BitLocker PIN Service

During the last few weeks I have been involved with a customer that needed a tool to control the boot PIN for BitLocker, as their security policy states that all hard drives must be encrypted and protected by a PIN, and that users may not be administrators on their machines. The boot PIN cannot be set without administrative rights (local administrator) on the system, but at the same time it is something your users need to know and be in control of. To mitigate this issue/feature there is a tool floating around the net called the BitLocker PIN Tool. This tool uses a DOS console to get the user to enter a PIN. While this works great for people with moderate to high computer knowledge, some users struggle with the tool (since it is command line). So I decided to take some spare time to develop a tool for this. I call it the BitLocker PIN Service, and I have thrown some central-administration support into it as well.

The application consists of two parts: an administration service that runs in the context of the local system, and a client that runs in user mode to give the user a GUI. The client and service are completely separated and do not live within the same DLL or files in any way. All authentication, authorization and dirty work is done within the service part of the application to ensure maximum security. The service will allow any user that is permitted (regardless of whether they are a local admin or not) to change the boot PIN. To get authorized you need to 1) be a member of a local group called BLPinAdmins, or 2) be a member of a domain group in your default domain called BLPinAdmins_<machine name>. This ensures that you can use either local groups or domain-based groups, as you prefer. This is what the GUI looks like:

Pretty simple, huh? Under Protectors you can see which protectors there are. This tool only works with Demanding, and if it is not present the protector will be created. When you have hit the Change PIN >> button you will most hopefully get this dialog:

The application then terminates without any further dialogs. The application should be started from the Desktop or Start menu link whenever you need to change the boot PIN code. There are, however, some more advanced options available via group policy (local or domain based) to ensure even better security and, foremost, more control of the PIN code and enforcement of how often it should be changed. First let's look at the settings:

Options are as follows:

  • Local BLPin Administrators group name = if you “need” to change the group name of the BLPin users on the local computer, you can set a new name here.
  • Allow all users = let all users who have the log-on-locally privilege set the code (shared computers, perhaps?).
  • Start client on logon = start the client on each logon. This should be used in conjunction with the Force PIN-change interval. The client will quit if it is not time to set a new PIN.
  • Force PIN-change interval = if the client is started and this number of days has passed since the last new PIN was set, then remove the “Exit” button and the Control Box and display the GUI, “forcing” the user to change the PIN.
  • Domain BLPin Administrators group name = if you “need” to change the group name of the BLPin users in Active Directory, you can set a new name here.
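As an added example (not the BitLocker PIN Service's own code), here are the two rules described above, the group-based authorization check and the "Force PIN-change interval" decision, written in PowerShell. It assumes the group names and domain name are supplied as parameters (the post does not say how the service discovers the default domain, so the user's logon domain is used), and that the date of the last PIN change is passed in, since the post does not describe where the service stores it.

```powershell
# Added example, not the tool's own code: the authorization rule and the forced PIN-change rule from the post.
function Test-BLPinAuthorized {
    param(
        # Identity to check; the real service would evaluate the calling user's token.
        [System.Security.Principal.WindowsIdentity]$Identity =
            [System.Security.Principal.WindowsIdentity]::GetCurrent(),
        # Group names follow the post's defaults and the two policy settings that rename them.
        [string]$LocalGroupName  = 'BLPinAdmins',
        [string]$DomainGroupName = "BLPinAdmins_$env:COMPUTERNAME",
        # Assumption: the user's logon domain stands in for the "default domain".
        [string]$DomainName      = $env:USERDOMAIN,
        # Mirrors the "Allow all users" policy option.
        [switch]$AllowAllUsers
    )
    if ($AllowAllUsers) { return $true }

    $principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)
    # Rule 1: member of the local group; rule 2: member of the per-machine domain group.
    $candidates = @("$env:COMPUTERNAME\$LocalGroupName", "$DomainName\$DomainGroupName")
    foreach ($group in $candidates) {
        # IsInRole(string) returns $false when the name cannot be resolved
        # (no such group, or a workgroup machine), so no exception handling is needed.
        if ($principal.IsInRole($group)) { return $true }
    }
    return $false
}

function Test-BLPinChangeDue {
    param(
        [Parameter(Mandatory)][datetime]$LastPinChange,
        [Parameter(Mandatory)][int]$ForceIntervalDays,
        [datetime]$Now = (Get-Date)
    )
    # An interval of 0 (or negative) means the policy is not configured: never force.
    if ($ForceIntervalDays -le 0) { return $false }
    return (($Now - $LastPinChange).TotalDays -ge $ForceIntervalDays)
}

# Usage: decide what the client should do when started on logon (dates are constructed sample values).
if (Test-BLPinAuthorized) {
    if (Test-BLPinChangeDue -LastPinChange (Get-Date '2011-01-01') -ForceIntervalDays 90) {
        Write-Host 'Show the GUI without Exit/Control Box: PIN change is forced.'
    } else {
        Write-Host 'Not time yet: client quits.'
    }
} else {
    Write-Host 'Not authorized to change the boot PIN.'
}
```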

If you think this sounds like a nice tool: I’m offering it free to anyone who needs it, without warranties or support (except for this post).
If you like the tool, please send me an email! If you find a bug, please send me an email!
If you need the source code or a supported version, that is also possible for a small fee.
When bugs are found, updates are available or there is other important information, I will send it by mail to all registered users.

SharePoint Connections Amsterdam 2011

I will be joining Steve Fox, Mirjam van Olst, Wouter Van Vugt, Asif Rehmani and many others presenting at SharePoint Connections on Tuesday the 22nd and Wednesday the 23rd in the Meervaart in Amsterdam. I have three full sessions, listed below. See you there!

Visit the event website at http://nccomms-events.com/sharepointconnections/

Using Facebook, LinkedIn, MySpace or Live to sign in
SharePoint has become one of the most interesting platforms for building communities. A successful community must also have a secure and easy way of managing users and logins. Through its native support for Claims, SharePoint is able to use external authentication gateways or an STS to perform authentication. To put it in simple words, you could log in to SharePoint using Microsoft Live authentication, Facebook, LinkedIn and many more. During this presentation I will outline the components of Claims authentication with practical demos, and build a custom authentication gateway (STS) that connects to multiple external services like Live and Facebook to make it very easy for users to authenticate to SharePoint.

Demystifying Claims
With SharePoint 2010 administrators had the honor of being one of the first to administer software that had native support for Claims. Compared to NTLM, which many still use today, Claims is a giant leap and there is much new technology to learn. At the same time administrators have less and less time to learn new technologies. During this session we will uncover some of the great mysteries of Claims by simple examples and lots of demos.

PowerShell for non-programmers
SharePoint 2010 opened the doors to easy administration using PowerShell scripts, making everyday tasks simple and easy to repeat. But it also opened the door to creating PowerShell functionality within SharePoint, to make a site or function easy to change and dynamic. In this session we will look at how you can use PowerShell to hook into functionality in SharePoint and process data with PowerShell.