Free VMware Encryption – Bitlocker

You have a requirement for Full Disk Encryption, but have no Budget (like with all other IT related items)
Its free and Easy.
This is assuming your system is standalone and you have full control of the vCenter Server, cluster, and storage. Also assumes you know what your doing and take responsibilities for your own actions.
Some changes would need to be made if integration of AD.

  1. Set Encryption settings and policies
      • Run gpedit.msc
      • Click on Computer Configuration –> click Administrative Templates –> click Windows Components –> click on Bitlocker Drive Encryption.
      • Modify “Choose drive encryption method and cipher strength” and set it to Enabled, AEC 256-bit (Do the same for the Vista, 2008, 7 & 2008R2 entry if using older version)
      • Click OK to save
      • Click on Operating System Drives
      • Modify “Require Additional Authentication at Startup”
        • Set to Enable:
        • Allow BitLocker without compatible TPM (requires…….)
        • Leave the rest at defaults
        • Click OK
      • Modify “Choose How BitLocker-protected operating system drives can be recovered
        • Allow data recovery agent
        • Omit recovery options from BitLocker setup wizard (everything should be done command line anyway)
        • Save BitLocker recovery information to AD DS for Operating system drives
        • Do not enable BitLocker until recovery information is stored in AD DS for Operating system drives
      • Navigate Back to BitLocker Drive Encryption –> Fixed Data Drives
      • Modify “Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
        • Enable
        • Leave checkbox unchecked for “Do not install BitLocker…”
        • Click OK
      • Modify “Configure use of passwords for fixed data drives”
        • Enable
        • Click OK
      • Modify “Choose how BitLocker-protected fixed drives can be recovered
        • Enable
        • Check “Allow data recovery agent”
        • Check “Omit recovery options from the BitLocker setup wizard”
        • Check “Do not install BitLocker…”
        • Click OK
      • Close gpedit.msc
  2. Create Virtual Floppy drive in Vmware
    • Connect to vSphere web server (using the old Flash one as of 6.5 works, the HTML5 doesn’t have the floppy options)
    • Shutdown the VM
    • Add a Floppy drive to the VM, Creating a New Image and saving it on your data-store (somewhere you feel safe storing the keys) MAKE SURE YOU HAVE IT SET TO CONNECT AT POWER ON.
    • Set the VM to go into the BIOS at next power on
    • Power on the VM, it should go into the BIOS config automatically
    • Change the Boot Order to Hard Disk First (move the Removable media below the hard drive)
    • Save and exit the BIOS and let windows boot normally.
    • Once in Windows you will need to “Format” the A: Drive, you can just right click on it, select Format, and accept the default values.
  3. Enable the Encryption
    • Login to Windows with admin account
    • Open Command prompt with Elevated Administrative rights
    • The Following command will Create the keys and instruct Windows to save the Key to the A: drive, and Display the Recovery password to you.
      • manage-bde.exe –on C: -rp –sk A:
    • If your hard disk is Thin Provisioned and not Think Provisioned, you will need to use this command
      • Option:manage-bde.exe –on C: -used -rp –sk A:
    • TAKE NOTE OF THE RECOVERY PASSWORD YOU RECEIVE ON SCREEN AFTER RUNNING THE ABOVE COMMAND. You will need this if your Floppy image ever gets lost/corrupted/etc.
    • You will need to reboot windows to get the initial Test completed so it can start encrypting your Disks.
    • Windows should boot up normally.  Log into windows
    • Windows will automatically start the encryption process after a minuet or so. Run this command to Monitor its progress.
      • manage-bde -status
    • You should see the Percentage increase as it goes.  Also Verify you see External Key & Numerical Password under the “Key Protectors”
    • That’s it. Just keep that Recovery key handy, you will need it one day.  Two Different Locked Draws at Two different buildings is best.
  4. Enable Encryption for Secondary hard drives.
    • If your C drive is already encrypted, this process is fairly smooth. This Example the Second drive is letter “E”
    • Login to Windows, Verify the C drive is 100% encrypted
      • manage-bde -status
    • The Following command will Create the keys and instruct Windows to save the Key, and Display the Recovery password to you, as well as start the Encryption Process.
      • manage-bde.exe –on E: -rp
      • If you have Thin provisioned hard drive
      • manage-bde.exe –on E: -used -rp
    • TAKE NOTE OF THE RECOVERY PASSWORD YOU RECEIVE ON SCREEN AFTER RUNNING THE ABOVE COMMAND. You will need this if your key ever gets lost/corrupted/etc.
    • Then you need to set it to Auto unlock so you don’t have to manually enter that password
      • manage-bde.exe -autounlock E: -enable
    • This will create an ‘External Key’ that is stored on your C drive (which is encrypted) that is used to decrypt the drive when the server boots.
    • Monitor the progress
      • manage-bde -status
    • It should go to 100% Encrypted.
    • Verify you see External Key & Numerical Password under the “Key Protectors”
    • Also Verify Automatic Unlock shows Enabled.
  5. Keep Those Floppy Images safe.  One way would be to put them on a ‘nas’ that has a NFS share, only accessible from the IP(s) of the ESXi servers.  The NAS is located in a different area of your building, and then is backed up/snapshots & replicated to another Building

Power Shell Get Members from AD Group

Get Members’ names from Active Directory Group (you need the ActiveDirectory Module added to your powershell if not doing it from a DC.

Get-AdGroupMember -identity "Group Name" | select name

If you want to dump it to a CSV, you can add this to the end of the above command

| Export-csv -path C:\Output\Groupmembers.csv -NoTypeInformation

Exchange log Clear (Fake Backup)

Open Command Prompt as Administrator

Diskshadow
Add volume d: (optional, add one line for each additional drive to include) 
Begin Backup
Create
End Backup

At this step you should notice the following events in the application log indicating that the backup was indeed successful and logs will now be deleted.

Allow Anonymous Relay on a Receive Connector

Create a new Receive Connector, name it “Anonymous Relay”
Set Permission Groups tab; to ONLY Exchange Servers
Set Authentication tab; to do TLS and Externally Secured Only

Then Run this in Power shell.

Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Exporting PST’s from Exchange 2010

##First you need to grant your self permissions one time

New-ManagementRoleAssignment -Role "Mailbox Import Export" -user cswadmin

Exit Exchange Shell and Enter again

Setup UNC Share, and set the Exchnage server Computer account to have access to the Share&Folder

##Now Run this command for each user’s Mailbox.

New-MailboxExportRequest -Mailbox useralias -FilePath \\server\ExchangeMailboxes\user.pst

#### TO check on the STATUS

Get-MailboxExportRequest | get-mailboxexportrequeststatistics

######WHen they are COmpleted, and you want to CLear them from the History, run this

Get-MailboxExportRequest | where {$_.status -eq "Completed"} | Remove-MailboxExportRequest

How to send as/from a distribution group with Exchange 2010

To grant a user the permission to send from a distribution group you will need to open Active Directory with the view set to “Advanced” then open the properties of the Distribution group you wish to modify, and select the “Security” tab. Click the “Add…” tab to add the users who will be sending as the group.
Once you’ve added the users, check mark Allow for “Send as” under “Permissions for SELF” make sure to uncheck all other permissions.
Remember to allow time for the changes to replicate, and send a test message to you to confirm the changes took effect.