
I'm implementing Bitlocker on windows 10 laptops without TPMs. Some people are saying Bitlocker stores keys in AD in cleartext by default - is this true?

Davtho1983

2 Answers


https://technet.microsoft.com/en-us/library/cc766200(v=ws.10).aspx#BKMK_ADRecovery

Yes it's true! Bitlocker stores keys in AD in cleartext :(

Davtho1983
  • Before you panic: `but the entries have access control lists (ACLs) that limit access to only domain administrators` – Remko Apr 05 '17 at 19:46
    Yeah that's not great. ACLs are not the same level of security as encryption! It's not good enough for a global network imho – Davtho1983 Apr 06 '17 at 21:08

Yes, it's true. But as mentioned, you can mitigate by auditing ACL access. "Find-AdmPwdExtendedRights", installed with the LAPS toolkit, will tell you the holders of permissions to read such plaintext keys.

Jessica Payne from the Microsoft Enterprise Cybersecurity Group thinks plaintext key storage in AD (LAPS / BitLocker) is a non-issue with proper ACLs in most environments.

https://blogs.technet.microsoft.com/askpfeplat/2015/12/28/local-administrator-password-solution-laps-implementation-hints-and-security-nerd-commentary-including-mini-threat-model/

lewe
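An added example, not code from either answer, from Microsoft or from the LAPS toolkit: a PowerShell script that lists every principal able to read the escrowed recovery passwords, by walking the ACL of each msFVE-RecoveryInformation object (the child object under a computer account whose msFVE-RecoveryPassword attribute holds the 48-digit recovery password) instead of going through the LAPS cmdlet. The list of "expected" principals and the output path are assumptions to adjust for your own domain; it needs the RSAT ActiveDirectory module and rights to read the objects' security descriptors.

```powershell
# Added example (not from the original answers): audit who can read BitLocker
# recovery passwords escrowed in AD. Requires the RSAT ActiveDirectory module
# and read access to the msFVE-RecoveryInformation objects' ACLs.
Import-Module ActiveDirectory

# Principals expected to hold read access. Assumption: adjust for your domain,
# e.g. add a dedicated helpdesk group that is allowed to recover laptops.
$domain   = (Get-ADDomain).NetBIOSName
$expected = @("$domain\Domain Admins", "$domain\Enterprise Admins",
              'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# schemaIDGUID of the attribute that actually holds the password, so that
# property-scoped ACEs can be matched. ACEs granted via a property set
# (attributeSecurityGUID) are not resolved here and are reported as "other
# attribute"; look at those by hand.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$pwdAttr  = Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryPassword)' `
                -Properties schemaIDGUID
$pwdGuid  = [guid]$pwdAttr.schemaIDGUID
$allProps = [guid]::Empty   # ObjectType of an ACE that covers every attribute

$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$readMask = $rights::ReadProperty -bor $rights::GenericRead -bor $rights::GenericAll

# One msFVE-RecoveryInformation object exists per protected volume, under the
# computer account it belongs to.
$recoveryObjects = Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)'

$findings = foreach ($obj in $recoveryObjects) {
    # Get-Acl on the AD: drive returns the full DACL, inherited ACEs included,
    # so rights delegated on a parent OU or on the computer object show up too.
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $readMask) -eq 0) { continue }
        # A ReadProperty ACE scoped to some other attribute does not expose the
        # password; only "all properties" or the msFVE-RecoveryPassword GUID do.
        if ($ace.ObjectType -ne $allProps -and $ace.ObjectType -ne $pwdGuid) { continue }

        $who = $ace.IdentityReference.Value   # falls back to the raw SID if unresolvable
        [pscustomobject]@{
            Computer   = ($obj.DistinguishedName -split ',', 2)[1]   # parent computer DN
            Principal  = $who
            Rights     = $ace.ActiveDirectoryRights
            Inherited  = $ace.IsInherited
            Unexpected = ($expected -notcontains $who)
        }
    }
}

$findings | Sort-Object Computer, Principal -Unique | Format-Table -AutoSize

# Every principal flagged Unexpected can pull the recovery password for that
# machine, which is as good as having the plaintext of the disk. Assumption:
# output path for the review list.
$findings | Where-Object Unexpected |
    Export-Csv -NoTypeInformation -Path .\bitlocker-key-readers.csv
```

Run it as an account that can read the recovery objects (by default that is a domain admin). The point of the check is the inherited ACEs: a "Full control" delegation on an OU that someone granted to a helpdesk or deployment group years ago flows down to every msFVE-RecoveryInformation object under it, so the set of people who can read the keys is often larger than the Domain Admins group the TechNet article talks about.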