Wednesday, May 30, 2012

Secure DoD Drive Wiping with SCCM

I mentioned in my last post a need to do a secure drive wipe on remote systems. There are several good and free options for wiping drives, but not many that can be executed remotely. Microsoft however offers a nice tool called SDelete as part of their free Sysinternals Suite. SDelete will do a DoD 5220.22-M sanitization of free space on a drive, but by itself isn't very good at destroying all of the data on a disk. That is where WinPE comes in. Using WinPE and sdelete is something that Derek Meier has blogged about previously. We're going to take this a step further and use SCCM to make this process remotely executable. Plus, we'll use a package to deliver the files to WinPE, so there is no need to modify the boot.wim or do any custom WinPE builds.

We'll basically use an SCCM Task Sequences to boot into Windows PE and format the drive with a single, empty C: partition. Then we'll use sdelete to handle the DoD wipe of the empty partition.

To do this, we'll need to get SDelete to Windows PE. So to start, we'll create a package with SDelete.exe (which can be downloaded from here: http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx).

We'll also create a file called sdelete.reg with the following contents:

----------------- begin sdelete.reg -----------------

Windows Registry Editor Version 5.00


[HKEY_CURRENT_USER\Software\Sysinternals\SDelete]
"EulaAccepted"=dword:00000001

----------------- end sdelete.reg -----------------

Once the package with these two files is created, we can now move to our task sequence.

Note: These steps only apply for systems with a single hard drive. If you have multiple hard drives, you'll need to to repeat steps 3 and 4 for each disk in the system.

Step 1: Add a task to Restart into WinPE using your favorite boot.wim.
Step 2: We're going to copy over the files from our sdelete package. To do this, add a General -> Run Command Line task. Check the box by Package and select the package created with the sdelete files in it. The command line the I use whenever I'm copying files from a package to WinPE is:
xcopy.exe ".\*.*" "%WinDir%" /E /C /Q /H /R /Y /I

(Ignore the whole Enable Remote Control section in this image. If you want to learn about using VNC to connect to WinPE, see my previous post)

Step 3: Now that the files are in place, we'll add another Run Command Line task, which we'll use to accept the Systernals EULA for sdelete.exe. This time our command line will be:
regedit /s sdelete.reg 
Set the Start in field to %WinDir%, since that is where we copied the files.
Step 4: Now we'll create on big C partition to fill the entire drive. Add a Disks -> Format and Partition Disk task.  Set Disk number to and Disk type to Standard(MBR). Create a new Volume. Set the Partition type to Primary and set it to use 100% of the free space. The File system should be NTFS and I recommend checking the Quick Format box (the seven pass 0/1 fill takes long enough).


Step 5: Now that we have one big, empty C: partition, its time to use sdelete to make sure that the old data is unrecoverable. For this we'll go back to a Run Command Line task. Our command will be:
sdelete.exe -p 7 -c -z
The -p 7 gives us seven passes. The -c tells it to clean free space. The -z tells it to zero free space.
Its important to set the Start in to C:\, otherwise you might try and clean the X: drive.

Now you're ready to go destroy some data! Just advertise your task sequence and watch it go to work making information unrecoverable. I think it goes without saying, but you should be very careful about where this is advertised, especially if you're using mandatory assignments.




14 comments:

  1. How do you get the boot image to a remote computer? I have a computer that is stolen and obviously not on the network so how do you boot into WIM image when not on the network?

    ReplyDelete
  2. This comment has been removed by the author.

    ReplyDelete
  3. I would not recommend this in a corporate environment because you can never control what an administrator can make a mistake. Suppose its advertised to All System, you would be done.

    ReplyDelete
  4. What do you do about the log file that's left on the C: \ drive (C:\_SMSTSLog)?

    ReplyDelete
    Replies
    1. Can I bump this 4 years later? Still an issue. Still no answer.

      Delete
    2. Follow this https://garytown.com/secure-wipe-with-logging-using-configmgr-task-sequence

      Delete
  5. Hi, I know this is an older article. Thank you so much for the information. I just have one issue.. I think I created the sdelete package incorrectly, because I get an error "cannot find files" during the copy phase. suggestions?

    ReplyDelete
  6. Great article - needs one change to work in CONFIGMGR R2 Sp1 and greater.

    SDelete -p C: -c -s -z /AcceptEULA

    ReplyDelete
    Replies
    1. Works great thanks. Know of any way to monitor progress?

      Delete
  7. This comment has been removed by the author.

    ReplyDelete
  8. This comment has been removed by the author.

    ReplyDelete
  9. Question, does this require the system you are wiping to have an operating system, or are we talking about PXE booting?

    ReplyDelete
  10. The more I think of this, the more I think about how simple it is to build your own pxe image anyways. You can use buildroot to make a linux based pxe image bootable over the network. This is practically what my job is. As for secure wiping, well, what is secure? You need a certificate generation for that, it needs verification.

    ReplyDelete