Planning How to Secure the MBAM Websites

This topic describes the following methods for securing the Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 Administration and Monitoring Website and Self-Service Portal:

Method | Required or optional?
Using certificates to secure MBAM websites | Optional, but highly recommended
Registering Service Principal Names (SPNs) for the application pool account | Required

For more information about how to secure your MBAM deployment, see MBAM 2.5 Security Considerations.

Using certificates to secure MBAM websites

We recommend that you use a certificate to secure the communication between the:

  • MBAM Client and the web services

  • Browser and the Administration and Monitoring Website and the Self-Service Portal websites

For information about requesting and installing a certificate, see Configuring Internet Server Certificates.

Note
You can configure the websites and web services on different servers only if you are using Windows PowerShell. If you use the MBAM Server Configuration wizard to configure the websites, you must configure the websites and the web services on the same server.

To secure the communication between the web services and the databases, we also recommend that you force encryption in SQL Server. For information about securing all connections to SQL Server, including communication between the web services and SQL Server, see MBAM 2.5 Security Considerations.

Registering SPNs for the application pool account

To enable the MBAM Servers to authenticate communication from the Administration and Monitoring Website and the Self-Service Portal, you must register a Service Principal Name (SPN) for the host name under the domain account that you are using for the web application pool.

This topic contains instructions on how to register SPNs for the following types of host names:

  • Fully qualified domain name

  • NetBIOS name

  • Virtual name

Before you create SPNs for an initial MBAM installation

Review the information in the following table before you start creating SPNs.

Task or item More information

Create a service account in Active Directory Domain Services (AD DS).

The service account is a user account that you create in AD DS to provide security for the MBAM websites. The MBAM websites run under an application pool, whose identity is the name of the service account. The SPNs are then registered in the application pool account.

Note

You must use the same application pool account for all web servers.

Verify that either the IIS_IUSRS group or the application pool account has been granted the necessary user rights.

To check this, follow these steps:

  1. Open the Local Security Policy editor and expand the Local Policies node.

  2. Select the User Rights Assignment node, and double-click the Impersonate a client after authentication and Log on as a batch job Group Policy settings in the right pane.

If you configure the MBAM websites by using a domain administrative account, MBAM creates the SPNs for you.

If you do not configure the MBAM websites by using a domain administrative account, follow the steps in this topic to register SPNs manually for the type of host name that you are using.

Registering SPNs when you use a fully qualified domain host name

If you use a fully qualified domain host name when you configure MBAM, you have to register only one SPN, as shown in the following example.

What you need to do Examples and more information

Register an SPN for the fully qualified domain name.

Setspn -s http/mybitlockerrecovery.contoso.com contoso\mbamapppooluser

The fully qualified host name is mybitlockerrecovery.contoso.com, and the domain account used for the web application pool is contoso\mbamapppooluser.

Configure constrained delegation for the SPN that you are registering for the application pool account.

Configuring Constrained Delegation

This requirement only applies to MBAM 2.5; it is not necessary in MBAM 2.5 SP1.

Registering SPNs when you use a NetBIOS host name

If you use a NetBIOS host name when you configure MBAM, register one SPN for the NetBIOS name, and another SPN for the fully qualified domain name, as shown in the following examples.

What you need to do Examples and more information

Register an SPN for the NetBIOS host name.

Setspn -s http/nbname01 contoso\mbamapppooluser

The NetBIOS host name is nbname01, and the domain account used for the web application pool is contoso\mbamapppooluser.

Register an SPN for the fully qualified domain name.

Setspn -s http/nbname01.corp.contoso.com contoso\mbamapppooluser

The fully qualified domain name is nbname01.corp.contoso.com, and the domain account used for the web application pool is contoso\mbamapppooluser.

Configure constrained delegation for the SPNs that you are registering for the application pool account.

Configuring Constrained Delegation

This requirement only applies to MBAM 2.5; it is not necessary in MBAM 2.5 SP1.

Registering SPNs when you use a virtual host name

If you configure MBAM with a virtual host name that is a fully qualified domain name, register only one SPN for the virtual host name. If the virtual host name that you configure is not a fully qualified domain name, you must create a second SPN that specifies the fully qualified domain name, as described in the following examples.

What you need to do Examples and more information

If your virtual host name is a fully qualified domain name, as in this example, register only one SPN.

Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

In the example, the virtual host name is mbamvirtual.contoso.com, and the domain account used for the web application pool is contoso\mbamapppooluser.

If your virtual host name is not a fully qualified domain name, register an SPN for the short virtual host name.

Setspn -s http/mbamvirtual contoso\mbamapppooluser

In the example, the virtual host name is mbamvirtual, and the domain account used for the web application pool is contoso\mbamapppooluser.

If your virtual host name is not a fully qualified domain name, also register an SPN for its fully qualified domain name.

Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

In the example, the virtual host name is mbamvirtual.contoso.com, and the domain account used for the web application pool is contoso\mbamapppooluser.

On the Domain Name System (DNS) server, create an A record for the custom host name and point it to a web server or a load balancer.

See the “To configure DNS Host A Records” section in Configure DNS Host Records.

We recommend that you use A records instead of CNAME records. If you use a CNAME record to point to the domain address, you must also register SPNs for the web server name in the application pool account.

Configure constrained delegation for the SPNs that you are registering for the application pool account.

Configuring Constrained Delegation

This requirement only applies to MBAM 2.5; it is not necessary in MBAM 2.5 SP1.
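The following PowerShell is an added example; it is not part of the MBAM documentation or the MBAM product. It applies the host-name rules from the three sections above: it derives the SPN set for a fully qualified, NetBIOS or virtual host name (and, for the CNAME case the page mentions, the web server's own names), asks Active Directory whether any other object already owns each SPN, and only then calls setspn -S, which itself refuses to create a duplicate. The function names, the default DNS suffix contoso.com and the account contoso\mbamapppooluser are assumptions in the spirit of the page's examples; setspn.exe and the RSAT ActiveDirectory module are the real tools.

```powershell
# Added example, not from the MBAM documentation. Needs setspn.exe and the RSAT
# ActiveDirectory module, run as an account allowed to write servicePrincipalName
# on the application pool account.

function Get-MbamRequiredSpn {
    # Returns the http SPNs the page's rules call for:
    #   FQDN (or virtual FQDN)       -> http/<fqdn>
    #   NetBIOS or short virtual name -> http/<short> and http/<short>.<dns domain>
    # When the websites are reached through a CNAME, the web server's own names
    # are added as well, as the page notes.
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [string] $DnsDomain = 'contoso.com',   # assumed DNS suffix used to build the FQDN
        [string] $WebServerName                # only needed for the CNAME case
    )
    $names = @($HostName)
    if ($WebServerName) { $names += $WebServerName }
    $spns = foreach ($n in $names) {
        "http/$n"
        if ($n -notmatch '\.') { "http/$n.$DnsDomain" }
    }
    return @($spns | Select-Object -Unique)
}

function Get-SpnOwner {
    # sAMAccountName of every AD object (user, computer, ...) that carries this SPN
    param([Parameter(Mandatory)] [string] $Spn)
    @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName |
        Select-Object -ExpandProperty sAMAccountName)
}

function Register-MbamSpn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [string] $AppPoolAccount,   # domain\user, as in the page's examples
        [string] $DnsDomain = 'contoso.com',
        [string] $WebServerName
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $poolSam = ($AppPoolAccount -split '\\')[-1]

    $required = Get-MbamRequiredSpn -HostName $HostName -DnsDomain $DnsDomain -WebServerName $WebServerName
    foreach ($spn in $required) {
        $owners  = Get-SpnOwner -Spn $spn
        $foreign = @($owners | Where-Object { $_ -ne $poolSam })
        if ($foreign.Count -gt 0) {
            # A duplicate SPN breaks Kerberos for both owners; stop and let the admin decide.
            throw "$spn is already registered to '$($foreign -join ', ')'; remove it there before registering it on $AppPoolAccount"
        }
        if ($owners.Count -gt 0) { Write-Verbose "$spn already on $poolSam, skipping"; continue }
        if ($PSCmdlet.ShouldProcess($AppPoolAccount, "register $spn")) {
            & setspn.exe -S $spn $AppPoolAccount    # -S re-checks for duplicates before adding
            if ($LASTEXITCODE -ne 0) { throw "setspn -S $spn $AppPoolAccount failed with exit code $LASTEXITCODE" }
        }
    }
    # Final state of the account, for the change record
    & setspn.exe -L $AppPoolAccount
}

# The three scenarios above; -WhatIf prints the plan without touching AD.
Register-MbamSpn -HostName 'mybitlockerrecovery.contoso.com' -AppPoolAccount 'contoso\mbamapppooluser' -WhatIf
Register-MbamSpn -HostName 'nbname01' -AppPoolAccount 'contoso\mbamapppooluser' -WhatIf
Register-MbamSpn -HostName 'mbamvirtual' -AppPoolAccount 'contoso\mbamapppooluser' -WhatIf
```

Run each call with -WhatIf first and compare the planned SPNs with the table for your host-name type; the pre-check matters most on upgraded environments, where an earlier MBAM install may have left http SPNs on a machine account, which the setspn -S duplicate check would also refuse.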

Registering an SPN when you upgrade from previous versions of MBAM

Complete the steps in this section only if you want to:

  • Upgrade from a previous version of MBAM.

  • Run the websites in MBAM 2.5 in a load-balanced or distributed configuration, and you are currently running in a configuration that is not load balanced.

If you already registered SPNs on the machine account rather than in an application pool account, MBAM uses the existing SPNs, and you cannot configure the websites in a load-balanced or distributed configuration.

What you need to do Examples and more information

Create an application pool account in Active Directory Domain Services (AD DS).

Remove the currently installed websites and web services.

Removing MBAM Server Features or Software

Remove SPNs from the machine account.

Setspn -d http/mbamwebserver mbamwebserver

Setspn -d http/mbamwebserver.contoso.com mbamwebserver

Register SPNs in the application pool account.

Follow the steps for Registering SPNs when you use a virtual host name.

Reconfigure the web applications and web services.

How to Configure the MBAM 2.5 Web Applications

Do one of the following, depending on the method you use for the configuration:

Method Details

MBAM Server Configuration wizard

Enter the application pool account in the Web service application pool domain account field.

Enable-MbamWebApplication Windows PowerShell cmdlet

Enter the account in the WebServiceApplicationPoolCredential parameter.

Important

The host name that you enter must be the same name as the virtual host name for which you are creating the SPNs. Also, in your web farm, the host names and the application pool credentials must be the same on every server that you are configuring.

When MBAM configures the web applications, it will try to register the SPNs for you, but it can do so only if you have Domain Admin rights on the server on which you are installing MBAM. If you do not have these rights, you can complete the configuration, but you will have to set the SPNs before or after you configure MBAM.
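The following PowerShell is an added example, not part of the MBAM documentation, for the two SPN steps of the upgrade procedure above. It removes the http SPNs an earlier installation registered on the web server's machine account (the equivalent of the setspn -d commands shown) and, after you have registered the virtual host name SPNs on the application pool account, reports who owns each required SPN so you can confirm the account is the sole owner before reconfiguring the web applications. The function names are assumptions; mbamwebserver, mbamapppooluser and mbamvirtual are the page's sample names; the RSAT ActiveDirectory module is the real tool.

```powershell
# Added example, not from the MBAM documentation. Requires the RSAT ActiveDirectory
# module and rights to modify servicePrincipalName on the computer account.

function Remove-MbamMachineSpn {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $WebServerName)   # computer account, e.g. mbamwebserver
    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $WebServerName -Properties servicePrincipalName
    # Only http SPNs are removed; HOST/, TERMSRV/ and other services on the machine stay untouched
    $httpSpns = @($computer.servicePrincipalName | Where-Object { $_ -like 'http/*' })
    if ($httpSpns.Count -eq 0) {
        Write-Verbose "no http SPNs on $WebServerName"
        return @()
    }
    foreach ($spn in $httpSpns) {
        if ($PSCmdlet.ShouldProcess($WebServerName, "remove $spn")) {
            Set-ADComputer -Identity $WebServerName -ServicePrincipalNames @{ Remove = $spn }
        }
    }
    return $httpSpns    # what was removed, for the change record
}

function Test-MbamSpnOwnership {
    # One row per SPN with its current owner(s); Ok is true only when the
    # application pool account is the sole owner.
    param(
        [Parameter(Mandatory)] [string[]] $Spn,
        [Parameter(Mandatory)] [string]   $AppPoolSamAccountName   # e.g. mbamapppooluser
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($s in $Spn) {
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$s)" -Properties sAMAccountName |
                    Select-Object -ExpandProperty sAMAccountName)
        [pscustomobject]@{
            Spn    = $s
            Owners = ($owners -join ', ')
            Ok     = ($owners.Count -eq 1 -and $owners[0] -eq $AppPoolSamAccountName)
        }
    }
}

# Dry run of the clean-up, then the real thing
Remove-MbamMachineSpn -WebServerName 'mbamwebserver' -WhatIf
Remove-MbamMachineSpn -WebServerName 'mbamwebserver' -Verbose

# After registering the virtual host name SPNs with setspn -s as shown above
Test-MbamSpnOwnership -Spn 'http/mbamvirtual', 'http/mbamvirtual.contoso.com' `
                      -AppPoolSamAccountName 'mbamapppooluser' | Format-Table -AutoSize
```

Any row with Ok set to false means either the SPN is still on the machine account (so MBAM will keep using it and the load-balanced configuration will not be possible, as the section notes) or the same SPN exists on two objects, which breaks Kerberos authentication for both.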

Required Request Filtering Settings

The request filtering setting 'Allow unlisted file name extensions' must be enabled for the application to operate as expected. In IIS Manager, select the 'Microsoft BitLocker Administration and Monitoring' site, open Request Filtering, and then click Edit Feature Settings to find it.
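The following PowerShell is an added example, not part of the MBAM documentation. It reads the allowUnlisted attribute of the requestFiltering/fileExtensions section for the MBAM site with the WebAdministration module, enables it only if it is off, and re-reads it to confirm. The site name is taken from the page; the IIS: provider path and the function name are assumptions.

```powershell
# Added example, not from the MBAM documentation. Requires the WebAdministration
# module (installed with the IIS management tools) and local administrator rights.
Import-Module WebAdministration -ErrorAction Stop

function Set-MbamAllowUnlistedExtension {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $SiteName = 'Microsoft BitLocker Administration and Monitoring')

    $psPath = "IIS:\Sites\$SiteName"                                   # assumed provider path
    $filter = 'system.webServer/security/requestFiltering/fileExtensions'

    function Read-AllowUnlisted {
        # Get-WebConfigurationProperty may return the bare value or a ConfigurationAttribute
        # whose .Value holds it; compare as text so both shapes are handled.
        $attr = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name allowUnlisted
        $raw  = if ($attr -is [bool]) { $attr } else { $attr.Value }
        return ("$raw" -eq 'True')
    }

    if (Read-AllowUnlisted) {
        Write-Verbose "allowUnlisted is already true on '$SiteName'"
        return $true
    }
    if ($PSCmdlet.ShouldProcess($SiteName, 'set requestFiltering/fileExtensions allowUnlisted=true')) {
        Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name allowUnlisted -Value $true
    }
    return (Read-AllowUnlisted)   # false after -WhatIf, true once the change is applied
}

Set-MbamAllowUnlistedExtension -Verbose
```

Scoping the change to the MBAM site with -PSPath, rather than to the server root, keeps request filtering for any other sites on the server as it was.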

Preparing your Environment for MBAM 2.5

MBAM 2.5 Deployment Prerequisites
