In this article, you will learn everything you need to know about the Client Management functionalities: BitLocker, Scripting, and USB Management.
1. BitLocker
2. Scripting
3. USB Management
BITLOCKER
BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the device's hard drive to a different device. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, rendering data inaccessible when BitLocker-protected devices are decommissioned or recycled.
BitLocker provides maximum protection when used with a Trusted Platform Module (TPM), which is a common hardware component installed on Windows devices. The TPM works with BitLocker to ensure that a device hasn't been tampered with while the system is offline. In addition to the TPM, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device that contains a startup key. These security measures provide multifactor authentication and assurance that the device can't start or resume hibernation until the correct PIN or startup key is presented.
On devices that don't have a TPM, BitLocker can still be used to encrypt the operating system drive. This implementation requires the user to either:
- use a startup key, which is a file stored on a removable drive that is used to start the device, or when resuming from hibernation;
- use a password. This option isn't secure, since it's subject to brute-force attacks because there is no password lockout logic. As such, the password option is discouraged and disabled by default.
Neither option provides the preboot system integrity verification offered by BitLocker with a TPM.
System requirements
BitLocker has the following requirements:
- For BitLocker to use the system integrity check provided by a TPM, the device must have TPM 1.2 or later versions. If a device doesn't have a TPM, saving a startup key on a removable drive is mandatory when enabling BitLocker;
- A device with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the preboot startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware;
- The system BIOS or UEFI firmware (for TPM and non-TPM devices) must support the USB mass storage device class, and reading files on a USB drive in the preboot environment;
- The hard disk must be partitioned with at least two drives:
a. The operating system drive (or boot drive) contains the OS and its support files. It must be formatted with the NTFS file system;
b. The system drive contains files required to boot, decrypt, and load the operating system. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive:
- must not be encrypted;
- must differ from the operating system drive;
- must be formatted with the FAT32 file system on computers that use UEFI-based firmware, or with the NTFS file system on computers that use BIOS firmware;
- it's recommended that it be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space;
- When you encrypt the OS Volume with the TPM and PIN method, you need to make sure that the Require additional authentication at startup policy is enabled in the Local Computer Policy (Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives), because the HEIMDAL Agent does not perform any changes in the Local Policies.
BitLocker is supported on Windows 10 1607 (and later versions) and Windows Server 2012 (and later versions), and can be enabled on the following editions: Windows Pro, Windows Pro Education/SE, Windows Education, and Windows Enterprise.
IMPORTANT
The BitLocker feature is not automatically enabled on Windows Server. However, it can be manually enabled from the Windows Features by an Administrator. After manually enabling BitLocker from the Windows Features, the Windows Server endpoint requires a reboot to make the functionality available.
Encryption can take anywhere from a few minutes to a couple of hours, depending on the amount of data to be encrypted, the speed of the computer, and whether the process is interrupted by the computer being turned off or going to sleep. The BitLocker OS Drive encryption does not start until the computer is restarted. If work must be completed, it is safe to complete and save it before restarting. If the computer is turned off or goes into hibernation, the BitLocker encryption or decryption process resumes where it stopped the next time Windows starts; this holds even if power is lost suddenly.
The BitLocker module does not automatically update the Recovery Key when it's modified. To refresh the information, you will need to decrypt and re-encrypt the endpoint. This will ensure that the latest data is transferred to the Dashboard.
BitLocker Management view
The BitLocker Management view serves as a central hub for monitoring BitLocker encryption across devices. On the top, you see statistics regarding the number of Active servers, Active endpoints, Fully Secured Devices, Partially Secured Devices, Unsecured Devices, and Unavailable Recovery Keys Devices.
The collected information is placed in the Standard view, where you can see details referring to the Hostname, Username, Last Seen, Protection Status, Recovery Key, and Error status:
The Protection Statuses range between Fully Secured (all volumes on the devices are protected), Partially Secured (at least one volume on the device is not protected), and Unsecured (no volumes on the device are protected). The Recovery Key can be Backed up (the recovery key for all volumes is stored in our database), Partially Backed Up (the recovery keys for some volumes are missing in our database), and Unavailable (no recovery keys for any volume are stored in our database).
The Download CSV functionality allows you to generate and download a CSV report that includes all the information displayed in the Standard view. The Filters functionality allows you to filter entries by Protection Status and/or Recovery Key.
BitLocker client specifics
The client specifics provide detailed information about the client's encryption status. The general TPM information displays the TPM Status (active or inactive), the TPM Manufacturer Name, and the TPM Manufacturer Version. The table below includes information related to the Username associated with the volume, the Volume Name, the Volume Type, the Protection Status, the Encryption Status, the Encryption, the Protector, the Auto-Unlock status, the Volume size, and the Recovery Key.
BitLocker settings
Enabling BitLocker Management will enable BitLocker on the endpoints applying the Group Policy.
BitLocker Management - turn ON/OFF the BitLocker product/service;
Force disk encryption - initiates the encryption process according to the following settings;
OS Volume - encrypts the System drive and displays the Encryption Method and the Key Protector Type that need to be configured;
- Encryption Method - allows you to choose between the encryption methods (XTS-AES 128-bit, XTS-AES 256-bit, AES-CBC 128-bit, AES-CBC 256-bit);
- Key Protector Type - allows you to select a Key Protector type (TPM and PIN or Passphrase).
Data Volumes - encrypts the data drive and displays the Encryption Method and the Key Protector Type that need to be configured;
- Encryption Method - allows you to choose between the encryption methods (XTS-AES 128-bit, XTS-AES 256-bit, AES-CBC 128-bit, AES-CBC 256-bit);
- Key Protector Type - comes with the Passphrase Key Protector type;
- Auto-Unlock - automatically unlocks volumes that don't host an operating system when the OS volume is unlocked. BitLocker uses encrypted information stored in the registry and volume metadata to unlock any data volumes that use automatic unlocking.
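The following is an added pre-flight check for the requirements and OS Volume settings described above (TPM present, the Require additional authentication at startup policy enabled locally, TPM and PIN as key protector), written as a PowerShell script of the kind that could be pushed through the Scripting feature; it is not Heimdal's own code. It assumes the policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE (the standard BitLocker policy key) and that the script runs elevated.

```powershell
# Added example (not Heimdal's code): verify the prerequisites for encrypting the OS volume
# with the TPM and PIN key protector before turning on Force disk encryption.
# Exit code 0 = ready, 1 = something must be fixed first. Run elevated (e.g. as SYSTEM).
$problems = @()

# 1. A TPM 1.2 or later must be present and ready; without one only a startup key works.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent)   { $problems += 'No TPM detected; a USB startup key would be required instead.' }
elseif (-not $tpm.TpmReady) { $problems += 'TPM present but not ready (disabled or not owned).' }

# 2. "Require additional authentication at startup" must already be enabled locally, because
#    the agent does not change local policy. The policy stores its options under this key.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.UseAdvancedStartup -ne 1) {
    $problems += 'Policy "Require additional authentication at startup" is not enabled (UseAdvancedStartup is not 1).'
}
elseif ($fve.UseTPMPIN -notin 1, 2) {
    $problems += 'Policy does not allow a TPM startup PIN (UseTPMPIN should be 1 = require or 2 = allow).'
}

# 3. Current state of the OS volume: protection status, method and which protectors exist.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = @($os.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
[pscustomobject]@{
    Volume            = $os.MountPoint
    ProtectionStatus  = $os.ProtectionStatus
    EncryptionMethod  = $os.EncryptionMethod
    Protectors        = ($protectors -join ', ')
    RecoveryPasswords = @($protectors | Where-Object { $_ -eq 'RecoveryPassword' }).Count
} | Format-List

# The dashboard's recovery key is only refreshed by decrypting and re-encrypting, so an
# OS volume that is already protected without a TpmPin protector is flagged for review.
if ($os.ProtectionStatus -eq 'On' -and 'TpmPin' -notin $protectors) {
    $problems += "Volume is already protected with [$($protectors -join ', ')] but has no TpmPin protector."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Ready for TPM and PIN encryption of the OS volume.'
exit 0
```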
SCRIPTING
The Scripting feature allows you to push Batch/PowerShell scripts through the Windows Task Scheduler under the NT Authority\System user, which is used to launch scripts at pre-defined times or after specified time intervals.
Scripting view
The Scripting page displays all the information related to the scripts that are deployed through the HEIMDAL Agent. On the top, you see a statistic regarding the number of Available Scripts, Active Scripts, and the number of Scripts with errors.
The collected information is placed in the following views: Standard and Repository.
- Standard
This view displays a table with the following details: Hostname, Username, Task Name, Trigger, Resolution, and Timestamp.
The Resolution values are Error (this means the script has run but threw an error code) and Completed (this means the script has run successfully).
To provide more granularity regarding the outcome of script deployments, an Error log mechanism has been added to the Standard view (and to the corresponding Client Specifics view, reached by clicking a hostname), meant to help customers troubleshoot scripts with erroneous outcomes. Logged errors can be reviewed by clicking the "View details" button in the Resolution column. The corresponding icon is only displayed for entries with the "Error" resolution.
The actual error message is displayed in a pop-up window, as exemplified below. The resulting Error message (from the dashboard) is composed of the Error Logs generated in the Windows Event Viewer and the error generated by the script itself. The script error info is written in a log file stored in the Scripting directory.
The Scripting Error Log files are created in the (...\Heimdal\Scripting\Logs) directory, with the filename made up of the timestamp and the PID, as showcased in the picture below.
- Repository
This view displays a table with the following details: Script Name, Script Description, Timestamp, and Action.
New scripts can be added by pressing the Add new script button.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard mode corresponding to each view. The Filters functionality allows you to filter entries by Resolution.
IMPORTANT
In order to be able to see the resolution of the Scripting product in the HEIMDAL Dashboard, you need to make sure that the Task Scheduler logging is enabled in the Event Viewer logs (Applications and Services Logs -> Microsoft -> Windows -> TaskScheduler -> Operational).
Scripting settings
Enabling Scripting will enable Scripting on the endpoints applying the Group Policy.
Scripting - turn ON/OFF the Scripting functionality;
Add Task - allows you to create a new task that will deploy one of the scripts that you select from the repository.
General - here you can set a Task Name and a Task Description:
Triggers - allows you to select how a script is being triggered and when (the trigger type can be set to: On a Schedule, At Log On, At Start Up, On Idle, On Workstation Lock, On Workstation Unlock);
Once a trigger has been set, remember to turn the trigger ON.
Actions - allows you to select the script that you want to deploy (from the Repository);
Conditions - allows you to trigger an action on Idle conditions (start the task if the endpoint is idle for a specific time, stop it if the endpoint ceases to be idle, or restart if the idle state resumes) or Power conditions (start the task only if the endpoint is on AC power, stop if the endpoint switches to battery power or wake the endpoint to run the task);
Settings - allows you to configure multiple options: bypass execution protection (for PowerShell scripts), run the task as soon as possible after a scheduled start is missed, restart the task at the interval selected in the dropdown if it fails, and choose which of the available rules applies if the task is already running.
Scripts are deployed by the HEIMDAL Agent and can be seen within the Task Scheduler (under Task Scheduler Library -> Heimdal folder):
IMPORTANT
Remember that the scripts that you run with the HEIMDAL Agent are running under the NT Authority\System user. If you are trying to run a script that handles user profiles, it might not work or run correctly. Note also that the tasks created from the HEIMDAL Dashboard will not be visible to standard users, due to the differences in privilege levels between the NT Authority\System account and regular user accounts. If tasks created by SYSTEM were visible to standard users, it would expose sensitive system-level information that could potentially be exploited. For example, a task running as SYSTEM may have access to protected resources and data that a standard user is not supposed to see or modify.
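The following is an added skeleton for a PowerShell script deployed through the Scripting feature; it is not Heimdal's own code. It shows how to handle the SYSTEM context described above (no reliance on the interactive user's profile), how to surface failures as a non-zero exit code so the Resolution column shows Error, and how to confirm the Task Scheduler Operational log prerequisite. The log file path and the task path '\Heimdal\' (derived from the Heimdal folder in the Task Scheduler Library) are assumptions.

```powershell
# Added example (not Heimdal's own code): a skeleton for a PowerShell script pushed through
# the Scripting feature. It runs as NT AUTHORITY\SYSTEM, so it must not rely on the
# interactive user's profile (HKCU, $env:USERPROFILE); it writes its own log and exits
# non-zero on failure so the task shows up with Resolution = Error in the dashboard.
$ErrorActionPreference = 'Stop'
$log = Join-Path $env:ProgramData 'example-script.log'    # log path is an assumption
function Write-Log([string]$Message) { "$(Get-Date -Format o) $Message" | Add-Content -Path $log }

try {
    Write-Log "Running as $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

    # Prerequisite from this article: the Task Scheduler Operational log must be enabled
    # for the dashboard to receive a resolution. Check it instead of assuming it.
    $opLog = Get-WinEvent -ListLog 'Microsoft-Windows-TaskScheduler/Operational'
    if (-not $opLog.IsEnabled) {
        Write-Log 'TaskScheduler/Operational log is disabled; enabling it'
        wevtutil set-log 'Microsoft-Windows-TaskScheduler/Operational' /enabled:true
    }

    # Per-user work under SYSTEM: enumerate the profiles that are actually loaded instead
    # of touching "the current user", which is SYSTEM here and has no real profile.
    $profiles = Get-CimInstance Win32_UserProfile | Where-Object { $_.Loaded -and -not $_.Special }
    foreach ($p in $profiles) {
        if (-not (Test-Path "Registry::HKEY_USERS\$($p.SID)")) {
            Write-Log "Hive for $($p.SID) is not mounted; skipping"
            continue
        }
        Write-Log "Profile $($p.LocalPath) (SID $($p.SID)) is available for per-user actions"
        # Per-user actions go here, addressing Registry::HKEY_USERS\<SID> and $p.LocalPath.
    }

    # Report the tasks the agent created (Task Scheduler Library -> Heimdal) with their last
    # result; the task path below assumes that folder name maps to the path '\Heimdal\'.
    Get-ScheduledTask -TaskPath '\Heimdal\' -ErrorAction SilentlyContinue |
        Get-ScheduledTaskInfo |
        ForEach-Object { Write-Log ("Task {0}: last result 0x{1:X}" -f $_.TaskName, $_.LastTaskResult) }
}
catch {
    # Anything unhandled is logged and surfaced as a non-zero exit code, which the
    # Resolution column reports as Error (with "View details" showing the message).
    Write-Log "FAILED: $($_.Exception.Message)"
    Write-Error -Message $_.Exception.Message -ErrorAction Continue
    exit 1
}
exit 0
```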
USB MANAGEMENT
USB Management allows you to control the way the USB ports work inside your company. They can be restricted or allowed, depending on your preferences.
USB Management view
The USB Management page displays all the information related to the USB devices that are plugged in after enabling the USB Management service. On the top, you see a statistic regarding the number of USB Detections.
The collected information is placed in the Standard view.
- Standard
This view displays a table with the following details: Hostname, Username, Device name, Device ID, Hardware ID, Class ID, Action, and Timestamp. Selecting an entry will allow you to add the detected USB device to the Allowlist or to hide it from this view (by taking the Suppress action) and move it to the Show suppressed devices page. Adding a device to the Allowlist can be done based on the following criteria: Hardware ID, Class ID, or Device instance path.
- Show suppressed devices
This view displays a table that includes the hidden USB devices and the following details: Hostname, Username, Device name, Device ID, Hardware ID, Class ID, Action, and Timestamp. The devices that are disconnected and plugged in again will switch back to the Standard view.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard mode corresponding to each view. The Filters functionality allows you to filter entries by Resolution.
USB Management settings
Enabling USB Management will enable the USB Management on the endpoints applying the Group Policy.
USB Management - turn ON/OFF the USB Management functionality;
Disable USB Ports - allows you to disable Removable Media Devices from being connected to a computer. A computer reboot is required to activate/deactivate this function;
USB restrictive mode - this functionality will disable ALL USB devices found on the computer, except those on the allowed list. A computer reboot is required to activate/deactivate this function. USB restrictive mode will allow you to add a device to an allowlist (based on either Class or Hardware ID), thus allowing it to function;
USB Reporting mode - this functionality will monitor all the plugged-in USB devices without taking any action. All detected USB devices will be listed on the USB Management page;
USB Allowlist - allows you to whitelist a USB device based on Hardware ID, Class ID, or Device instance path. You can give a Friendly name to each entry and you can also import an Allowlist from a CSV file.
IMPORTANT
The Hardware ID differs based on the brand/model of the USB Device. The top entry is the most specific one, as shown below:
The Class ID is being shared by all USB Devices of the same type and this is how it can be found:
Allowing a single hardware ID is not enough to allow a single USB thumb drive. The IT admin also has to ensure that all the USB devices preceding the target one in the device tree are allowed (not blocked). In our case, the following devices have to be allowed so that the target USB thumb drive can be allowed as well:
- Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft) -> PCI\CC_0C03
- USB Root Hub (USB 3.0) -> USB\ROOT_HUB30
- Generic USB Hub -> USB\USB20_HUB
- USB Mass Storage Device
- Generic Flash Disk USB Device
USB devices nested under each other in the PnP tree
These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't prevent any external/peripheral device from being installed on the machine. Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing his/her machine through HID devices.
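The following is an added PowerShell helper (not Heimdal's own code) that walks the PnP parent chain of a USB device the way the list above does, so that every upstream device that also needs to be on the allowlist is visible before USB restrictive mode is enabled; it also flags chain entries that keyboards and mice depend on. It assumes the PnpDevice module (Windows 10 / Server 2016 and later) and that the first connected USB disk is the device of interest.

```powershell
# Added example (not Heimdal's own code): before allowlisting a USB device by Hardware ID in
# USB restrictive mode, walk its PnP parent chain and list every upstream device that must be
# allowed too (host controller, root hub, hubs, mass-storage device, as in the list above).
# Run elevated; needs the PnpDevice module (Windows 10 / Server 2016 and later).
param(
    # Device instance path of the target; defaults to the first connected USB disk.
    [string]$InstanceId = (Get-PnpDevice -Class DiskDrive -Status OK |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object -First 1 -ExpandProperty InstanceId)
)
if (-not $InstanceId) { Write-Error 'No connected USB disk found.'; exit 1 }

function Get-UsbAncestry([string]$Id) {
    $chain = @()
    $isTarget = $true
    while ($Id) {
        $dev = Get-PnpDevice -InstanceId $Id -ErrorAction SilentlyContinue
        if (-not $dev) { break }
        # Keep the target itself and every USB-class ancestor (hubs, composite devices,
        # mass-storage device, host controller); PCI/ACPI nodes above the controller are skipped.
        if ($isTarget -or $dev.Class -eq 'USB') {
            $chain += [pscustomobject]@{
                Name       = $dev.FriendlyName
                Class      = $dev.Class
                HardwareId = @($dev.HardwareID)[0]    # first entry is the most specific one
                InstanceId = $Id
            }
        }
        $isTarget = $false
        # DEVPKEY_Device_Parent holds the parent's instance path; it is absent at the tree root.
        $Id = (Get-PnpDeviceProperty -InstanceId $Id -KeyName 'DEVPKEY_Device_Parent' -ErrorAction SilentlyContinue).Data
    }
    [array]::Reverse($chain)    # root first, so it reads top-down like the list in the article
    return $chain
}

$chain = Get-UsbAncestry $InstanceId
$chain | Format-Table Name, Class, HardwareId -AutoSize

# On desktops, keyboards and mice usually hang off the same hubs. Flag chain entries that are
# also upstream of a HID device: blocking one of them would lock the user out of the machine.
$hidAncestors = Get-PnpDevice -Class HIDClass -Status OK -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-UsbAncestry $_.InstanceId).InstanceId }
$chain | Where-Object { $_.InstanceId -in $hidAncestors } |
    ForEach-Object { Write-Warning "$($_.Name) is also upstream of a HID device; keep it allowed." }
```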