For a company offering IT hosting and development solutions for the largest enterprises in Europe, seamless and secure operation of the IT infrastructure is a top priority. IT Services Hungary chose the BitLocker functionality
of Windows 7 Enterprise when the company needed a cheaper and, from operational point of view, more efficient disk encryption tool for ensuring the privacy of its more than one thousand laptops, now managed by Microsoft BitLocker Administration and Monitoring.
As an IT service provider, ITSH must use modern technology and meet the highest security requirements, if it intends to remain a credible market player with customers, who also want only the best.
With such history, it was a great opportunity for ITSH that Windows 7 – chosen for deployment already – provides an integrated data encryption solution, BitLocker Drive Encryption, without additional costs. “BitLocker was not the only reason why we migrated
to Windows 7 Enterprise, but the encryption capability was yet another argument for not hesitating with the deployment. The issue of disk encryption had to be dealt with promptly, that is why we hastened the companywide OS upgrade”, describes the background
Zsolt Horváth, IT Manager of ITSH.
Naturally, BitLocker had to undergo pre-testing as well, and it became clear that it perfectly met ITSH’s needs. “We do not have extreme needs in this aspects – BitLocker knows exactly as much as we need, while it is less burdening to the resources of the
notebooks, and it has the huge benefit of not requiring a separate license fee”, goes on László Kovács, Architect at ITSH.
Managing the software is simple for users too. After turning on the computer, BitLocker asks for a six-digit PIN; if it is correct, the user can continue, log into the Windows domain, and use the PC just as usual.
Management is a Must
But during the larger-scale rollout of Windows 7 Enterprise and BitLocker, some additional management needs have been formulated which the tool did not offer any solution for. Parallel to the migration to Windows 7 Enterprise, administrative privileges of
users to their own computer have been revoked. However, the encryption tool only allows modifying the PIN used for the login with administrative rights (due to reasonable security aspects). This way, on the other hand, it was not possible to hand out the computers
with the default password set during the setup process, and assign users with changing the PIN: an administrator had to be present when handing over the machine to help the user to set the new password.
At this point, Windows 7 Enterprise and BitLocker were operating on approximately 200 computers. “It turned out that we are going to need a BitLocker management tool. We expected that users would be able to change the login PIN without administrative privileges,
and the system would automatically change the troubleshooting recovery password, a 48-character long number string”, lists Zsolt Horváth the requirements.
The professionals of ITSH tried several solutions, they even considered custom development. They found a free tool that enabled setting which programs can each users start with administrative privileges, but this was not at all sufficient.
Fortunately for ITSH, Microsoft just released the beta version of its new tool, Microsoft BitLocker Administration and Monitoring (MBAM). “We were so eager to find a solution that we immediately jumped on the product, in spite of the fact that it was only
a beta”, illustrates László Kovács how much they needed the tool.
The beta version was tested and evaluated on 20-30 isolated machines for months. “As we used a beta version, we knew that it would not be easy for us. Initial setup was cumbersome, documentation was incomplete, but the Hungarian Microsoft Consulting Services
(MCS) team helped to overcome all challenges. The Hungarian Microsoft team even managed to establish direct contact with the product development team, so we received answers for our requests and calls very quickly”, talks Péter Komáromi about the initial phases
of getting started with MBAM.
Also, it did not make things easy for ITSH’s professionals that they had unique needs regarding the solution. Normally, BitLocker stores recovery passwords in Active Directory, but it did not fulfill the needs of the IT service provider. The reason for this
is that the migration of ITSH’s Active Directory into the parent company’s infrastructure is still in progress, so the storing of recovery information had to be solved independently of the directory.
Due to all this, ITSH purchased Microsoft SQL Server Enterprise database solution (and Windows Server on the side) for storing recovery passwords and keys. The virtualized high availability server stores the keys in an encrypted database. As back-end databases
requires minimal storage, one server is perfectly enough: it would be able to serve as much as 10 thousand clients, while the current number of PCs in ITSH’s whole machine pool is around 3 thousand.
Despite all this, the experiences were so positive that the initial test environment was soon extended to more than one hundred computers, and the system kept operating flawlessly. ITSH’s professionals switched to the final version of the product when it
was released, and started to use it in production with all computers running Windows 7 Enterprise and BitLocker.
