Microsoft: September 2008 Archives
Today I listened to a recording, posted at MyitForum, of Paul Cooke, a Director in the Windows Client division specializing in security, discussing BitLocker Drive Encryption and how it has been extended in Windows Vista SP1.
It's been a while since I'd read anything on BitLocker. Since GuardianEdge did a number on my laptop, I am interested to see if it's worth continuing with GE if we ever upgrade to Vista.
SP1 enhancements:
- Can now require TPM, PIN and USB all together.
- Can now encrypt data volumes instead of only the OS/primary volume.
TPM 1.2 is required (if you use the TPM option). That sounds like quite a hassle, making sure the TPM chip is enabled on the computers that are coming in.
Recovery involves a 48-digit recovery password. That sounds like a real joy to read off to the end user. What rights does the helpdesk need to access that number anyway? With our current product, while you are reading off numbers to the user, there is a check digit returned to verify correct entry.
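As an added example on the check-digit question (this is not code from the original post or from Microsoft): a BitLocker 48-digit recovery password is eight groups of six digits, and each group is a multiple of 11 whose quotient fits in 16 bits (at most 65535). A helpdesk script can therefore flag a misread or transposed group before the user types it. The function name `Test-BitLockerRecoveryPassword` and both sample passwords are constructed for this example; they are not real recovery keys.

```powershell
# Added example, not from the original post. Format facts assumed here:
# 48 digits in 8 groups of 6; each group is a multiple of 11; group/11 <= 65535.
function Test-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory=$true)]
        [string]$Password   # digits with optional dashes/spaces, e.g. "123453-654324-..."
    )

    $digits = $Password -replace '[^0-9]', ''
    if ($digits.Length -ne 48) {
        return [pscustomobject]@{
            Valid     = $false
            Reason    = "expected 48 digits, got $($digits.Length)"
            BadGroups = @()
        }
    }

    $bad = @()
    for ($i = 0; $i -lt 8; $i++) {
        $text  = $digits.Substring($i * 6, 6)
        $group = [int]$text
        if (($group % 11) -ne 0) {
            $bad += [pscustomobject]@{ Index = $i + 1; Group = $text; Reason = 'not a multiple of 11 (misread or transposed digit)' }
        } elseif (($group / 11) -gt 65535) {
            $bad += [pscustomobject]@{ Index = $i + 1; Group = $text; Reason = 'multiple of 11 but quotient exceeds 16 bits' }
        }
    }

    [pscustomobject]@{
        Valid     = ($bad.Count -eq 0)
        Reason    = $(if ($bad.Count -eq 0) { 'all 8 groups pass the check' } else { "$($bad.Count) group(s) failed" })
        BadGroups = $bad
    }
}

# Constructed sample inputs (not real recovery passwords).
$good = '123453-654324-111111-222222-333333-444444-555555-666666'   # every group passes
$typo = '123453-654234-111111-222222-333333-444444-555555-777777'   # group 2 transposed, group 8 overflows

Test-BitLockerRecoveryPassword -Password $good | Format-List Valid, Reason
Test-BitLockerRecoveryPassword -Password $typo | Select-Object -ExpandProperty BadGroups | Format-Table -AutoSize
```

Reading the password one six-digit group at a time and running this check after each group gives the same experience as the check digit described above: the helpdesk knows which group to re-read before the user has typed all 48 digits.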
I found that I couldn't remotely access the registry or Event Viewer on my kiosk computers. I was rebuffed with an "Access Denied" error message. My kiosk computers are locked down via Group Policy, so that was my first suspect.
I looked through the kiosk Group Policy and didn't find anything obvious, so I checked with a co-worker. He found a KB article that pointed out that the permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg control remote access to the registry and event log. That had slipped my mind.
It turned out that the group policy (originally a Windows 2000 group policy) had applied permissions to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg. The setting removed the native XP permissions and replaced them with a more restrictive set. Windows XP runs the Remote Registry service as the Local Service account (on Windows 2000 it ran as Local System, which is why the older policy never granted Local Service anything), so that account needs read access to the winreg key for remote registry and remote Event Viewer access to work. My policy had removed that necessary permission. To resolve the problem, I gave Local Service read access to the winreg key. See MSKB892192 for step by step instructions.
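As an added example (not code from the original post or from the KB article), the following checks whether Local Service holds a Read ACE on the winreg key and can optionally add one. It assumes PowerShell is installed on the kiosk (it runs on XP SP2 and later) and, for the `-Repair` switch, an administrative session. The function name `Test-WinRegLocalServiceRead` is made up for this example.

```powershell
# Added example, not from the original post: verify (and optionally repair) the
# ACE that Windows XP's Remote Registry service, running as LOCAL SERVICE, needs
# on the winreg key before remote registry / remote Event Viewer will work.
$WinRegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$LocalService = 'NT AUTHORITY\LOCAL SERVICE'
$ReadKey      = [System.Security.AccessControl.RegistryRights]::ReadKey

function Test-WinRegLocalServiceRead {
    param([switch]$Repair)   # add the missing ACE instead of only reporting

    $acl = Get-Acl -Path $WinRegPath

    # An Allow ACE for LOCAL SERVICE that contains every ReadKey bit.
    # FullControl and Read both qualify; inherited ACEs are included.
    $allow = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $LocalService -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $ReadKey) -eq $ReadKey)
    })
    # A Deny ACE for LOCAL SERVICE wins over any Allow, so it breaks access too.
    $deny = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $LocalService -and
        $_.AccessControlType -eq 'Deny'
    })

    $ok = ($allow.Count -gt 0 -and $deny.Count -eq 0)

    if (-not $ok -and $Repair) {
        # Read on the key and its subkeys, which is what the KB fix grants.
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
            $LocalService,
            $ReadKey,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow
        )
        $acl.AddAccessRule($rule)
        Set-Acl -Path $WinRegPath -AclObject $acl
        $ok = $true
    }

    [pscustomobject]@{
        Key              = $WinRegPath
        LocalServiceRead = $ok
        AllowAces        = $allow.Count
        DenyAces         = $deny.Count
        Identities       = (($acl.Access | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', ')
    }
}

# Report only; rerun with -Repair from an elevated prompt to add the ACE.
Test-WinRegLocalServiceRead | Format-List
```

One caveat worth checking before relying on the local repair: if the restrictive ACL came from a Group Policy registry security setting, as it did here, the next policy refresh will reapply it and undo the local change. The durable fix is to edit that setting in the GPO (Computer Configuration, Windows Settings, Security Settings, Registry) so that Local Service is granted Read on the winreg key, then let the policy push the corrected ACL to the kiosks.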