Tuesday, March 31, 2015

Securing Drives Using BitLocker in Windows Server 2012 R2

BitLocker is a drive encryption technology that encrypts an entire volume so that its data cannot be read by anyone who gets hold of the disk without the key, for example when a disk is stolen or is pulled out of one computer and attached to another.
BitLocker was introduced in Windows Vista and Windows Server 2008 and is available only on selected editions of Windows.
BitLocker has the following characteristics:
  • BitLocker can encrypt an entire volume or only the used space on it (used-space-only encryption is faster on a newly provisioned drive).
  • BitLocker can be combined with EFS: BitLocker protects the volume as a whole, EFS protects individual files for individual users, and the two do not conflict.
  • On an operating system drive with a TPM, BitLocker verifies the integrity of the Windows startup components before the volume key is released.
  • Some BitLocker features, such as TPM-based protectors and that startup integrity check, are only usable when a Trusted Platform Module (TPM) is available on the computer. A data drive, as in this demo, can be protected with a password and a recovery password alone.
In this demo, I will go step by step through securing a data drive with BitLocker in Server 2012 R2.
In our first step we deploy the Group Policy settings before we implement BitLocker, so that the recovery password of every protected drive is escrowed in AD DS from the moment the drive is protected.
1 – On your domain server (in my case my OSI-ADDS01 domain server, which runs in Hyper-V), open Group Policy Management, expand osi.local, right-click the Default Domain Policy, and then click Edit.
Editing the Default Domain Policy is fine for a lab; in production, put the BitLocker settings in a dedicated GPO linked to the OU that holds the servers, so that they can be scoped and rolled back independently.
2 – In the Group Policy Management Editor console, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, expand BitLocker Drive Encryption, and then click Fixed Data Drives.
Then, in the right pane, double-click the Choose how BitLocker-protected fixed drives can be recovered setting.
3 – In the Choose how BitLocker-protected fixed drives can be recovered dialog, click Enabled.
Select the Save BitLocker recovery information to AD DS for fixed data drives check box, select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option, and then click OK.
The second option is the important one: a drive cannot be protected until its recovery password has actually been written to the computer object, so a server that cannot reach a domain controller at that moment will not end up encrypted with a recovery password that exists nowhere but on that server.
4 – Next, log in to another server; in my case I will log in to my existing OSI-NPS server (those who follow my blog will remember OSI-NPS from my NAP deployment).
Before we enable BitLocker, run gpupdate /force on OSI-NPS so that the policy from step 3 is applied.
Then open Server Manager, click Manage, click Add Roles and Features, and click Next until you reach the Select features page.
On the Select features page, select BitLocker Drive Encryption and then click Next.
5 – On the Confirm installation selections page, click Install, wait a few minutes, and then restart your server.

6 – Once your server has restarted, open This PC in File Explorer, right-click the F: drive (or whichever data volume you want to protect), and then click Turn on BitLocker.
7 – On the Choose how you want to unlock this drive page, select Use a password to unlock the drive, type and confirm your password, and then click Next.
8 – On the How do you want to back up your recovery key page, click Save to a file. Because of the policy from step 3 the recovery password is also written to AD DS; the file is a second copy, and in production it should be kept off the server you are protecting.
9 – In the Save BitLocker recovery key as dialog, navigate to Desktop, and then click Save.
10 – In the BitLocker Drive Encryption dialog box, click Yes to confirm saving the recovery key on this computer.
11 – On the Are you ready to encrypt this drive? page, click Start encrypting.
12 – Click Close when encryption is complete.
13 – Next, open PowerShell and type manage-bde -status. Verify that the F: volume shows Protection On as its protection status and that Key Protectors lists both Password and Numerical Password; the Numerical Password entry is the 48-digit recovery password that was escrowed to AD DS.
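The same result can be reached from PowerShell, which is how you would apply steps 6 to 13 to many servers. This is an added example and not code from the original post. It assumes a domain-joined Server 2012 R2 with the BitLocker feature installed, the Fixed Data Drives policy from step 3 already applied, the data drive mounted as F:, and an elevated PowerShell session; the registry value names checked first are the ones that policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example (not from the original post): protect the F: data drive with
# BitLocker, escrow its recovery password in AD DS, and verify the result.
# Assumes: BitLocker feature installed, fixed-data-drive GPO applied, elevated session.
Import-Module BitLocker

$MountPoint = 'F:'

# 0. Confirm the GPO actually landed after gpupdate /force. These are the
#    registry values the "Fixed Data Drives" recovery policy writes.
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction Stop
if ($fve.FDVActiveDirectoryBackup -ne 1 -or $fve.FDVRequireActiveDirectoryBackup -ne 1) {
    throw 'AD DS backup policy for fixed data drives is not in effect; run gpupdate /force and check the GPO'
}

# 1. Start encryption with a recovery password protector. Used-space-only is
#    fine for a freshly provisioned drive; omit it for a drive that held data before.
Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector -UsedSpaceOnly | Out-Null

# 2. Escrow the recovery password to the computer object in AD DS. With the
#    "do not enable until stored" policy BitLocker already does this itself;
#    the explicit call makes the script fail loudly if AD DS is unreachable.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

# 3. Add the password an operator types to unlock the drive (step 7 above).
#    ($pwd is avoided as a name because $PWD is a PowerShell automatic variable.)
$unlockPassword = Read-Host -AsSecureString 'Password to unlock F:'
Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $unlockPassword | Out-Null

# 4. Verify: protection on, two protectors, and the recovery password ID that
#    should later appear on the computer account's BitLocker Recovery tab.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
manage-bde -status $MountPoint   # the same view the post checks in step 13
```

The order matters: the recovery password protector is created and escrowed before the password protector is added, so at no point does a protected volume exist whose only key is a password in someone's head.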
14 – Next, I am going to move the F: drive from the OSI-NPS server to the OSI-ADDS01 domain server. This simulates a disk being taken out of one machine and attached to another, which is exactly the case BitLocker protects against.
Since this demo runs on Hyper-V, open the Hyper-V console, under Virtual Machines right-click the OSI-NPS VM, and then click Settings.

15 – In the left pane of the Settings window, click the hard drive attached under SCSI Controller, and then click Remove.
16 – Then click OK.
17 – Next, open the Hyper-V Settings of the OSI-ADDS01 VM, click SCSI Controller, in the right pane select Hard Drive, and then click Add.
18 – Next, click Browse.
19 – Locate Bitlocker.vhdx (the virtual disk behind the F: drive on the OSI-NPS server), and then click OK.
20 – Next, open Server Manager on the OSI-ADDS01 server, click Tools, and then click Computer Management.
21 – In the Computer Management window, click Disk Management; in the list of disks, right-click Disk 1, and then click Online.
22 – Next, open This PC on the OSI-ADDS01 server. Local Disk (F:) now appears with a padlock icon; right-click F: and choose Unlock Drive. Note that even though this is a domain controller and we are logged on with full administrative rights, the contents of F: are unreadable: the protection is encryption of the volume, not NTFS permissions, so taking ownership of the disk buys an attacker nothing.
23 – In the BitLocker (F:) prompt, under Enter password to unlock this drive, click More Options, and then click Enter recovery key. Note the recovery key ID the prompt displays; it identifies which escrowed password this drive needs.
24 – Next, on the OSI-ADDS01 server, open Active Directory Users and Computers, click View, and then click Advanced Features.
25 – Right-click osi.local, and then click Find.
26 – In the Find Users, Contacts, and Groups dialog, select Computers in the Find drop-down list, type NPS in the Computer name field, click Find Now, and then double-click NPS in the results.
27 – In the NPS Properties dialog, click the BitLocker Recovery tab and note the Password ID. This tab is only present when the BitLocker Recovery Password Viewer (under Remote Server Administration Tools, Feature Administration Tools, BitLocker Drive Encryption Administration Utilities) is installed on the computer where you run Active Directory Users and Computers. The first eight characters of the Password ID match the recovery key ID shown in the unlock prompt, which is how you pick the right entry when a computer has escrowed several.
28 – Under Details, select and copy the entire 48-digit recovery password.
29 – Back in the BitLocker (F:) prompt, paste the 48-digit recovery password we just copied into the recovery key field, and then click Unlock.
30 – Go back to This PC and note that the F: drive now has an unlocked icon. The drive is unlocked and the data can be recovered. This is the point of escrowing to AD DS: an administrator can recover the drive even when the password from step 7 is lost, while someone who only has the disk cannot. A recovery password that has been used in this way has been exposed, so after the recovery it should be rotated: remove that protector, add a new recovery password protector, and back the new one up to AD DS.
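Steps 22 to 30 can also be done without the ADUC BitLocker Recovery tab, by reading the escrowed recovery password directly from the computer object and unlocking the volume with it. This is an added example and not code from the original post. It assumes the moved drive is mounted as F: on OSI-ADDS01, the computer account found in step 26 is NPS, the ActiveDirectory and BitLocker PowerShell modules are available, and the session runs with rights to read the msFVE-RecoveryInformation objects (Domain Admins by default).

```powershell
# Added example (not from the original post): recover a BitLocker-protected data
# drive that was moved to another computer, using the recovery password escrowed
# in AD DS under the original computer account.
# Assumes: drive mounted as F:, source computer account 'NPS', elevated session
# with the ActiveDirectory and BitLocker modules installed.
Import-Module ActiveDirectory
Import-Module BitLocker

$MountPoint = 'F:'
$SourceHost = 'NPS'   # computer account the drive was protected under (step 26)

# 1. The moved volume comes up locked. Its protector IDs are readable even while
#    locked; collect the recovery password protector IDs as GUIDs.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.LockStatus -ne 'Locked') { "$MountPoint is already unlocked"; return }
$rpIds = $vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { [guid]$_.KeyProtectorId }   # "{GUID}" string -> Guid

# 2. Escrowed recovery passwords are child objects of the computer account with
#    objectClass msFVE-RecoveryInformation; the Password ID shown on the
#    BitLocker Recovery tab is the msFVE-RecoveryGuid attribute.
$computer = Get-ADComputer -Identity $SourceHost
$escrowed = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Properties 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated'

# 3. Pick the escrowed password whose ID matches a protector on this volume.
#    A computer that has protected several drives has several such objects.
$match = $escrowed | Where-Object {
    $rpIds -contains [guid]($_.'msFVE-RecoveryGuid')   # octet string -> Guid
} | Select-Object -First 1
if (-not $match) { throw "No recovery password in AD DS matches the protectors on $MountPoint" }
'Using recovery password ID {0} (escrowed {1})' -f ([guid]$match.'msFVE-RecoveryGuid'), $match.whenCreated

# 4. Unlock with the 48-digit recovery password; the data is then readable.
Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $match.'msFVE-RecoveryPassword' | Out-Null
Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, LockStatus, ProtectionStatus
```

Matching on the protector GUID rather than trying each escrowed password in turn is what keeps this safe to script: the wrong password is never sent to the volume, and the output records exactly which escrowed entry was consumed so that it can be rotated afterwards.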
