Is there any way to use whole disk encryption to protect servers if stolen from a site?
Is there any product that does whole disk encryption for Small Business Server so that it can be protected if the physical machine or hard drive are stolen?
Second best solution if that's not possible, how about just the Exchange store?
Second best solution if that's not possible, how about just the Exchange store?
Just to be sure, backup your system before... just in case.
I know of several companies which use a program called Safeboot on laptops, I guess it would run on a server - http://www.safeboot.com/
-tigermatt
-tigermatt
1) One thing to bear in mind is that the security of your encryption using a full disk encryption method is rarely the security of the algorithm (in this case AES) but rather of the key material, in this case your password. So, when you consider a product, make sure that it supports long and truly random passwords. You may need to generate a decent random password by some other method, such as rolling dice, using playing cards or selecting characters from a book at random. You need a lot of key material to make it hard to break. Simple solutions can be broken automatically in a couple of hours.
2) Also, make sure that the product has been properly tested and the implementation accredited, otherwise it is worthless. Check out Bruce Schneier at http://www.schneier.com/ for more information about these issues.
3) I don't know anything about the product suggested, but certainly do not use Microsoft EFS technology on your server---it won't do want you want. Use a pre-boot authentication, ideally using a USB key or floppy disk that you do not store with the server. That way, it really will be secure.
Of course, physical security should not be overlooked.
2) Also, make sure that the product has been properly tested and the implementation accredited, otherwise it is worthless. Check out Bruce Schneier at http://www.schneier.com/ for more information about these issues.
3) I don't know anything about the product suggested, but certainly do not use Microsoft EFS technology on your server---it won't do want you want. Use a pre-boot authentication, ideally using a USB key or floppy disk that you do not store with the server. That way, it really will be secure.
Of course, physical security should not be overlooked.
Sorry, I always think of one more thing...
Are your backup tapes encrypted? Otherwise, someone might just take them instead!
Are your backup tapes encrypted? Otherwise, someone might just take them instead!
DriveCrypt Plus looks good from a general point of view, but the site doesn't show any evidence of being peer-reviewed, so its security credentials are questionable. Also can't find anything relevant on Google.
Here is an article in comparison with PGP Whole Disk Encryption 9.5
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004881
Another one:
http://www.scmagazine.com/asia/products/productdetails/0958fd0e-0920-5250-d1ed-2314864ccbfa/drivecrypt-plus-pack-whole-disk-encryption-2007/
Here is a press release:
http://news.thomasnet.com/companystory/512032
I'm sure you can trust them, I'm using drivecrypt myself, they implement AES 256 so what do you want?
Tolomir
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004881
Another one:
http://www.scmagazine.com/asia/products/productdetails/0958fd0e-0920-5250-d1ed-2314864ccbfa/drivecrypt-plus-pack-whole-disk-encryption-2007/
Here is a press release:
http://news.thomasnet.com/companystory/512032
I'm sure you can trust them, I'm using drivecrypt myself, they implement AES 256 so what do you want?
Tolomir
None of these reviews are from security experts. As a result, you can trust the functioning of the software but not necessarily its security credentials. See http://www.schneier.com/essay-037.html for more on this.
If you do choose to use this software then you should not use the steganography option, as it is prone to a targeted attack. Instead, use a USB solution for the key media,
I was involved in looking at a full disk encryption solution for laptops earlier in the year. Having reviewed a large number of products, I found that only enterprise class software did what it said with any authority. Unfortunately, it was beyond our budget. If that is the case for you, then you will certainly gain something by using products like Drive Crypt, but if you are working in a regulated environment (Sarblanes-Oxley, Data Protection, FSA, FDA, etc.) then these cheaper solutions are not sufficient. Review a list of exhibitors from an IT security-specific show, such as Infosecurity (www.infosec.co.uk). As an example, the SafeNet product has US government approval.
If you do choose to use this software then you should not use the steganography option, as it is prone to a targeted attack. Instead, use a USB solution for the key media,
I was involved in looking at a full disk encryption solution for laptops earlier in the year. Having reviewed a large number of products, I found that only enterprise class software did what it said with any authority. Unfortunately, it was beyond our budget. If that is the case for you, then you will certainly gain something by using products like Drive Crypt, but if you are working in a regulated environment (Sarblanes-Oxley, Data Protection, FSA, FDA, etc.) then these cheaper solutions are not sufficient. Review a list of exhibitors from an IT security-specific show, such as Infosecurity (www.infosec.co.uk). As an example, the SafeNet product has US government approval.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I agree with Tolomir
I would recommend TrueCrypt: www.truecrypt.org
It works very well. It is very secure. And it is free.
Remember - as pointed out above - it is important to choose a "good" passphrase.
It works very well. It is very secure. And it is free.
Remember - as pointed out above - it is important to choose a "good" passphrase.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you all for your contributions to this question. I've reviewed the products suggested and while they do support Windows 2003, none address the matter of the Exchange database store and Exchange Server in general, which is part of SBS2003 and key to securing small branch servers. There are other products that will create secure volumes, for example to encrypt data files in user directories, but the Exchange store which is very sensitive sits unprotected.
These solutions offer whole disk protection but do not specifically address what impact if any on Exchange.
These solutions offer whole disk protection but do not specifically address what impact if any on Exchange.
If you encrypt the Exchange databases there will be a performance impact, of course.
Full disk solutions will work, but it is unlikely they will be supported by Microsoft.
Other solutions do not work.
Full disk solutions will work, but it is unlikely they will be supported by Microsoft.
Other solutions do not work.
ASKER
There don't appear to be any solutions that explicitly support encrypting an Exchange store, so it's a "close but no cigar" situation. Trial and error (time consuming) with cloned servers may be only way to see what works. Still the risk that the Exchange bit is unsupported. MS really ought to offer encrypted store option.
http://www.securstar.com/products_drivecryptpp.php
- Full Disk Encryption (Encrypts parts or 100% of your HardDisk including the operating System)
- Pre-Boot authentication (BEFORE the machines boots, a password is requested to decrypt the disk and start your machine)
- Allows secure hiding of an entire operating system inside the free space of another operating system.
- Strong 256bit AES encryption
- USB-Token authentication at pre-boot level
Tolomir