RESET Forums (homeservershow.com)

BitLocker


Recommended Posts

Drashna Jaelre

Sounds like BitLocker makes good sense for theft-prone portable client devices to protect the data, but it makes little sense for the server.

Depends. Where are you storing your server? Out in the open? Some place easily accessible? 

Does it look like a normal computer?

 

Because, remember, a thief is going to look for high value targets. That's assuming that they don't know you, or haven't cased your house. If they know you're keeping sensitive material on your server... that's a great blackmail target. 

 

Also, because you are backing up other computers, if they could gain access to the OS, reset the admin password and log in... they could THEN "restore" the client PCs to HDDs and gain access to THAT information as well. 

 

Encrypting it means that you wouldn't have to worry about the data on the server. It would be protected. Start to finish. 


Another feature of W8.1 Pro is said to be Domain-Joining. How does that differ from Launchpad?

 

If this question can be answered quickly, I may be allowed to piggy-back it here, otherwise I'll start a new thread.

 

Completely separate features. The Launchpad is part of the WHS code (well, really "Windows Server Solutions"). This manages the "WHS health" stuff, backups, etc. It's just software.

The domain aspect is completely separate. It is user authentication and group policies. While that seems like little.... there is an amazingly large number of things you can do with group policies.

Popular Posts

Bitlocker protects against offline access to data - either by booting to a different device (USB or CD) or by pulling the hard drive and accessing it from another computer.  It does not protect agains

By default, BitLocker does require a TPM, which we discussed earlier; thankfully a simple GPO setting can resolve that. When there is no TPM on the mobo, you must have a USB stick. There's just no way

The TPM module is a cryptoprocessor for dealing with keys and signatures only. It isn't capable of helping with encryption/decryption of actual data on disk or network. The module is designed to be re

My thinking is that one who rotates backup drives and keeps one or more off site would be a good candidate for encrypting them.

 

For the bare-metal restore of the server, it sounds like it is then necessary to decrypt the drive first, definitely a pain and probably a long-duration activity, but hopefully a rare occurrence. For me, BMR of a client is far more likely than for the server, as I have not needed to do it (knock on wood) for either of my servers.
ServerRookie

I have turned BitLocker on for one client device to get myself some exposure; it went without a glitch :) I'd like to turn BitLocker on for the trial WS2012R2E server as well. It runs on a single-HDD machine with a backup on an external USB HDD. Are there any precautions that I should observe? I am aware of https://technet.microsoft.com/en-ca/library/jj612864.aspx

--------------------

As to the other issue that I tossed up, I think I need a good read on the basics, any books that you all can recommend to a rookie?

Drashna Jaelre

My thinking is that one who rotates backup drives and keeps one or more off site would be a good candidate for encrypting them.

 

For the bare-metal restore of the server, it sounds like it is then necessary to decrypt the drive first, definitely a pain and probably a long-duration activity, but hopefully a rare occurrence. For me, BMR of a client is far more likely than for the server, as I have not needed to do it (knock on wood) for either of my servers.

You can add the BitLocker management code to the WinPE image (the recovery image). This way you can unlock the drive without decrypting it.

 

https://technet.microsoft.com/en-us/library/hh824926.aspx


I have turned BitLocker on for one client device to get myself some exposure; it went without a glitch :) I'd like to turn BitLocker on for the trial WS2012R2E server as well. It runs on a single-HDD machine with a backup on an external USB HDD. Are there any precautions that I should observe? I am aware of https://technet.microsoft.com/en-ca/library/jj612864.aspx

--------------------

As to the other issue that I tossed up, I think I need a good read on the basics, any books that you all can recommend to a rookie?

Other than making sure that you have the recovery key stored in a good place?

 

Also, if you encrypt the system drive, you can automatically unlock the drives.

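Drashna's WinPE suggestion, worked through as an added example (this is not code from the thread or from the linked TechNet page): build a WinPE boot image that carries the BitLocker optional component, then unlock the volume from inside WinPE so a restore can read it while the data on disk stays encrypted. It assumes the Windows ADK 8.1 at its default path, C:\WinPE_amd64 as a scratch folder, and a placeholder recovery password; run it from a PowerShell started inside the ADK's "Deployment and Imaging Tools Environment" prompt (which puts copype, Dism and MakeWinPEMedia on the PATH), as Administrator.

```powershell
# Added example, not from the thread. Assumes ADK 8.1 default install path and a scratch
# folder at C:\WinPE_amd64; launched from the Deployment and Imaging Tools Environment.
$adk   = 'C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit'
$ocs   = "$adk\Windows Preinstallation Environment\amd64\WinPE_OCs"
$work  = 'C:\WinPE_amd64'
$mount = "$work\mount"

# 1. Create the WinPE working set (media folder plus boot.wim).
copype amd64 $work

# 2. Mount boot.wim so packages can be added offline.
Dism /Mount-Image "/ImageFile:$work\media\sources\boot.wim" /Index:1 "/MountDir:$mount"

# 3. WinPE-SecureStartup supplies manage-bde and the BitLocker filter driver. It depends on
#    WinPE-WMI, so WMI goes in first; each component gets its en-us resource package as well.
foreach ($oc in 'WinPE-WMI', 'WinPE-SecureStartup') {
    Dism /Add-Package "/Image:$mount" "/PackagePath:$ocs\$oc.cab"
    Dism /Add-Package "/Image:$mount" "/PackagePath:$ocs\en-us\${oc}_en-us.cab"
}

# 4. Commit the image and produce bootable media (/UFD <drive:> writes a USB stick instead).
Dism /Unmount-Image "/MountDir:$mount" /Commit
MakeWinPEMedia /ISO $work "$work\WinPE_amd64.iso"

# --- Inside the booted WinPE, at the X:\ prompt, before starting the restore ---
# Show each volume, its lock state and its key protectors.
manage-bde -status
# Unlock the OS volume with its 48-digit recovery password (placeholder value shown).
# With a startup/recovery key file instead:  manage-bde -unlock C: -RecoveryKey F:\<id>.BEK
manage-bde -unlock C: -RecoveryPassword 111111-222222-333333-444444-555555-666666-777777-888888
# C: is now readable for the rest of the WinPE session; nothing on disk was decrypted.
```

The unlock is per session: the volume locks again on the next boot, so the recovery password (or the .BEK file) is needed each time the recovery media is used, which is one more reason to keep it somewhere other than on the server being restored.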

As Drashna said, make sure you safeguard the BitLocker key. I recommend you use a password/licence #/encryption key manager such as LastPass. I have LastPass Premium ($1/month) and use it with my Yubikey.

msawyer91

You can enable BitLocker on your WS2012R2E server. I do this. It's tricky when using disk pooling software like StableBit or Drive Bender, because the disks need to be "unlocked" before the pooling software service starts. Otherwise you get pool errors and the pool is unusable until BitLocker unlocks all of the drives. Even with these shortcomings, I use BitLocker.

 

Many years ago when I first started working for EDS (now HP), there was a security campaign with the slogan, "Security - It's everyone's responsibility." I took that to heart, and I use that expression a lot. That means also encrypting all of my computers, even my servers, whether or not they have a TPM. If any of my equipment ever winds up purloined, I want to give the bad guys hell in trying to get at my data. It meant buying a bunch of extra flash drives to create "startup keys" for BitLocker, but by golly, all of my machines are more secure than without BitLocker. This can present a bit of a challenge on Patch Tuesday when the machines reboot and they're all sitting at a BitLocker prompt, waiting for me to insert the USB key so they can start.

 

OK, so it's a pain, but security is everyone's responsibility. (Sorry for the political rant, but it seems security always takes a back seat these days.)

 

As for enabling BitLocker on the 8.1 machine, just run "gpedit.msc" to bring up Group Policy Management. There you can set all of the BitLocker policy settings for operating system/boot drives, fixed disks and removable (USB, FireWire) disks. I set options for using 256-bit with Diffuser (Windows 7 and Vista) and 256-bit (Windows 8/8.1) encryption, allow BitLocker without TPM, etc. I try to make things as secure as possible. I know there is no such thing as 100% secure, but I'd rather be 90% secure than 30% secure. :)


A couple of thoughts:

  1. Would it be possible to make the DrivePool service dependent on the BitLocker service?
     
  2. What about setting the DrivePool service to Automatic (Delayed Start)?
     
  3. Doesn't DrivePool have some feature for delaying the service from enumerating the pools?
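Items 1 and 2 above, and the underlying problem msawyer91 describes, as an added example (not code from the thread, from StableBit or from Drive Bender). It assumes the pool service is named DrivePoolService (confirm with Get-Service before using it) and that the pooled volumes are D: and E: with auto-unlock enabled. Run as Administrator.

```powershell
# Added example, not from the thread. Service name and drive letters are assumptions.
$poolSvc    = 'DrivePoolService'   # assumed; check:  Get-Service | Where-Object Name -like '*pool*'
$poolDrives = 'D:', 'E:'           # assumed pooled volumes

# Approach A (items 1 and 2): order the pool service after the BitLocker service (BDESVC) and
# move it to the delayed-start group. sc.exe requires the "option= value" spacing shown.
sc.exe config $poolSvc depend= BDESVC
sc.exe config $poolSvc start= delayed-auto

# Approach B: a dependency only orders service startup; it does not wait for each data volume's
# auto-unlock to complete. Gate the pool on the real LockStatus instead. To use this, set the
# service to Manual (sc.exe config $poolSvc start= demand) and run the script below from a
# scheduled task that fires at startup as SYSTEM.
function Wait-BitLockerUnlocked {
    param([string[]]$MountPoint, [int]$TimeoutSec = 180)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $locked = Get-BitLockerVolume -MountPoint $MountPoint |
                  Where-Object { $_.LockStatus -eq 'Locked' }
        if (-not $locked) { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    Write-Warning ('Still locked after {0}s: {1}' -f $TimeoutSec, ($locked.MountPoint -join ', '))
    return $false
}

if (Wait-BitLockerUnlocked -MountPoint $poolDrives) {
    Start-Service -Name $poolSvc
} else {
    # Leave the pool down rather than let it start with disks missing; an operator can run
    # manage-bde -unlock on the volume and then start the service by hand.
    Write-Warning "Not starting $poolSvc; one or more pooled volumes are still locked."
}
```

Approach B is the safer of the two when a volume's auto-unlock can fail (for example after a change to the OS volume's protectors), because the pool never sees a half-populated set of disks.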
ServerRookie

I have just installed BitLocker on my trial server WS2012R2E using the TechNet procedure https://technet.microsoft.com/en-ca/library/jj612864.aspx

 

The Server Manager confirms with a checkbox "BitLocker Drive Encryption (Installed)". However, I don't see any padlocks on the drive icons at all :o

 

What did I do wrong?

 

I expected the server HDD (single HDD) and the server backup HDD (external USB HDD) to be encrypted.


All that those directions do is enable the BitLocker services on the computer, you still need to enable it on individual drives.  Go to File Explorer, right click on the hard drive and there should be an option 'Turn on BitLocker'.

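The per-volume step the last reply describes, together with the gpedit.msc policy settings msawyer91 lists and Drashna's auto-unlock point, as one added example (not code from the thread or from the TechNet pages it links). It is the PowerShell equivalent of the "Turn on BitLocker" dialog for a machine without a TPM: OS volume C:, external backup HDD D:, a USB stick for the startup key at F:, the BitLocker feature already installed per the linked procedure. Drive letters are assumptions; run as Administrator.

```powershell
# Added example, not from the thread. C:, D: and F: are assumed drive letters.

# 1. Local-policy equivalent of gpedit.msc > Computer Configuration > Administrative Templates >
#    Windows Components > BitLocker Drive Encryption. These are the registry values the
#    "Require additional authentication at startup" and "Choose drive encryption method and
#    cipher strength" settings write; without the first one, an OS volume cannot be protected
#    on a machine that has no TPM.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
$policy = @{
    UseAdvancedStartup         = 1   # enable "Require additional authentication at startup"
    EnableBDEWithNoTPM         = 1   # "Allow BitLocker without a compatible TPM" (USB startup key)
    UseTPM = 2; UseTPMPIN = 2; UseTPMKey = 2; UseTPMKeyPIN = 2   # 2 = Allow, for machines that do have one
    EncryptionMethod           = 2   # Vista/Windows 7 policy: AES-256 with Diffuser
    EncryptionMethodNoDiffuser = 4   # Windows 8/8.1/Server 2012 policy: AES-256
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -PropertyType DWord -Value $policy[$name] -Force | Out-Null
}

# 2. OS volume: startup key on the USB stick, plus a recovery password for the day the stick is
#    lost. Without -SkipHardwareTest, BitLocker stages the change and tests the startup key on
#    the next reboot before it begins encrypting, which is what you want the first time.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -StartupKeyProtector -StartupKeyPath 'F:\'
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

# 3. External backup HDD: recovery password protector, full-volume encryption.
Enable-BitLocker -MountPoint 'D:' -EncryptionMethod Aes256 -RecoveryPasswordProtector

# 4. Record every recovery password somewhere that is NOT this machine (password manager,
#    printout in a safe, AD if the server is domain-joined).
function Get-RecoveryPasswords {
    Get-BitLockerVolume | ForEach-Object {
        $mp = $_.MountPoint
        $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | ForEach-Object {
            [pscustomobject]@{ Volume = $mp; ProtectorId = $_.KeyProtectorId; RecoveryPassword = $_.RecoveryPassword }
        }
    }
}
Get-RecoveryPasswords | Format-Table -AutoSize

# 5. Reboot, pass the startup-key test, and let C: finish encrypting. Only then can the OS volume
#    hold the key that unlocks D: automatically at boot (Drashna's point: auto-unlock needs an
#    encrypted system drive). Run this after that reboot:
#    Enable-BitLockerAutoUnlock -MountPoint 'D:'

# 6. Check state at any time: protection status, percentage encrypted, protectors per volume.
manage-bde -status
```

After step 2 the padlock icons appear only once the reboot test has passed and encryption has begun, so "feature installed but no padlocks" is expected right up to that point; `manage-bde -status` is the reliable indicator, not the icon.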
