Windows Server 2008 Inside Out- P11


CHAPTER 15
TPM and BitLocker Drive Encryption

Working with Trusted Platforms
Managing TPM
Introducing BitLocker Drive Encryption
Deploying BitLocker Drive Encryption
Setting Up and Managing BitLocker Drive Encryption

Many of the security features built into the Windows operating system are designed to protect a computer from attacks by individuals accessing the computer over the network or from the Internet. But what about when individuals have direct physical access to a computer? When someone has direct physical access to a computer, many of Windows security safeguards don’t apply. For example, if someone can boot a computer—even if it is to another operating system they’ve installed—he or she could gain access to any data stored on the computer, perhaps even your organization’s most sensitive data. To protect a computer from individuals who have direct access to a computer, Windows Vista and Windows Server 2008 include the Trusted Platform Module Services architecture and BitLocker Drive Encryption. Together these features help protect a computer from many types of attacks by individuals who have direct access to a computer.

Working with Trusted Platforms

Windows Vista and Windows Server 2008 include the Encrypting File System (EFS) for encrypting files and folders. Using EFS, users can protect sensitive data so that it can only be accessed using their public key certificate. Encryption certificates are stored as part of the data in a user’s profile. As long as users have access to their profiles and the encryption keys they contain, they can access their encrypted files.

Although EFS offers excellent protection for your data, it doesn’t safeguard the computer from attack by someone who has direct physical access. In a situation where a user loses a computer, a computer has been stolen, or the attacker is logging on to a computer, EFS might not protect the data because the attacker might be able to gain access to the computer before it boots. He could then access the computer from another operating system and change the computer’s configuration. He might then be able to hack into a logon account on the original operating system so that he can log on as the user or configure the computer so that he can log on as a local administrator. Either way, the attacker could eventually gain full access to a computer and its data.

To seal a computer from physical attack and wrap it in an additional layer of protection, Windows Vista and Windows Server 2008 include the Trusted Platform Module (TPM) Services architecture. TPM Services protect a computer using a dedicated hardware component called a TPM. A TPM is a microchip that is usually installed on the motherboard of a computer where it communicates with the rest of the system using a hardware bus. Computers running Windows Vista or Windows Server 2008 can use a TPM to provide enhanced protection for data, to ensure early validation of the boot file’s integrity, and to guarantee that a disk has not been tampered with while the operating system was offline.

A TPM has the ability to create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, referred to as wrapping or binding, protects the key from disclosure. A TPM has a master “wrapping” key called the Storage Root Key (SRK). The SRK is stored within the TPM itself to ensure that the private portion of the key is secure. Computers that have TPM can create a key that has not only been wrapped but also sealed. The process of sealing the key ensures that the key is tied to specific platform measurements and can only be unwrapped when those platform measurements have the same values that they had when the key was created. This is what gives TPM-equipped computers increased resistance to attack.

Because TPM stores private portions of key pairs separately from memory controlled by the operating system, keys can be sealed to the TPM to provide absolute assurances about the state of a system and its trustworthiness. TPM keys are only unsealed when the integrity of the system is intact. Further, because the TPM uses its own internal firmware and logical circuits for processing instructions, it does not rely upon the operating system and is not subject to external software vulnerabilities. The TPM can also be used to seal and unseal data that is generated outside of the TPM, and this is where the true power of the TPM lies.

In Windows Vista and Windows Server 2008, the feature that accesses the TPM and uses it to seal a computer is called BitLocker Drive Encryption. Although BitLocker Drive Encryption can be used in both TPM and non-TPM configurations, the most secure method is to use TPM. When you use BitLocker Drive Encryption and a TPM to seal the boot manager and boot files of a computer, the boot manager and boot files can be unsealed only if they are unchanged since they were last sealed. This means you can use the TPM to validate a computer’s boot files in the pre–operating system environment. When you seal a hard disk using TPM, the hard disk can only be unsealed if the data on the disk is unchanged since it was last sealed. This guarantees that a disk has not been tampered with while the operating system was offline.

When you use BitLocker Drive Encryption and do not use a TPM to seal the boot manager and boot files of a computer, TPM cannot be used to validate a computer’s boot files in the pre–operating system environment.
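To make the sealing behaviour concrete, here is an added Python model (example code written for this page, not code from the book and not Microsoft’s TPM or BitLocker implementation). It simulates a TPM 1.2 style PCR extend over a constructed boot chain, seals a volume key under a toy Storage Root Key so that it unseals only when the measurements match, and contrasts that with a TPM-less startup-key protector that unlocks no matter what booted. The class and function names, the HMAC-based wrapping, the blob layout and the sample boot components are all assumptions made for the illustration; a real TPM seals with keys held in the chip and uses a different blob format.

```python
import hashlib
import hmac
import os

PCR_SIZE = 20  # TPM 1.2 Platform Configuration Registers hold a SHA-1 digest


def extend(pcr, measurement):
    """PCR extend: new_pcr = SHA-1(old_pcr || SHA-1(measurement)).
    A PCR can only be extended, never written directly, so its final value
    commits to every component measured and to the order of measurement."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measure_boot(components):
    """Static root of trust measurement: starting from the power-on reset
    value, each boot component is measured into the PCR before it runs."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class UnsealError(Exception):
    """The platform measurements differ from those present at sealing time."""


class ToyTpm:
    """Toy TPM. The Storage Root Key never leaves this object (the 'chip')."""

    def __init__(self):
        self._srk = os.urandom(32)  # constructed here; a real SRK is generated inside the TPM

    def _wrap_key(self, pcr, length):
        # The wrapping key is derived from the SRK *and* the PCR value, so a
        # different boot chain yields a different key.
        return hmac.new(self._srk, b"wrap" + pcr, hashlib.sha256).digest()[:length]

    def seal(self, secret, pcr):
        """Seal `secret` (at most 32 bytes) to the given PCR value."""
        if len(secret) > 32:
            raise ValueError("toy seal handles at most 32 bytes")
        ct = bytes(a ^ b for a, b in zip(secret, self._wrap_key(pcr, len(secret))))
        tag = hmac.new(self._srk, b"seal" + pcr + ct, hashlib.sha256).digest()
        return ct + tag

    def unseal(self, blob, current_pcr):
        """Unseal with the PCR value measured on *this* boot; fails closed on mismatch."""
        ct, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self._srk, b"seal" + current_pcr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise UnsealError("boot measurements changed since the key was sealed")
        return bytes(a ^ b for a, b in zip(ct, self._wrap_key(current_pcr, len(ct))))


def wrap_with_startup_key(vmk, startup_key):
    """TPM-less protector: the volume key is wrapped only with a key kept on
    removable media. XOR with a derived keystream; applying it twice unwraps."""
    ks = hmac.new(startup_key, b"startup-key-protector", hashlib.sha256).digest()[:len(vmk)]
    return bytes(a ^ b for a, b in zip(vmk, ks))


def tpm_mode_unlock(tpm, sealed_vmk, boot_components):
    """BitLocker-with-TPM style unlock: measure what booted, then ask the TPM."""
    return tpm.unseal(sealed_vmk, measure_boot(boot_components))


def startup_key_unlock(wrapped_vmk, startup_key, boot_components):
    """BitLocker-without-TPM style unlock. boot_components is accepted only to
    show that nothing on this path inspects it: the boot chain is not validated."""
    return wrap_with_startup_key(wrapped_vmk, startup_key)


# Constructed sample boot chains (placeholders, not real file contents).
TRUSTED_BOOT = [b"firmware-v1", b"bootmgr-v1", b"winload.exe-v1"]
TAMPERED_BOOT = [b"firmware-v1", b"bootmgr-modified-offline", b"winload.exe-v1"]


def demo():
    """Run both protectors against the trusted and the tampered boot chain."""
    tpm = ToyTpm()
    vmk = os.urandom(32)      # constructed volume master key
    usb_key = os.urandom(32)  # constructed startup key on USB media
    sealed = tpm.seal(vmk, measure_boot(TRUSTED_BOOT))
    wrapped = wrap_with_startup_key(vmk, usb_key)

    results = {
        "tpm_trusted_boot_unlocks": tpm_mode_unlock(tpm, sealed, TRUSTED_BOOT) == vmk,
        "startup_key_trusted_boot_unlocks": startup_key_unlock(wrapped, usb_key, TRUSTED_BOOT) == vmk,
        # Startup-key mode cannot tell that the boot manager was changed offline.
        "startup_key_tampered_boot_unlocks": startup_key_unlock(wrapped, usb_key, TAMPERED_BOOT) == vmk,
    }
    try:
        tpm_mode_unlock(tpm, sealed, TAMPERED_BOOT)
        results["tpm_tampered_boot_rejected"] = False
    except UnsealError:
        results["tpm_tampered_boot_rejected"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two design points carry over to the real thing: the sealed blob fails closed (an authentication tag is checked before anything is released, rather than decrypting to garbage and letting the boot continue), and the PCR is order-sensitive, so swapping two boot components produces a different measurement even when the same bytes were loaded.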
This means there is no way to guarantee the integrity of the boot manager and boot files of a computer.

Managing TPM

A computer running Windows Server 2008 must be equipped with a compatible TPM and compatible firmware to take advantage of TPM. Both Windows Vista and Windows Server 2008 support TPM version 1.2 and require Trusted Computing Group (TCG)–compliant firmware. Firmware that is TCG-compliant is firmware that supports the Static Root of Trust Measurement as defined by the Trusted Computing Group. In some configurations of TPM and BitLocker Drive Encryption, you’ll also need to make sure the firmware supports reading USB flash drives at startup.

Understanding TPM States and Tools

The TPM Services architecture in Windows Vista and Windows Server 2008 provides the basic features required to configure and deploy TPM-equipped computers. This architecture can be extended with a feature called BitLocker Drive Encryption, which is discussed in “Introducing BitLocker Drive Encryption” on page 477. Before you can use TPM, you must turn on TPM in firmware and initialize the TPM for first use in software. As part of the initialization process, you’ll set the owner password on the TPM. After TPM is enabled, you can manage the TPM configuration.

In some cases, computers that have TPM might ship with TPM turned on. However, in most cases, you’ll find TPM is not turned on by default. You turn on TPM in firmware. With my servers, I needed to:

1. Start the computer. Press F2 during startup to access the firmware. In the firmware, I accessed the Advanced screen and then the Peripheral Configuration screen.
2. On the Peripheral Configuration screen, Trusted Platform Module was listed as an option. After scrolling down to highlight this option, I pressed Enter to display an options menu. On the options menu, I selected Enable and then pressed Enter.
3. To save the setting change and exit the firmware, I then pressed F10. When prompted to confirm that I wanted to exit, I pressed Y and the computer then rebooted.

Windows Vista and Windows Server 2008 provide several tools for working with TPM, including:

• Trusted Platform Module Management: An MMC console for configuring and managing TPM. You can access this tool by clicking Start, typing tpm.msc in the Search box, and then pressing Enter.
• Initialize The TPM Security Hardware: A wizard for creating the required TPM owner password. You can access this tool by clicking Start, typing tpminit in the Search box, and then pressing Enter.

When you are working with Trusted Platform Module Management, you’ll be able to determine the exact state of the TPM. If you try to start Trusted Platform Module Management without turning on TPM, you’ll see an error like the one shown in the following screen. Similarly, if you try to run Initialize The TPM Security Hardware without turning on TPM, you’ll see an error like the one shown in the following screen. Only when you’ve turned on TPM in firmware will you be able to access and work with the TPM tools.

When you are working with the Trusted Platform Module Management console, shown in Figure 15-1, you should note the TPM status and the TPM manufacturer information. The TPM status indicates the exact state of the TPM (see Table 15-1). The TPM manufacturer information shows that the TPM supports specification version 1.2. Support for TPM version 1.2 or later is required.

Table 15-1 TPM Status Indicators and Their Meanings

Status Indicator                                   Meaning
The TPM is on and ownership has not been taken     The TPM is turned on in firmware but hasn’t been initialized yet.
The TPM is on and ownership has been taken         The TPM is turned on in firmware and has been initialized.
The TPM is off and ownership has not been taken    The TPM is turned off in software but hasn’t been initialized yet.

Figure 15-1 Use the Trusted Platform Module Management console to initialize and manage TPM.

Initializing a TPM for First Use

Initializing a TPM configures it for use on a computer. The initialization process involves turning on the TPM and then setting ownership of the TPM. By setting ownership of the TPM, you are assigning a password that helps ensure that only the authorized TPM owner can access and manage the TPM. The TPM password is required to turn off the TPM if you no longer want to use it and to clear the TPM if the computer is to be recycled. In an Active Directory domain, you can configure Group Policy to save TPM passwords. To initialize the TPM and create the owner password, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Initialize TPM to start the Initialize The TPM Security Hardware wizard.

Note: If the Initialize The TPM Security Hardware wizard detects firmware that does not meet Windows requirements or no TPM is found, you will not be able to continue and should ensure that the TPM has been turned on in firmware. Otherwise, you’ll see the Create The TPM Owner Password page.

2. On the Create The TPM Owner Password page, shown in Figure 15-2, click Automatically Create The Password (Recommended).
Figure 15-2 Initialize the TPM.

3. On the Save Your TPM Owner Password page, shown in Figure 15-3, note the 48-character TPM owner password. Click Save The Password.

Figure 15-3 Note the 48-character TPM owner password.

4. In the Save As dialog box, shown in Figure 15-4, select a location to save the password backup file and then click Save. By default, the password backup file is saved as ComputerName.tpm. Ideally, you’ll save the TPM ownership password to removable media, such as a USB flash drive.

Figure 15-4 Save the TPM owner password.

5. On the Save Your TPM Owner Password page, click Print The Password if you want to print a hard copy of the password. Be sure to save the printout containing the password in a secure location, such as a safe or locked file cabinet.

6. Click Initialize. The initialization process may take several minutes to complete. When initialization is complete, click Close. In the TPM Management console, the status should be listed as “The TPM is on and ownership has been taken,” as shown in Figure 15-5.

Figure 15-5 The status of an initialized TPM shows ownership has been taken.

Turning an Initialized TPM On or Off

Computers that have TPM might ship with TPM turned on. If you decide not to use TPM, you should turn off and clear the TPM. If you want to reconfigure or recycle a computer, you should also turn off and clear the TPM. To turn off TPM, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Turn TPM Off. This starts the Manage The TPM Security Hardware wizard.

2. On the Turn Off The TPM Security Hardware page, shown in Figure 15-6, use one of the following methods for entering the current password and turning off the TPM:

• If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Turn TPM Off.
• If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter the TPM password (including dashes) and then click Turn TPM Off.
• If you do not know your TPM owner password, click I Don’t Have The TPM Owner Password, and then follow the instructions provided to turn off the TPM without entering the password. Because you are logged on locally to the computer, you will be able to turn off the TPM.

3. In the TPM Management console, the status should be listed as “The TPM is off and ownership has been taken.” Do not discard the TPM owner password file or printout. You will need this information if you want to turn the TPM back on.

Figure 15-6 Click an option for turning off the TPM.

After you’ve used the previously listed procedure to turn off the TPM in software, you can turn on the TPM in software by following these steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Turn TPM On. This starts the Manage The TPM Security Hardware wizard.

2. On the Turn On The TPM Security Hardware page, use one of the following methods for entering the current TPM password and turning on the TPM:

• If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Turn TPM On.
• If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter the TPM password (including dashes) and then click Turn TPM On.
• If you do not know your TPM owner password, click I Don’t Have The TPM Owner Password, and then follow the instructions provided to turn on the TPM without entering the password. Because you are logged on locally to the computer, you will be able to turn on the TPM.

3. In the TPM Management console, the status should be listed as “The TPM is on and ownership has been taken.” Do not discard the TPM owner password file or printout. You will need this information if you want to manage the TPM.

Clearing the TPM

Clearing the TPM cancels the TPM ownership and finalizes the shutdown of the TPM. You should only clear the TPM when a TPM-equipped computer is to be recycled. To clear the TPM, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Clear TPM. This starts the Manage The TPM Security Hardware wizard.

CAUTION! Clearing the TPM resets it to factory defaults and finalizes its shutdown. As a result, you will lose all created keys and data protected by those keys.

2. On the Clear The TPM Security Hardware page, select a method for entering the current password and clearing the TPM:

• If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Clear TPM.
• If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter your password (including dashes) and then click Clear TPM.
• If you do not know your TPM owner password, click I Don’t Have The TPM Owner Password, and follow the instructions provided to clear the TPM without entering the password. Because you are logged on locally to the computer, you will be able to clear the TPM.

Changing the TPM Owner Password

You can change the TPM password at any time. To change the TPM owner password, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Change Owner Password. This starts the Manage The TPM Security Hardware wizard.

2. On the Change TPM Owner Password page, select a method for entering the current password:

• If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Create New Password.
• If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter your password (including dashes) and then click Create New Password.

3. On the Create The TPM Owner Password page, select Automatically Create The Password (Recommended) and then click Next.

4. On the Save Your TPM Owner Password page, note the 48-character TPM owner password. Click Save The Password. In the Save As dialog box, select a location to save the password backup file and then click Save. If you are saving the password backup file to the same location and name, click Yes when prompted to replace the existing file.

5. On the Save Your TPM Owner Password page, click Print The Password if you want to print a hard copy of the password. Be sure to save the printout containing the password in a secure location, such as a safe or locked file cabinet.

6. To complete the process, click Change Password.

Posted: 28/10/2013, 17:15
