
Bit locker

Posted on 2012-03-19
Last Modified: 2012-04-19
I have around 150 users using Windows XP. We are planning to migrate to Win7 and enable BitLocker encryption on all computers. I need to know:
1. Will the performance of the computers go down if I enable BitLocker encryption?
2. Will users have any problem accessing the network shares? E.g., if one user makes a change to a file in the shared folder, can the other users who have access to the shared folder open the file without any problems?
3. If anybody is using BitLocker in a network environment, please advise the necessary steps to follow before the migration.
Please advise. Thanks a million.
0
Question by:dmgUAE
11 Comments
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 37739489
1. Technically yes. But you won't notice.

2. Nope. BitLocker is hardware only encryption. It does not interfere once the operating system is started.

3. You will probably want to enable BitLocker during the imaging process. If you have the extra money - Microsoft BitLocker Administration and Monitoring is very useful!
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37739547
Jmoody10 answered your questions, but just to add some things you should consider or have in mind.

Remember to use Win7 Enterprise or Ultimate.

Should you use BitLocker To Go? -> Make sure to inform the users before, and not after.

Where should you store the recovery key? In AD or let each user take care of it.

Will you use the TPM? (Make separate GPOs: one for TPM and one without TPM.)
0
 

Author Comment

by:dmgUAE
ID: 37741083
I would like to store the key in AD. What should I do to store the key in AD?
Is it necessary that a TPM be present on all computers using BitLocker?
If a BitLocker-enabled laptop user accesses a network share and makes any changes, can the data be accessed by another laptop user on the network?
Please advise.
0

 
LVL 22

Expert Comment

by:Joseph Moody
ID: 37741710
http://technet.microsoft.com/en-us/library/dd875529(v=WS.10).aspx

No, but it is recommended. If you don't have a TPM chip, you will need to use a USB key. This is less secure as users will leave the USB key in the computer.

Yes. Once a machine is in Windows, BitLocker doesn't have an effect.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37745975
BitLocker will not encrypt files on a network share. If a user connects to a network share from his BitLocker-enabled machine and makes a change to a file, this file is not encrypted.

BitLocker encrypts the local disk on the machine. Nothing more. If you use BitLocker To Go, you can enforce users to encrypt i.e. USB drives if they want write access to it.


Here are the links I used when I configured BitLocker (it is a lot of reading):

Best practices: http://technet.microsoft.com/en-us/library/dd875532(WS.10).aspx

Best practices 2: http://www.windowsecurity.com/articles/Best-practice-guide-how-configure-BitLocker-Part1.html

Step-by-step guide: http://technet.microsoft.com/en-us/library/dd835565(WS.10).aspx

Group Policy: http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx

Password recovery: http://technet.microsoft.com/en-us/library/dd875531(WS.10).aspx
0
 

Author Comment

by:dmgUAE
ID: 37792915
Thanks. The above links are absolutely good and helpful. If you don't mind, can you guide me on how I can deploy BitLocker, both user laptop configuration and group policy?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37792965
Ouch, that would be one long post!

I would recommend you to configure a GPO (link above). I don't know your requirements or company policy, so I can't say tick that and don't tick that one, etc.

If you have a mixture of laptops and desktops and you only want BitLocker on the laptops, you can:

a) Move all laptops to their own OU and link the GPO to that OU.
b) Enable a WMI filter on the GPO to only apply to laptops.

Do all laptops have a TPM chip, and will you take advantage of it? (This can give you a PIN authentication before the OS is loaded, aka two-factor authentication.)

If you want to use the chip you'll have to initialize it and take ownership of it. See "Best practices 2" above.

In the GPO you'll also set if you want to use "BitLocker To Go". If you enable it, users can't write to i.e. USB flash drives/disks if they have not encrypted the USB unit. In the GPO you also set the password length to be used on USB disks/flash drives.

If you have Mac/Linux users, they will be unable to read BitLocker-encrypted drives. Legacy Win OS (Win XP) without BitLocker can read the drives as long as they type the password set on the encrypted USB disk.

When the GPO and TPM chip are in place, users can enable BitLocker and encrypt the disk (open Explorer, right click the C-drive and choose encrypt).

Since BitLocker should be configured to meet the company policy, I can't give you a direct guide on how to do it.
0
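Added example, not part of any post in this thread: a read-only PowerShell check that reports, for one machine, the points raised above (Win7 edition, laptop or desktop, TPM state, whether the OS volume is already protected). The function name `Get-BitLockerReadiness` and the output field names are made up for this illustration; the WMI classes and properties are the standard Windows ones.

```powershell
# Added example, not from the thread. Read-only; run from an elevated prompt.
# Get-WmiObject is used so the function also works on PowerShell 2.0 (Windows 7).
function Get-BitLockerReadiness {   # hypothetical helper name
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    # PCSystemType 2 = Mobile. The same test written as a GPO WMI filter:
    #   SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 2
    $isLaptop = ($cs.PCSystemType -eq 2)

    # The thread says to use Win7 Enterprise or Ultimate.
    $editionOk = ($os.Caption -match 'Enterprise|Ultimate')

    # Win32_Tpm returns nothing when no TPM is exposed to Windows.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
        -Class Win32_Tpm -ErrorAction SilentlyContinue
    $tpmPresent = ($null -ne $tpm)

    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown.
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveLetter -eq $os.SystemDrive }

    New-Object PSObject -Property @{
        Computer           = $env:COMPUTERNAME
        OS                 = $os.Caption
        EditionSupported   = $editionOk
        IsLaptop           = $isLaptop
        TpmPresent         = $tpmPresent
        TpmEnabled         = $(if ($tpmPresent) { $tpm.IsEnabled_InitialValue } else { $false })
        TpmActivated       = $(if ($tpmPresent) { $tpm.IsActivated_InitialValue } else { $false })
        TpmOwned           = $(if ($tpmPresent) { $tpm.IsOwned_InitialValue } else { $false })
        OsVolumeProtected  = ($null -ne $vol -and $vol.ProtectionStatus -eq 1)
        # Without a TPM, the fallback mentioned in the thread is a USB startup key.
        NeedsUsbStartupKey = (-not $tpmPresent)
    }
}

Get-BitLockerReadiness | Format-List
```

A machine that reports `TpmPresent` true but `TpmOwned` false still needs the initialize and take-ownership step before TPM-based protectors can be used.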
 

Author Comment

by:dmgUAE
ID: 37793806
When I try to set up advanced group policies for BitLocker on Server 2008, I notice the items below are missing:

- Operating System Drives
- Fixed Data Drives
- Removable Data Drives

Please advise.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 37797520
Do you set up the GPO from a 2008 DC?

If you don't have 2008R2 DCs, you can do it from a Win7 machine to see if you spot the missing settings.
0
 

Author Comment

by:dmgUAE
ID: 37799788
I have a Win 2008 server, and on the server only I am missing the following under BitLocker:

- Operating System Drives
- Fixed Data Drives
- Removable Data Drives

To enable DRA, if I go to Windows Settings > Security Settings > Public Key Policies, I cannot see BitLocker there as well.
0
 
LVL 21

Accepted Solution

by:
snusgubben earned 1500 total points
ID: 37802538
Did you try from a Win7 machine? (You will have to use RSAT http://www.microsoft.com/download/en/details.aspx?id=7887)
0