Benefits from Several Aspects
MBAM offered a solution for the most critical problem of ITSH’s operations team: the ability to change user PINs without administrative privileges, in line with the efforts of the company to promote user self-service as widely as possible.
“With this and other functionality, MBAM greatly simplified not only the work of users, but system administrators as well”, says Krisztián Rigó, project coordinator. Both the previously encrypted clients and those encrypted after the deployment can be managed
through simple processes. Recovery keys are stored and queried according to neatly controlled processes, in a centralized manner, independently of Active Directory. It not only enhances the security of the whole system and company data, but enables helpdesk
employees to help users who got into trouble due to issues related to incorrect PIN. In the meantime, similarly to every administrator intervention, this process is also logged by the system, making every action traceable and verifiable.
The unified management interface reduces time required for administration, while the use of roles increases companywide security, because all role members receive exactly as much privileges that is absolutely necessary for performing the given task. “The
combination of BitLocker and MBAM operates with extremely high reliability. Problems occur very rarely, and even they do, they can be solved easily, as we were easily able to integrate the entire system into the management processes, while technical support
is also much better than that of the previous tool”, says Péter Komáromi, project manager.
Advanced reporting functionality is a huge benefit of MBAM. The central interface allows for the creation of easily customizable reports, both for the operations personnel and the IT security team. With the queries and the reports, it is simple to gain insight
into the current and any previous state of the overall BitLocker infrastructure, or query any client computer’s status.
“The latter is extremely important for us. Some of our employees still require administrative access to their computers, and sometimes they disable BitLocker for various reasons. From our position, there is no possibility, neither any intention to prevent
this remotely – but we are immediately notified. We would also be informed of the last known state of BitLocker in a potentially lost computer, and whether or not the hard disk was encrypted”, mentions László Kovács another aspect.
It was also an important factor that MBAM was an excellent choice for ITSH from a financial point of view as well. The company has already licensed Microsoft Desktop Optimization Pack 2011 R2, so it was able to deploy MBAM without additional license fees.
Security or Convenience?
Beyond all this, ITSH’s professionals would be pleased to see certain other functions in MBAM, but some of them conflicts with the security aspects held desirable by Microsoft.
For example, there is not any solution so far for the issue that BitLocker sometimes starts in a so-called recovery mode when turning on the computer. In this case, even if the user enters the recovery key (which must be obtained from the helpdesk), the
computer will still start in recovery mode again the next time. The problem can only be solved by setting BitLocker into suspend mode – this, however, requires logging in with administrative privileges, which administrators are unable to perform in case of
“We would find a development desirable that would allow returning from recovery mode to standard operation with normal user permissions. There could be a button, for example, which the user would click on after entering the recovery password: the computer
would then restart and ask for only the normal PIN instead of the password”, mentions László Kovács a possibility.
These issues, however, are minor compared with the benefits of the combination of BitLocker and MBAM. The system now operates to the full satisfaction of ITSH’s professionals on the entire machine pool consisting of more than a thousand laptops. “It offers
cost-efficient end-to-end management capabilities for encryption, ensures legal compliance, while bringing the overall IT security health of the company to the next level”, summarizes the benefits of the solution IT Manager Zsolt Horváth.
“It offers cost-efficient end-to-end management capabilities for encryption, ensures legal compliance, while bringing the overall IT security health of the company to the next level”
Zsolt Horváth, IT Manager, ITSH
“BitLocker was not the only reason why we migrated to Windows 7 Enterprise, but the encryption capability was yet another argument for not hesitating with the deployment.”
Péter Boda, IT Security Manager, ITSH
“BitLocker knows exactly as much as we need, and it is less burdening to the resources of the notebooks.”
László Kovács, Architect at ITSH
“We expected the management tool to enable users to change the login PIN without administrative privileges, and the system would automatically change the troubleshooting recovery password.”
Zsolt Horváth, IT Manager, ITSH
“The Hungarian Microsoft team even managed to establish direct contact with the product development team, so we received answers for our requests and calls very quickly.”
Péter Komáromi, Project Manager
“MBAM greatly simplified not only the work of users, but system administrators as well.”
Krisztián Rigó, Project Coordinator
“The combination of BitLocker and MBAM operates with extremely high reliability. Problems occur very rarely, and even they do, they can be solved easily.”
Péter Komáromi, Project Manager