Solved

BitLocker on Windows 8, Windows Server 2008 & 2012, SBS2011

Posted on 2014-03-13
10
Medium Priority
951 Views
Last Modified: 2014-03-27
Hi,
I successfully enabled BitLocker on Windows 7 Ultimate OS.
Now I'd like to do the same on Windows 8, Windows Server 2008 & 2012, SBS2011.
Before I do that, are there things that I should be aware of?
For example, does only the Windows 8 Professional version come with the BitLocker feature?

When I tried to enable BitLocker on Windows 2008 Server Std. with one drive/partition yesterday, it said that I had to have two partitions to enable BitLocker. So apparently I need a separate OS partition on top of the data partition even if there is only one hard disk?

 Having seen that message, I just wanted to get some heads-up before attempting to do this on other server operating systems that I manage.
0
Question by:sglee
10 Comments
 
LVL 57

Accepted Solution

by:
McKnife earned 1360 total points
ID: 39926699
Hi.

You would not do this without having backups, would you?
Win8 does not feature BitLocker; Win8 Pro and 8 Enterprise do.

When encrypting, an extra partition will get created unless there already is one. On 2008, there was not. On 2008 R2/2012/2012R2/Win8, there already is.

Biggest caveat: please think about what happens after encrypting the servers. How are the keys provided if the servers reboot after nightly updates or eventual crashes? Who provides the key?
0
 

Author Comment

by:sglee
ID: 39926743
@McKnife
Thanks for the information. I understand why I saw that message on W2008 Server now.
I am glad to hear that on 2008 R2/2012/2012R2/Win8, an extra partition will be created as BitLocker is turned on.
Now on "Biggest caveat", it makes total sense. If I leave the USB flash drive that has the recovery key plugged into the servers and if they get stolen, it defeats the purpose of encrypting. On the other hand, if the user takes the USB flash drive out of the server and takes it home, then what happens when the server restarts after the reboot....
It is definitely something to think about...
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 1360 total points
ID: 39926762
I have this solved like this:

Possibility A: virtualize the server and encrypt the whole VM machine or, if not possible:
B: put the sensitive data on an extra partition and encrypt it, set the server to auto-unlock itself using a script (using manage-bde.exe, the BitLocker command line tool). That script of course lies on another, physically secured server. So if the server gets stolen: no access to that script, so no data access at all.
0
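A sketch of option B from the answer above, added here as an example and not McKnife's own script. The share path `\\SECURESRV\blkeys$\`, the drive letter `D:` and the startup task are assumptions, as is manage-bde accepting the UNC folder when the key protector is created.

```powershell
# Added example, not from the thread. Assumed layout: this script and the data
# volume's external key (.bek) sit together on a share of the physically
# secured server (hypothetical path \\SECURESRV\blkeys$\). The encrypted server
# runs it from that UNC path at startup (scheduled task running as SYSTEM), so
# nothing that can unlock the volume is stored on the encrypted server itself.
#
# One-time setup, run on the encrypted server; writes the .bek to the share:
#   manage-bde -protectors -add D: -RecoveryKey \\SECURESRV\blkeys$\
# Share and NTFS permissions: read access for this server's computer account
# and the administrators who maintain the key, nobody else.

param(
    [string]$Volume = 'D:',   # assumed drive letter of the encrypted data partition
    [int]$Retries   = 5       # attempts, in case the volume is not ready yet
)

# Folder this script was started from, i.e. the share on the secured server.
$keyDir = Split-Path -Parent $MyInvocation.MyCommand.Path

# .bek files carry the hidden and system attributes, so -Force is required.
$bek = @(Get-ChildItem -Path $keyDir -Filter '*.bek' -Force)
if ($bek.Count -ne 1) {
    Write-Error "Expected exactly one .bek file in $keyDir, found $($bek.Count)."
    exit 2
}

for ($i = 1; $i -le $Retries; $i++) {
    # -RecoveryKey takes the path of the external key file.
    & manage-bde.exe -unlock $Volume -RecoveryKey $bek[0].FullName | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Output "$Volume unlocked on attempt $i."
        exit 0
    }
    Start-Sleep -Seconds 10
}

Write-Error "Could not unlock $Volume after $Retries attempts (last exit code $LASTEXITCODE)."
exit 1
```

If the server is removed from the network, the share is unreachable, the script cannot even be loaded, and the data volume stays locked.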

Author Comment

by:sglee
ID: 39926965
@McKnife
Sounds complicated, particularly since I am not familiar with the process.

If the server gets stolen, first, they are protected by the Windows admin password. Secondly, even if the thief takes the hard disks out, they won't be useful because they are part of a disk array in a RAID system. So I don't have to worry too much about the servers ...
0
 
LVL 57

Expert Comment

by:McKnife
ID: 39926990
> So I don't have to worry too much about the servers ...
Sorry, but you don't know what you are talking about. If the thieves have no understanding of Windows, yes, then you won't have to worry. Otherwise... it's very easy to get at the data in minutes. I would stick in a Windows 8.1 To Go and after maybe 5 minutes, I have your data.

The process is not complicated, please feel free to ask for details.
0
 
LVL 31

Expert Comment

by:serialband
ID: 39927622
Physical access is access.
That's why everyone is starting to focus on encryption now.

You can recreate a RAID array.  I've done it before to recover data.
0
 

Author Comment

by:sglee
ID: 39932734
I'd like to try your method as mentioned in ID: 39926762.
Please tell me what OS I need to set up for testing - W2008, W2008R2, W2012.
I will do RAID 1 on a test server.
Would you kindly post detailed steps?
0
 
LVL 57

Expert Comment

by:McKnife
ID: 39932760
Ok, I will.

But first you have to decide on A or B, as I mentioned 2 completely different approaches.
0
 

Author Comment

by:sglee
ID: 39932859
How about trying A first?
Do you want me to set up Hyper-V on W2012 Server or VMware ESX V5.1?
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 1360 total points
ID: 39933147
If virtualization is possible with that server, why not?
Please be aware that BitLocker is not supported on virtual machines, but it works. Possibly, the reason for the lack of support is that Microsoft developed BL primarily for devices with a TPM chip and until now, a TPM cannot be virtualized. Again: no problems will arise.

The process is described here for win7, but is the same on server 2012: http://blogs.msdn.com/b/mszcool/archive/2010/02/03/bitlocker-in-a-windows-7-guest-running-on-a-hyper-v-r2-environment-or-any-environment-without-a-tpm.aspx

Please note that the floppy file needs to be put on a share of another server that is indeed physically secured, otherwise, what would be the point :)
0


Question has a verified solution.
