Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Server Data Security in case of stolen server

Posted on 2014-04-18
6
Medium Priority
?
398 Views
Last Modified: 2014-04-21
Hello,

I have a client who is concerned with someone breaking in to their office and stealing their server and then being able to get access to the data.   The server uses Active Directory and a SQL database.  The database by software design uses authentication access.

I know there are tools that allow someone to reset the password to the domain administrator, etc.. and then get to the data.

Is there any good way to reduce this risk in the case of someone stealing the server?

If yes, does it take a big performance hit in regards to disk i/o?
0
Comment
Question by:tucktech
  • 3
  • 2
6 Comments
 
LVL 30

Assisted Solution

by:Rich Weissler
Rich Weissler earned 900 total points
ID: 40009640
For Windows Server, you can use BitLocker.

For SQL, one "built in" possibility is Transparent Data Encryption, which will require the Enterprise Edition of SQL, and you'll need to be very careful with certificates and keys.

In both cases, I'd strongly suggest reading up on the features, implementations and recovery... and be aware that you'll need to keep the private keys for the certificates safe.

And yes, with any encryption, there will be performance hit, but it'll usually be mostly CPU.
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 1100 total points
ID: 40010199
The performance hit is nearly unnoticable for bitlocker, and if the whole/partition drive is encrypted, why use additional SQL encryption?
But be aware that for secure encyrption, you need a concept. Turning on bitlocker is not as easy as it seems. Bitlocker ("BL") should not run in transparent mode (which requires a TPM chip, by the way), but should require authentication. As servers normally should reboot "hands-free", this creates a new problem: how to provide the key?

We can solve like this: use a script to unlock the BL-encyrpted drive. Place that script on another, physically better secured server's share and have task scheduler start it. When the server is stolen, the script is not accessible and the drive stays locked.
0
 

Author Comment

by:tucktech
ID: 40010277
Thanks, are there any suggested guides or best practices on bitlocker that you would recommend?

Like the idea of the share and automatic task scheduler to keep it automatic and only available if both devices are available to each other.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 57

Accepted Solution

by:
McKnife earned 1100 total points
ID: 40010316
Just learn the syntax of manage-bde.exe
That's all you need. Put it in a batch file and there you go.
No best practices. My method requires the policy"require additional startup key" to be activated.
Of course that method can only be used for non-OS partitions.
0
 

Author Closing Comment

by:tucktech
ID: 40010462
Seems simple enough....
0
 
LVL 57

Expert Comment

by:McKnife
ID: 40013604
If you need more help, just say, we have used this for years.
0

Featured Post

WatchGuard Case Study: Museum of Flight

“With limited money and limited staffing, we didn’t have a lot of choices in terms of what we could do to bring efficiency. WatchGuard played a central part in changing that.” To provide strong, secure Wi-Fi access within the museum, Hunter chose to deploy WatchGuard’s AP120 APs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Businesses who process credit card payments have to adhere to PCI Compliance standards. Here’s why that’s important.
The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question