The TPM owner password — You define the TPM owner password in the TPM
initialization wizard, which you can start from the BDE Control Panel applet
(as Figure 3 shows). Vista requires
a TPM owner password for disabling/enabling the TPM, clearing the TPM, and recycling
BDE-encrypted volumes. Given the importance of these TPM functions, the TPM
owner password should be given to only a select set of administrators (e.g.,
members of the auditing or security team).
The BDE authentication PIN (optional) — Remember from the previous section
that BDE can support an authentication mode (TPM/PIN mode) that requires the
user to enter a PIN.
The recovery password (optional) — When enabling BDE protection, you
must also configure BDE recovery. Thanks to the BDE recovery feature, users
can still get access to their data on a BDE-protected volume after a PIN loss,
TPM errors, or boot file modification. The recovery password can be stored on
a USB token, or BDE users can simply write it down or remember it. This password
can be up to 48 digits long.
Microsoft provides tools to simplify BDE management in an Active Directory
(AD) environment. You can use AD to centrally store BDE recovery and TPM owner
passwords. In addition, you can use Group Policy Object (GPO) settings to configure
Vista clients for BDE (e.g., to specify the BDE encryption method or the authentication
mode).
These BDE management features require Windows Server 2003 SP1, because starting
in SP1, Microsoft supports the confidentiality bit in AD, which BDE leverages
for storing recovery keys. The BDE management features also necessitate specific
AD schema and configuration changes. These changes are documented in “Configuring
Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform
Module Recovery Information” at http://www.microsoft.com/downloads/details.aspx?FamilyID=3A207915-DFC3-4579-90CD-86AC666F61D4&displaylang=en.
The BDE management AD extensions will be included by default in the Longhorn
AD.
To manage and configure the TPM, Microsoft provides the Microsoft Management
Console (MMC) TPM Management snap-in (tpm.msc), which Figure
4 shows. From this snap-in, administrators can initialize the TPM, enable
or disable the TPM, clear the TPM, and change the TPM owner password. The snap-in
can be used for administering both local and remote TPMs. As part of Vista
and Longhorn, Microsoft also provides extensions to manage the TPM by using
Windows Management Instrumentation (WMI).
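The following script is an added example, not code from the article or from Microsoft; it audits the TPM state and the BDE key protectors described above from an elevated PowerShell session. It assumes the Win32_Tpm class in the root\cimv2\Security\MicrosoftTpm namespace and the Win32_EncryptableVolume class in root\cimv2\Security\MicrosoftVolumeEncryption (the latter is not named on the page), and that the recovery password appears as a "numerical password" key protector (type 3).

```powershell
# Added example (not the article's code). Reports whether the TPM is ready for
# BDE and whether each BDE volume has a recovery password protector configured.
# Assumes an elevated session; the WMI class and method names are assumptions
# drawn from the Vista-era BitLocker/TPM WMI provider, not from the article.

$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue

if ($tpm -eq $null) {
    Write-Output 'TPM: not reported by WMI (absent, disabled in BIOS, or no driver)'
} else {
    # Each query method returns an object whose boolean property holds the answer.
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    Write-Output ('TPM: enabled={0} activated={1} owned={2}' -f $enabled, $activated, $owned)
    if (-not ($enabled -and $activated -and $owned)) {
        Write-Output 'TPM: not ready for BDE; initialize it from tpm.msc (needs the owner password)'
    }
}

# Key protector type codes as returned by GetKeyProtectorType (assumed values).
$protectorNames = @{ 1 = 'TPM'; 2 = 'External key (USB)'; 3 = 'Numerical (recovery) password';
                     4 = 'TPM and PIN'; 5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key' }

$volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue

foreach ($vol in $volumes) {
    # ProtectionStatus: 0 = protection off, 1 = on, 2 = unknown
    $status = $vol.GetProtectionStatus().ProtectionStatus
    # KeyProtectorType 0 asks for every protector on the volume
    $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)
    $types = @()
    foreach ($id in $ids) {
        $t = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        if ($protectorNames.ContainsKey($t)) { $types += $protectorNames[$t] } else { $types += "type $t" }
    }
    Write-Output ('{0} protection={1} protectors: {2}' -f $vol.DriveLetter, $status, ($types -join ', '))

    # A protected volume without a recovery password cannot be recovered after
    # a PIN loss, TPM error, or boot file change, so flag it for the admin.
    $recovery = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID)
    if ($status -eq 1 -and $recovery.Count -eq 0) {
        Write-Output ('{0}: WARNING no recovery password protector configured' -f $vol.DriveLetter)
    }
}
```

Run it on a client before and after enabling BDE to confirm the TPM is owned and that every protected volume carries a recovery password protector (whose value should also be escrowed in AD as the article describes).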
Deploy Wisely
Like UAC, BDE is an important “enhanced security” motivator that
could drive enterprises to upgrade their Windows clients to Vista. BDE will
share market space with the volume encryption products of companies such as
Safe-Boot and Utimaco Safeware, which also offer these solutions for older Windows
systems.
A final piece of advice: the security offered by BDE
will only be as strong as the nontechnical aspects of your BDE deployment. When
you deploy BDE, it’s equally important that you develop adequate BDE operational
procedures, disaster recovery plans, and user guidelines for important BDE topics
such as password and recovery key management. For a good set of BDE guidance
from Microsoft, read the documents available at http://www.microsoft.com/technet/windowsvista/security/bitlockr.mspx.