Securing Windows Server 2008: BitLocker authentication and configuration

Aaron Tiensivu covers BitLocker architecture, configuration and authentication modes and explains when to use BitLocker on a Windows Server 2008 machine in this chapter excerpt.

Service provider takeaway: This section of the chapter excerpt titled "Microsoft Windows Server 2008: Data Protection" is taken from the book Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization. The chapter excerpt teaches how to configure BitLocker and describes the different authentication modes.


BitLocker Architecture

Once integrity verification is successful, a filter driver encrypts and decrypts disk sectors transparently as data is written to or read from the protected volume. The filter driver is a component of Windows Server 2008 and Vista; it is inserted into the file system stack during BitLocker installation, which is why a system restart is required. After the initial encryption of the volume is complete, BitLocker operation is completely transparent to the user.

Keys Used for Volume Encryption

Volume encryption does not simply create a single key and use it to encrypt the volume. Instead, a full volume encryption key is used to encrypt the entire volume; this key is a 256-bit Advanced Encryption Standard (AES) key. BitLocker encrypts the full volume encryption key with a volume master key, which is also a 256-bit AES key. Finally, the volume master key is encrypted with the Trusted Platform Module's (TPM) endorsement key. As mentioned before, the endorsement key is an RSA key.

Hardware Upgrades on BitLocker Protected Systems

Thanks to the use of a volume master key, hardware upgrades such as replacing the CPU or motherboard are not very time-consuming. To perform one, you disable BitLocker. Disabling BitLocker does not decrypt protected volumes; instead, the volume master key is encrypted with a symmetric key that is stored unencrypted on the hard drive. Moving the disk to another BitLocker-enabled system and activating the volume is then possible without any additional steps. Because the encryption key for the volume master key is stored unencrypted on the disk, administrators can boot the system and then re-enable BitLocker.

When BitLocker is re-enabled, the unencrypted key is removed from the disk, the volume master key is re-keyed and encrypted again, and BitLocker is turned back on.
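To make the key chain from the Keys Used for Volume Encryption section and the disable/re-enable mechanics above concrete, here is an added Go model (example code written for this excerpt, not Microsoft's implementation): sectors are encrypted under the full volume encryption key, that key under the volume master key, and the master key under a protector, and disabling or enabling only re-wraps the master key. AES-256-GCM is assumed as a stand-in for every wrapping layer, including the TPM one, and all type and function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
// AES-256-GCM (32-byte keys; blob = nonce||ct||tag) stands in for each wrap layer, incl. the TPM's RSA seal.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func wrap(key, pt []byte) []byte { n := randBytes(12); return gcm(key).Seal(n, n, pt, nil) }
func unwrap(key, blob []byte) ([]byte, error) {
	if len(key) != 32 || len(blob) < 12 {
		return nil, fmt.Errorf("missing key or malformed blob")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}
// On-disk state: sectors under the full volume encryption key (FVEK), FVEK under the
// volume master key (VMK), VMK under the TPM-bound protector, clear key only while disabled.
type Volume struct{ Sector, WrappedFVEK, WrappedVMK, ClearKey []byte }
func NewVolume(protector, data []byte) *Volume {
	fvek, vmk := randBytes(32), randBytes(32)
	return &Volume{wrap(fvek, data), wrap(vmk, fvek), wrap(protector, vmk), nil}
}
// Disable re-wraps the VMK under a fresh key that is then stored unencrypted; Enable reverses
// that under the (possibly new) protector. Sectors and FVEK are untouched: no decryption pass.
func (v *Volume) Disable(protector []byte) error { k := randBytes(32); return v.rewrap(protector, k, k) }
func (v *Volume) Enable(protector []byte) error { return v.rewrap(v.ClearKey, protector, nil) }
func (v *Volume) rewrap(from, to, clear []byte) error {
	vmk, err := unwrap(from, v.WrappedVMK)
	if err != nil {
		return err
	}
	v.WrappedVMK, v.ClearKey = wrap(to, vmk), clear
	return nil
}
// Unlock walks key -> VMK -> FVEK. While disabled, the clear key read straight
// off the disk is that key, so anyone holding the drive can open the chain.
func (v *Volume) Unlock(key []byte) ([]byte, error) {
	vmk, err := unwrap(key, v.WrappedVMK)
	if err != nil {
		return nil, err
	}
	return unwrap(vmk, v.WrappedFVEK)
}
func main() {
	tpm := randBytes(32)
	v := NewVolume(tpm, []byte("sector 0: payroll"))
	fmt.Println(v.Disable(tpm), len(v.ClearKey)) // <nil> 32: the key now sits on disk
}
```

Unlock(v.ClearKey) succeeds while the volume is disabled, which is the state the excerpt warns you to leave as soon as the hardware work is done.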

BitLocker Authentication Modes

After installation, BitLocker can be configured to integrate seamlessly into the boot process (TPM only), making it transparent to the user, or to require additional information in the form of a PIN or a startup key before the boot process continues (TPM with PIN or startup key). The latter scenarios add a layer of security through multifactor authentication: TPM with PIN requires something the user knows (the PIN), and TPM with startup key requires something the user has (a USB device).

TPM Only

In this scenario, you enable BitLocker with a TPM only. No additional authentication options are used. BitLocker operation is completely transparent to the user and requires no interaction during the boot process.

TPM with PIN Authentication

Using TPM with PIN authentication, the administrator sets up a PIN during BitLocker initialization. The PIN is hashed using SHA-256 and the first 160 bits of the hash are used as authorization data for the TPM. The TPM uses the PIN data to seal the volume master key. Both the TPM and the PIN now protect the volume master key. During system startup or resume from hibernation, the user has to input the PIN to unseal the volume master key and initiate the boot process.

TPM with Startup Key Authentication

In this scenario, the administrator creates a startup key during BitLocker initialization and stores it on any USB device that the computer's BIOS can enumerate. During system startup or resume from hibernation, the user must insert the device; it can be removed after the system has successfully booted.

Startup Key-Only

In this scenario, the administrator enables BitLocker on a computer without a TPM module. The startup key for the computer is generated during initialization and is stored on a USB flash drive. The computer user has to insert the USB flash drive each time the computer starts or resumes from hibernation.

A system configured to use a startup key-only configuration does not provide the same level of security as a system using one of the TPM modes, because it does not check the integrity of the system startup components. In this scenario, make sure you create a backup copy of the startup key. You do this using the Control Panel BitLocker applet; the system saves the startup key with a .bek extension.

When to Use BitLocker on a Windows 2008 Server

In shared or unsecured environments such as branch offices, BitLocker can provide an additional level of security to a server. By securing the startup process and encrypting the operating system volume and all data volumes, BitLocker protects data from unauthorized access.

The BitLocker feature is not installed by default on Windows Server 2008; you install it using Server Manager. Setup and maintenance are performed either with GUI tools or from the command line using a script, which also allows for remote management. On Windows Server 2008, BitLocker also integrates with Extensible Firmware Interface (EFI) computers to support IA64 hardware platforms. EFI is a newer, more flexible alternative to classical BIOS implementations. You should not install and enable BitLocker on a Windows Server 2008 cluster machine, as this is an unsupported scenario.

Encryption of data volumes on Windows Server 2008 is also supported. Data volumes are encrypted the same way as operating system volumes. Windows Server 2008 will automatically mount and decrypt these volumes on startup when configured to do so.

Support for Multifactor Authentication on Windows Server 2008

Multifactor authentication extends the security of BitLocker protected drives, although there are some constraints that you should think about when you plan to implement it.

PIN Authentication

Although it might not be desirable to use BitLocker with multifactor authentication on a server, PIN authentication is a supported scenario on Windows Server 2008. If you manage a server remotely and have to reboot it, who would enter the PIN?

Of course, there are third-party solutions to overcome this limitation. Most modern server hardware offers a built-in remote management solution that is independent of the operating system. For example, Hewlett-Packard offers a so-called Integrated Lights-Out (iLO) board that lets you connect to a server remotely and bring its screen to your desk.

If no remote management solution is available, another possibility is to instruct a trustworthy person at the branch office on how and when to enter the PIN.

Startup Key Authentication

Of course, startup key support is also built into Windows Server 2008 BitLocker. All the points made for PIN support apply to the startup key scenario as well, plus an additional one: startup keys protect the server only if the key is not left in the server after startup completes. Hence, someone must insert and remove the USB device every time you reboot the server.

Enabling BitLocker

Due to its tight integration into the operating system, enabling BitLocker is straightforward. Before you begin installing and configuring, make sure that the machine you want to secure meets all software and hardware requirements. To enable BitLocker you must be a member of the local administrators group on your computer.

Partitioning Disks for BitLocker Usage

For BitLocker to work your system must have at least two partitions configured. The first, unencrypted partition is the system partition, which contains boot information. The second partition is the boot volume, which is encrypted and contains the operating system. Both partitions must be created before you install the operating system.

If you did not partition your system accordingly, there is no way to reconfigure the partitions afterwards. You must repartition the hard disk and reinstall the operating system from scratch.

Creating Partitions for a BitLocker Installation

In this section we'll show you how to create partitions for a BitLocker installation.

1. Start the computer from the Windows Server 2008 Product DVD.
2. In the Install Windows screen, choose your Installation language, Time and currency format and Keyboard layout, and then click Next.
3. In the Install Windows screen, click Repair your Computer.
4. In the System Recovery Options dialog box, make sure no operating system is selected. Then click Next.
5. In the System Recovery Options dialog box, click Command Prompt.
6. At the command prompt, type diskpart and then press Enter.
7. Type select disk 0.
8. Type clean to erase all existing partitions.
9. Type create partition primary size=1500. This will create a primary partition with a size of 1.5 GB.
10. Type assign letter=B to give this partition drive letter B.
11. Type activate to set the partition as the active partition.
12. Type create partition primary to create a partition with the remaining space. Windows Server 2008 will be installed on this partition.
13. Type assign letter=c.
14. Type list volume to see a display of all the volumes on this disk.
15. Type exit.
16. Type format c: /y /f /fs:ntfs to format the C volume.
17. Type format b: /y /f /fs:ntfs to format the B volume.
18. Type exit.
19. Close the System Recovery Options window by clicking the close window icon in the upper right (do not click Shut Down or Restart).
20. Click Install now to install Windows Server 2008. Use the larger partition for installation.

About the book
"Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization" will teach you how to configure Windows Server 2008 to secure your network, how to use Windows Server 2008 hand-in-hand with Active Directory and Vista, and how to understand Server Core. This book also focuses on public key infrastructure management, virtualization, terminal services, Active Directory Domain security changes and certificate management.

Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "Securing Windows Server 2008" by Aaron Tiensivu. For more information about this title and other similar books, please visit Elsevier.
