BitLocker on DCs

ms-pro
Hi

I want to configure BitLocker on my DCs based on Windows Server 2008 R2 (VMware and physical servers). Can anyone provide me with some info about how to configure it? Is there anything I need to be aware of, what are the best practices, etc.?

BR
ms-pro
Commented:
Best practice is NOT to use it! It impedes performance and can cause issues with recovery. Since BitLocker is primarily designed to protect data on portable devices and drives which are likely to be stolen/lost, etc., you should not need it on DCs, which should be physically secured in any case.

Author

Commented:
@KCTS, I fully agree with you, but can you provide me with a TechNet article that can approve your consideration?

A small part of me agrees with KCTS, but on the other hand, if we are talking about a branch DC, somewhere where there is a lack of security or theft concerns, then I would use it. I found this step-by-step guide here:

http://mscerts.programming4.us/windows_server/Configuring%20BitLocker%20Drive%20Encryption%20on%20a%20Windows%20Server%202008%20R2%20Branch%20Office%20Domain%20Controller%20(part%201).aspx

And another good link:

http://www.windowsecurity.com/articles/Best-practice-guide-how-configure-BitLocker-Part2.html

Commented:
Are you not using a SAN for VMware? That's the 'normal way these days'.

Commented:
Hi.

Two thoughts to add:
- Cold boot attacks are applicable to BitLocker, too. It's a matter of minutes if someone comes prepared. See http://www.youtube.com/watch?v=JDaicPIgn9U
- Maybe an RODC would help you? http://technet.microsoft.com/en-us/library/cc732801(v=ws.10).aspx
Quote: Branch offices often cannot provide the adequate physical security that is required for a writable domain controller
