Improve company productivity with a Business Account.Sign Up

x
?
Solved

BitLocker on Windows 8, Windows Server 2008 & 2012, SBS2011

Posted on 2014-03-13
10
Medium Priority
?
1,002 Views
Last Modified: 2014-03-27
Hi,
 I successfully enabled BitLocker on Windows 7 Ultimate OS.
 Now I like to do the same on  Windows 8, Windows Server 2008 & 2012, SBS2011.
 Before I do that, are there things that I should be aware?
 For example, Does Windows 8 Professional version only comes with BitLocker feature?

 When I tried to enable BitLocker on Windows 2008 Server Std. with one drive/partition yesterday, it said that I had to have two partitions to enable BitLocker. So apparently I need an separate OS partition on the top of data partition even if there is only one hard disk?

 Having seen that message, I just wanted to get some heads-up before attempting to do this on other server operating systems that I manage.
0
Comment
Question by:sglee
  • 5
  • 4
10 Comments
 
LVL 59

Accepted Solution

by:
McKnife earned 1360 total points
ID: 39926699
Hi.

You would not do this without having backups, will you?
Win8 does not Feature bitlocker, win8 pro and 8 Enterprise do.

When encrypting, an extra Partition will get created unless there already is one. On 2008, there was not. On 2008 R2/2012/2012R2/win8, there already is.

Biggest caveat: please think about what happens after encrypting the Servers. How are the keys provided if the Servers reboot after nightly updates or eventual crashes? Who provides the key?
0
 

Author Comment

by:sglee
ID: 39926743
@McKnife
Thanks for the information. I understand why I saw that message on W2008 Server now.
I am glad to hear that on 2008 R2/2012/2012R2/win8, extra partition will be created as BitLocker is turned on.
Now on "Biggest caveat", it make total sense. If I leave the USB flash drive that has the recovery key plugged into the Servers and if they get stolen, it defeats the purposes of encrypting. On the other hand, if the user takes the USB flash drive out of the Server and take it home, then what happens when the Server restarts after the reboot....
It is definitely something to think about...
0
 
LVL 59

Assisted Solution

by:McKnife
McKnife earned 1360 total points
ID: 39926762
I have this solved like this:

Possibility A: virtualize the Server and encrypt the whole VM machine or, if not possible:
B: put the sensitive data on an extra Partition and encrypt it, set the Server to Auto unlock itself using a script (using manage-bde.exe, the bitlocker command line tool). That script of course lies on another,  physically secured Server. So if the Server gets stolen: no Access to that script, so no data Access at all.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 

Author Comment

by:sglee
ID: 39926965
@McKnife
Sounds complicated, particularly since I am not familiar with the process.

If the Server gets stolen, first, they are protected by the Windows admin password. Secondly even if the thief takes the hard disks out, they won't be useful because they are part of disk array in RAID system. So I don't have to too much worry about the Servers ...
0
 
LVL 59

Expert Comment

by:McKnife
ID: 39926990
> So I don't have to too much worry about the Servers ...
Sorry, but you don't know what you are talking about. If the thieves have no understanding of Windows, yes, then you won't have to worry. Otherwise...it's very easy to get at the data in minutes. I would stick in a Windows 8.1 to go and after maybe 5 minutes, I have your data.

The process is not complicated, please feel free to ask for Details.
0
 
LVL 32

Expert Comment

by:serialband
ID: 39927622
Physical access is access.
That's why everyone is starting to focus on encryption now.

You can recreate a RAID array.  I've done it before to recover data.
0
 

Author Comment

by:sglee
ID: 39932734
I like to try your method as mentioned in ID: 39926762.
Please tell me what OS I need to setup for testing - W2008, W2008R2, W2012.
I will do RAID 1 on a test server.
Would you kindley post detailed steps?
0
 
LVL 59

Expert Comment

by:McKnife
ID: 39932760
Ok, I will.

But first you have to decide for A or B as I mentioned 2 completely different aproaches.
0
 

Author Comment

by:sglee
ID: 39932859
How about trying A first?
Do you want me to setup HyperV on W2012 Server or VMWare ESX V5.1?
0
 
LVL 59

Assisted Solution

by:McKnife
McKnife earned 1360 total points
ID: 39933147
If virtualization is possible with that server, why not?
Please be aware, that Bitlocker is not supported on virtual machines, but it works. Possibly, the reason for lack of support is, that Microsoft developed BL primarily for devices with a TPM chip and until now, a TPM cannot be virtualized. Again: but no problems will arise.

The process is described here for win7, but is the same on server 2012: http://blogs.msdn.com/b/mszcool/archive/2010/02/03/bitlocker-in-a-windows-7-guest-running-on-a-hyper-v-r2-environment-or-any-environment-without-a-tpm.aspx

Please note that the floppy file needs to be put to a share of another server that is indeed physically secured, otherwise, what would be the point :)
0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

There’s hardly a doubt that Business Communication is indispensable for both enterprises and small businesses, and if there is an email system outage owing to Exchange server failure, it definitely results in loss of productivity.
In this article, we will discuss how you can secure Active Directory using free tools, and how you can choose a safe and secure Active Directory security auditing tool.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

579 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question