About James

I am an Infrastructure Systems Administrator in the Infrastructure Systems Group (ISG) within ISS. We are responsible for a number of the core services which support the IT Infrastructure of the University including Active Directory, Exchange, DNS, Central Filestore, VMware and SQL. I hold a number of current Microsoft Certifications and am also a Symantec Certified Specialist (Netbackup). http://twitter.com/JamesAPocock

Windows XP x64 SP3…?

Something else I didn’t know!

With the release of XP SP3 I assumed there was an x64 version but…

It seems this is not the case, as XP x64 already has the v5.2 kernel and (something else I didn’t know) the x64 SP2 release was 3 years later than the x86 version, so it is much more up to date.

Confusing, but that’s why you won’t see any SP3 x64 builds (at least for a while)!

Configure Bitlocker on a TPM Enabled Machine

Introduction:

This guide is based on a detailed article from the Vista TechCenter tested and modified for use on CAMPUS.

BitLocker Drive Encryption is an integral new security feature in the Windows Vista operating system that provides considerable protection for the operating system on your computer and data stored on the operating system volume. BitLocker ensures that data stored on a computer running Windows Vista remains encrypted even if the computer is tampered with when the operating system is not running. This helps protect against “offline attacks,” attacks made by disabling or circumventing the installed operating system, or made by physically removing the hard drive to attack the data separately.

This guide demonstrates how to configure a basic installation of Bitlocker with a TPM Enabled machine and assumes you are performing a clean build on a new machine using a network based WDS build.

Important things to remember before you begin

  • Bitlocker is particularly recommended to users of laptops within the University.
  • Backups are more important than ever on encrypted disks, as recovery will be all but impossible if the disk hardware fails.
  • Changing a system’s hardware will cause the TPM to react and have the system lock down. This can easily be fixed by using the Bitlocker recovery key, but only if you still have it!

Prerequisites

A Machine with a TPM chip
Windows Vista DVD
Windows Vista Business, Enterprise or Ultimate Editions
A USB Key, preferably one you can dedicate to use with Bitlocker.
Access to a Printer

1. Copy the contents of \\campus\software\ucs\SystemSW\Bitlocker to your USB Key.

2. Boot the new machine from the Windows Vista DVD. It is necessary to do this as the WDS build on the Campus Network will not allow access to the command prompt.

3. Select the locale, accept the license and call up a command prompt by pressing SHIFT + F10.

4. At this point you can either manually run the DISKPART tool or use the script you copied on to the USB Key in Step 1.

For BitLocker to work, you must have at least two partitions on your hard disk. The first partition is the system volume, labelled S in this document. This volume contains the boot information in an unencrypted space. The second partition is the operating system volume, labelled C in this document. This volume is encrypted and contains the operating system and user data.

The script you copied to your USB key will automatically:

Select the first disk in the system (Disk 0)
Clean the partition table.
Create a 1.5GB system partition, set it as active and assign it the letter S.
Partition the rest of the disk and assign it the letter C.
Quick format both volumes with the NTFS file system.

IMPORTANT: Running this script will destroy all data on the system.

To run the script, change drive to your USB Key and run bitprep.bat
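The contents of bitprep.bat are not reproduced on this page, so as an added example (not the script from the campus share) here is a batch file that does what the steps above describe: it writes a DISKPART script next to itself, asks for confirmation because the operation wipes Disk 0, and then runs it. The partition sizes, labels and the file name bitprep.txt are assumptions; `diskpart /s` and the DISKPART `format` command are available in the Vista setup environment.

```batch
@echo off
rem Added example: two-partition layout for BitLocker (S: system, C: OS).
rem Destroys everything on Disk 0 - same caveat as the script in step 4.
setlocal

set "SCRIPT=%~dp0bitprep.txt"

set /p CONFIRM=This will wipe Disk 0. Type YES to continue: 
if /i not "%CONFIRM%"=="YES" (
    echo Aborted, nothing changed.
    exit /b 1
)

rem Write the DISKPART script (sizes are in MB; 1536 MB = 1.5GB).
> "%SCRIPT%" (
    echo select disk 0
    echo clean
    echo create partition primary size=1536
    echo active
    echo assign letter=S
    echo format fs=ntfs quick label="System"
    echo create partition primary
    echo assign letter=C
    echo format fs=ntfs quick label="Windows"
    echo exit
)

rem Run it non-interactively; DISKPART returns non-zero on failure.
diskpart /s "%SCRIPT%"
if errorlevel 1 (
    echo DISKPART reported an error - check the layout with "diskpart" / "list volume" before installing.
    exit /b 1
)

echo Done: S: (active, unencrypted boot volume) and C: (to be encrypted) are ready for the WDS build.
exit /b 0
```

Run it from the USB key exactly as the guide says for bitprep.bat (change to the key’s drive letter first); the only difference is the YES prompt, which stops the script wiping the wrong machine if it is run by accident.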

5. When the script has completed, restart your machine and build it using WDS as normal, installing Windows on drive C.

6. Now would be a good time to enable your TPM in the BIOS if it is not already. There does not seem to be any convention on how the TPM is referred to, but on HP machines it is listed as the ‘Embedded Security Device’.

7. When your machine has finished building, installing software and is fully patched you can start to configure Bitlocker. Click Start > Control Panel > Security > BitLocker Drive Encryption.

8. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume. If your TPM is not initialised, you will see the Initialize TPM Security Hardware wizard. Follow the directions to initialize the TPM and restart your computer.

9. On the Set BitLocker start-up preferences page, select the start-up option you want. You can choose only one of these options:

  • No additional security.
  • Require PIN at every start-up. You will see the Set the startup PIN page. Enter your PIN, confirm it, and then click Set PIN.
  • Require Startup USB key at every start-up. You will see the Save your start-up Key page. Insert your USB flash drive, choose the drive location, and then click Save.

In this scenario Bitlocker supports the following security permutations.

TPM only
TPM + PIN
TPM + PIN + USB Key
TPM + USB Key


10. On the Save the recovery password page, you will see the following options:

  • Save the password on a USB drive. Saves the password to a USB flash drive.
  • Save the password in a folder. Saves the password to a network drive or other location.
  • Print the password. Prints the password.

The recovery password will be required in the event the encrypted drive must be moved to another computer, or changes are made to the system startup information. This password is so important that it is recommended that you make additional copies of the password stored in safe places to assure you access to your data. You will need your recovery password to unlock the encrypted data on the volume if BitLocker enters a locked state. This recovery password is unique to this particular BitLocker encryption. You cannot use it to recover encrypted data from any other BitLocker encryption session. You should store recovery passwords apart from the computer for maximum security.


11. When you have finished backing up your recovery passwords you are ready to encrypt the volume. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue.
Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and BitLocker verifies that the computer is BitLocker-compatible and ready for encryption.

12. If the system passed the checks you will see an ‘Encryption in Progress’ notifier in the system tray.

13. You now have an encrypted disk!
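Before handing the machine over it is worth confirming from the command line that the volume really is protected and that a recovery password protector exists, since the notes at the top of this guide point out that a hardware change with no recovery key leaves the data unrecoverable. The following batch file is an added example, not part of this guide; it assumes Vista’s BitLocker command-line tool manage-bde.wsf is in %SystemRoot%\System32 and that its protector listing labels the recovery password as “Numerical Password”.

```batch
@echo off
rem Added example: check the BitLocker state of the OS volume after step 13.
rem Usage: bitcheck.bat [drive]   (defaults to C:)  - run from an elevated prompt.
setlocal

set "VOL=%~1"
if "%VOL%"=="" set "VOL=C:"

rem Vista ships BitLocker's CLI as a Windows Script File, so it runs under cscript.
set "MBDE=cscript //nologo %SystemRoot%\System32\manage-bde.wsf"

echo === Conversion and protection status for %VOL% ===
rem Shows percentage encrypted and whether protection is On or Off.
%MBDE% -status %VOL%

echo.
echo === Key protectors on %VOL% ===
rem Expect exactly the permutation chosen in step 9 (TPM, TPM+PIN, TPM+USB or
rem TPM+PIN+USB) plus the Numerical Password created in step 10.
%MBDE% -protectors -get %VOL%

rem Fail loudly if the recovery password protector is missing.
%MBDE% -protectors -get %VOL% | findstr /i /c:"Numerical Password" >nul
if errorlevel 1 (
    echo.
    echo WARNING: no recovery password protector found on %VOL% - add one and
    echo back it up before relying on this machine.
    exit /b 1
)

echo.
echo OK: recovery password protector present on %VOL%. Make sure the printed or
echo saved copy from step 10 is stored away from the machine.
exit /b 0
```

The exit code makes the check usable from a post-build script: a non-zero return means the volume either has no recovery protector or manage-bde.wsf could not query it, and the machine should not be treated as finished.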

14. If you would like to add more volumes and encrypt them then create the volumes as normal and then turn on Bitlocker for that drive.


Vista is the next Windows ME? The numbers don’t agree…

Microsoft’s Annual Revenue Reaches $60 Billion
Fastest annual revenue growth since 1999 fuels 32% increase in earnings per share.

If you don’t think Vista is here to stay then think again.

This fiscal year marked the launch of Microsoft’s flagship server products: Windows Server 2008, SQL Server 2008 and Visual Studio 2008. Revenue growth was primarily driven by continued customer demand for all products, including Windows Vista, which has sold over 180 million licenses since launch, the 2007 Microsoft Office system, server software, and Xbox 360 consoles and games.

Full release here.

http://www.microsoft.com/…Q4earnings.mspx

RSAT Part 3: Mapping network drives with Group Policy and without Scripts!

One of the most common scripts we write for users and groups of users is a simple drive map.

For example:

net use S: \\campus\software /persistent:yes

Now, the Group Policy Preferences Client Side Extensions and RSAT allow drives to be mapped without any extra work.

1. Create and name a new Policy.

2. User Configuration > Preferences > Windows Settings > Drive Maps

3. Right Click > New > Mapped Drive


4. Choose the behaviour (Create, Replace, Update or Delete) from the Action dropdown.


5. Enter a location e.g. \\campus\software\

6. Tick Reconnect if you want the connection to persist (this replaces the /persistent:yes switch).

7. Choose a drive letter.

8. If you wish you can set the Connect as fields.


9. Make sure the permissions are correct for the target folder.

10. Save and apply your policy.