How to pull BitLocker information stored in AD into FIM?

  • Question

  • We have computers pulled into FIM from AD.

    In AD we also store the BitLocker recovery key.  We would like to store that information in FIM joined to its computer object.  If I only had one recovery key per computer, or I was only encrypting one hard drive, I could do this easily.  We have a PowerShell script which can pull each recovery key and associated TPM data for each computer, but most of the hard drives are encrypted, so easily half of the computer objects have more than one key.

    I'm struggling with coming up with a way to join different keys to one object.

    Any ideas?  And no, we cannot use MBAM.  We have a mixed environment of Vista and Win7.  MBAM only works for Windows 7 computers.


    • Edited by gdtilghman Thursday, July 19, 2012 6:04 PM
    Thursday, July 19, 2012 6:04 PM

Answers

  • IIRC BitLocker keys are stored as a different object type as a child of the computer. With that in mind, you're going to need to bring them in as a different metaverse object type.

    What is the end goal here? What do you want to do with the info? How do you want to display it?


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    • Marked as answer by gdtilghman Tuesday, July 31, 2012 3:01 PM
    Friday, July 20, 2012 2:37 PM
    Moderator
  • IIRC BitLocker keys are stored as a different object type as a child of the computer. With that in mind, you're going to need to bring them in as a different metaverse object type.

    You're back to this point from Brian now ... you will need to create a new FIM (portal and metaverse) resource type ms-fve-recoveryinformation, and with any luck you should be able to import/derive a multi-value reference property of computer to map a reference to each of these child objects.  This should give you the ability to write the FIM policy you need to manage these objects as child references of computer.  With any luck you should only need to use direct flow rules, but you may run into problems with limitations of the AD MA.  If you do run into limitations, you may find it useful to use the FIM Replay MA idea (as applied to the AD MA as opposed to the FIM MA) to define advanced flow rules on AD attributes.

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using Event Broker 3.0 for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    • Marked as answer by gdtilghman Tuesday, July 31, 2012 3:00 PM
    Saturday, July 21, 2012 1:52 PM

All replies

  • I've never used BitLocker.  How and where in AD is the information stored?  Is it in a multivalue string attribute?  If so you should be able to flow it into a multivalue attribute in the metaverse.

    If you are pulling the data via PowerShell script, it seems like you could either generate an import file with multiple values separated by some kind of delimiter and have a rule extension parse it out and populate a metaverse attribute, or you could define an anchor value of something other than just the DN or GUID of the computer object (perhaps a combination of attributes).  You will get into trouble if you have multiple connectors trying to flow into the same metaverse attribute for the same metaverse object.

    Chris

    Friday, July 20, 2012 1:22 PM
  • We've figured out how to pull the information into a .csv with the computer name associated using a Quest PowerShell script.  I'm going to try Chris' suggestion and create a multivalue attribute bound to the computer object.  I will pull each password ID and recovery key and concatenate them joined by the computer name.  We'll see if that works out.

    Brian, you're correct of course, but the issue was that until we had this PowerShell script, there was no way for me to find the association between the BitLocker objects in AD and the computer they belonged to.  So, pulling it as a separate object was out of the question unless I knew the context.

    Our end goal here is to be able to keep the recovery keys for historical, archival information due to security requirements, but be able to remove computers from AD as needed when they are off the network and no longer used.  We had been keeping them in AD and disabled just for the BitLocker information.

    Thanks for the suggestions guys and keep it up!  We might find something more useful or a smarter way to do it.

    Friday, July 20, 2012 2:51 PM
  • The parent of the object is always going to be the computer, so, you can grab the second component of the DN and you have the computer.

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Friday, July 20, 2012 2:53 PM
    Moderator
  • They are hidden objects under the computer.

    Maybe you can explain how FIM can see them at all?

    Friday, July 20, 2012 3:12 PM
  • I can pull the info, the only problem is that the export has one line for each unique key.

    FIM complains of a duplicate object.  I was hoping to pull in each separate instance of the keys into the one object on a multivalue attribute.

    Maybe I can change the output file on the script to put each object's multiple keys on one line...

    Friday, July 20, 2012 4:37 PM
  • I've exposed the FIM AD to the ms-fve-recoveryinformation object....Now I'm having issues connecting the dots.
    Friday, July 20, 2012 5:11 PM
  • I've exposed the FIM AD to the ms-fve-recoveryinformation object....Now I'm having issues connecting the dots.

    Can you elaborate a bit on what you're struggling with?

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Friday, July 20, 2012 5:20 PM
    Moderator
  • OK...I have created the new object in the Metaverse and FIM to hold the data.

    The key portion here is msFVE-RecoveryPassword and the <dn> of the object.

    The DN contains two pieces I need to make this whole thing come together.

    Looks like this:  CN=2012-03-14T17:28:43-06:00{X36X7X07-088X-4XXX-X32X-118X578X2X50},CN=SERVERNAME,OU=BitLocker,OU=Standard Servers,OU=SERVERCONTAINER,DC=DOMAIN,DC=NAME,DC=net

    How do I flow parts of this codelessly (if at all possible) to PasswordID (new attribute under new object), where the data is between {}, and to Display Name for the new object, which will be Servername?  And how do I handle display names not being unique, since some servers can have more than one BitLocker key active?

    Monday, July 23, 2012 8:58 PM
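The DN parsing asked about in the post above, together with the one-row-per-computer import file discussed earlier in the thread (Chris's delimiter suggestion and the "duplicate object" problem), as an added PowerShell example. This is not code from the thread or from any poster; the function names, the delimiter choice and the sample objects are assumptions made for the example. The sample DNs, GUIDs and recovery passwords are constructed and fake; the `Get-ADObject` call in the comment is the real cmdlet from the ActiveDirectory module, but the search base is a placeholder and the caller needs read access to the msFVE-RecoveryInformation objects, which is restricted by default.

```powershell
# Added example, not code from the thread. Parses msFVE-RecoveryInformation
# DNs, derives the password ID and owning computer from the DN alone, and
# produces either one row per key (a separate metaverse object with a unique
# display name) or one row per computer (a multi-value attribute joined by a
# delimiter). Function names and sample data are assumptions for the example.

function ConvertFrom-FveRecoveryDN {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    # First RDN is CN=<ISO timestamp>{<password ID GUID>}; the second RDN is the
    # computer the object hangs under. The parent of a recovery object is always
    # the computer, so no extra lookup is needed to make the association.
    $pattern = '^CN=(?<stamp>[^{,]+)\{(?<pid>[0-9A-Fa-f-]{36})\},CN=(?<computer>[^,]+),'
    if (-not ($DistinguishedName -match $pattern)) {
        throw "Not an msFVE-RecoveryInformation DN: $DistinguishedName"
    }
    [pscustomobject]@{
        Computer   = $Matches['computer']
        PasswordId = $Matches['pid'].ToUpperInvariant()
        Created    = [datetimeoffset]::Parse($Matches['stamp'])
    }
}

# One object per key: what a separate recovery-information resource type would
# import. DisplayName is made unique with the password ID, and Computer is the
# value to flow into the reference attribute back to the computer object.
function ConvertTo-FveKeyRows {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][object]$RecoveryObject)
    process {
        $parsed = ConvertFrom-FveRecoveryDN -DistinguishedName $RecoveryObject.DistinguishedName
        [pscustomobject]@{
            Computer    = $parsed.Computer
            PasswordId  = $parsed.PasswordId
            Created     = $parsed.Created
            DisplayName = '{0} ({1})' -f $parsed.Computer, $parsed.PasswordId
            RecoveryKey = $RecoveryObject.'msFVE-RecoveryPassword'
        }
    }
}

# One row per computer: what a multi-value attribute on the computer object
# would import, so the AD computer stays the only anchor and FIM sees no
# duplicates. '|' is safe as a delimiter because neither GUIDs nor the 48-digit
# recovery passwords can contain it; a rules extension can split on it.
function ConvertTo-FveComputerRows {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][object[]]$RecoveryObject,
        [string]$Delimiter = '|'
    )
    $RecoveryObject | ConvertTo-FveKeyRows | Group-Object -Property Computer | ForEach-Object {
        $keys = @($_.Group | Sort-Object -Property Created)   # oldest key first
        [pscustomobject]@{
            Computer     = $_.Name
            KeyCount     = $keys.Count
            PasswordIds  = @($keys | ForEach-Object { $_.PasswordId })  -join $Delimiter
            RecoveryKeys = @($keys | ForEach-Object { $_.RecoveryKey }) -join $Delimiter
        }
    }
}

# Constructed sample standing in for Get-ADObject output (GUIDs and recovery
# passwords are fake). In production replace with, for example:
#   Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
#       -SearchBase 'DC=DOMAIN,DC=NAME,DC=net' -Properties 'msFVE-RecoveryPassword'
$sample = @(
    [pscustomobject]@{
        DistinguishedName        = 'CN=2012-03-14T17:28:43-06:00{3a6b7c07-0881-4d2e-a32f-118c578e2b50},CN=SERVER01,OU=BitLocker,OU=Standard Servers,OU=SERVERCONTAINER,DC=DOMAIN,DC=NAME,DC=net'
        'msFVE-RecoveryPassword' = '123456-234567-345678-456789-567890-678901-789012-890123'
    }
    [pscustomobject]@{
        DistinguishedName        = 'CN=2012-05-02T09:10:11-06:00{9f1e2d3c-4b5a-4697-8877-665544332211},CN=SERVER01,OU=BitLocker,OU=Standard Servers,OU=SERVERCONTAINER,DC=DOMAIN,DC=NAME,DC=net'
        'msFVE-RecoveryPassword' = '222222-333333-444444-555555-666666-777777-888888-999999'
    }
    [pscustomobject]@{
        DistinguishedName        = 'CN=2012-01-20T12:00:00-06:00{0a0b0c0d-1e1f-4a2b-9c3d-4e5f60718293},CN=SERVER02,OU=BitLocker,OU=Standard Servers,OU=SERVERCONTAINER,DC=DOMAIN,DC=NAME,DC=net'
        'msFVE-RecoveryPassword' = '333333-444444-555555-666666-777777-888888-999999-000000'
    }
)

# Route A: one object per key (separate resource type, Computer becomes a reference).
$sample | ConvertTo-FveKeyRows | Format-Table Computer, PasswordId, DisplayName -AutoSize

# Route B: one row per computer (multi-value attribute, delimiter split in a rules extension).
ConvertTo-FveComputerRows -RecoveryObject $sample |
    Export-Csv -Path .\bitlocker-by-computer.csv -NoTypeInformation -Encoding UTF8
```

Two caveats a practitioner would want before running either route for real. The export file contains live recovery passwords, so it should be written to a protected location, ACL'd to the sync service account, and deleted once the import run completes; after that, whoever can read the metaverse or the portal resource type can unlock the disks, so those permissions need the same scrutiny as the AD rights on the original objects. And because the recovery objects are children of the computer object, deleting the computer from AD removes them too; the AD MA will then report the recovery objects as deleted on the next import, so the FIM deprovisioning policy for the new resource type has to keep the metaverse object when its connector disappears, or the archival goal is lost at the exact moment it matters.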
  • No suggestions on that last question?  When I get this all together, I'm going to show screenshots of how this is useful.
    Wednesday, July 25, 2012 4:38 AM
  • I don't see any obvious way to do this in a codeless manner....

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Wednesday, July 25, 2012 6:05 PM
    Moderator
  • So....does anyone have a similar code example for a metaverse rules extension on the flow that I can use to strip the relevant data out and flow to new attributes?
    Thursday, July 26, 2012 6:07 PM
  • Personally I'd write a simple little ECMA to pull out just the bits I wanted from AD as an LDIF-style input that could join directly to the computer object.  e.g.:

    dn: cn=computer,dc=foo,dc=bar
    blkey: some-key-data
    blkey: other-key-data

    However what I'm quite interested to know is how this would actually be useful... what's the business value?

    Thursday, July 26, 2012 8:12 PM
  • Historical audit info per security on BitLocker keys for computers containing or possibly containing PII.
    Wednesday, December 5, 2012 3:36 PM