Configuring Mobile Computing
How to configure mobile computers running Microsoft Windows 7, such as laptops and tables, with features such as BitLocker, DirectAccess, offline files, and VPN connections.
Configure BitLocker and BitLocker To Go policies
You need to be familiar with what you can and can't accomplish using the BitLocker related group policies.
BitLocker protects unauthorized parties from recovering data from computers using an offline attack. It accomplishes this by providing full volume encryption that is transparent to an authorized user of the computer. Data cannot be recovered from a volume encrypted using BitLocker unless the person attempting the recovery has the BitLocker recovery key or access to a specially configured data recovery agent (DRA). BitLocker also offers boot integrity protection, requiring a user to enter the BitLocker recovery key if the boot environment has been altered. BitLocker can be made more secure through the use of a Trusted Platform Module (TPM) chip, personal identification number (PIN), and a BitLocker startup key. A TPM chip is a special chip that can store the BitLocker encryption key and also can store boot integrity information. A startup key is a special cryptographically generated file that can be stored on a removable USB device. You can use these in the following combinations to secure a computer:
- TPM only mode: Does not require a PIN or startup key. User is unaware that BitLocker is functioning unless the boot environment is modified.
- TPM with startup key: Successful boot requires that the user must connect a USB device that hosts a preconfigured startup key to the computer powering on.
- TPM with PIN: Successful boot requires that users enter a PIN to successfully boot the computer. Group Policy can be configured to determine whether this is simply a four-digit number or if a password containing alphanumeric characters and symbols is required.
- TPM with PIN and startup key: Successful boot requires that the user connect a USB device that hosts a preconfigured startup key prior to boot and enters a PIN during boot.
- Startup key without a TPM: This combination provides hard disk encryption, but doesn't provide boot integrity protection. Successful boot requires that the user must connect a USB device that hosts a preconfigured startup key prior to the computer powering on.
BitLocker policies are located in the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption node. You should especially review the following policy:
- Provide The Unique Identifiers: For Your Organization You can specify an organizational ID. Use this ID with other policies to limit the use of BitLocker to drives encrypted within your organization.
Under this node, there are nodes for policies related to Fixed Data Drives, Operating System Drives, and Removable Data Drives. The policies available under each of these nodes are generally the same. The most important of these policies are as follows:
- Require Additional Authentication At Startup: You can specify startup authentication options including whether BitLocker must be used with a TPM, with a startup key, and with a TPM startup PIN.
- Allow Enhanced PINs for Startup: You can use alphanumeric passwords with symbols as TPM startup PINs.
- Configure Minimum PIN Length For Startup: You can specify the minimum length for the TPM startup PIN.
- Choose How BitLocker-Protected Operating System Drives Can Be Recovered: You can set a DRA, a 48-digit recovery password and a 256-bit recovery key as well as backup of password and keys to Active Directory.
- Deny Write Access To Fixed Drives Not Protected By BitLocker: Blocks users from writing data to drives (other than the operating system drive) not protected by BitLocker).
- Configure Use Of Password For Fixed Data Drives: Determines whether a password is required to unlock BitLocker-protected fixed data drives (as opposed to operating system drives). You can configure password complexity.
BitLocker To Go provides full volume encryption for removable volumes including flash drives and removable hard disk drives. BitLocker To Go is available to clients running the Enterprise and Ultimate editions of Windows 7. Computers running the other editions of Windows 7 can read and write data on BitLocker To Go protected drives, but cannot be used to configure a drive to use BitLocker To Go.
BitLocker To Go doesn't require a TPM chip or require that Group Policy be configured to require an authentication method such as a startup key. BitLocker To Go can be configured so that clients running the Windows Vista and Windows XP operating systems can read data from protected disks. Clients running Windows Vista and Windows XP can't be configured to write data to BitLocker To Go protected disks.
BitLocker To Go can be used with the following Group Policy items:
- Allow Access To BitLocker- Protected Removable Data Drives From Earlier Versions of Windows: Blocks or allows Windows Vista and Windows XP clients to read data from FAT-formatted, BitLocker-protected, removable drives.
- Choose How BitLocker-Protected Removable Drives Can Be Recovered: Configures a DRA or recovery password for BitLocker To Go protected removable drives.
- Configure Use Of Passwords For Removable Data Drives: Determines whether a password is required to unlock BitLocker To Go protected drives. Can be used to force password complexity policies to be applied.
- Configure Use Of Smart Cards On Removable Data Drives: You can enable or require the use of a smart card to authenticate access to a removable storage device.
- Control Use Of BitLocker On Removable Drives: You can control whether users can apply BitLocker protection to removable drives and whether users can remove BitLocker protection from removable drives.
- Deny Write Access To Removable Drives Not Protected By BitLocker: You can block users from writing data to any drive not protected by BitLocker. You can also limit the writing of data to drives to those protected by BitLocker that were configured within your organization.
Remember that computers running Microsoft Windows XP can read data only from drives configured with BitLocker To Go and then only under certain conditions.
