Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 967
  • Last Modified:

BitLocker on Windows 8, Windows Server 2008 & 2012, SBS2011

Hi,
 I successfully enabled BitLocker on Windows 7 Ultimate OS.
 Now I like to do the same on  Windows 8, Windows Server 2008 & 2012, SBS2011.
 Before I do that, are there things that I should be aware?
 For example, Does Windows 8 Professional version only comes with BitLocker feature?

 When I tried to enable BitLocker on Windows 2008 Server Std. with one drive/partition yesterday, it said that I had to have two partitions to enable BitLocker. So apparently I need an separate OS partition on the top of data partition even if there is only one hard disk?

 Having seen that message, I just wanted to get some heads-up before attempting to do this on other server operating systems that I manage.
0
sglee
Asked:
sglee
  • 5
  • 4
3 Solutions
 
McKnifeCommented:
Hi.

You would not do this without having backups, will you?
Win8 does not Feature bitlocker, win8 pro and 8 Enterprise do.

When encrypting, an extra Partition will get created unless there already is one. On 2008, there was not. On 2008 R2/2012/2012R2/win8, there already is.

Biggest caveat: please think about what happens after encrypting the Servers. How are the keys provided if the Servers reboot after nightly updates or eventual crashes? Who provides the key?
0
 
sgleeAuthor Commented:
@McKnife
Thanks for the information. I understand why I saw that message on W2008 Server now.
I am glad to hear that on 2008 R2/2012/2012R2/win8, extra partition will be created as BitLocker is turned on.
Now on "Biggest caveat", it make total sense. If I leave the USB flash drive that has the recovery key plugged into the Servers and if they get stolen, it defeats the purposes of encrypting. On the other hand, if the user takes the USB flash drive out of the Server and take it home, then what happens when the Server restarts after the reboot....
It is definitely something to think about...
0
 
McKnifeCommented:
I have this solved like this:

Possibility A: virtualize the Server and encrypt the whole VM machine or, if not possible:
B: put the sensitive data on an extra Partition and encrypt it, set the Server to Auto unlock itself using a script (using manage-bde.exe, the bitlocker command line tool). That script of course lies on another,  physically secured Server. So if the Server gets stolen: no Access to that script, so no data Access at all.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
sgleeAuthor Commented:
@McKnife
Sounds complicated, particularly since I am not familiar with the process.

If the Server gets stolen, first, they are protected by the Windows admin password. Secondly even if the thief takes the hard disks out, they won't be useful because they are part of disk array in RAID system. So I don't have to too much worry about the Servers ...
0
 
McKnifeCommented:
> So I don't have to too much worry about the Servers ...
Sorry, but you don't know what you are talking about. If the thieves have no understanding of Windows, yes, then you won't have to worry. Otherwise...it's very easy to get at the data in minutes. I would stick in a Windows 8.1 to go and after maybe 5 minutes, I have your data.

The process is not complicated, please feel free to ask for Details.
0
 
serialbandCommented:
Physical access is access.
That's why everyone is starting to focus on encryption now.

You can recreate a RAID array.  I've done it before to recover data.
0
 
sgleeAuthor Commented:
I like to try your method as mentioned in ID: 39926762.
Please tell me what OS I need to setup for testing - W2008, W2008R2, W2012.
I will do RAID 1 on a test server.
Would you kindley post detailed steps?
0
 
McKnifeCommented:
Ok, I will.

But first you have to decide for A or B as I mentioned 2 completely different aproaches.
0
 
sgleeAuthor Commented:
How about trying A first?
Do you want me to setup HyperV on W2012 Server or VMWare ESX V5.1?
0
 
McKnifeCommented:
If virtualization is possible with that server, why not?
Please be aware, that Bitlocker is not supported on virtual machines, but it works. Possibly, the reason for lack of support is, that Microsoft developed BL primarily for devices with a TPM chip and until now, a TPM cannot be virtualized. Again: but no problems will arise.

The process is described here for win7, but is the same on server 2012: http://blogs.msdn.com/b/mszcool/archive/2010/02/03/bitlocker-in-a-windows-7-guest-running-on-a-hyper-v-r2-environment-or-any-environment-without-a-tpm.aspx

Please note that the floppy file needs to be put to a share of another server that is indeed physically secured, otherwise, what would be the point :)
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now