Microsoft Windows: BitLocker-protected removable drives recovery (require AD)

2018-06-26T00:00:00
ID OPENVAS:1361412562310109417
Type openvas
Reporter Copyright (c) 2018 Greenbone Networks GmbH
Modified 2019-12-16T00:00:00

Description

This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.

                                            # Copyright (C) 2018 Greenbone Networks GmbH
#
# Text descriptions excerpted from a referenced source are
# Copyright (C) of the respective author(s)
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

if(description)
{
  # Registration phase: when the scanner loads the script with 'description'
  # set, only the metadata below is read and the script exits before the
  # actual registry check further down runs.
  script_oid("1.3.6.1.4.1.25623.1.0.109417");
  script_version("2019-12-16T11:36:02+0000");
  script_tag(name:"last_modification", value:"2019-12-16 11:36:02 +0000 (Mon, 16 Dec 2019)");
  script_tag(name:"creation_date", value:"2018-06-26 12:01:12 +0200 (Tue, 26 Jun 2018)");
  # Compliance/policy checks carry no vulnerability severity of their own;
  # the zero score and vector are placeholders, not a risk rating.
  script_tag(name:"cvss_base", value:"0.0");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:H/Au:S/C:N/I:N/A:N");
  # Quality of detection; presumably high because the result comes from a
  # direct registry read (see policy_match_exact_reg_dword below) -- confirm.
  script_tag(name:"qod", value:"97");

  script_name("Microsoft Windows: BitLocker-protected removable drives recovery (require AD)");

  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (c) 2018 Greenbone Networks GmbH");
  script_family("Policy");
  # Needs the registry/service-pack discovery results, and is only scheduled
  # when the compliance launch key has been set by the scan configuration.
  script_dependencies("smb_reg_service_pack.nasl");
  script_mandatory_keys("Compliance/Launch");

  # The expected DWORD for RDVRequireActiveDirectoryBackup, chosen per scan
  # config: 0 or 1. It is read back via script_get_preference("Value") and
  # used as the compliance target in the check below.
  script_add_preference(name:"Value", type:"radio", value:"0;1");

  script_xref(name:"URL", value:"https://www.microsoft.com/en-us/download/confirmation.aspx?id=25250");

  # Summary text is excerpted from Microsoft's policy description.
  # NOTE(review): the closing note refers to the 'fixed data drives' check box
  # although this script covers the removable data drives policy; verify
  # against the referenced Microsoft source before changing the excerpt.
  script_tag(name:"summary", value:"This policy setting allows you to control how BitLocker-protected
removable data drives are recovered in the absence of the required credentials. This policy setting
is applied when you turn on BitLocker.

In 'Save BitLocker recovery information to Active Directory Domain Services' choose which BitLocker
recovery information to store in AD DS for removable data drives. If you select 'Backup recovery
password and key package', both the BitLocker recovery password and key package are stored in AD DS.
If you select 'Backup recovery password only' only the recovery password is stored in AD DS.

Select the 'Do not enable BitLocker until recovery information is stored in AD DS for removable data
drives' check box if you want to prevent users from enabling BitLocker unless the computer is
connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note: If the 'Do not enable BitLocker until recovery information is stored in AD DS for fixed data
drives' check box is selected, a recovery password is automatically generated.

(C) Microsoft Corporation 2015.");

  exit(0);
}

include("smb_nt.inc");
include("policy_functions.inc");
include("host_details.inc");
include("version_func.inc");

# Expected value of the policy DWORD, selected per scan config ("Value"
# preference, 0 or 1). It is both the compliance target and what gets
# reported as the expected setting.
default = script_get_preference("Value");

# Where the setting lives: the Group Policy UI path used in the fix text,
# and the registry location (hive, key and value name) that is actually read.
title = "Choose how BitLocker-protected removable drives can be recovered";
solution = "Set following UI path accordingly:
Windows Components/BitLocker Drive Encryption/Removable Data Drives/" + title;
type = "HKLM";
key = "Software\Policies\Microsoft\FVE";
item = "RDVRequireActiveDirectoryBackup";
# Double-quoted NASL strings are raw, so "\" is a single backslash.
reg_path = string(type, "\", key, "!", item);
test_type = "RegKey";

# The policy exists from Windows 7 (NT 6.1) onwards; older hosts get a
# "wrong OS" result instead of a registry comparison.
target_os = "Microsoft Windows 7 or later";
win_min_ver = "6.1";

# Only the "require AD DS backup before enabling BitLocker" flag is compared
# here. Whether the recovery information is in fact being backed up to AD DS
# is not established by this check -- the companion "save to AD DS" setting
# is not inspected. How an absent value is treated is decided inside
# policy_match_exact_reg_dword (presumably non-compliant; confirm there).
if(policy_verify_win_ver(min_ver:win_min_ver)) {
  check = policy_match_exact_reg_dword(key:key, item:item, type:type, default:default);
} else {
  check = policy_report_wrong_os(target_os:target_os);
}

# Report the outcome and store it in the KB for the policy summary.
policy_reporting(result:check["value"], default:default, compliant:check["compliant"],
  fixtext:solution, type:test_type, test:reg_path, info:check["comment"]);
policy_set_kbs(type:test_type, cmd:reg_path, default:default, solution:solution, title:title,
  value:check["value"], compliant:check["compliant"]);

exit(0);