BitLocker To Go
Many of today’s removable storage drives have the average storage capacity approaching that of most small and medium-size departmental-level file shares from ten years ago. This presents several challenges.
First, when a removable storage device is lost or stolen, a significant amount of organizational data can be compromised. And perhaps a bigger problem is that while users will quickly make the IT department aware of a missing laptop computer, they don’t feel the same urgency when a USB storage device that may contain gigabytes of organizational data has gone missing.
BitLocker To Go, a new feature introduced with Windows 7, lets you protect USB storage devices in a way similar to what BitLocker offers for operating-system and fixed drives. Through group policy, you can restrict computers in your organization so that they can only write data to removable storage devices protected by BitLocker To Go. This increases security by ensuring that if a user does lose a removable device, at least the data on it is encrypted and can’t be easily accessed by unauthorized third parties.
The relevant BitLocker To Go policies are located in the Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Removable Data Drives node of a group policy object. These policies include:
- Control use of BitLocker on removable drives. This lets you configure how BitLocker is used on removable drives, including whether ordinary users can enable or disable the facility on removable devices. For example, you may want to let specific users store data on removable drives already configured with the protection capability, but block them from configuring their own devices with it.
- Deny write access to removable drives not protected by BitLocker. This policy lets you restrict users so they can only write data to devices protected by BitLocker To Go encryption. When this policy is enabled, an unauthorized person can’t easily access data written to a removable device, as it will be protected by encryption.
- Choose how BitLocker-protected removable drives can be recovered. This policy lets you configure a data recovery agent or save BitLocker To Go recovery information within Active Directory. This policy is important, because if you choose to implement BitLocker To Go to protect data on removable devices, you should have a strategy to recover data for the inevitable case where a user forgets his or her BitLocker To Go password.
When you’ve configured BitLocker To Go for a removable storage device, a user must enter a password to unlock the device on another computer. When the password is entered, the user will have read/write access to the device on a computer running the Enterprise or Ultimate editions of Windows 7. You can also configure BitLocker To Go to allow the user read-only access to BitLocker To Go protected data on computers running other versions of Microsoft operating systems.
If your organization is going to use BitLocker To Go, you’ll need some sort of data recovery strategy in the event of lost or forgotten passwords. Configuring BitLocker To Go recovery is similar to configuring BitLocker recovery. In this case, you’ll have to set the Computer Configuration | Windows Settings | Administrative Templates | Windows Components | BitLocker Drive Encryption | Removable Data Drives | Choose How BitLocker-Protected Drives Can Be Recovered policy.
You can have the BitLocker To Go passwords backed up to Active Directory, where they’ll be available to administrators who have access to the Active Directory Users and Computers console and the computer account where the device was originally protected. You can also configure a policy so that data is protected with a DRA, allowing a user assigned the DRA certificate to recover data from the drives without necessitating the recovery of individual passwords.
Configuring AppLocker
No anti-malware utility can catch every malicious program. AppLocker can add another layer of protection. This technology lets you create a list of applications known to be safe and limit execution to those that are on the list. While this type of approach to securing a computer would be cumbersome to someone who regularly runs new and unusual software, most organizations have a standard system environment where changes to applications occur more gradually, so allowing the execution of only green-lighted applications is more practical.
You can extend this set of AppLocker authorization rules to include not only executable files but also scripts, DLLs, and files in MSI format. Unless the executable, script, DLL or installer is authorized by a rule, it won’t execute.
AppLocker makes creating the rule list for authorized applications simple with a wizard that automates the process. This is one of the significant improvements of AppLocker over software restriction policies, a technology in prior Windows versions that has similar core functionality.
AppLocker can also use rules that identify files using the file publisher’s digital signature, so you can create rules that include the current and future versions of the file. This saves administrators the chore of updating current rules after applying software updates. The revised executable file, script, installer or DLL will still be covered by the original rule. This wasn’t possible with software restriction policies, which forced admins to update rules when software configurations changed.
To create a reference set of AppLocker policy rules you can apply to other computers, perform the following steps:
1. Configure a reference computer running Windows 7 with all the applications you want to execute in your environment.
2. Log on to the computer with a user account that has local Administrator privileges.
3. Start the Local Group Policy Editor by running Gpedit.msc from the Search programs and files textbox.
4. Navigate to Computer Configuration | Windows Settings | Security Settings | Application Control Policies | AppLocker | Executable Rules of the local GPO. Right click on the Executable Rules node and then click automatically generate new rules. This will launch the Automatically Generate Executable Rules wizard.
5. In the textbox labeled Folder that contains the files to be analyzed, enter c:\. In the textbox labeled Name to identify this set of rules, enter All Executables and then click Next.
6. On the Rule Preferences page, select Create publisher rules for files that are digitally signed, and in case a file isn’t signed, also select File hash: rules are created using a file’s hash. Ensure that the option Reduce the number of rules by grouping similar files isn’t selected, and then click Next.
7. Rule generation will take some time. When they’ve been generated, click Create. When prompted as to whether you want to create the default rules, click No. You don’t have to create these—by creating rules for all executables on the reference computer, you’ve created the equivalent of more-comprehensive default rules.
8. If the computer has applications stored on multiple volumes, repeat steps 5 through 7, entering the appropriate drive letter when running the automatically generated executable rules wizard.
9. Once rules have been generated, you can export the list of allowed applications in XML format by right-clicking on the AppLocker node, then clicking on Export Policy. You can also import these rules into other group policy objects, such as those that apply to portable computers in your organization. By applying these rules through policy, you can limit the execution of applications so only those present on the reference computer are allowed.
10. When configuring AppLocker, you need to ensure that the Application Identity service is enabled through the services console and that executable rules are enforced through policy. If this service is disabled, AppLocker policies will not apply. Although you can configure service startup status within Group Policy, you must limit which users have local administrator access so that they are unable to circumvent AppLocker. You enable executable rule enforcement by right-clicking on the Computer Configuration | Windows Settings | Security Settings | Application Control Policies | AppLocker node and then clicking on Policies. Enable the Configured option under Executable Rules and then ensure that Enforce Rules is selected.
Hopefully this has helped you learn how to implement and recover BitLocker, to use BitLocker To Go and to configure AppLocker Policies. Using these technologies along with normal housekeeping tasks (such as ensuring that computers are kept current with updates, antivirus software and antispyware programs), will enhance the security of computers in your organization running Windows 7.
0 comments:
Post a Comment