Question
Tuesday, May 11, 2010 2:25 PM
We are trying to roll out BitLocker on all the company laptops. My problem: even though our GPO seems to not allow it, individual users are able to disable BitLocker. We have a problem with this, as we don't want our workers in the field, who hold client data, to be able to disable the encryption. Or if they do, we haven't found a way to show a notification that BitLocker has been disabled so that we know about it. Has anyone faced this issue, or know what I am doing wrong to stop this? Thanks.
All replies (3)
Tuesday, May 18, 2010 7:16 PM ✅Answered
I asked the same question to Microsoft -- they responded that you can use AppLocker policies to block execution of the Bitlocker "manage-bde.exe" tool.
Note that this will block execution of the tool itself, regardless of any command line switches. I have not been able to figure out how to selectively block specific switches (for example, to allow "manage-bde.exe -status" to get current encryption status but to deny "manage-bde.exe -off" which decrypts and disables Bitlocker). Because of this limitation we opted to use a 3rd-party tool (BeyondTrust Privilege Manager) to accomplish this.
This link is to TechNet's article on AppLocker:
http://technet.microsoft.com/ja-jp/library/ee619725%28WS.10%29.aspx
Given all that, if you think AppLocker may be good enough for you, here are steps to enable the rules:
1: Open the Services Control Manager (services.msc) and start the "Application Identity" service.
2: Open the Security Policy editor (secpol.msc).
3: Expand Application Control Policies, then click AppLocker
4: Click "Configure Rule Enforcement" and choose whether you want to Enforce or Audit the Executable Rule. (do Audit first so that you can understand the behavior and don't accidentally blow up your machine).
5: Right-click on Executable Rules and create the DEFAULT rules. These 3 rules allow users to execute files in the ProgramFiles and Windows folders (and allows local admins to execute any program regardless of the location). It is VERY important to create the DEFAULT rules because any application that is not explicitly addressed by AppLocker rules is prohibited from running. So you could theoretically lock yourself out and render Windows inoperative if you don't configure the rules correctly.
6: Right click on Executable Rules and create a new rule to DENY access on "manage-bde.exe" to the Everyone group (default).
7: Reboot, log in, and now if you open a command prompt and try to run "manage-bde -status" you should get a message that this command is blocked by Group Policy.
SOME NOTES:
* These steps are for testing on a single PC; setting the Application Identity and AppLocker rules on a domain should be done with Group Policy. This is a good tutorial for just that: http://www.windowsnetworking.com/articles_tutorials/Introduction-AppLocker-Part1.html
* DENY rules take precedence over ALLOW rules, which is why explicitly denying manage-bde.exe will run after the three default ALLOW rules that allow users to execute all applications.
* To view the results of an AppLocker rule, check the Security logs in Event Viewer
* You could use a path rule to block c:\windows\system32\manage-bde.exe but if a user simply copied the file to c:\temp, you're screwed. The hash rule is more useful because the hash of the file never changes regardless whether the user renames the file or moves it to a different folder (this is also the weakness of the hash rule because if Microsoft ever patches manage-bde.exe, say in a service pack or a security update, then the hash will no longer be valid and the rule will break).
* Of course, you'll need to protect the user from killing the Application Identity service (AppIDSvc), without which the AppLocker rules cannot be enforced. I'll leave that as an exercise to the reader. ;-)
Roland Thomas
Life Motto #1: "Live your life like you give a damn."
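The single-PC test above (steps 1 through 7), as a scripted version run from an elevated PowerShell prompt. This is an added example and is not code from the original thread or from Microsoft; it uses only the AppLocker module cmdlets (`Get-AppLockerFileInformation`, `New-AppLockerPolicy`, `Set-AppLockerPolicy`, `Test-AppLockerPolicy`). It creates the three default Allow rules as policy XML, adds a Deny-by-hash rule for manage-bde.exe (hashing the SysWOW64 copy too where one exists, since the hash rule only covers the exact bytes it was built from), applies the policy in AuditOnly mode, and then reads back AppLocker's decisions. The scratch file path and the rule names are this example's own choices; `New-AppLockerPolicy` has no Deny option, so the generated Allow rule is flipped to Deny before it is merged in.

```powershell
# Added example (not from the original post): scripted AppLocker deny rule
# for manage-bde.exe, applied locally in AuditOnly mode. Run elevated.
Import-Module AppLocker

$policyFile = Join-Path $env:TEMP 'deny-manage-bde.xml'   # assumption: scratch path

# Step 1: AppLocker rules are only evaluated while the Application Identity
# service (AppIDSvc) is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Steps 4 and 5: the three default Allow rules as AppLocker policy XML, with the
# collection set to AuditOnly. Without these rules every executable not named
# in a rule is blocked. S-1-1-0 is Everyone, S-1-5-32-544 is BUILTIN\Administrators.
[xml]$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder"
                  Description="Everyone may run from Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder"
                  Description="Everyone may run from Windows" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files"
                  Description="Local admins may run anything" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Step 6: Deny-by-hash rule for manage-bde.exe. Hash every copy that exists so a
# user cannot dodge the rule by running the 32-bit copy on a 64-bit machine.
# A patched manage-bde.exe has a new hash and silently falls outside this rule.
$targets = @("$env:SystemRoot\System32\manage-bde.exe",
             "$env:SystemRoot\SysWOW64\manage-bde.exe") | Where-Object { Test-Path $_ }

# New-AppLockerPolicy only emits Allow rules, so flip each generated rule to
# Deny and import it into the policy built above.
[xml]$hashPolicy = Get-AppLockerFileInformation -Path $targets |
    New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix 'Deny manage-bde' -Xml

foreach ($rule in $hashPolicy.AppLockerPolicy.RuleCollection.FileHashRule) {
    $rule.Action = 'Deny'
    [void]$policy.AppLockerPolicy.RuleCollection.AppendChild($policy.ImportNode($rule, $true))
}
$policy.Save($policyFile)

# Apply to the local security policy (the GUI equivalent of secpol.msc edits).
Set-AppLockerPolicy -XmlPolicy $policyFile

# Step 7, without rebooting: ask AppLocker how the policy decides for each file.
# Deny wins over the default Allow rules, so PolicyDecision should read
# "Denied" even for the administrator running this script.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $targets |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Once users have tried manage-bde, AppLocker's own operational log holds the
# decisions: event 8003 = would have been blocked (AuditOnly), 8004 = blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*MANAGE-BDE.EXE*' } |
    Select-Object TimeCreated, Id, Message | Format-List
```

Two caveats a practitioner will want before switching `EnforcementMode` to `Enabled`: the Deny rule is scoped to Everyone, so it also stops administrators (including the help desk) from running `manage-bde -status`, which is exactly the all-or-nothing limitation the answer describes; and nothing in this script stops a local administrator from stopping AppIDSvc, which removes enforcement entirely. Applying the same XML through Group Policy rather than `Set-AppLockerPolicy` is the domain-wide equivalent.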
Thursday, May 13, 2010 7:57 PM
Are the users administrators of the computers? If they are, they can probably disable it; that's a shot in the dark.
Tuesday, May 18, 2010 2:31 PM
I have yet to find a way to not allow local admins the rights to disable it either.