Remotely BitLocking

In a corporate IT environment is very common to use the BitLocker Drive Encryption technology to prevent data from being read in case of a stolen drive.

Remember that, if a unencrypted drive is stolen from a machine and connected to a foreign computer, most likely the attacker can get access to all the content of the drive regardless the fact that users logged with secure password.

The BDE techology encrypt the disk so it must first be decoded when connected to another machine before being able to read data from it.
Another feature of BDE is that you can lock it with a PIN that is asked to the user before Windows loads, so it acts as a sort of two-factor authentication. Strictly speaking, the two factors should not be two different things the user knows – in this case they are both passwords – but this is an additional security layer several companies like to add.

For IT Professionals it is a useful feature to be able to reset or change the PIN remotely.
Commonly it is thought that this must be done using a remote screen control, or some kind of remote execution tool, but in reality the BDE suite comes with a full set of command-line interfaces that have built-in remote capabilities.

In this specific case, changing the PIN remotely is simply as the following example:

C:\WINDOWS\system32>manage-bde -changepin c: -computername hostname

Where:

  • manage-bde -changepin
    is the main tool to command BDE, you can learn more at Manage-bde.exe Parameter Reference
  • c:
    is the drive letter you want to manage BDE of
  • -computername hostname
    the parameter indicating you want to operate on a remote machine which name is hostname

Result of this command will be

BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Computer Name: hostname

Type the new PIN: ******
Confirm the new PIN by typing it again:******

where you need to enter and re-enter the new PIN for confirmation and finally

Your PIN has been successfully updated.

It is worth noting, even if this is quite obvious,  that this command must be entered by an elevated command prompt where you have administrative permission to the remote machine.

Advertisements

Look for your address

For the most part of the websites I am owner of, I normally use Visual Studio to code and test locally, then I publish them to the FTP folder provided from my hosting company.

When I first set that publish up I was asked for the obvious few information needed to complete the process: the FTP address, username and password for login and the publish folder (as it is normal fro the hosting company to use shared resources for low-cost hoisting, they normally use a common FTP with the customers isolated through the use of folders normally named after the domain name).
After starting the publish procedure, I was reminded by Visual Studio that my credentials were transmitted insecurely over the net in plain text.

Of course this rang a warning bell in my head, so I cancel the procedure and thought for a while.
I realized during the setup process I was not asked what authentication method I wanted to use: I normally use FTP Secure protocol when available and, if not available, I think twice about commit myself to a company who is not offering it.

I doubled checked the Visual Studio configuration and I was more than surprised not finding any options for this; a search on Google also proved to be inconclusive.
Then I tried the simplest solution of all that, not surprisingly, worked properly: simply add the ftps: scheme name at the beginning of the address to let Visual Studio to automatically switch to secure connection.

So, to make the long story short, simply replace the connection string that will look like

ftp.yoursite.com/yoursite.com

with

ftps://ftp.yoursite.com/yoursite.com

and Visual Studio will automatically use TLS encryption to connect.
At the first publish attempt, the digital certificate is shown so you can validate the authenticity of the site and you have the option to remember that certificate as valid for that moment on.

At the end of the day I was a little surprised this option was not clearly shown in Visual Studio as it could fool a programmer not familiar enough with security or simply too distracted to notice the lack of it with the standard settings.