11: BitLocker and Mobility Options
Overview

Portable computers bring unique challenges to IT departments, challenges that do not arise with more traditional desktop computer deployments. One of these challenges is ensuring that a person using a portable computer is able to use the computer for a maximum amount of time when she is not able to connect to a power outlet. Another challenge is ensuring that a user is able to access important files even when she is unable to connect to the network. A third challenge is ensuring that no one outside the organization is able to recover confidential data on a misplaced or stolen portable computer.

In this chapter, you learn about several technologies that assist you in addressing these challenges. BitLocker and BitLocker To Go provide full volume data encryption that protects data if the computer or storage device hosting it is stolen or lost. The Offline Files feature enables you to access data hosted on shared folders when a computer cannot connect to the shared folder host server's network. Windows 7 power plans allow you to balance system performance with battery life, allowing you to increase performance when energy consumption is less important and to switch over to preserving battery charge when you need to use a portable computer away from a power supply for an extended amount of time.

Exam objectives in this chapter:
- Configure BitLocker and BitLocker To Go.
- Configure mobility options.

Lessons in this chapter:
- Lesson 1: Managing BitLocker
- Lesson 2: Windows 7 Mobility

Before You Begin

To complete the exercises in the practices in this chapter, you need to have done the following:
- Installed the Windows 7 operating system on a stand-alone client PC named Canberra, as described in Chapter 1, "Install, Migrate, or Upgrade to Windows 7."
- Made sure you have access to a small removable USB storage device. This device should not host any data.

Note that a Trusted Platform Module (TPM) chip is not required for the practice exercise at the end of this lesson.
REAL WORLD
Orin Thomas

Once, when I was working on a Self-Paced Training Kit, I received a chapter back from editing a few minutes before I was about to board a plane. Unfortunately, the plane I was about to board was going to take me from Melbourne, Australia, to Copenhagen, Denmark, with a stopoff for two hours in Bangkok, Thailand. This is one of those journeys that is within spitting distance of going literally halfway around the world. As I find it almost impossible to sleep on airplanes, I knew that I'd be unable to work after more than 24 hours in transit. Dealing with it now was better than dealing with it in a jet-lagged state on the other side of the world. Besides, I had never been to Copenhagen, and I didn't want to spend my first day there after I'd recovered from jet lag tapping away on my laptop in my hotel room.

Given that you can buy a small car for the price of a first-class ticket from Melbourne to Copenhagen, I was in economy class without any way to power my laptop computer. Going through a chapter after editing can take some time, more time than usually afforded by my laptop computer's battery. My laptop wasn't a "newfangled, lasts for 8 hours on one battery" laptop, but one that would do three hours on a good day if I didn't push it hard. Unfortunately, I needed more than three hours to finish what I needed to do.

This is where creating a custom power plan came in. I turned everything down. The screen gave off almost no light, the processor was restricted to a few percent of its maximum speed, and every non-critical device was switched off. The computer was sluggish, but it provided me with enough power that I was able to use it through the entire flight from Melbourne to Bangkok. This gave me enough time to complete my work on the chapter. When I arrived at Bangkok, I still had enough power to connect the laptop to the Internet through my mobile phone and send the revised chapter back to my editor.

When I got to Copenhagen, I could concentrate fully on taking in a city I had never visited before. One day, when I get a new laptop that has a bit more battery life, I reckon I could configure a power plan that might get me all the way through a flight from Melbourne to Copenhagen. Until then, Melbourne to Bangkok will have to do!

Lesson 1: Managing BitLocker

Several studies have found that the staff at a medium-sized business loses an average of two laptop computers each year. These studies have determined that the cost of a lost laptop computer to an organization can exceed 20 times the value of the laptop computer itself, adding up to tens of thousands of dollars. The biggest cost involved with a lost laptop computer is determining what data was stored on the computer and the impact of that data finding its way into the hands of a competing organization. Often, it can be difficult to ascertain exactly what data may have been stored on a misplaced computer. When you assume a worst-case scenario, that cost can rise very high.

Universal serial bus (USB) flash devices present a similar problem. People often use them to transfer important data from home to the workplace. Because these devices are small, they are easy to misplace. When one of these devices is lost, there is a chance, however small, that some sensitive data may find its way into the hands of a competing organization.

Research that has measured the cost of lost equipment has also found that the cost to an organization of losing a laptop computer was significantly lower for organizations that could be sure that a full disk encryption solution such as BitLocker protected all data on their portable computers. This was because in these cases, organizations could be sure that a competing organization was unable to recover any important data that might be stored on a misplaced computer or device. This significantly reduced the cost to the organization of the loss because it did not have to determine what might be stored on the lost equipment because that data was effectively irretrievable.

In this lesson, you learn how to configure the BitLocker and BitLocker To Go features in Windows 7 so that if someone in your organization loses a laptop computer or USB flash device, you can be certain that the person who finds it is unable to recover any data stored on the device.

After this lesson, you will be able to:
- Configure BitLocker and BitLocker To Go Policies.
- Manage Trusted Platform Module PINs.
- Configure Startup Key storage.
- Configure Data Recovery Agent support.

Estimated lesson time: 40 minutes
BitLocker

BitLocker is a full volume encryption and system protection feature that is available on computers running the Enterprise and Ultimate editions of Windows 7. The function of BitLocker is to protect computers running Windows 7 from offline attacks. Offline attacks include booting using an alternative operating system in an attempt to recover data stored on the hard disk, and removing the computer's hard disk and connecting it to another computer in an attempt to access the data it contains.

BitLocker provides full encryption of a computer's volumes. Without the BitLocker encryption key, the data stored on the volume is inaccessible. BitLocker stores the encryption key for the volume in a separate safe location, and it releases this key, making the data on the volume accessible, only after it is able to verify the integrity of the boot environment. BitLocker provides the following benefits:

- It prevents an attacker from recovering data from a stolen computer unless that person also steals the passwords that provide access to the computer. Without the appropriate authentication, the hard disk remains encrypted and inaccessible.
- It simplifies the process of hard disk drive disposal. Rather than having to wipe a computer's hard disk, you can be sure that without the accompanying BitLocker key, any data on the disposed hard disk is irrecoverable. Many organizations have suffered security breaches because people have been able to recover data on hard disk drives after the hard disk has theoretically been disposed of.
- It protects the integrity of the boot environment against unauthorized modification by checking the boot environment each time you turn on the computer. If BitLocker detects any modifications to the boot environment, it forces the computer into BitLocker recovery mode.
Although BitLocker does provide some forms of protection, BitLocker does not protect data hosted on the computer once the computer is fully active. If there are multiple users of a computer and BitLocker is enabled, BitLocker cannot stop them from reading each other's files if file and folder permissions are not properly set. BitLocker encrypts the hard disk, but that encryption does not protect data from attack locally or over the network once the computer is operating normally. To protect data from access on a powered-up computer, configure NTFS permissions and use Encrypting File System (EFS). You learned about these technologies in Chapter 8, "BranchCache and Resource Sharing."

MORE INFO: BitLocker EXECUTIVE OVERVIEW
For a more detailed summary of the functionality of BitLocker in Windows 7, consult the following executive overview document hosted on Microsoft TechNet: http://technet.microsoft.com/en-us/library/dd548341(WS.10).aspx.
BitLocker Modes

You can configure BitLocker to function in a particular mode. The mode that you choose depends on whether you have a Trusted Platform Module (TPM) on your computer and the level of security that you want to enforce. The modes involve selecting a combination of TPM, personal identification number (PIN), and startup key. A startup key is a special cryptographically generated file that is stored on a separate USB device. The available BitLocker modes are as follows:

- TPM-only mode: In TPM-only mode, the user is unaware that BitLocker is functioning and does not have to provide any passwords, PINs, or startup keys to start the computer. The user becomes aware of BitLocker only if there is a modification to the boot environment, or if she removes her hard disk drive and tries to use it on another computer. TPM-only mode is the least secure implementation of BitLocker because it does not require additional authentication.
- TPM with startup key: This mode requires that a USB device hosting a preconfigured startup key be available to the computer before the computer can boot into Microsoft Windows. If the device hosting the startup key is not available at boot time, the computer enters recovery mode. This mode also provides boot environment protection through the TPM.
- TPM with PIN: When you configure this mode, the user must enter a PIN before the computer boots. You can configure Group Policy so that it is possible to enter a password containing numbers, letters, and symbols rather than a simple PIN. If you do not enter the correct PIN or password at boot time, the computer enters recovery mode. This mode also provides boot environment protection through the TPM.
- TPM with PIN and startup key: This is the most secure option. You can configure this option through Group Policy. When you enable this option, a user must enter a startup PIN and have the device hosting the startup key connected before the computer will boot into Windows. This option is appropriate for high-security environments. This mode also provides boot environment protection through the TPM.
- BitLocker without a TPM: This mode provides hard disk encryption but does not provide boot environment protection. This mode is used on computers without TPM chips. You can configure BitLocker to work on a computer that does not have a TPM chip by configuring the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require Additional Authentication At Startup policy. This policy is shown in Figure 11-1. When you configure BitLocker to work without a TPM chip, you need to boot with a startup key on a USB storage device.
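The modes above are selected through the Require Additional Authentication At Startup policy, so an auditor's first question on a given computer is how that policy actually landed. The following PowerShell function is an added example (not from the training kit) that reads the policy as it is written to the local registry and reports which startup combinations are allowed, required, or blocked, flagging the two weaker outcomes the text describes: BitLocker without a TPM (encryption but no boot-environment verification) and TPM-only startup (no PIN or startup key). It assumes the policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE with the value names used by Microsoft's VolumeEncryption.admx (UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN), where 0 means "do not allow", 1 "require" and 2 "allow"; the function names are mine.

```powershell
# Added example, not from the training kit: audit how the "Require Additional
# Authentication At Startup" policy has been applied to this computer and map
# it back to the BitLocker modes described in the lesson.
# Assumption: the policy is written to HKLM\SOFTWARE\Policies\Microsoft\FVE with
# the value names from Microsoft's VolumeEncryption.admx, 0 = do not allow,
# 1 = require, 2 = allow. Function names are mine.

function Convert-FveSetting {
    param($Value)
    # Translate a policy DWORD into the wording used by the Group Policy editor.
    if ($null -eq $Value) { return 'Not set' }
    switch ([int]$Value) {
        0       { return 'Do not allow' }
        1       { return 'Require' }
        2       { return 'Allow' }
        default { return "Unknown ($Value)" }
    }
}

function Get-BitLockerStartupPolicy {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

    # No policy at all: BitLocker falls back to TPM-only and refuses to run without a TPM.
    if (-not (Test-Path $policyPath)) {
        return [pscustomobject]@{
            PolicyConfigured = $false
            NoTpmAllowed     = $false
            Finding          = 'Policy not configured: BitLocker defaults to TPM-only and will not enable without a TPM.'
        }
    }

    $p = Get-ItemProperty -Path $policyPath
    $policyEnabled    = ($p.UseAdvancedStartup -eq 1)
    $noTpmAllowed     = ($p.EnableBDEWithNoTPM -eq 1)
    $tpmOnlyPermitted = ($p.UseTPM -eq 1 -or $p.UseTPM -eq 2)

    $findings = @()
    if (-not $policyEnabled) {
        $findings += 'Policy key present but the policy is not enabled; default (TPM-only) behaviour applies.'
    }
    if ($noTpmAllowed) {
        $findings += 'BitLocker without a TPM is allowed: volumes are encrypted but the boot environment is not verified.'
    }
    if ($policyEnabled -and $tpmOnlyPermitted) {
        $findings += 'TPM-only startup is permitted: no PIN or startup key is needed to boot.'
    }
    if ($policyEnabled -and -not $tpmOnlyPermitted -and -not $noTpmAllowed) {
        $findings += 'TPM-only startup is blocked: a PIN, a startup key, or both is required.'
    }

    [pscustomobject]@{
        PolicyConfigured    = $policyEnabled
        NoTpmAllowed        = $noTpmAllowed
        TpmOnly             = Convert-FveSetting $p.UseTPM
        TpmAndPin           = Convert-FveSetting $p.UseTPMPIN
        TpmAndStartupKey    = Convert-FveSetting $p.UseTPMKey
        TpmPinAndStartupKey = Convert-FveSetting $p.UseTPMKeyPIN
        Finding             = ($findings -join ' ')
    }
}

Get-BitLockerStartupPolicy | Format-List
```

Run it after a gpupdate on the client; a result showing NoTpmAllowed as True on a computer that does have a TPM means the weaker policy from Figure 11-1 has been applied more broadly than intended, and TpmOnly reading "Allow" or "Require" means the least secure mode is still available.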
Figure 11-1: Allow BitLocker without a TPM chip

Managing the TPM Chip

Most implementations of BitLocker store the encryption key in a special chip on the computer's hardware known as the TPM chip. The TPM Management console, shown in Figure 11-2, allows administrators to manage the TPM. Using this console, you can store TPM recovery information in Active Directory Domain Services (AD DS), clear the TPM, reset the TPM lockout, and enable or disable the TPM. You can access the TPM Management console from the BitLocker Drive Encryption control panel by clicking the TPM Administration icon.
Figure 11-2: TPM Management console

Configuring a BitLocker DRA

Data Recovery Agents (DRAs) are special user accounts that you can use to recover encrypted data. You can configure a DRA to recover BitLocker-protected drives if the recovery password or keys are lost. The advantage of a DRA is that you can use it organization-wide, meaning that you can recover all BitLocker-encrypted volumes using a single account rather than having to recover a specific volume's recovery password or key. The first step you must take in configuring BitLocker to support DRAs is to add the account of a DRA to the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption node, as shown in Figure 11-3. A DRA account is a user account enrolled with a special type of digital certificate. In organizational environments, this digital certificate is almost always issued by an AD DS certificate authority (CA).
Figure 11-3: Assigning the recovery key

After you have configured the DRA, it is also necessary to configure the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Provide The Unique Identifiers For Your Organization policy to support DRA recovery. BitLocker works with DRAs only when an identification field is present on a volume and the value matches that configured for the computer. Figure 11-4 shows this policy configured with the identification field set to ContosoBitLockerSelfHost. You also use this policy when denying write access to removable devices not protected by BitLocker. You will learn more about denying write access to removable devices later in this lesson.
Figure 11-4: Configure unique identifiers

After you have configured the DRA and the identifiers, you need to configure the following policies to allow specific volume types to utilize the DRA:
- Choose How BitLocker-Protected Operating System Drives Can Be Recovered
- Choose How BitLocker-Protected Fixed Drives Can Be Recovered
- Choose How BitLocker-Protected Removable Drives Can Be Recovered

Each of these policies is similar in that you configure it to allow the DRA. You can also configure a recovery password and a recovery key for each volume type, as shown in Figure 11-5. You can use any of the items you specify in these policies for recovery. These policies also allow you to force the backup of recovery passwords and keys to AD DS. It is even possible to block the implementation of BitLocker unless backup to AD DS is successful. You should not enable the option of backing up data to AD DS when clients running Windows 7 are not members of an AD DS domain.
Figure 11-5: Recovery policies

In some cases, you may have already enabled BitLocker on a volume prior to preparing a DRA. You can update a volume to support a DRA by using the manage-bde -SetIdentifier command on the encrypted volume from an elevated command prompt. You can verify the identifier setting by using the manage-bde -status command and checking the Identification Field setting in the resulting output. To verify that the DRA is configured properly, issue the manage-bde -protectors -get command. This lists the certificate thumbprint assigned to the DRA. To recover data from a volume protected by a DRA, connect the volume to a working computer that has the DRA private key installed and use the manage-bde.exe -unlock <drive> -Certificate -ct <certificate thumbprint> command from an elevated command prompt. You will use some of these commands in the practice at the end of this lesson.

MORE INFO: CONFIGURING A BitLocker DRA
To learn more about configuring a BitLocker DRA, consult the following Microsoft TechNet article: http://technet.microsoft.com/en-us/library/dd875560(WS.10).aspx.

Enabling BitLocker

To enable BitLocker on a computer, open the BitLocker Drive Encryption control panel and then click Turn On BitLocker. A user must be a member of the local Administrators group to enable BitLocker on a computer running Windows 7. When you click Turn On BitLocker, a check is performed to see if your computer has the appropriate TPM hardware, or has the appropriate Group Policy if that hardware is not present, to support BitLocker. If the TPM hardware is not present and Group Policy is not configured appropriately, an error message is displayed informing you that the computer does not support BitLocker and you are unable to implement BitLocker.
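The DRA checks described under Configuring a BitLocker DRA (manage-bde -status for the identification field, manage-bde -protectors -get for the DRA thumbprint) are easy to script so that every volume in a fleet can be verified before anyone needs a recovery. The following PowerShell function is an added example, not from the training kit: it runs both commands, parses their output, and reports whether the volume is actually recoverable through the DRA. It assumes that -status prints a line of the form "Identification Field: <value>" and that -protectors -get lists the DRA under a heading containing "Data Recovery Agent" followed by its 40-hex-digit certificate thumbprint; adjust the patterns if your build labels them differently. The function name and the -ExpectedIdentifier parameter are mine, and the commands need an elevated prompt exactly as the lesson states.

```powershell
# Added example, not from the training kit: verify that a BitLocker-protected
# volume is ready for DRA recovery by running the manage-bde -status and
# manage-bde -protectors -get commands from the lesson and parsing the output.
# Assumptions: -status prints "Identification Field: <value>"; -protectors -get
# shows the DRA under a heading containing "Data Recovery Agent" followed by a
# 40-hex-digit certificate thumbprint. Function name and parameter are mine.

function Test-BitLockerDraReadiness {
    param(
        [Parameter(Mandatory)] [string] $Drive,              # e.g. 'C:'
        [Parameter(Mandatory)] [string] $ExpectedIdentifier  # value set in the identifiers policy
    )

    # Capture both command outputs as single strings so multi-line patterns work.
    $statusText    = (& manage-bde.exe -status $Drive 2>&1) -join "`n"
    $protectorText = (& manage-bde.exe -protectors -get $Drive 2>&1) -join "`n"

    # Identification field as reported by -status ("None" when it was never set).
    $idField = $null
    if ($statusText -match 'Identification Field:\s*([^\r\n]+)') {
        $idField = $Matches[1].Trim()
    }

    # Each DRA protector block is followed by its SHA-1 certificate thumbprint.
    # GUID segments are at most 12 hex digits, so a 40-digit run is the thumbprint.
    $draThumbprints = @(
        [regex]::Matches($protectorText, '(?s)Data Recovery Agent.*?\b([0-9A-Fa-f]{40})\b') |
            ForEach-Object { $_.Groups[1].Value }
    )

    $identifierOk = ($idField -eq $ExpectedIdentifier)
    $ready        = $identifierOk -and ($draThumbprints.Count -gt 0)

    # Point at the fix from the lesson rather than just reporting a failure.
    $advice = @()
    if (-not $identifierOk) {
        $advice += "Identification field is '$idField', expected '$ExpectedIdentifier'; set it with: manage-bde -SetIdentifier $Drive"
    }
    if ($draThumbprints.Count -eq 0) {
        $advice += 'No DRA protector found; check the BitLocker Drive Encryption public key policy and the three recovery policies.'
    }
    if ($ready) {
        $advice += "Recover on a computer holding the DRA private key with: manage-bde -unlock <drive> -Certificate -ct $($draThumbprints[0])"
    }

    [pscustomobject]@{
        Drive               = $Drive
        IdentificationField = $idField
        IdentifierMatches   = $identifierOk
        DraThumbprints      = $draThumbprints
        ReadyForDraRecovery = $ready
        Advice              = ($advice -join ' ')
    }
}

# Constructed call: the identifier is the value shown in Figure 11-4.
Test-BitLockerDraReadiness -Drive 'C:' -ExpectedIdentifier 'ContosoBitLockerSelfHost' | Format-List
```

A volume that was encrypted before the DRA policy existed typically shows IdentifierMatches as False with an identification field of "None"; that is the case the text addresses with manage-bde -SetIdentifier, and the Advice field names that command.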
The next step in configuring BitLocker is to configure which authentication choice to use with BitLocker. You learned about the different BitLocker modes (TPM-only, TPM with startup key, TPM with PIN, and TPM with startup key and PIN) earlier in this lesson. If you are using BitLocker without a TPM, you only have the option of requiring a startup key, as shown in Figure 11-6. You can configure the option to require TPM with startup key and PIN only through Group Policy.
Figure 11-6: Configure BitLocker startup options

If you choose to require a startup key, Windows prompts you to designate the USB storage device that hosts the startup key. Windows then writes the startup key to the designated device. The next step in the BitLocker process involves storing the recovery key, as shown in Figure 11-7. The recovery key is different from the startup key or PIN. You should store the recovery key in a different location from the startup key. That way, if you lose your startup key, you have not also lost the recovery key.
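The same two steps (designate a startup key device, then store the recovery key somewhere else) can be carried out with manage-bde, and scripting them lets you enforce the separation the text recommends instead of relying on the person at the keyboard. The following PowerShell function is an added example, not from the training kit: it refuses to proceed if the startup key and recovery key would land on the same device, or on the volume being encrypted, and only then runs manage-bde -on with the documented -StartupKey and -RecoveryKey switches. The function name and its -DryRun switch are mine; run it from an elevated prompt, and on a computer without a TPM the policy from Figure 11-1 must already allow BitLocker without a TPM.

```powershell
# Added example, not from the training kit: turn on BitLocker with a startup
# key and a recovery key while refusing to store both on the same device, the
# mistake the lesson warns about. Uses the documented manage-bde switches -on,
# -StartupKey and -RecoveryKey; function name and -DryRun switch are mine.

function Enable-BitLockerWithSeparateKeys {
    param(
        [Parameter(Mandatory)] [string] $Drive,            # volume to encrypt, e.g. 'C:'
        [Parameter(Mandatory)] [string] $StartupKeyPath,   # USB device for the startup key, e.g. 'E:\'
        [Parameter(Mandatory)] [string] $RecoveryKeyPath,  # different location for the recovery key, e.g. 'F:\'
        [switch] $DryRun                                   # show the command instead of running it
    )

    # Resolve-Path fails fast if a device is not actually connected.
    $startupRoot  = [System.IO.Path]::GetPathRoot((Resolve-Path $StartupKeyPath).Path)
    $recoveryRoot = [System.IO.Path]::GetPathRoot((Resolve-Path $RecoveryKeyPath).Path)
    $osRoot       = [System.IO.Path]::GetPathRoot($Drive.TrimEnd('\') + '\')

    # Losing one device must not lose both keys, so they may not share a root.
    if ($startupRoot -ieq $recoveryRoot) {
        throw "Startup key and recovery key would both be stored on $startupRoot; use two different devices."
    }
    # Neither key may live on the volume it unlocks.
    if ($startupRoot -ieq $osRoot -or $recoveryRoot -ieq $osRoot) {
        throw "Keys must not be stored on the volume being encrypted ($osRoot)."
    }

    # $args is an automatic variable in PowerShell, so the argument list gets its own name.
    $bdeArgs = @('-on', $Drive, '-StartupKey', $StartupKeyPath, '-RecoveryKey', $RecoveryKeyPath)

    if ($DryRun) {
        return "manage-bde.exe $($bdeArgs -join ' ')"
    }

    & manage-bde.exe @bdeArgs
    return $LASTEXITCODE
}

# Constructed call: preview the command before committing to encryption.
Enable-BitLockerWithSeparateKeys -Drive 'C:' -StartupKeyPath 'E:\' -RecoveryKeyPath 'F:\' -DryRun
```

The dry run is there because manage-bde -on starts encrypting immediately; check the printed command, confirm the two devices are the ones you meant, and then run the function again without -DryRun. Where the recovery policies require backup to AD DS, that backup still has to succeed for the recovery key to be usable organization-wide.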