Review: Specops Key Recovery

Mobile device use continues to grow, while an increasingly mobile and remote workforce depends heavily on laptops. To secure those devices, organizations need to implement client-side security controls.

One of the more pressing risks linked to the use of mobile devices is the possibility of device loss or theft. If a device is lost, sensitive data (e.g., documents, account passwords) might get extracted and exposed.

One solution for this problem is full disk encryption, and one of the most popular systems is Microsoft BitLocker, which is part of every Windows 10 installation.

What happens when one of your users forgets their full disk encryption passphrase, or if this hasn’t been set up, simply plugs in new hardware that triggers a BitLocker Recovery Mode? If your organization uses Microsoft Active Directory and has set up the environment to store the recovery keys in AD, a system administrator can restore that machine.

Of course, the user will still need to contact their organization’s helpdesk, which will need to verify their identity in order to share the recovery key. Common problems with this scenario are issues with verifying the identity of the user and increased workload for the system administrators/helpdesk personnel.

Introducing Specops Key Recovery

Specops Software realized these problems and offers an interesting solution: Specops Key Recovery, a self-service tool for recovering BitLocker recovery keys.

Instead of contacting the helpdesk, which needs a way to verify the identity of a person over the phone (a hard problem to solve with high confidence given the lack of physical presence), Specops Key Recovery offers a cloud centric self-service portal.

An infographic from Specops illustrates the concept:

The user’s perspective (enrollment)

The user enrolls or can be pre-enrolled into the service. Pre-enrollment is achieved when an administrator selects identity services that leverage existing Active Directory details. When a user is pre-enrolled this means that he/she does not have to enroll but rather when a lock out occurs can utilize the system to authenticate identity and retrieve a recovery key.

However, it’s best practice to extend additional identity services to users to minimize failure for example if an identity service is unavailable. Enrollment will require the user to successfully login and enroll with any combination of identity services extended to them by their system admin. The solution supports a number of identity services that can serve as multi-factor authentication options, depending on the authentication policy set by the administrator. These include:

a. SMS (mobile code)
b. Windows Identity
c. Authenticators: Google, Microsoft, Specops
d. Service logins: Google, Facebook, LinkedIn, Live, Tumblr, Twitter
e. Other: Specops Fingerprint, Secret questions, Manager Identification

Administrators can vary the enrollment policy from the authentication policy to ensure that users have additional options when authenticating. Each service can be assigned a security weight reflected by stars. This depicts the security assurance level assigned to each service for example the screenshot below depicts Mobile Code as having a weight of two stars versus Security Questions which has a weight of one. Weights ensure that users are provided with options but that the alternatives are not sacrificing security as the required authentication weight will still have to be satisfied.

This screenshot of the administration interface illustrates the choices/flexibility:

The user’s perspective (use)

In the event of an encryption lock out, users are greeted with the infamous BitLocker Recovery screen:

Specops Key Recovery makes it possible for the user to visit a self-service portal via another device (e.g., a mobile phone) and verify their identity using a number of authentication factors provided by the previously enrolled identity services.

After proving their identity, they can enter the first 8 characters from the recovery key ID, press “Continue” and get the Bitlocker recovery key:

So, in a nutshell: enrolled users can recover access to their machine without having to ask the helpdesk for assistance. This is a cost savings but at the same time does not sacrifice security as users have to verify their identity before recovering access. This is what Specops Key Recovery does very well.

The sysadmin’s perspective (installation, setup, management)

To operate Specops Key Recovery, a sysadmin needs to set up multiple elements:

1. Register an account on the Specops cloud service.
2. Install the Specops Authentication Gatekeeper Administration tool on their Domain Controller (DC).
3. Set up the group policy to store the recovery passwords and key packages in the Active Directory Domain Services (AD DS).
4. Configure the service according to their required policies.

We particularly liked the fact that during account registration Specops Key Recovery insists on enabling 2-factor authentication (2FA). It’s SMS-based 2FA, but that’s still better than no 2FA, and you can swap it with something else later on. It’s also great that the system checks for common blacklisted passwords, adds a reCAPTCHA to curb automated attacks (which can be enforced or disabled), and has a default level logging and reports.

The cloud user management component is the solutions service desk. It allows the IT helpdesk to verify users’ identities using the same MFA factors they enrolled with before performing sensitive tasks such as recovering keys or resetting passwords. The interface also presents helpdesk users with details such as enrollment and authentication information. For example:

From the AD-tooling side of things, installation is straightforward and the documentation covers the entire process in enough detail that any junior system administrator could set the system up.

If we really wanted to nitpick, we could suggest that the documentation or the tool itself could help admins set up the group policy to store the recovery passwords and key packages in the AD DS.

Final verdict

If you have a large, distributed and remote workforce, you will benefit from the increased security and convenience offered by the solution.

Although we only illustrated the key recovery option, the Specops Authentication platform also offers additional account management features like password reset, change, and account unlocking – all utilizing the same multi-factor authentication engine. One important feature that stands out for those with a global workforce is geo-blocking, which may prove to be helpful in a number of situations.

From a diagnostics standpoint, it’s easy enough to see if your Gatekeeper software is working on the DC, and the variety of supported identity services provides enough freedom/ flexibility for anyone to specify which service or method they trust and how much.

Customers will appreciate the fact that the web interface can be customized and the self-service portal can be integrated with the specific visual style of an organization.

By default, the application logs privileged events like key recovery to Windows events. Reporting is also available through a dashboard, where one can search for specific events. One thing I would love to see is the actual information about user logins to the cloud service in the event logs.

Specops Key Recovery helps system administrators and users: it removes complexity and successfully solves a common problem.