Bitlocker notification or disablement

-

we trying roll out bitlocker on company laptops. problem, though our gpo seems not allow it, individual users able disable bitlocker. have problem this, dont want our workers in field, hold client data, able disable encryption. or if do, havent found way show notification bitlocker has been disabled know it. has faced issue, or know doing wrong stop this? thanks.

i asked same question microsoft -- responded can use applocker policies block execution of bitlocker "manage-bde.exe" tool.

note block execution of tool itself, regardless of command line switches.  have not been able figure out how selectively block specific switches (for example, allow "manage-bde.exe -status" current encryption status deny "manage-bde.exe -off" decrypts , disables bitlocker).  because of limitation opted use 3rd-party tool (beyondtrust privilege manager) accomplish this.

this link technet's article on applocker:
http://technet.microsoft.com/ja-jp/library/ee619725%28ws.10%29.aspx

given that, if think applocker may enough you, here steps enable rules:

1: open services control manager (services.msc) , start "application identity" service.

2: open security policy editor (secpol.msc).

3: expand application control policies, click applocker

4: click "configure rule enforcement" , choose whether want enforce or audit executable rule. (do audit first can understand behavior , don't accidentally blow machine).

5: right-click on executable rules , create default rules.  these 3 rules allow users execute files in programfiles , windows folders (and allows local admins execute program regardless of location).   important create default rules because application not explicitly addressed applocker rules prohibited running.  theoretically lock out , render windows inoperative if don't configure rules correctly.

6: right click on executable rules , create new rule deny access on "manage-bde.exe" group (default).

7: reboot, log in , if open command prompt , try run "manage-bde –status" should message command blocked group policy.


notes:

* these steps testing on single pc; setting application identity , applocker rules on domain should done group policies.  tutorial that: http://www.windowsnetworking.com/articles_tutorials/introduction-applocker-part1.html

* deny rules take precedence on allow rules, why explicitly denying manage-bde.exe run after 3 default allow rules allows users execute applications.

* view results of applocker rule, check security logs in event viewer

* use path rule block c:\windows\system32\manage-bde.exe if user copied file c:\temp, you're screwed.  hash rule more useful because hash of file never changes regardless whether user renames file or moves different folder (this weakness of hash rule because if microsoft ever patches manage-bde.exe, in service pack or security update, hash no longer valid , rule break).

* of course, you'll need protect user killing application identity service (appidsvc), without applocker rules cannot enforced.   i'll leave exercise reader.  ;-)

roland thomas

 

life motto #1: "live life give damn."


Windows Server  >  Security



Comments

Post a Comment

Popular posts from this blog

Cannot access Anywhere Access using domain name?

-
after installing anywhere access in windows server 2012 essentials r2, cannot use anywhere access using setup domain name in wizard such remote.mydomain.com? if enter public ip address, example, 72.2.34.5 works. before set anywhere access, created a record pointing public address...pinged , worked...so not sure doing wrong?  is wizard supposed create record etc , make remote.mydomain.com work? if enter public ip address while on lan, takes me router webpage.  shouldn't work on lan if accessed via public ip? thank you, tim. the wizard can configure remote.microsoft_names.com  remote.remotewebaccess.com but cannot configure domains purchased outside wizard.  depends on how domain configured if wildcard.yourdomain.com should work  if try ping remote.your_domain.com afar , not give proper  public ip, need add record mariette said. much have record domain.com www.domain.com , if have website somewhere else www.domain.com , need re...
Read more

server manager error: ADAM.events.xml could not be enumerated.

-
firewall off isnt it. rerun ldap wizard:?  why?  will screw exchange server running on machine?  ldap wizard asks questions don't understand. please dont send generic links to: http://social.technet.microsoft.com/wiki/contents/articles/13444.windows-server-2012-server-manager-troubleshooting-guide-part-ii-troubleshoot-manageability-status-errors-in-server-manager.aspx thanks, john hi john, >> ok. server manager app. these questions refer this. nothing else 2.  do need create app dir or not?  this server manager, shouldnt done? (why did break in first place?) how check if app dir exists server manager or not. 3.  if "lightweight" implementation of anything, sure hate see "heavyweight" version. the waring events can't enumerated. , cause not completing configuration of ad lds. ad lds not related server manager. used provide flexible support directory-enabled applications. if not implementing such application...
Read more

send messages to users

-
i have domain server windows 2000 sp4. my clients using win xp , win 98. when send messages computer management-shared folders-rightclick-all task-send message connected users, message received clients using winxp but not in  win 98 .how send them without winpopup  , net meeting. this forum windows server 2008.   check messenger service running on win98-clients. (haven't seen win 98 in while might not available...) Windows Server  >  Directory Services
Read more