Microsoft BitLocker Administration and Monitoring (MBAM)

To be honest, I hadn’t heard of this MBAM toolset until this morning; it’s tucked away in MDOP (Microsoft Desktop Optimization Pack).  In Microsoft’s words:

“Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface to BitLocker drive encryption (a feature included in Windows 7 Enterprise/Ultimate). MBAM lets you select BitLocker encryption policy options appropriate to your enterprise so that you can monitor client compliance with those policies and report on the encryption status of the enterprise in addition to individual computers. Also, you can access recovery key information when a user forgets their PIN or password, or when their BIOS or boot record changes”.

It includes:

  • Administration & monitoring server: here you have the admin console and a portal, apparently with self-service support for recovery.
  • Compliance and audit database: stores compliance data for managed clients.
  • Recovery & hardware database: stores recovery data for managed clients.
  • Compliance & audit reports: use SQL Reporting Services to generate reports from the databases.
  • Group policy template: configure managed clients using AD GPO.
  • Microsoft BitLocker Administration and Monitoring client agent: used to manage and configure machines for BitLocker, and to return data to the above administration components.
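To make the compliance-reporting idea concrete, here is an added example (not MBAM's own code and not from the original post) of a small local check of the kind the client agent and compliance database are there to centralise: it walks each BitLocker volume, records its encryption and protection state and the protector types, and flags an OS volume that relies on the TPM alone with no pre-boot PIN, or that has no recovery password to escrow. It assumes the BitLocker PowerShell module (Get-BitLockerVolume, available from Windows 8 / Server 2012 onwards); the Windows 7 clients the post mentions would expose the same information through manage-bde.exe -status and manage-bde.exe -protectors -get. The policy encoded in the checks and the collector share path are assumptions for illustration.

```powershell
# Added example: local BitLocker compliance snapshot in the spirit of MBAM reporting.
# Assumes the BitLocker module (Windows 8 / Server 2012+). The policy below
# (TPM+PIN on the OS volume, recovery password escrowed) is an assumed baseline.

function Get-BitLockerComplianceReport {
    param(
        [string]$OsDrive = $env:SystemDrive
    )

    # Protector types that require something beyond the TPM at boot.
    $pinProtectors = @('TpmPin', 'TpmPinStartupKey')

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $isOs     = ($vol.MountPoint -eq $OsDrive)
        $findings = @()

        # Anything other than FullyEncrypted means clear-text data on disk.
        if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
            $findings += "volume is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
        }
        # Protection 'Off' on an encrypted volume means the key is stored in the clear (suspended).
        if ("$($vol.ProtectionStatus)" -ne 'On') {
            $findings += "protection is $($vol.ProtectionStatus)"
        }
        # TPM-only unlock: the disk decrypts with no user factor at all.
        if ($isOs -and ($types -contains 'Tpm') -and -not ($types | Where-Object { $pinProtectors -contains $_ })) {
            $findings += 'OS volume is TPM-only (no pre-boot PIN)'
        }
        # Without a recovery password there is nothing for the recovery database to hold.
        if (-not ($types -contains 'RecoveryPassword')) {
            $findings += 'no recovery password protector to escrow'
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            MountPoint   = $vol.MountPoint
            VolumeStatus = "$($vol.VolumeStatus)"
            Protection   = "$($vol.ProtectionStatus)"
            Protectors   = ($types -join ',')
            Compliant    = ($findings.Count -eq 0)
            Findings     = ($findings -join '; ')
        }
    }
}

# Usage: show the report locally, or drop it on a collector share (placeholder path).
Get-BitLockerComplianceReport | Format-Table -AutoSize
# Get-BitLockerComplianceReport | Export-Csv -NoTypeInformation "\\COLLECTOR-PLACEHOLDER\BitLockerReports\$env:COMPUTERNAME.csv"
```

The point of the `Compliant` and `Findings` columns is that they are the two things a central console actually wants from every client: a yes/no against policy, and the reason when the answer is no. Run under a scheduled task and shipped to a share or database, this is the shape of data the MBAM compliance reports are built on.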

Documentation for MBAM can be downloaded from here.


The BitLocker “Crack”

Microsoft releases a new operating system and everyone wants to make a headline.  It happened 2 years ago and it’s happening again.

This time some people are claiming they’ve broken BitLocker.  Their attack vectors work two ways:

  1. Attack the machine while it’s running and a user is logged in.  That way they can scan the RAM for cached BitLocker keys.  If you have the machine while it’s logged in then you have access to the data.  Pointless.
  2. Gain access to the machine to attack the hardware.  Install something to capture the PIN as the machine boots up.  Then steal the machine or gain access to it again and use the captured data to access the hard disk data.

That last one would be a threat, admittedly.  It’s a far-fetched one for laptops, but it’s feasible.  I’m guessing that BitLocker with a smart card would beat that one, assuming the smart card is not kept with the laptop.  We know how lazy people can be so – eek.  And potentially the latter approach is one to attack on-premises physical servers.

I guess we’ll see.
