BitLocker PIN Service

This is a tool for anyone who needs to let users control the boot PIN of their computer without making them administrators. The boot PIN cannot be set without local administrator rights on the system, yet it is something your users need to know and be in control of. To work around this there is a tool floating around the net called the BitLocker PIN Tool. It uses a console window to have the user enter a PIN. While this works well for people with moderate to high computer knowledge, some users struggle with it because it is command-line driven. So I decided to spend some spare time developing a tool for this. I call it the BitLocker PIN Service, and I have also thrown some central-administration support into it.

The application consists of two parts: an administration service that runs in the context of the local system (LocalSystem), and a client that runs in user mode to give the user a GUI. The client and the service are completely separated and do not live in the same DLL or files in any way. All authentication, authorization and dirty work is done in the service part of the application, so the privileged operations never run in the user's own context. The service will allow any permitted user (regardless of whether they are a local admin or not) to change the boot PIN. To be authorized you need to 1) be a member of a local group called BLPinAdmins, or 2) be a member of a domain group in your default domain called BLPinAdmins_<machine name>. This way you can use either local groups or domain groups, as you prefer. This is what the GUI looks like:

Pretty simple, huh? Under Protectors you can see which protectors are present. This tool only works with Demanding, and if it is not present the protector will be created. When you have hit the Change PIN >> button you will, hopefully, get this dialog:
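
The two checks described above, the group-based authorization and the creation of the TPM+PIN protector when it is missing, written out as an added PowerShell example. This is not code from the BitLocker PIN Service; it uses the public Win32_EncryptableVolume WMI class and the group names from this post. The function names, the protector friendly name 'BLPinService', the use of $env:USERDOMAIN as the "default domain", and the rule that a recovery password must exist before the TPM protector is replaced are this example's own assumptions. It must run elevated, which is the situation the service is in as LocalSystem.

```powershell
# Added example, not the BitLocker PIN Service's own code. Assumptions: domain
# taken from $env:USERDOMAIN, friendly name 'BLPinService', recovery-password
# guard before replacing the TPM protector. Requires an elevated session.
Set-StrictMode -Version 2
$ErrorActionPreference = 'Stop'

function Test-BLPinAuthorized {
    param(
        [Parameter(Mandatory=$true)][System.Security.Principal.WindowsIdentity]$Identity,
        [string]$LocalGroup  = 'BLPinAdmins',                        # post's default local group
        [string]$DomainGroup = "BLPinAdmins_$($env:COMPUTERNAME)",   # post's default domain group
        [string]$Domain      = $env:USERDOMAIN,                      # assumption: the "default domain"
        [switch]$AllowAllUsers                                       # the "Allow all users" policy
    )
    if ($AllowAllUsers) { return $true }   # any interactively logged-on user qualifies

    foreach ($name in @("$($env:COMPUTERNAME)\$LocalGroup", "$Domain\$DomainGroup")) {
        try {
            # Resolve the group name to its SID. A group that does not exist (for
            # example the per-machine domain group was never created) throws
            # IdentityNotMappedException and is skipped, never treated as a match.
            $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate(
                       [System.Security.Principal.SecurityIdentifier])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            continue
        }
        # Decide on the SIDs in the caller's token rather than on display names,
        # so a re-created group that merely has the same name is not accepted.
        if ($Identity.Groups.Contains($sid)) { return $true }
    }
    return $false
}

function Set-BootPin {
    param(
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Pin,
        [string]$DriveLetter = $env:SystemDrive      # normally 'C:'
    )
    $ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                         -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No BitLocker-capable volume at $DriveLetter" }

    # Key protector types of Win32_EncryptableVolume: 1 = TPM, 3 = numerical
    # (recovery) password, 4 = TPM and PIN, 5 = TPM and startup key,
    # 6 = TPM, PIN and startup key. Refuse to touch the TPM protectors unless a
    # recovery password exists: if creating the new protector fails, it is the
    # only thing that still unlocks the volume at boot.
    $recovery = $vol.GetKeyProtectors(3)
    if ($recovery.ReturnValue -ne 0 -or -not $recovery.VolumeKeyProtectorID) {
        throw 'No recovery password protector on the volume; not replacing the TPM protector'
    }

    # Remove the current TPM-based protector (plain TPM, or an older TPM+PIN) so
    # that exactly one TPM-based protector, carrying the new PIN, remains.
    foreach ($type in 1, 4, 5, 6) {
        $r = $vol.GetKeyProtectors($type)
        if ($r.ReturnValue -ne 0) { throw ("GetKeyProtectors({0}) failed: 0x{1:X8}" -f $type, $r.ReturnValue) }
        foreach ($id in @($r.VolumeKeyProtectorID)) {
            if ($id) { [void]$vol.DeleteKeyProtector($id) }
        }
    }

    # The WMI method takes the PIN as plain text: decode it only for the call.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Pin)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # $null for PlatformValidationProfile keeps the default PCR profile.
        $r = $vol.ProtectKeyWithTPMAndPIN('BLPinService', $null, $plain)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }
    if ($r.ReturnValue -ne 0) { throw ("ProtectKeyWithTPMAndPIN failed: 0x{0:X8}" -f $r.ReturnValue) }
    return $r.VolumeKeyProtectorID
}

# Usage. The service would evaluate the impersonated caller's token; run
# interactively, this evaluates the current user instead.
$caller = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if (Test-BLPinAuthorized -Identity $caller) {
    $newId = Set-BootPin -Pin (Read-Host -Prompt 'New boot PIN' -AsSecureString)
    Write-Host "TPM+PIN protector created: $newId"
} else {
    Write-Host "$($caller.Name) is not in BLPinAdmins or BLPinAdmins_$($env:COMPUTERNAME)"
}
```

Two points worth keeping from this: the membership decision is made on SIDs from the token, which also means a user added to BLPinAdmins only gets the right after a fresh logon, and the PIN crosses the process boundary as plain text at the WMI call, so whatever carries it from the client to the service should be protected accordingly.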

The application then terminates without any further dialogs. Start the application from the Desktop or Start menu link whenever you need to change the boot PIN. There are, however, some more advanced options available via Group Policy (local or domain based) that give more control over the PIN and let you enforce how often it must be changed. First, let's look at the settings:

Options are as follows:

  • Local BLPin Administrators group name = if you need to change the name of the BLPin users' group on the local computer, set the new name here.
  • Allow all users = let all users who have the "log on locally" privilege set the PIN (shared computers, perhaps?).
  • Start client on logon = start the client at each logon. Use this together with Force PIN-change interval; the client will quit if it is not yet time to set a new PIN.
  • Force PIN-change interval = if the client is started and this many days have passed since the last PIN was set, the Exit button and the Control Box are removed before the GUI is displayed, "forcing" the user to change the PIN.
  • Domain BLPin Administrators group name = if you need to change the name of the BLPin users' group in Active Directory, set the new name here.
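
How the client's start-up behaviour follows from these settings, as an added PowerShell example; it is not the tool's own code. The post does not say where the tool stores its policy values or the time of the last PIN change, so the registry key and value names below are this example's assumptions.

```powershell
# Added example, not the BitLocker PIN Service's own code. The registry
# locations and value names are assumptions for illustration only.
Set-StrictMode -Version 2
$PolicyKey = 'HKLM:\SOFTWARE\Policies\BLPinService'  # assumed: where Group Policy writes the settings
$StateKey  = 'HKLM:\SOFTWARE\BLPinService'           # assumed: where the service records its state

function Get-BLPinPolicy {
    # Defaults apply for any value the policy does not configure.
    $policy = @{
        LocalGroup         = 'BLPinAdmins'
        DomainGroup        = "BLPinAdmins_$($env:COMPUTERNAME)"
        AllowAllUsers      = $false
        StartClientOnLogon = $false
        ForcePinChangeDays = 0           # 0 = never force a change
    }
    if (Test-Path $PolicyKey) {
        $values = Get-ItemProperty -Path $PolicyKey
        foreach ($name in @($policy.Keys)) {
            if ($values.PSObject.Properties[$name]) { $policy[$name] = $values.$name }
        }
    }
    return $policy
}

function Get-ClientStartMode {
    # Returns 'Forced' (GUI without Exit button and Control Box), 'Quit'
    # (started by the logon hook but not due yet) or 'Normal' (manual start).
    param(
        [Parameter(Mandatory=$true)][hashtable]$Policy,
        [datetime]$LastPinChange = [datetime]::MinValue,   # MinValue = never changed
        [datetime]$Now = (Get-Date),
        [switch]$StartedByLogon                            # launched at logon, not from the Start menu link
    )
    $days = [int]$Policy.ForcePinChangeDays
    $due  = ($days -gt 0) -and (($Now - $LastPinChange).TotalDays -ge $days)

    if ($due) { return 'Forced' }
    if ($StartedByLogon) { return 'Quit' }   # either the option is off or it is not time yet
    return 'Normal'
}

# Usage: read the policy and the recorded time of the last change, then decide.
$policy = Get-BLPinPolicy
$last   = [datetime]::MinValue
if (Test-Path $StateKey) {
    $state = Get-ItemProperty -Path $StateKey
    if ($state.PSObject.Properties['LastPinChange']) {
        # Assumed to be stored as an invariant-culture round-trip string.
        $last = [datetime]::Parse($state.LastPinChange, [Globalization.CultureInfo]::InvariantCulture)
    }
}
$mode = Get-ClientStartMode -Policy $policy -LastPinChange $last -StartedByLogon:$policy.StartClientOnLogon
Write-Host "Client start mode: $mode (last PIN change: $last, interval: $($policy.ForcePinChangeDays) days)"
```

Note that a machine with no recorded last change counts as overdue as soon as an interval is configured, which is the conservative choice: a PIN the service has never seen set is exactly the one you want rotated.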

If you think this sounds like a nice tool: I'm offering it free to anyone who needs it, without warranties or support (except for this post).
If you like the tool, please send me an email! If you find a bug, please send me an email!
If you need the source code or a supported version, that is also possible for a small fee.
When bugs are found, updates are available or there is other important information, I will send it by mail to all registered users.

Binary License

PLEASE READ THIS SOFTWARE LICENSE ("LICENSE") CAREFULLY; YOU INDICATE YOUR ACCEPTANCE OF THIS LICENSE WHEN YOU DOWNLOAD OR USE THE SOFTWARE. YOU MUST ACCEPT THIS LICENSE TO USE THE PRODUCT.

Redistribution and use in binary form, with or without modification, is permitted provided that the following conditions are met:

• You do not sell, or license or transfer for a fee, the Software, or any work that in any manner contains the Software. This restriction applies only to this binary software, not to images and data produced as a result of using the Software.
• You agree not to attempt to decompile, disassemble, reverse engineer or otherwise discover the source code from which the binary code was derived.
• Neither the name of Dasaar Innovation AB, nor the names of its Contributors may be used to endorse or promote products derived from this Software without specific prior written permission.
• Redistributions must retain the above copyright notices, referenced source(s) for additional terms, this list of conditions, and the disclaimer below in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE SOFTWARE.

Download

Version 1.5 (first public release) [download]

Published 10-28-2011 18:17 by Daniel
