Meeting the InCommon Assurance profile criteria using Active Directory

["Michael W. Brogan" <>]

If I’m not mistaken, syskey is on by default and I don’t think you can turn it off. All you configure with syskey utility is where you want the decryption key stored: locally on disk, on removable media, or in an admin’s head. The default is to store on local disk.

 

--Michael

 

From: [mailto:] On Behalf Of Rank, Mark
Sent: Friday, June 07, 2013 1:24 PM
To:
Subject: [AD-Assurance] RE: BitLocker operational issues

 

 

sorry ... poor choice of wording... guess what i was getting at was would it make sense to just pursue an AM for Microsoft's proprietary encryption to just eliminate the need for Bitlocker or syskey.

 

mark

 

 

--------------------------------------------------

Mark Rank
Project Manager - Identity & Access Mgt

UCSF Information Technology Services (ITS)
email:

phn:414-331-1476

--------------------------------------------------

---

From: [] on behalf of Ron Thielen []
Sent: Friday, June 07, 2013 1:20 PM
To:
Subject: [AD-Assurance] RE: BitLocker operational issues

We didn’t rule out AM.  We said that if BitLocker can be used, then you don’t need AM.  If it can’t be used, then you need AM.

 

Ron

 

From: [] On Behalf Of Rank, Mark
Sent: Friday, June 07, 2013 3:16 PM
To:
Subject: [AD-Assurance] RE: BitLocker operational issues

 

 

Why again did we rule out an alternate means for Microsoft's own proprietary encryption for the credential store?

 

Just curious.

Mark

 

 

--------------------------------------------------

Mark Rank
Project Manager - Identity & Access Mgt

UCSF Information Technology Services (ITS)
email:

phn:414-331-1476

--------------------------------------------------

---

From: [] on behalf of Ron Thielen []
Sent: Friday, June 07, 2013 11:59 AM
To:
Subject: [AD-Assurance] BitLocker operational issues

I raised the question about BitLocker operational issues, because something was  nagging at the back of my mind.  I asked the Windows admins and they pointed me in the right direction.

 

It turns out that there is a significant issue that may affect some institutions.  BitLocker is not supported in virtual environments by either Microsoft or VMware.  We run some of our domain controllers on VMware VMs, so this is certainly an issue for us.

http://technet.microsoft.com/en-us/library/hh831507.aspx#BKMK_VHD

and

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2036142

 

I guess we have to decide whether to move our VMs to physical hardware and lose the advantages that virtualization provides or submit an alternative means statement for RC4.

 

Ron