MBAM 2.5 Security Considerations

Applies to: Microsoft BitLocker Administration and Monitoring 2.5

This topic contains the following information about how to secure Microsoft BitLocker Administration and Monitoring (MBAM):

  • Configure MBAM to own the TPM and store OwnerAuth passwords

  • Secure connections to SQL Server

  • Create accounts and groups

  • Use MBAM log files

  • Review MBAM database TDE considerations

  • Understand general security considerations

Configure MBAM to own the TPM and store OwnerAuth passwords

In Windows 8.1 and Windows 8, the operating system automatically provisions the Trusted Platform Module (TPM). To enable the MBAM database to store the TPM OwnerAuth passwords, and to enable the MBAM websites to retrieve recovery keys, you must disable TPM auto-provisioning and clear the TPM on the client computer.

To configure MBAM to own the TPM and store OwnerAuth passwords

  1. On the client computer, open an elevated Windows PowerShell command prompt.

  2. Type the following Windows PowerShell commands:

    Command:      $tpm = Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\security\microsofttpm
    Description:  Gets an instance of the TPM WMI class.

    Command:      $tpm.DisableAutoProvisioning()
    Description:  Disables TPM auto-provisioning.

    Command:      $tpm.SetPhysicalPresenceRequest(22)
    Description:  Clears the TPM (the clear takes effect after the restart in the next step).

  3. Restart the computer, and then confirm that you want to clear the TPM.

  4. To prevent the recovery keys from being backed up to Active Directory Domain Services, ensure that the Require TPM Backup to AD DS option is not set in the Turn on TPM backup to Active Directory Domain Services Group Policy setting.

    The location of this Group Policy setting is Computer Configuration > Policies > Administrative Templates > System > Trusted Platform Module Services.

  5. Use MBAM to manually provision the TPM.
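The following read-only check, added here as an example and not part of the MBAM documentation or product, reports the state that the procedure above changes: whether TPM auto-provisioning is still enabled, whether a TPM clear request (22) is pending, whether the TPM is currently owned, and whether the Require TPM Backup to AD DS policy is set. The registry path is the one the Trusted Platform Module Services policy template is assumed to write; verify it against your TPM.admx version.

```powershell
# Added example (not from the MBAM documentation): read-only verification of the
# TPM prerequisites for MBAM ownership. Run from an elevated PowerShell prompt on
# the client computer; it makes no changes.

function Test-MbamTpmOwnershipPrereqs {
    # Same WMI class and namespace as the procedure above
    $tpm = Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\security\microsofttpm
    if (-not $tpm) {
        throw 'No Win32_Tpm instance found; this client has no usable TPM.'
    }

    # Win32_Tpm methods return an object with ReturnValue (0 = success) plus the queried flag
    $autoProv = $tpm.IsAutoProvisioningEnabled()
    $owned    = $tpm.IsOwned()
    $ppReq    = $tpm.GetPhysicalPresenceRequest()
    foreach ($r in @($autoProv, $owned, $ppReq)) {
        if ($r.ReturnValue -ne 0) { throw "Win32_Tpm call failed with return value $($r.ReturnValue)" }
    }

    # Assumed registry location of the "Turn on TPM backup to Active Directory Domain
    # Services" policy; RequireActiveDirectoryBackup = 1 means the Require checkbox is set.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $requireAdBackup = $null
    if (Test-Path $policyKey) {
        $requireAdBackup = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).RequireActiveDirectoryBackup
    }

    [pscustomobject]@{
        AutoProvisioningEnabled = [bool]$autoProv.IsAutoProvisioningEnabled
        TpmOwned                = [bool]$owned.IsOwned
        PendingClearRequest     = ($ppReq.Request -eq 22)   # true between step 2 and the restart
        RequireAdDsBackupSet    = ($requireAdBackup -eq 1)
        # MBAM can take ownership in step 5 only when auto-provisioning is off,
        # the TPM is no longer owned, and AD DS backup is not required by policy.
        ReadyForMbamOwnership   = (-not $autoProv.IsAutoProvisioningEnabled) -and
                                  (-not $owned.IsOwned) -and
                                  ($requireAdBackup -ne 1)
    }
}

Test-MbamTpmOwnershipPrereqs | Format-List
```

Run it once before step 2 to record the starting state and again after the restart in step 3; ReadyForMbamOwnership should be True before you continue with step 5.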

Advantages of having MBAM own the TPM

There are several advantages to having MBAM own the TPM versus having Windows own it. When MBAM owns the TPM, MBAM stores the TPM recovery passwords, which provides the following benefits:

  • The OwnerAuth password file is more secure because fewer people typically have access to the MBAM database where the file is stored.

  • All recovery activity is stored and available for viewing through Reports.

  • Users with assigned rights can use the Administration and Monitoring Website (Help Desk) to provide recovery passwords to end users if their TPM becomes locked.

Secure connections to SQL Server

In MBAM, SQL Server communicates with SQL Server Reporting Services and with the web services for the Administration and Monitoring Website and Self-Service Portal. We recommend that you secure the communication with SQL Server. For more information, see Encrypting Connections to SQL Server.

For more information about securing the MBAM websites, see Planning How to Secure the MBAM Websites.

Create accounts and groups

The best practice for managing user accounts is to create domain global groups and add user accounts to them. For a description of the recommended accounts and groups, see Planning for MBAM 2.5 Groups and Accounts.

Use MBAM log files

This section describes the MBAM Server and MBAM Client log files.

MBAM Server Setup log files

The MBAMServerSetup.exe file generates the following log files in the user’s %temp% folder during the MBAM installation:

  • Microsoft_BitLocker_Administration_and_Monitoring_<14 numbers>.log

    Logs the actions taken during the MBAM setup and the MBAM Server feature configuration.

  • Microsoft_BitLocker_Administration_and_Monitoring_<14 numbers>_0_MBAMServer.msi.log

    Logs additional actions taken during installation.

MBAM Server Configuration log files

  • Applications and Services Logs/Microsoft Windows/MBAM-Setup

    Logs the errors that occur when you are using Windows PowerShell cmdlets or the MBAM Server Configuration wizard to configure the MBAM Server features.

MBAM Client setup log files

  • MSI<five random characters>.log

    Logs the actions taken during the MBAM Client installation.

Review MBAM database TDE considerations

The transparent data encryption (TDE) feature that is available in SQL Server is an optional installation for the database instances that will host the MBAM database features.

With TDE, you can perform real-time, full database-level encryption. TDE is the optimal choice for bulk encryption to meet regulatory compliance or corporate data security standards. TDE works at the file level, which is similar to two Windows features: the Encrypting File System (EFS) and BitLocker Drive Encryption. Both features also encrypt data on the hard drive. TDE does not replace cell-level encryption, EFS, or BitLocker.

When TDE is enabled on a database, all backups are encrypted. Thus, special care must be taken to ensure that the certificate that was used to protect the database encryption key is backed up and maintained with the database backup. If this certificate (or certificates) is lost, the data will be unreadable.

Back up the certificate with the database. Each certificate backup should have two files. Both of these files should be archived. Ideally for security, they should be backed up separately from the database backup file. You can alternatively consider using the extensible key management (EKM) feature (see Extensible Key Management) for storage and maintenance of keys that are used for TDE.

For an example of how to enable TDE for MBAM database instances, see Understanding Transparent Data Encryption (TDE).
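The script below, added here as an example and not taken from the MBAM documentation or the linked TDE topic, enables TDE on an MBAM database and produces the two certificate backup files (.cer and .pvk) the text says to archive separately from the database backup. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and a login with CONTROL SERVER; the instance, database name, directory and passwords are placeholders.

```powershell
# Added example (not from the MBAM documentation): enable TDE for an MBAM database
# and back up the protecting certificate as two files. All values below are placeholders.
param(
    [string]$Instance           = 'MBAMSQL01',                  # placeholder SQL instance
    [string]$Database           = 'MBAM Recovery and Hardware', # placeholder MBAM database name
    [string]$BackupDir          = 'D:\TdeCertBackup',           # keep separate from database backups
    [string]$MasterKeyPassword  = '<strong master key password>',
    [string]$PrivateKeyPassword = '<strong private key password>'
)

$cert    = 'MbamTdeCert'
$cerFile = Join-Path $BackupDir "$cert.cer"
$pvkFile = Join-Path $BackupDir "$cert.pvk"

# 1. The master key and certificate live in master; the certificate protects the DEK.
#    The BACKUP CERTIFICATE statement writes the two files the text refers to.
$setup = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$MasterKeyPassword';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = '$cert')
    CREATE CERTIFICATE $cert WITH SUBJECT = 'MBAM TDE certificate';
BACKUP CERTIFICATE $cert TO FILE = '$cerFile'
    WITH PRIVATE KEY (FILE = '$pvkFile', ENCRYPTION BY PASSWORD = '$PrivateKeyPassword');
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $setup

# 2. Create the database encryption key and turn encryption on for the MBAM database.
$enable = @"
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE $cert;
ALTER DATABASE [$Database] SET ENCRYPTION ON;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $enable

# 3. Verify: encryption_state 3 = encrypted; pvt_key_last_backup_date must not be NULL,
#    otherwise the certificate that protects every backup has never been backed up.
$check = @"
SELECT DB_NAME(k.database_id) AS db, k.encryption_state, c.pvt_key_last_backup_date
FROM sys.dm_database_encryption_keys AS k
JOIN sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint
WHERE k.database_id = DB_ID('$Database');
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $check | Format-Table -AutoSize
```

Store the .cer and .pvk files and the private key password where a lost database backup alone cannot reach them; without all three the encrypted backups cannot be restored.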

Understand general security considerations

Understand the security risks. The most serious risk when you use Microsoft BitLocker Administration and Monitoring is that its functionality could be compromised by an unauthorized user who could then reconfigure BitLocker Drive Encryption and obtain BitLocker encryption key data from MBAM Clients. However, the loss of MBAM functionality for a short period of time, due to a denial-of-service attack, does not generally have a catastrophic impact, unlike, for example, losing e-mail or network communications, or power.

Physically secure your computers. There is no security without physical security. An attacker who gets physical access to an MBAM Server could potentially use it to attack the entire client base. All potential physical attacks must be considered high risk and mitigated appropriately. MBAM Servers should be stored in a secure server room with controlled access. Secure these computers when administrators are not physically present by having the operating system lock the computer, or by using a secured screen saver.

Apply the most recent security updates to all computers. Stay informed about new updates for Windows operating systems, SQL Server, and MBAM by subscribing to the Security Notification service at the Security TechCenter.

Use strong passwords or pass phrases. Always use strong passwords with 15 or more characters for all MBAM administrator accounts. Never use blank passwords. For more information about password concepts, see Password Policy.


See also

Other resources

Planning to Deploy MBAM 2.5