Delegating permissions to BitLocker recovery keys

BitLocker is a useful hard drive encryption tool supported by the Enterprise and Ultimate versions of Windows7. Recovery is handled through the use of 48-digit keys that are generated for each host running BitLocker. Best practice and common sense is to configure your environment so that the recovery keys are stored in Active Directory. There are a number of scenarios in which the use of these keys are required to gain access to the OS. By default only members of the Domain Admins group has access to these keys which is very inconvenient if you have a delegated support staff that are not domain admins. 

You can grant your support group full control to the AD container housing computers with BitLocker enabled and they will still not be able to see the recovery keys. Delegation of this access is done via a script. Just copy the text below, save it to a file with a .vbs extension, and run cscript whatever.vbs from a DC or workstation with a Domain Admin logged in. The only thing you need to change in this script is the second line: enter whatever your support AD group is called here. This all of course only applies to Server 2008/R2 and Windows7.

'To refer to other groups, change the group name (ex: change to "DOMAIN\Help Desk Staff")
strGroupName = "DOMAIN\Help Desk Staff" 

' --------------------------------------------------------------------------------
' Access Control Entry (ACE) constants
' --------------------------------------------------------------------------------

'- From the ADS_ACETYPE_ENUM enumeration
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT      = &H5  'Allows an object to do something

'- From the ADS_ACEFLAG_ENUM enumeration
Const ADS_ACEFLAG_INHERIT_ACE                = &H2  'ACE applies to target and inherited child objects
Const ADS_ACEFLAG_INHERIT_ONLY_ACE           = &H8  'ACE does NOT apply to target (parent) object

'- From the ADS_RIGHTS_ENUM enumeration
Const ADS_RIGHT_DS_CONTROL_ACCESS      = &H100 'The right to view confidential attributes
Const ADS_RIGHT_DS_READ_PROP                 = &H10  ' The right to read attribute values

'- From the ADS_FLAGTYPE_ENUM enumeration
Const ADS_FLAG_OBJECT_TYPE_PRESENT           = &H1  'Target object type is present in the ACE
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2  'Target inherited object type is present in the ACE

' --------------------------------------------------------------------------------
' BitLocker schema object GUID's
' --------------------------------------------------------------------------------

'- ms-FVE-RecoveryInformation object:
'  includes the BitLocker recovery password and key package attributes
SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}"

'- ms-FVE-RecoveryPassword attribute: 48-digit numerical password
SCHEMA_GUID_MS_FVE_RECOVERYPASSWORD = "{43061AC1-C8AD-4CCC-B785-2BFAC20FC60A}"

'- ms-FVE-KeyPackage attribute: binary package for repairing damages
SCHEMA_GUID_MS_FVE_KEYPACKAGE = "{1FD55EA8-88A7-47DC-8129-0DAA97186A54}"

'- Computer object
SCHEMA_GUID_COMPUTER = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"

'Reference: "Platform SDK: Active Directory Schema"

' --------------------------------------------------------------------------------
' Set up the ACE to allow reading of all BitLocker recovery information properties
' --------------------------------------------------------------------------------

Set objAce1 = createObject("AccessControlEntry")

objAce1.AceFlags = ADS_ACEFLAG_INHERIT_ACE + ADS_ACEFLAG_INHERIT_ONLY_ACE
objAce1.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce1.Flags = ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT

objAce1.Trustee = strGroupName
objAce1.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS + ADS_RIGHT_DS_READ_PROP
objAce1.InheritedObjectType = SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION

' Note: ObjectType is left blank above to allow reading of all properties

' --------------------------------------------------------------------------------
' Connect to Discretional ACL (DACL) for domain object
' --------------------------------------------------------------------------------

Set objRootLDAP = GetObject("LDAP://rootDSE")
strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

Set objDomain = GetObject(strPathToDomain)

WScript.Echo "Accessing object: " + objDomain.Get("distinguishedName")

Set objDescriptor = objDomain.Get("ntSecurityDescriptor")
Set objDacl = objDescriptor.DiscretionaryAcl
 
' --------------------------------------------------------------------------------
' Add the ACEs to the Discretionary ACL (DACL) and set the DACL
' --------------------------------------------------------------------------------

objDacl.AddAce objAce1

objDescriptor.DiscretionaryAcl = objDacl
objDomain.Put "ntSecurityDescriptor", Array(objDescriptor)
objDomain.SetInfo

WScript.Echo "SUCCESS!"

Once the script has run successfully, the BitLocker Recovery tab will now be accessible in ADUC and ADAC.

 

Reference:

TechNet

No comments:

Powered by Blogger.