Solved

BitLocker on Windows 8, Windows Server 2008 & 2012, SBS2011

Posted on 2014-03-13
Last Modified: 2014-03-27
Hi,
I successfully enabled BitLocker on Windows 7 Ultimate OS.
Now I'd like to do the same on Windows 8, Windows Server 2008 & 2012, SBS2011.
Before I do that, are there things that I should be aware of?
For example, does only the Windows 8 Professional version come with the BitLocker feature?

When I tried to enable BitLocker on Windows 2008 Server Std. with one drive/partition yesterday, it said that I had to have two partitions to enable BitLocker. So apparently I need a separate OS partition on top of the data partition even if there is only one hard disk?

 Having seen that message, I just wanted to get some heads-up before attempting to do this on other server operating systems that I manage.
Question by:sglee
 
LVL 53

Accepted Solution

by:
McKnife earned 340 total points
ID: 39926699
Hi.

You would not do this without having backups, would you?
Win8 does not feature BitLocker; Win8 Pro and 8 Enterprise do.

When encrypting, an extra partition will get created unless there already is one. On 2008, there was not. On 2008 R2/2012/2012R2/Win8, there already is.

Biggest caveat: please think about what happens after encrypting the servers. How are the keys provided if the servers reboot after nightly updates or eventual crashes? Who provides the key?
0
 

Author Comment

by:sglee
ID: 39926743
@McKnife
Thanks for the information. I understand why I saw that message on W2008 Server now.
I am glad to hear that on 2008 R2/2012/2012R2/Win8, an extra partition will be created as BitLocker is turned on.
Now on "Biggest caveat", it makes total sense. If I leave the USB flash drive that has the recovery key plugged into the servers and if they get stolen, it defeats the purpose of encrypting. On the other hand, if the user takes the USB flash drive out of the server and takes it home, then what happens when the server restarts after the reboot....
It is definitely something to think about...
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 340 total points
ID: 39926762
I have this solved like this:

Possibility A: virtualize the server and encrypt the whole VM machine or, if not possible:
B: put the sensitive data on an extra partition and encrypt it, set the server to auto-unlock itself using a script (using manage-bde.exe, the BitLocker command line tool). That script of course lies on another, physically secured server. So if the server gets stolen: no access to that script, so no data access at all.
0
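
Option B from the post above as a startup script, added here as an example and not McKnife's own script. The server name `keyserver`, the share `blkeys$`, the per-server key folder, the volume `D:` and running the script as SYSTEM from a startup task are all assumptions.

```powershell
# Added example: unlock an encrypted data volume at boot with a key that is
# held on a different, physically secured server (option B).
#
# Assumed one-time setup, done by an admin (hypothetical names throughout):
#   manage-bde -protectors -add D: -RecoveryKey \\keyserver\blkeys$\<THIS-SERVER>\
# This writes a hidden <GUID>.BEK external key file into that folder.
# Do not run "manage-bde -autounlock -enable D:" on this server: that stores
# the unlock key on the local OS volume, which leaves with a stolen machine.
#
# Assumed share ACL: read access for this server's computer account only, so
# access can be revoked centrally the moment the server goes missing.

$Volume    = 'D:'
$KeyFolder = Join-Path '\\keyserver\blkeys$' $env:COMPUTERNAME

# The network may not be up yet when a startup task runs, so retry for ~5 min.
$key = $null
foreach ($attempt in 1..30) {
    # -Force is needed because the .BEK file is created hidden.
    $key = Get-ChildItem -Path $KeyFolder -Filter '*.BEK' -Force -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if ($key) { break }
    Start-Sleep -Seconds 10
}

if (-not $key) {
    # Expected outcome for a stolen server: key share unreachable, data stays locked.
    Write-Error "No key file reachable in $KeyFolder; $Volume stays locked."
    exit 1
}

# Unlock straight from the UNC path; the key is never copied to a local disk.
& manage-bde.exe -unlock $Volume -RecoveryKey $key.FullName
if ($LASTEXITCODE -ne 0) {
    Write-Error "manage-bde could not unlock $Volume (exit code $LASTEXITCODE)."
    exit $LASTEXITCODE
}

Write-Output "$Volume unlocked with key from $KeyFolder."
# Services that depend on the data volume would be started here.
```

The point of the design is that nothing on the server itself can unlock the data volume: once the machine is off the network or its access to the share is revoked, the script fails and the volume stays locked.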
 

Author Comment

by:sglee
ID: 39926965
@McKnife
Sounds complicated, particularly since I am not familiar with the process.

If the server gets stolen, first, they are protected by the Windows admin password. Secondly, even if the thief takes the hard disks out, they won't be useful because they are part of a disk array in a RAID system. So I don't have to worry too much about the servers ...
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39926990
> So I don't have to worry too much about the servers ...
Sorry, but you don't know what you are talking about. If the thieves have no understanding of Windows, yes, then you won't have to worry. Otherwise... it's very easy to get at the data in minutes. I would stick in a Windows 8.1 To Go and after maybe 5 minutes, I have your data.

The process is not complicated, please feel free to ask for details.
0

 
LVL 28

Expert Comment

by:serialband
ID: 39927622
Physical access is access.
That's why everyone is starting to focus on encryption now.

You can recreate a RAID array.  I've done it before to recover data.
0
 

Author Comment

by:sglee
ID: 39932734
I'd like to try your method as mentioned in ID: 39926762.
Please tell me what OS I need to set up for testing - W2008, W2008R2, W2012.
I will do RAID 1 on a test server.
Would you kindly post detailed steps?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39932760
Ok, I will.

But first you have to decide for A or B, as I mentioned 2 completely different approaches.
0
 

Author Comment

by:sglee
ID: 39932859
How about trying A first?
Do you want me to set up Hyper-V on W2012 Server or VMware ESX V5.1?
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 340 total points
ID: 39933147
If virtualization is possible with that server, why not?
Please be aware that BitLocker is not supported on virtual machines, but it works. Possibly the reason for the lack of support is that Microsoft developed BL primarily for devices with a TPM chip and, until now, a TPM cannot be virtualized. But again: no problems will arise.

The process is described here for Win7, but is the same on Server 2012: http://blogs.msdn.com/b/mszcool/archive/2010/02/03/bitlocker-in-a-windows-7-guest-running-on-a-hyper-v-r2-environment-or-any-environment-without-a-tpm.aspx

Please note that the floppy file needs to be put on a share of another server that is indeed physically secured, otherwise, what would be the point :)
0


Question has a verified solution.
