BitLocker management via ActiveRoles, anyone?

We've switched a couple of times in my tenure between expensive and complex encryption products ... moving from one hot mess to another.

They get the job done, but each baby comes with its own special formula and brand of diaper.

Now, we're looking at BitLocker. I've been asked to provide information on what ActiveRoles features are available for managing access to BitLocker information for our helpdesk. This forum has some posts, but nothing useful written in this century. Does anyone use BitLocker in their environment and use ActiveRoles to provide delegated access to host keys etc.? Do you have a link to additional quality information about how/what ARS provides along these lines?

I see the link in the web interface(s) and have followed the rabbit trail there, but I'm looking for some reading material... or advice.

Thanks

  • Hi,

    We're using this functionality - BitLocker stores the keys in AD and by default AR doesn't allow anybody to see any of that info. I then allow read + list access to the attribute "ms-FVE-RecoveryInformation" which exposes the information in the BitLocker tab of computer objects and allows delegated admins to copy the keys from the object page.

    I combine this access template with access to the LAPS attribute, which we use for storing the computer's random/unique local Administrator password. In this way, certain delegated AR service desks can see both the local admin password of a machine and the BitLocker recovery keys. They cannot make any changes to either (that's what the machine does itself, directly in AD). Hope this helps; cheers,

    Michiel


    Edit: Sorry, have to correct myself here - checked up on our setup and it's slightly different:

    • By default, when someone has permission to "Read all Properties" on all classes, they can see the BitLocker keys as well
    • To hide BitLocker keys for generic staff, I blocked access for all users to all properties for class "ms-FVE-RecoveryInformation" (so it's not an attribute for the computer object!)
    • To allow some people to see the keys, I again allow access to class "ms-FVE-RecoveryInformation"; this is what that allow policy looks like (top 2 values are for LAPS, bottom 2 for BitLocker):

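The structural point in the post above (LAPS is an attribute on the computer object; BitLocker recovery keys are separate child objects of class ms-FVE-RecoveryInformation under the computer) is easy to verify from the delegated account's side. The script below is an added example, not code from the thread or from One Identity; it uses only the Microsoft RSAT ActiveDirectory module and queries a domain controller directly, so it is checked against the native AD ACL rather than an ActiveRoles access template. Run it once as a delegated service-desk account and once as an ordinary user to confirm that what each can see through AD matches what ActiveRoles exposes in the BitLocker tab. The computer name and the legacy LAPS attribute name (ms-Mcs-AdmPwd) are assumptions for illustration.

```powershell
# Added example (not from the original thread): show the two different
# places in AD where LAPS and BitLocker data live, and report what the
# *current caller* can actually read from each.
# Assumes: RSAT ActiveDirectory module on a domain-joined host, legacy LAPS
# schema (ms-Mcs-AdmPwd); the computer name below is hypothetical.
Import-Module ActiveDirectory

function Get-DelegatedComputerSecrets {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName
    )

    # 1) LAPS: a plain attribute ON the computer object, so "Read all
    #    properties" on class computer is enough to expose it.
    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
    $lapsPassword = $null
    try {
        $lapsPassword = (Get-ADComputer -Identity $ComputerName `
            -Properties 'ms-Mcs-AdmPwd' -ErrorAction Stop).'ms-Mcs-AdmPwd'
    } catch {
        # Attribute absent from the schema (no legacy LAPS) or not readable.
        Write-Verbose "LAPS attribute not readable: $($_.Exception.Message)"
    }

    # 2) BitLocker: NOT an attribute of the computer. Each escrowed recovery
    #    password is its own child object of class msFVE-RecoveryInformation,
    #    one level below the computer object. That is why the deny/allow has
    #    to target that class, not the computer's properties.
    $keyObjects = Get-ADObject -SearchBase $computer.DistinguishedName `
        -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated

    if (-not $keyObjects) {
        # Either nothing was ever escrowed, or the caller lacks list access
        # on the msFVE-RecoveryInformation class: both look identical here.
        Write-Warning "No msFVE-RecoveryInformation objects visible under $($computer.DistinguishedName)."
    }

    foreach ($k in $keyObjects) {
        # msFVE-RecoveryGuid is stored as an octet string (byte[]); convert
        # it so it can be matched against the Password ID on the recovery screen.
        $recoveryGuid = $null
        if ($k.'msFVE-RecoveryGuid') {
            $recoveryGuid = [guid]::new([byte[]]$k.'msFVE-RecoveryGuid')
        }
        [pscustomobject]@{
            Computer         = $computer.Name
            LapsPassword     = $lapsPassword
            KeyCreated       = $k.whenCreated
            RecoveryGuid     = $recoveryGuid
            # Listed object but $null password here means: list access on the
            # class, but no read on the msFVE-RecoveryPassword attribute.
            RecoveryPassword = $k.'msFVE-RecoveryPassword'
        }
    }
}

# Usage (hypothetical computer name):
Get-DelegatedComputerSecrets -ComputerName 'WKS-0001' | Format-List
```

Two outcomes are worth distinguishing when you run this as the delegated account: an empty result means the account cannot even list objects of class msFVE-RecoveryInformation under the computer, while listed objects with a null RecoveryPassword mean list access exists but read on the attribute does not. Also remember that an ActiveRoles access template restricts what goes through ActiveRoles; a query straight against a domain controller like this one is governed by the native AD ACL, so both paths need to be checked before assuming generic staff are locked out.
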
  • Hi Michael,

    This is exactly what I'm trying to achieve.

    How did you block all other users? I'm asking because using generic groups like Everyone or Domain Users blocks the access even for the intended readers, who are obviously also members of the generic group used for the deny rule.

    Are you applying the rules on the same OU or root level?

    Thanks,

    Donat
