Using BitLocker to Encrypt Removable Media (Part 3)

Published on 6 May 2010 / Last Updated on 6 May 2010

This article explains how you can store BitLocker Recovery keys in the Active Directory database.


Introduction

In my previous article, I talked about how to regulate the way in which BitLocker is used in your organization through the use of group policy settings. As I alluded to towards the end of that article though, one of the big problems with encrypted media is the potential for data loss.

As you know, BitLocker encrypted drives are protected by a password. The problem is that users are prone to forget passwords, and in doing so they could end up permanently locking themselves out of the encrypted drive. Even though the data on the drive is still present, data loss still effectively occurs because the data remains inaccessible to the user. If you really stop and think about it, encrypted data that cannot be decrypted is really no different than corrupt data.

If you think back to the first article in this series, you will recall that when you encrypt a drive with BitLocker, Windows displays a message similar to the one that’s shown in Figure A, telling you that in the event that the password is forgotten, a recovery key can be used to access the drive. Not only does Windows automatically provide you with this recovery key, it forces you to either print the recovery key or save it to a file.


Figure A: BitLocker protects users against data loss by providing them with a recovery key

Having a recovery key to fall back on is a good idea, but in the real world it is just not practical. How many users do you think will remember that a recovery key even exists, much less where they put the printout? The loss of an encryption key can have catastrophic consequences in a corporate environment where data is often irreplaceable. Thankfully, you do not have to depend on the end users to keep track of their recovery keys. You can store the recovery keys in the Active Directory instead.

Preparing the Active Directory

Before we can configure BitLocker to store recovery keys in the Active Directory, we need to do a bit of prep work. As I’m sure you already know, BitLocker to Go was first introduced with Windows 7 and Windows Server 2008 R2. As such, it stands to reason that if you want to support BitLocker to Go key recovery at the Active Directory level, then you are going to need to run some of the Windows Server 2008 R2 code on your domain controllers.

Believe it or not, you do not have to upgrade all your domain controllers to Windows Server 2008 R2, unless you just want to. Instead, you can simply use a Windows Server 2008 R2 installation DVD to extend the Active Directory schema on the domain controller that is acting as the schema master for your Active Directory forest.

Before I show you how to extend your Active Directory schema, I need to warn you that this procedure assumes that all of your domain controllers are running Windows 2000 Server SP4 or above. If you have older domain controllers, then they must be upgraded before you will be able to perform the necessary schema extensions.

You should also perform a full system state backup of your domain controllers prior to extending the Active Directory schema. If something should go wrong during the extension process, it could have devastating effects on the Active Directory, so it is important to have a good backup that you can fall back on.

With that said, you can extend the Active Directory schema by inserting your Windows Server 2008 R2 installation DVD into your schema master. After doing so, open a Command Prompt window using the Run As Administrator option, and enter the following commands (where D: represents the drive containing your installation media):

D:

CD\

CD SUPPORT\ADPREP

ADPREP /FORESTPREP

When the ADPrep utility loads, you will be asked to confirm that your domain controllers are all running the appropriate versions of Windows Server. Simply press the C key and then press Enter to start the schema extension process, as shown in Figure B. The entire schema extension should only take a couple of minutes to complete.


Figure B: The Active Directory schema must be extended before BitLocker keys can be stored in the Active Directory
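Once ADPREP finishes, the result can be confirmed from any domain-joined machine. The following is an added example, not part of the original article: a read-only PowerShell check of the schema version and of the BitLocker recovery class and attributes. The value 47 for the Windows Server 2008 R2 schema level and the msFVE-* names come from the AD DS schema rather than from this article, and Test-BitLockerSchema is a hypothetical function name.

```powershell
# Added example (not from the article): read-only check of the forest schema.
# Needs only an authenticated domain account; nothing is modified.
function Test-BitLockerSchema {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$rootDse.schemaNamingContext
    $schema   = [ADSI]"LDAP://$schemaNc"

    # objectVersion on the schema container; 47 is the level written by
    # the Windows Server 2008 R2 version of ADPREP /FORESTPREP.
    $version = [int]$schema.objectVersion.Value

    # Class and attributes that hold BitLocker recovery data
    # (names taken from the AD DS schema, not from the article).
    $names = 'msFVE-RecoveryInformation', 'msFVE-RecoveryPassword',
             'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'msFVE-KeyPackage'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
    $searcher.SearchScope = 'OneLevel'

    # Collect every expected schema object that cannot be found.
    $missing = foreach ($name in $names) {
        $searcher.Filter = "(lDAPDisplayName=$name)"
        if (-not $searcher.FindOne()) { $name }
    }

    [pscustomobject]@{
        SchemaVersion   = $version
        Is2008R2OrLater = ($version -ge 47)
        MissingObjects  = @($missing)
        Ready           = ($version -ge 47 -and -not $missing)
    }
}

Test-BitLockerSchema | Format-List
```

If Ready is False on a domain controller other than the schema master, allow time for replication before rerunning the check.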

Configuring Group Policies

Simply extending the Active Directory schema alone does not force BitLocker to store recovery keys in the Active Directory. For that we are going to have to configure a few group policy settings.

Begin the process by loading the group policy that applies to your workstations into the Group Policy Management Editor. Now, navigate through the console tree to Computer Configuration | Policies | Administrative Templates: Policy Definitions | Windows Components | BitLocker Drive Encryption | Removable Data Drives. As you may recall, I talked about most of the individual policy settings in the previous article.

At this point, you should enable the Deny Write Access to Removable Drives Not Protected by BitLocker setting, as shown in Figure C. Actually, this isn’t an absolute requirement, but it does give you a way of forcing users to encrypt their USB flash drives. If you are going to force users to use BitLocker encryption, then you may also want to select the Do Not Allow Write Access to Devices Configured in Another Organization option. Again, this isn’t a requirement, but it does help to improve security.


Figure C: If you want to force BitLocker encryption for removable drives, you must enable the Deny Write Access to Removable Drives Not Protected by BitLocker setting

The next step in the process is to enable the Choose How BitLocker Removable Drives Can Be Recovered setting. If you look at Figure D, you can see the dialog box that is displayed when you double click on the Choose How BitLocker Removable Drives Can Be Recovered setting. As you can see in the figure, there are a series of check boxes that can be selected when this group policy setting is enabled.


Figure D: There are three options that you should enable

If your goal is to save a copy of each recovery key in the Active Directory, then there are three of these options that you must enable. First, you must select the Allow Data Recovery Agent option. This option should be selected by default, but since this option is what makes the entire key recovery process possible, it is important to verify that the option is enabled.

Next, you will have to select the Save BitLocker Recovery Information to AD DS for Removable Data Drives option. As you have probably already figured out, this is the option that actually saves the BitLocker recovery keys to the Active Directory.

Finally, you should select the Do Not Enable BitLocker Until Recovery Information Is Stored To AD DS For Removable Data Drives option. This option forces Windows to confirm that the recovery information has been written to the Active Directory before BitLocker is allowed to encrypt the drive. That way, you do not have to worry about a power failure wiping out the recovery key halfway through the encryption process.

Although not a requirement, some administrators also like to enable the Omit Recovery Option From The BitLocker Setup Wizard option. This prevents users from saving or printing their own copies of the recovery key.
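After the policy has been applied (for example after running gpupdate /force), a workstation can be audited to confirm the settings arrived. The following is an added example, not part of the original article: it reads the registry values that the BitLocker administrative template writes for the removable-drive settings discussed above. The registry value names are not given in the article and are stated here as assumptions about that template; Test-BitLockerToGoPolicy is a hypothetical function name.

```powershell
# Added example (not from the article): audit the removable-drive BitLocker
# policy values on a workstation. Read-only; run in an elevated session.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$fveSys = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

# Registry value names are assumptions taken from the BitLocker policy
# template, mapped to the setting or check box named in the article.
$checks = @(
    @{ Path = $fve;    Name = 'RDVRecovery';                     Required = $true;  Setting = 'Choose how removable drives can be recovered' }
    @{ Path = $fve;    Name = 'RDVManageDRA';                    Required = $true;  Setting = 'Allow data recovery agent' }
    @{ Path = $fve;    Name = 'RDVActiveDirectoryBackup';        Required = $true;  Setting = 'Save recovery information to AD DS' }
    @{ Path = $fve;    Name = 'RDVRequireActiveDirectoryBackup'; Required = $true;  Setting = 'Do not enable BitLocker until stored in AD DS' }
    @{ Path = $fve;    Name = 'RDVHideRecoveryPage';             Required = $false; Setting = 'Omit recovery options from setup wizard' }
    @{ Path = $fveSys; Name = 'RDVDenyWriteAccess';              Required = $false; Setting = 'Deny write access to unprotected drives' }
    @{ Path = $fve;    Name = 'RDVDenyCrossOrg';                 Required = $false; Setting = 'Deny write access to other organizations' }
)

function Test-BitLockerToGoPolicy {
    param([hashtable[]]$Checks)

    foreach ($c in $Checks) {
        # A missing key or value means the policy has not been applied here.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }

        $status = if ($value -eq 1)    { 'Enabled' }
                  elseif ($c.Required) { 'MISSING (required for AD DS backup)' }
                  else                 { 'Not set (optional)' }

        [pscustomobject]@{
            Setting = $c.Setting
            Value   = $value
            Status  = $status
        }
    }
}

Test-BitLockerToGoPolicy -Checks $checks | Format-Table -AutoSize
```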

Conclusion

In this article, I have shown you how to configure the Active Directory to store BitLocker recovery keys for removable drives. In Part 4, I will show you how the recovery process works.
