There is an excellent FAQ on the Vista Tech Centre.
Monthly Archives: July 2008
Windows XP x64 SP3…?
Something else I didn’t know!
With the release of XP SP3 I assumed there was an x64 version but…
It seems this is not the case as XP x64 already has the V5.2 kernel and (something else I didn’t know) the x64’s SP2 release was 3 years later than the x86 version so it is much more up to date.
Confusing but that’s why you won’t see any SP3 x64 builds (at least for a while)!
Configure Bitlocker on a TPM Enabled Machine
This guide is based on a detailed article from the Vista TechCenter tested and modified for use on CAMPUS.
BitLocker Drive Encryption is an integral new security feature in the Windows Vista operating system that provides considerable protection for the operating system on your computer and data stored on the operating system volume. BitLocker ensures that data stored on a computer running Windows Vista remains encrypted even if the computer is tampered with when the operating system is not running. This helps protect against “offline attacks,” attacks made by disabling or circumventing the installed operating system, or made by physically removing the hard drive to attack the data separately.
This guide demonstrates how to configure a basic installation of Bitlocker with a TPM Enabled machine and assumes you are performing a clean build on a new machine using a network based WDS build.
Important thinks to remember before you begin
- Bitlocker is particularly reccomended to users of Laptops within the University.
- Backups are more important than ever on enrypted disks as recovery will be all but impossible if the disks hardware fails.
- Changing a systems hardware will cause the TPM to react and have the system lock down. This can easily be fixed by using the Bitlocker recovery key but only if you sill have it!
A Machine with a TPM chip
Windows Vista DVD
Windows Vista Business, Enterprise or Ultimate Editions
A USB Key, preferably one you can dedicate to use with Bitlocker.
Access to a Printer
1. Copy the contents of
\\campus\software\ucs\SystemSW\Bitlocker to your USB Key.
2. Boot the new machine from the Windows Vista DVD. It is necessary to do this as the WDS build on the Campus Network will not allow access to the command prompt.
3. Select the locale; accept the license and call-up a command prompt by selecting SHIFT + F10.
4. At this point you can either manually run the DISKPART tool or use the script you copied on to the USB Key in Step 1.
For BitLocker to work, you must have at least two partitions on your hard disk. The first partition is the system volume and labeled S in this document. This volume contains the boot information in an unencrypted space. The second partition is the operating system volume and labelled C in this document. This volume is encrypted and contains the operating system and user data.
The script you copied to your USB key will automatically:
Select the first disk in the system (Disk 0)
Clean the partition table.
Create a 1.5GB System Partition, sets it as active and assign it the letters S.
Partition the rest of the disk and assigns it the letter C
Quick Format both volumes with the NTFS file system.
IMPORTANT: Running this script will destroy all data on the system.
To run the script, change drive to your USB Key and run bitprep.bat
5. When the script has completed, restart your machine and build the machine using WDS as normal installing Windows on drive C
6. Now would be a good time to enable your TPM in the BIOS if it is not already.. There does not seem to be any convention on how the TPM is referred to but with HP machines it is so as the ‘Embedded Security Device’
7. When your machine has finished building, installing software and is fully patched you can start to configure Bitlocker. Click Start > Control Panel > Security > BitLocker Drive Encryption.
8. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume. If your TPM is not initialised, you will see the Initialize TPM Security Hardware wizard. Follow the directions to initialize the TPM and restart your computer.
9. On the Set BitLocker start-up preferences page, select the start-up option you want. You can choose only one of these options:
- No additional security.
- Require PIN at every start-up . You will see the Set the startup PIN page. Enter your PIN, confirm it, and then click Set PIN.
- Require Startup USB key at every start-up . You will see the Save your start-up Key page. Insert your USB flash drive, choose the drive location, and then click Save.
In this scenario Bitlocker supports the following security permutations.
TPM + PIN
TPM + PIN + USB Key
TPM + USB Key
10. On the Save the recovery password page, you will see the following options:
- Save the password on a USB drive. Saves the password to a USB flash drive.
- Save the password in a folder. Saves the password to a network drive or other location.
- Print the password. Prints the password.
The recovery password will be required in the event the encrypted drive must be moved to another computer, or changes are made to the system startup information. This password is so important that it is recommended that you make additional copies of the password stored in safe places to assure you access to your data. You will need your recovery password to unlock the encrypted data on the volume if BitLocker enters a locked state. This recovery password is unique to this particular BitLocker encryption. You cannot use it to recover encrypted data from any other BitLocker encryption session. You should store recovery passwords apart from the computer for maximum security.
11. When you have finished backing up your recovery passwords you are ready to Encrypt the volume. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue.
Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and BitLocker verifies if the computer is BitLocker-compatible and ready for encryption.
