Chapter 6: Post-Boot Protection-Code Integrity, New Code Signing Rules, and PatchGuard

Planning for BitLocker Deployment

We not sure that our editor will let us talk about what you need to do first as the last section in the chapter, but now that you know how BitLocker works, you're equipped to start planning how to use it. And, indeed, there should be some planning done as you roll out Vista to your business.

While you don't want to be getting the call at 2 a.m. from your boss's boss wanting to know why your company's data is now for sale on the black market; you probably also don't want him calling because he fat-fingered his PIN when he created it and can never get back into his MP3 collection, either.

So, here are things to consider in your planning:

• Hardware requirements. Some business are finding BitLocker to be valuable enough to warrant accelerated purchases of TPM-equipped computers, while others are phasing them in over a longer time. Even without a TPM, though, a computer must have a compatible BIOS to use BitLocker with a startup key.

• Review existing infrastructure and processes. How do you configure new machines as they are received now? Do you want to script BitLocker disk conversion as part of a scripted Windows Vista install?

• Key TPM logistics. Has the EK been set by the computer manufacturer? Who will take ownership of the TPM? How will you address physical presence requirements? Is the TPM enabled and activated, or is it "hidden" by some strange BIOS setting.

• Talk with your hardware supplier or manufacturer. Find out how they propose to address these TPM logistics. Do they build computers with custom images for your company? Will the computers be Vista-logo-compliant? Are the disks being partitioned at the factory in a BitLocker-supported way? What is their plan for all those computers you bought just last year?

• Define BitLocker configuration and key protectors. What protectors will you use? Where will recovery information be stored, how will it be managed? Which computers, users, or types of data require PINs or startup keys?

• Define security and recovery policies. What will you do when a computer enters recovery mode…at headquarters? on the road? What is the response time for getting recovery information out of Active Directory Domain Services? Who will have access to the AD DS information? How will you determine root cause? Don't forget to plan to re-create new keys and recovery material if you've had to recover a computer in the field or give them to a third party.

• Define a computer retirement/decommissioning policy. What level of sanitizing is required? Are internal transfers of equipment subject to the same rules as ultimate disposal?

• Plan and then configure Active Directory Domain Services. You should be using a change management process with your production Active Directory Domain Services installation. Who needs permissions to read recovery data to help users? Do you have multiple forests? (Then you have multiple schemas.) Determine what needs to be changed, and acquire and test any required scripts before implementation.

• Configure Group Policy. Again, change management is your friend. Avoid any surprises by selecting and testing the Group Policy settings. Remember that changes to the encryption setting must be made before you start encrypting disks.