step 1. Edit the group policy that you have applied to all your workstations and navigate to Computer > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives. Here the two policies you need to enable are "Deny write access to removable drives not protected by BitLocker" and "Choose how BitLocker-protected removable drives can be recovered" (see Image 2).

[Screenshot: Group Policy Management Editor, Removable Data Drives, listing "Control use of BitLocker on removable drives", "Configure use of smart cards on removable data drives", "Deny write access to removable drives not protected by BitLocker", "Configure use of passwords for removable data drives", "Allow access to BitLocker-protected removable data drives from earlier versions of Windows" and "Choose how BitLocker-protected removable drives can be recovered", all Not configured]

Image 2. Removable Data Drives BitLocker Drive Group Policy

Step 2. When you enable the "Deny write access to removable drives not protected by BitLocker" policy, also tick the "Do not allow write access to devices configured in another organization" option (see Image 3).
This setting is important as it will stop any non-BitLocker encrypted devices from being written to in your organisation; without it, users could bypass the whole reason to use BitLocker.

[Screenshot: "Deny write access to removable drives not protected by BitLocker" policy set to Enabled with "Do not allow write access to devices configured in another organization" ticked. The help text explains that when this setting is enabled all removable data drives that are not BitLocker-protected are mounted read-only, that with the "Do not allow write access to devices configured in another organization" option selected only drives whose identification fields match the computer's identification fields (defined by the "Provide the unique identifiers for your organization" policy setting) are given write access, and that this policy setting is ignored if the "Removable Disks: Deny write access" policy under User Configuration \ Administrative Templates \ System \ Removable Storage Access is enabled.]

Image 3. Deny write access to removable drives not protected by BitLocker

Step 3. Now enable "Choose how BitLocker-protected removable drives can be recovered" and make sure that "Save BitLocker recovery information to AD DS for removable data drives" and "Do not enable BitLocker until recovery information is stored to AD DS for removable data drives" are both ticked (see Image 4).
This setting ensures the computer has successfully saved the recovery key into AD before encrypting a USB storage device.

Image 4. Choose how BitLocker-protected removable drives can be recovered (the policy dialog with the “Allow data recovery agent”, “Omit recovery options from the BitLocker setup wizard”, “Save BitLocker recovery information to AD DS for removable data drives” and “Do not enable BitLocker until recovery information is stored to AD DS for removable data drives” options)

You may also want to consider ticking the “Omit recovery options from the BitLocker setup wizard” option, as this will prevent your users from saving the recovery key manually, which might be desirable if you don’t trust them to store the key in a safe place.
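Once the GPO from Steps 1 to 3 has replicated, the thing I actually want to know is whether it reached a given workstation. The following PowerShell script is an added example, not code from the original post, that audits the registry values Group Policy writes for these Administrative Template settings (and for the “Provide the unique identifiers for your organization” setting the cross-organisation option depends on). The policy key path HKLM\SOFTWARE\Policies\Microsoft\FVE and the value names (RDVDenyWriteAccess, RDVDenyCrossOrg, RDVRecovery, RDVActiveDirectoryBackup, RDVRequireActiveDirectoryBackup, IdentificationField) are the ones I know from VolumeEncryption.admx; treat them as an assumption and confirm against the ADMX file shipped with your Windows version. The same applies to the RemovableStorageDevices override key that the policy help text warns about.

```powershell
# Added example (not from the original post): audit whether the BitLocker To Go
# policies from Steps 1-3 have actually reached this workstation.
# Assumption: value names as used by VolumeEncryption.admx; verify locally.

$fvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Registry value -> the checkbox in the post that sets it. Enabled == DWORD 1.
$expected = [ordered]@{
    'RDVDenyWriteAccess'              = 'Deny write access to removable drives not protected by BitLocker'
    'RDVDenyCrossOrg'                 = 'Do not allow write access to devices configured in another organization'
    'RDVRecovery'                     = 'Choose how BitLocker-protected removable drives can be recovered'
    'RDVActiveDirectoryBackup'        = 'Save BitLocker recovery information to AD DS for removable data drives'
    'RDVRequireActiveDirectoryBackup' = 'Do not enable BitLocker until recovery information is stored to AD DS'
    'IdentificationField'             = 'Provide the unique identifiers for your organization'
}

function Test-BitLockerToGoPolicy {
    param([string]$KeyPath = $fvePolicyKey)

    if (-not (Test-Path $KeyPath)) {
        # No FVE policy key at all: the GPO has not applied, or carries no BitLocker settings.
        return $expected.Keys | ForEach-Object {
            [pscustomobject]@{ Setting = $_; Description = $expected[$_]; Value = $null; Compliant = $false }
        }
    }

    $props = Get-ItemProperty -Path $KeyPath
    foreach ($name in $expected.Keys) {
        $value = $props.$name   # $null when the value is absent, i.e. the policy is Not Configured
        [pscustomobject]@{
            Setting     = $name
            Description = $expected[$name]
            Value       = $value
            Compliant   = ($value -eq 1)
        }
    }
}

# The policy help text says the User Configuration "Removable Disks: Deny write access"
# setting takes precedence; when it is enabled the BitLocker deny-write policy is ignored.
# Assumption: the Removable Disks class GUID and Deny_Write value used by that policy.
function Test-RemovableStorageOverride {
    $overrideKey = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    if (Test-Path $overrideKey) {
        return ((Get-ItemProperty -Path $overrideKey).Deny_Write -eq 1)
    }
    return $false
}

$results = Test-BitLockerToGoPolicy
$results | Format-Table Setting, Value, Compliant, Description -AutoSize

if (Test-RemovableStorageOverride) {
    Write-Warning 'User-level "Removable Disks: Deny write access" is enabled, so the BitLocker deny-write policy is ignored for this user.'
}

$nonCompliant = @($results | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning ("{0} of {1} expected settings are not in effect on this computer" -f $nonCompliant.Count, $results.Count)
}
```

Run it on a workstation after `gpupdate /force`; a missing FVE key means the GPO is not linked or filtered to that computer, while a single missing value usually means one checkbox was left unticked in the policy dialog.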
Because the “Do not enable BitLocker until recovery information is stored to AD DS for removable data drives” option has been ticked, if the user tries to encrypt a new USB storage device when not connected to the corporate network they will get the following error message (see Image 5).

Image 5. Error saving recovery key (the BitLocker Drive Encryption “Starting encryption” dialog)

If the user is out of the office they will need to establish a VPN connection or enable BitLocker on the device the next time they are in the office. This would not be a problem if you have configured DirectAccess, but that is a post for another time.

Note: The loophole to this is that if someone already has a BitLocker To Go encrypted device and plugs it into a computer, they will be able to save information to the device. This does not mean the data will not be encrypted; it is just that you won’t have the recovery key if they forget the password to that particular device. To help with this problem you can set the BitLocker identification field on all the computers in the organisation so they will reject all encrypted devices that don’t have the same identification field value. This setting is under Computer > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption and is called “Provide the unique identifiers for your organization” (see Image 6).
This might sound like you can mandate that outside memory sticks can’t be used in your organisation, but if someone has set the identification field to the same value this would get around the option.

Image 6. Provide the unique identifiers for your organization (the policy's help text explains that the identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the manage-bde command-line tool, and that the allowed identification field, a comma separated list of identification fields, is used in combination with the “Deny write access to removable drives not protected by BitLocker” policy setting to help control the use of removable drives in your organization)

How.

So you have deployed BitLocker to your organisation and you have told everyone to be careful to remember their passwords, but of course your manager has come to you saying that he has forgotten the password for his USB memory stick, and it has the only copy of some really important files on it that he needs for a meeting tomorrow. What do you do?

Step 1.
First we need to identify the USB device’s recovery key identifier by plugging it into a computer running Windows 7 Ultimate/Enterprise. You can then find this identifier by clicking on the “I forgot my password” option (see Image 7).

Image 7. I forgot my password (the unlock dialog: “This drive is protected by BitLocker Drive Encryption. Type your password to unlock the drive”)

Step 2. Then write down the 8 characters of the recovery key identifier (see Image 8).

Image 8. Recovery key identifier (the “Unlock this drive using your recovery key” dialog, which shows “Your recovery key can be identified by:” followed by the identifier, and offers “Get the key from a USB flash drive” and “Type the recovery key”)

Step 3. Now go to the computer on which you installed the “BitLocker Recovery Password Viewer” tool that I mentioned above and launch the “Active Directory Users and Computers” MMC snap-in with an account that has Domain Admin privileges. Click on the domain name that will have the recovery key saved, then click “Action” and then “Find BitLocker Recovery Password...” (see Image 9).

Image 9. “Find BitLocker Recovery Password...” (Active Directory Users and Computers showing the domain’s containers)

Step 4. Now type the first 8 characters you wrote down in Step 2 and click “Search” (see Image 10).
This will show you the Recovery Password in the Details pane that you will need to unlock the drive.

Image 10. Find BitLocker Recovery Password... (the Details pane listing the Recovery Password, Computer, Date and Password ID of the matching entry)

Step 5. Now go back to the computer you have plugged the USB device into and click on “Type the recovery key” (see Image 7).

Step 6. Now type the 48 digit Recovery Password into the text box and click “Next” (see Image 11).

Image 11. Enter your recovery key (“Type your BitLocker recovery key”)

Step 7. Click OK and you will now be able to read the required file off this drive (see Image 12).

Image 12. You cannot save files on this drive (“Because BitLocker was enabled on this drive on a computer outside of your company, your system administrator has blocked you from saving files on it. To save files on this drive, turn BitLocker off and then back on again.”)

Note: If you want to restore the drive back to normal you will need to go to the Control Panel, go into the “Manage BitLocker” option and “Turn off BitLocker” (see Image 13) on the device, and then go back and select the option to “Turn On BitLocker” again. This will completely reset the recovery key on the device, making the one you just recovered totally invalid.
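Steps 3 and 4 use the GUI, but the same lookup is scriptable, which matters when the helpdesk needs to do it without a Domain Admin sitting at the console. The following PowerShell function is an added example, not code from the original post: it searches AD DS for the msFVE-RecoveryInformation object whose name contains the 8-character recovery key identifier from Step 2 and returns the 48-digit recovery password for Step 6. It assumes the ActiveDirectory RSAT module is installed and that the account running it has been granted read access to the msFVE-RecoveryPassword attribute (the post uses Domain Admin). The sample identifier ABCDEF01 in the usage line is a constructed placeholder.

```powershell
# Added example (not from the original post): PowerShell equivalent of Steps 3-4.
# Assumption: ActiveDirectory module present; caller may read msFVE-RecoveryPassword.
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    param(
        # First 8 hex characters of the recovery key identifier written down in Step 2.
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$KeyIdPrefix,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Each backed-up key is an msFVE-RecoveryInformation object stored under the
    # computer account that enabled BitLocker. Its CN is "<timestamp>{<recovery GUID>}",
    # so the identifier prefix can be matched on the CN with an LDAP wildcard.
    $ldap = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$KeyIdPrefix*))"

    Get-ADObject -LDAPFilter $ldap -SearchBase $SearchBase -SearchScope Subtree `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated |
    ForEach-Object {
        # msFVE-RecoveryGuid is stored as a byte array; rebuild the GUID so it can be
        # compared with the identifier the unlock dialog displays (Image 8).
        $guid = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
        [pscustomobject]@{
            ComputerDN       = ($_.DistinguishedName -replace '^CN=[^,]+,', '')  # parent = computer object
            RecoveryKeyId    = $guid.ToString().ToUpper()
            Created          = $_.whenCreated
            RecoveryPassword = $_.'msFVE-RecoveryPassword'   # the 48-digit password typed in Step 6
        }
    }
}

# Usage: replace the constructed placeholder with the 8 characters from Step 2.
Find-BitLockerRecoveryPassword -KeyIdPrefix 'ABCDEF01' | Format-List
```

Two practical points. Reading msFVE-RecoveryPassword is as sensitive as handing over the drive's contents, so delegate that attribute narrowly and keep it in your audit logging rather than running this as Domain Admin day to day. And for a drive that was encrypted before the policy applied (the loophole in the note above), `manage-bde -protectors -get <drive>` lists the recovery password protector and its ID, and `manage-bde -protectors -adbackup <drive> -id <ID>` writes it to AD DS, after which this search will find it.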
Image 13. Control Panel BitLocker Drive Encryption option (the Control Panel page listing the hard disk drives and the BitLocker To Go drive with its “Turn Off BitLocker” link)

Part 2 can now be found here: “How to configure Group Policy to use Data Recovery Agent to encrypt “Bitlocker to Go” drives - Part 2”

Tags: Active Directory, Advanced, Bitlocker to Go, Group Policy, Security, USB
Category: Best Practice, Security, Tutorials | 11 Comments