12. If the system passed the checks you will see a ‘Encryption in Progress’ notifier in the system tray.
13. You can now have an enrypted disk!
14. If you would like to add more volumes and encrypt them then create the volumes as normal and then turn on Bitlocker for that drive.
Limiting software usage through GP delegation
To apply a group policy to just a few selected computers in an OU containing many other computers, you can use Group Policy delegation. There are a couple of ways of doing this: one involves Denying access to a group of computers and the other involves Allowing access to a group of computers. It really depends on your local OU structure and what you want to achieve as to which method you use.
First of all, create a security group of computers (call it something meaningful) and add the PCs that you *don’t* want to get the policy.
Run the Group Policy Management Console/Snapin, and browse to the group policy in question. Click/double-click it so that you see the tabs Scope, Settings, Detail and Delegation in the right-hand pane.
Click on the Delegation tab.
Click Add and enter the name of the group of computers. (If you just want to specify a single computer name, that’s okay, but you’ll need to click on Object types first and check the Computers box – groups are easier to maintain though).
Once you’ve added the computer/group of computers to the ACL, you’ll need to check the *DENY* on Apply Group Policy. In this example, I’ve denied rights to UCS Cluster Computers to apply the policy 3 Central 7-zip 4.42:
This is more or less the same procedure. Create a group of computers that you *do* want to get the policy. Click on Delegation… Advanced so that the Security box appears. Remove Authenticated users from the ACL, and add your group of computers. Ensure that Apply Group Policy is selected for this group. ISS use this method for securing the 5 Licensed software policies.
Now when you apply the group policy to an OU, only the PCs that are in the allow/deny group will be allowed/denied access to the software.
If you’re using the old Group Policy management tool (the one that’s integrated into Users and Computers), you can make the same changes by just right-clicking the Group Policy, selecting Properties, and then the Security tab.
You can use this method to secure any Group Policy regardless of its purpose, the policy doesn’t necessarily need to be a software policy. For example you can limit application of a policy that adds users to a local machine admin group.
Something to note
To change delegation on a group policy, you must have rights to modify the policy security.
The “Mojave Experiment” – dispelling Vista misconceptions
Microsoft has launched a new site for The “Mojave Experiment”, where they demonstrated the next version of Windows, “codename Mojave” to a set of people and asked them to rate what they’d seen in comparison to their preconceived ideas of Vista. Then it’s revealed that what was demonstrated was Vista all along.
An area that Microsoft have massively improved upon is their documentation for the Office suite. Office Online and the online version of the help within the Office 2007 applications is very impressive these days.
Sometimes it feels like reinventing the wheel for us to produce some forms of documentation as Microsoft have already produced demos, training and how-to documents to a high standard. It is surprising that it is not first port of call for needing to know how to do something within Office, perhaps it is because the Paperclip man (Office Assistant) from old versions of Office was so annoying.
I would in particular recommend the Outlook documentation at Office Online here.
The Snipping Tool
One of my favourite features (I’m easily pleased) of Windows Vista is the Snipping Tool. Fed up with the old print-screen/MS Paint/crop method of getting screen/window grabs and not wanting to use a 3rd party graphics application, I was happy to see that Microsoft introduced their Snipping Tool into Vista. It had previously only been available as a add-on for tablet PCs. You can find it under Accessories in Vista.
It seemlessly allows the creation of Window, Free-Form, rectangular or entire screen grabs that can be annotated and highlighted. It works with multiple monitors and remote desktop sessions and eases the creation of documentation or showing someone something. After all, a picture is supposed to speak a thousand words.
The issue of Encryption is coming up more and more. Next week I will post a step-by-step guide on how to configure Bitlocker, the Encryption feature built-in to Vista Business, Enterprise and Ultimate editions as well as Server 2008.
If you do nto have these versions of Vista or do not use Windows then you may like to look at T r u e C r y p t.
Vista is the next Windows ME? The numbers don’t agree…
Microsoft’s Annual Revenue Reaches $60 Billion
Fastest annual revenue growth since 1999 fuels 32% increase in earnings per share.
If you don’t think Vista is here to stay then think again.
This fiscal year marked the launch of Microsoft’s flagship server products: Windows Server 2008, SQL Server 2008 and Visual Studio 2008. Revenue growth was primarily driven by continued customer demand for all products, including Windows Vista, which has sold over 180 million licenses since launch, the 2007 Microsoft Office system, server software, and Xbox 360 consoles and games.
Nice Sidebar Gadget: System Control
I found a nice Sidebar Gadget for Vista users.
“System Control is much more than your average shutdown gadget. Aside from the normal Shutdown, Restart, Lock, and Sleep / Hibernate, we give you Switch User, Log Off, Task Manager, Run Window, and Command Prompt. All of those buttons can be re-ordered or disabled / enabled.”