Friday, January 6, 2012

Bitlocker Drive Encryption Operations Guide


BitLocker is an integral security feature of Windows Vista, Windows 7, Windows Server 2008 and 2008 R2 that helps protect data stored on fixed data drives, removable data drives and operating system drives.

BitLocker helps ensure that users can read data from and write data to a drive only when they have the required password or smart card credentials, or are using the data drive on a BitLocker-protected computer that holds the proper keys. BitLocker protection on operating system drives supports two-factor authentication, using a Trusted Platform Module (TPM) together with a personal identification number (PIN) or a startup key, as well as single-factor authentication, using either a key stored on a USB flash drive or just the TPM.

TPM-based protection requires that the computer have a compatible TPM microchip and BIOS. A compatible TPM is defined as a version 1.2 TPM.

TPM: a chip installed on the system that stores the cryptographic keys that protect information.
The TPM interacts with BitLocker operating system drive protection to help provide protection at system startup. This is not visible to the user, and the logon experience is unchanged. However, if the startup information has changed, BitLocker enters recovery mode and you need a recovery password or recovery key to regain access to the data.

To back up recovery keys in Active Directory


We can back up the BitLocker recovery and TPM keys of a system in Active Directory using Group Policy. We need to extend the Active Directory schema, set the required permissions for backing up TPM password information, and configure Group Policy to enable backup of BitLocker and TPM recovery information.

Extending the Active Directory schema


We need to use the ldifde command line tool to extend the schema on the DC that serves as the schema operations master. The schema extension file (BitLockerTPMSchemaExtension.ldf) is located at http://technet.microsoft.com/en-us/library/ee424299(WS.10).aspx

ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=test,dc=net" -k -j .
This command should be entered as one line. The trailing period (.) is part of the command: it is the argument of -j, the directory where ldifde writes its log file (here, the current directory).

Set the permissions for backing up TPM password information


A client computer running Windows 7 can back up BitLocker recovery information under the computer object's default permissions. However, it cannot back up TPM owner information unless an additional ACE is added. The script (Add-TPMSelfWriteACE.vbs) is located at http://technet.microsoft.com/en-us/library/ee424299(WS.10).aspx

This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows SELF (the computer itself) to write to the ms-TPM-OwnerInformation attribute of computer objects in the domain.
Open a command prompt and run: cscript Add-TPMSelfWriteACE.vbs

Configure Group Policy to back up BitLocker and TPM recovery information

To back up recovery keys from computers running Windows Server 2008 R2 or Windows 7:

1. Open Group Policy Management. In the console tree, under Computer Configuration\Policies\Administrative Templates\Windows Components, click BitLocker Drive Encryption.

2. In the details pane, double-click Fixed Data Drives, then double-click "Choose how BitLocker-protected fixed drives can be recovered" and select Enabled.

3. Make sure Allow data recovery agent, Save BitLocker recovery information to AD DS for fixed data drives, and Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives are all checked.

4. Leave the other fields at their defaults.

5. Repeat the same steps (three and four) for Operating System Drives.

6. In the console tree, under Computer Configuration\Administrative Templates\System, click Trusted Platform Module Services.

7. Double-click Turn on TPM backup to Active Directory Domain Services and click Enabled.

8. The Require TPM backup to AD DS check box is selected by default. When it is selected, the TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds.

To back up recovery keys to a shared location:

1. Open Group Policy Management. In the console tree, under Computer Configuration\Policies\Administrative Templates\Windows Components, click BitLocker Drive Encryption.
2. Double-click "Choose default folder for recovery password", enable it, and enter the shared location in the folder field.
3. This stores the BitLocker recovery key and TPM owner information in that location.
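Once the policies above are in place, the thing worth checking is whether the backup actually happened for every machine before it was encrypted. The following PowerShell report is an added example, not part of the original post: it walks the computer objects under an OU and counts the msFVE-RecoveryInformation child objects (one per recovery password protector) and checks whether the TPM owner information attribute is populated, without ever reading the recovery password itself. It assumes the RSAT ActiveDirectory module is installed and the account has read access to msFVE-RecoveryInformation objects (by default only Domain Admins do); the OU name is a placeholder in the page's test.net domain.

```powershell
# Added example: audit AD DS for stored BitLocker recovery information.
# Not from the original post; OU and domain below are placeholders.
Import-Module ActiveDirectory
$SearchBase = "OU=Laptops,DC=test,DC=net"

# LDAP display name of the attribute that Add-TPMSelfWriteACE.vbs lets SELF write
$TpmAttr = "msTPM-OwnerInformation"

$report = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $TpmAttr | ForEach-Object {
    $computer = $_
    # Recovery information objects are direct children of the computer object.
    # We read only GUIDs and timestamps, never msFVE-RecoveryPassword.
    $keys = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                -Properties "msFVE-RecoveryGuid", "whenCreated")
    $latest = $keys | Sort-Object whenCreated -Descending | Select-Object -First 1
    $latestDate = $null
    if ($latest) { $latestDate = $latest.whenCreated }

    New-Object PSObject -Property @{
        Computer     = $computer.Name
        RecoveryKeys = $keys.Count
        LatestBackup = $latestDate
        TpmOwnerInfo = [bool]$computer.$TpmAttr
    }
}

# Machines with zero stored keys are exactly what "Do not enable BitLocker until
# recovery information is stored in AD DS" is meant to prevent; list them first.
$report | Sort-Object RecoveryKeys, Computer |
    Format-Table Computer, RecoveryKeys, LatestBackup, TpmOwnerInfo -AutoSize
$report | Where-Object { $_.RecoveryKeys -eq 0 } | ForEach-Object {
    Write-Warning "$($_.Computer): no BitLocker recovery information stored in AD DS"
}
```

A computer that shows recovery keys but no TPM owner information is the symptom of the missing self-write ACE from the previous section, since recovery passwords are written under the computer object's default permissions while ms-TPM-OwnerInformation is not.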

How to Enable BitLocker

We will be using BitLocker with two-factor authentication, as all our laptops run Windows 7 and our DCs run Windows Server 2008 R2. The majority of laptops at Cvent have a TPM chip installed.
  • First, enable the TPM in the BIOS: go to System BIOS > Security > TPM Security and check the box "TPM Security".
  • To enable BitLocker, go to Control Panel > BitLocker Drive Encryption and turn on BitLocker for the drive as required.
  • After checking the prerequisites it asks for a restart. After the restart, it prompts you to press F10 to enable the TPM.
  • It then asks you to save the recovery key. Click "Save the recovery key to a file".
  • Check Run BitLocker system check and restart.
  • The whole process takes 1.00 – 1.30 hours.
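The same enablement can be scripted, which is useful when rolling BitLocker out to many laptops and when you want the recovery password confirmed in AD DS before encryption starts rather than discovering a failed backup later. The script below is an added example and not from the original post or from Microsoft; it runs from an elevated PowerShell prompt on Windows 7 / 2008 R2, checks TPM state through the Win32_Tpm WMI class (Windows 7 has no Get-Tpm cmdlet), adds a TPM+PIN protector and a numerical recovery password with manage-bde, pushes the recovery password to AD DS explicitly, and only then turns encryption on. It assumes the group policies from the previous section are applied, that "Require additional authentication at startup" permits TPM with PIN, and that C: is the operating system drive (placeholder).

```powershell
# Added example: TPM check + BitLocker TPM+PIN enablement from PowerShell.
# Not from the original post. Run elevated; $OsDrive is a placeholder.
$OsDrive = "C:"

# 1. TPM readiness. The Win32_Tpm methods return objects whose property of the
#    same name carries the boolean result.
$tpm = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftTpm" -Class Win32_Tpm
if ($tpm -eq $null) { throw "No TPM found: enable TPM Security in the BIOS first." }
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned
"TPM spec $($tpm.SpecVersion): enabled=$enabled activated=$activated owned=$owned"
if (-not ($enabled -and $activated)) { throw "TPM is present but not enabled/activated in the BIOS." }

# 2. Add the protectors. -TPMAndPIN prompts for the PIN at the console;
#    -RecoveryPassword generates the 48-digit numerical password.
manage-bde -protectors -add $OsDrive -TPMAndPIN
manage-bde -protectors -add $OsDrive -RecoveryPassword

# 3. Locate the numerical password protector's ID in the listing and back it up
#    to AD DS now, so a domain problem fails the run before any encryption starts.
$listing = (manage-bde -protectors -get $OsDrive) -join "`n"
if ($listing -match "Numerical Password:\s+ID:\s+(\{[0-9A-Fa-f-]+\})") {
    $recoveryId = $matches[1]
} else {
    throw "No recovery password protector found on $OsDrive."
}
manage-bde -protectors -adbackup $OsDrive -id $recoveryId
if ($LASTEXITCODE -ne 0) { throw "AD DS backup of protector $recoveryId failed; not enabling BitLocker." }

# 4. Turn encryption on and show progress. Full-volume encryption of a laptop
#    drive is what the 1.00 - 1.30 hour figure above reflects.
manage-bde -on $OsDrive
manage-bde -status $OsDrive
```

As with the wizard, manage-bde -on performs a hardware test on an operating system drive and asks for a restart before encryption begins; the TPM physical-presence prompt (the F10 step above) is still answered at the console during that restart.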

To view recovery keys in Active Directory

In order to view BitLocker recovery passwords in the AD console, we need to install the BitLocker Recovery Password Viewer from RSAT on Windows 7 / Windows Server 2008.

Thursday, August 18, 2011

Event ID 12306 FSRM SMTP cannot send email

File Server Resource Manager - SMTP cannot send email to Exchange Server 2010

Problem:
Event ID: 12306
Event Source: SRMSVC

Event Viewer Application logs:
A File Server Resource Manager Service email action could not be run.

Error-specific details:
Error: IFsrmEmailExternal::SendMail, 0x8004531c, Mailbox unavailable. The server response was: 5.7.1 Client does not have permissions to send as this sender.
Solution:
As of WS08 R2, FSRM attempts to authenticate against the Exchange Server using the server's computer account (domain\computername$ format). That computer account must be granted Send As permission on the mailbox you are trying to send as, or the action fails with this error (the same configuration works on WS03 R2 without failing, assuming your receive connectors are already configured correctly).

I ran the following PowerShell command on my Exchange 2010 server to grant the necessary permissions on the mailbox I was trying to send as, after which it began working:

Add-ADPermission -Identity "Mailbox Display Name" -user "Domain\ServerName$" -extendedrights "Send-as"

You can also substitute a domain group that contains the server computer accounts you want to allow.
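The group approach keeps the grant to a single ACE that you can audit, rather than one per file server. The script below is an added example, not the post's own command: it creates the group, adds the file servers' computer accounts, grants the group Send-As on the notification mailbox, and then lists every explicit Send-As entry on that mailbox so a stray Deny ACE (which would reproduce the 5.7.1 error despite the grant) is visible. It is meant for the Exchange 2010 Management Shell on a machine that also has the RSAT ActiveDirectory module; the mailbox, group and server names are placeholders.

```powershell
# Added example: group-based Send-As grant for FSRM notification mail, plus a
# verification listing. Not from the original post; names are placeholders.
Import-Module ActiveDirectory
$MailboxId = "FSRM Notifications"      # display name or alias of the mailbox FSRM sends as
$GroupName = "FSRM-SendAs-Servers"     # domain security group holding the file servers
$Servers   = "FS01", "FS02"            # file server names (computer accounts, no trailing $)

# Create the group once, then add each file server's computer account.
if (-not (Get-ADGroup -Filter { Name -eq $GroupName })) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
foreach ($s in $Servers) {
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer $s)
}

# One grant, to the group, instead of one per server.
Add-ADPermission -Identity $MailboxId -User "$env:USERDOMAIN\$GroupName" -ExtendedRights "Send-As"

# Verify: explicit (non-inherited) Send-As entries on the mailbox. Any row with
# Deny = True overrides the allow and will keep producing the 5.7.1 response.
Get-ADPermission -Identity $MailboxId |
    Where-Object { $_.ExtendedRights -like "*Send-As*" -and -not $_.IsInherited } |
    Select-Object User, Deny, ExtendedRights |
    Format-Table -AutoSize
```

Group membership changes only take effect for a computer account after its Kerberos ticket is refreshed, so a file server added to the group may need a restart of the FSRM service or of the server before the next report email succeeds.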

Thursday, August 4, 2011

0xC0000244 blue screen while rebooting the system

I received an error while rebooting my server. This error occurs when the maximum log size specified for the Security event log has been reached and event-log wrapping is set to "Overwrite Events Older than (X) Days"; it can also occur if "Do Not Overwrite Events" is selected. Because the Security event log is full and the CrashOnAuditFail registry key is set, Windows cannot log audit information and generates a STOP 0xC0000244 blue screen error.

For the workaround, see: http://support.microsoft.com/kb/232564
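Because the STOP occurs only when both conditions line up (CrashOnAuditFail set and a Security log that cannot accept another record), the condition can be spotted before a reboot. The following read-only check is an added example, not from the original post or the KB article: it reads the CrashOnAuditFail value from the Lsa key and the Security log's size and retention policy from the Win32_NTEventlogFile WMI class, and warns when the combination is heading for 0xC0000244. It assumes an elevated prompt (reading the Security log file properties requires it); the 80% threshold is an arbitrary choice.

```powershell
# Added example: pre-reboot check for the CrashOnAuditFail / full Security log
# combination. Read-only; not from the original post. Run elevated.
$lsa = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
                        -Name CrashOnAuditFail -ErrorAction SilentlyContinue
$crashOnAuditFail = 0
if ($lsa) { $crashOnAuditFail = [int]$lsa.CrashOnAuditFail }
# 0 = off; 1 = halt the system when an audit record cannot be written;
# 2 = written by Windows itself after such a halt (only administrators can log on
#     until the log is cleared and the value is set back to 1, per the KB above).

$sec = Get-WmiObject -Class Win32_NTEventlogFile -Filter "LogFileName='Security'"
if ($sec -eq $null) { throw "Could not read the Security log properties; run elevated." }
$percentFull = [math]::Round(100 * $sec.FileSize / $sec.MaxFileSize, 1)
$policy = switch ($sec.OverWritePolicy) {
    "WhenNeeded" { "Overwrite events as needed" }
    "OutDated"   { "Overwrite events older than $($sec.OverwriteOutDated) days" }
    "Never"      { "Do not overwrite events (clear log manually)" }
    default      { $sec.OverWritePolicy }
}

"CrashOnAuditFail : $crashOnAuditFail"
"Security log     : $percentFull% of $([int]($sec.MaxFileSize / 1MB)) MB used; policy: $policy"

$Threshold = 80   # arbitrary warning level, percent of MaxFileSize
if ($crashOnAuditFail -ge 1 -and $sec.OverWritePolicy -ne "WhenNeeded" -and $percentFull -gt $Threshold) {
    Write-Warning ("Security log is $percentFull% full and CrashOnAuditFail is set: a reboot or " +
                   "a burst of audit events can stop the server with 0xC0000244. Archive and " +
                   "clear the log, or change its retention policy, before rebooting.")
}
if ($crashOnAuditFail -eq 2) {
    Write-Warning "CrashOnAuditFail is 2: the server has already halted on a full audit log. Apply the KB workaround linked above."
}
```

With the "Overwrite events as needed" policy the log wraps instead of filling, which is why the check only warns for the two retention settings named in the post.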

Friday, July 22, 2011

System beep codes

After repeated requests for beep codes, I have decided to post them here; maybe they could be pinned.

Standard Original IBM POST Error Codes
Code Description

1 short beep System is OK
2 short beeps POST Error - error code shown on screen
No beep Power supply or system board problem
Continuous beep Power supply, system board, or keyboard problem
Repeating short beeps Power supply or system board problem
1 long, 1 short beep System board problem
1 long, 2 short beeps Display adapter problem (MDA, CGA)
1 long, 3 short beeps Display adapter problem (EGA)
3 long beeps 3270 keyboard card

IBM POST Diagnostic Code Descriptions
Code Description

100 - 199 System Board
200 - 299 Memory
300 - 399 Keyboard
400 - 499 Monochrome Display
500 - 599 Colour/Graphics Display
600 - 699 Floppy-disk drive and/or Adapter
700 - 799 Math Coprocessor
900 - 999 Parallel Printer Port
1000 - 1099 Alternate Printer Adapter
1100 - 1299 Asynchronous Communication Device, Adapter, or Port
1300 - 1399 Game Port
1400 - 1499 Colour/Graphics Printer
1500 - 1599 Synchronous Communication Device, Adapter, or Port
1700 - 1799 Hard Drive and/or Adapter
1800 - 1899 Expansion Unit (XT)
2000 - 2199 Bisynchronous Communication Adapter
2400 - 2599 EGA system-board Video (MCA)
3000 - 3199 LAN Adapter
4800 - 4999 Internal Modem
7000 - 7099 Phoenix BIOS Chips
7300 - 7399 3.5" Disk Drive
8900 - 8999 MIDI Adapter
11200 - 11299 SCSI Adapter
21000 - 21099 SCSI Fixed Disk and Controller
21500 - 21599 SCSI CD-ROM System

AMI BIOS Beep Codes
Code Description

1 Short Beep System OK
2 Short Beeps Parity error in the first 64 KB of memory
3 Short Beeps Memory failure in the first 64 KB
4 Short Beeps Memory failure in the first 64 KB of memory, or Timer 1 on the motherboard is not functioning
5 Short Beeps The CPU on the motherboard generated an error
6 Short Beeps The keyboard controller may be bad. The BIOS cannot switch to protected mode
7 Short Beeps The CPU generated an exception interrupt
8 Short Beeps The system video adapter is either missing, or its memory is faulty
9 Short Beeps The ROM checksum value does not match the value encoded in the BIOS
10 Short Beeps The shutdown register for CMOS RAM failed
11 Short Beeps The external cache is faulty
1 Long, 3 Short Beeps Memory Problems
1 Long, 8 Short Beeps Video Card Problems

Phoenix BIOS Beep Codes
Note - Phoenix BIOS emits three sets of beeps, separated by a brief pause.
Code Description

1-1-3 CMOS read/write failure
1-1-4 ROM BIOS checksum error
1-2-1 Programmable interval timer failure
1-2-2 DMA initialisation failure
1-2-3 DMA page register read/write failure
1-3-1 RAM refresh verification failure
1-3-3 First 64k RAM chip or data line failure
1-3-4 First 64k RAM odd/even logic failure
1-4-1 Address line failure first 64k RAM
1-4-2 Parity failure first 64k RAM
2-_-_ Faulty Memory
3-1-_ Faulty Motherboard
3-2-4 Keyboard controller Test failure
3-3-4 Screen initialisation failure
3-4-1 Screen retrace test failure
3-4-2 Search for video ROM in progress
4-2-1 Timer tick interrupt in progress or failure
4-2-2 Shutdown test in progress or failure
4-2-3 Gate A20 failure
4-2-4 Unexpected interrupt in protected mode
4-3-1 RAM test in progress or failure (above FFFFh)
4-3-2 Faulty Motherboard
4-3-3 Interval timer channel 2 test or failure
4-3-4 Time of Day clock test failure
4-4-1 Serial port test or failure
4-4-2 Parallel port test or failure
4-4-3 Math coprocessor test or failure
Low 1-1-2 System Board select failure
Low 1-1-3 Extended CMOS RAM failure

Monday, March 7, 2011

Windows 7 and Windows 2008 R2 SP1 released

Microsoft released Windows 7 and Windows Server 2008 R2 Service Pack 1 on February 22, 2011. Here are a few links for researching and downloading the service pack from the Microsoft website:

Deployment Guide: http://technet.microsoft.com/en-us/library/ff817650(WS.10).aspx#BKMK_beforedeploy

Download link: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c3202ce6-4056-4059-8a1b-3a9b77cdfdda

I am planning to deploy SP1 in my organization and will post the detailed steps on "How to upgrade Windows 7 and W2K8 machines to SP1" soon.