Solved

Server Data Security in case of stolen server

Posted on 2014-04-18
Last Modified: 2014-04-21
Hello,

I have a client who is concerned with someone breaking into their office and stealing their server and then being able to get access to the data. The server uses Active Directory and a SQL database. The database by software design uses authentication access.

I know there are tools that allow someone to reset the password to the domain administrator, etc., and then get to the data.

Is there any good way to reduce this risk in the case of someone stealing the server?

If yes, does it take a big performance hit in regards to disk i/o?
Question by:tucktech
6 Comments
 
LVL 30

Assisted Solution

by:Rich Weissler
Rich Weissler earned 225 total points
ID: 40009640
For Windows Server, you can use BitLocker.

For SQL, one "built in" possibility is Transparent Data Encryption, which will require the Enterprise Edition of SQL, and you'll need to be very careful with certificates and keys.

In both cases, I'd strongly suggest reading up on the features, implementations and recovery... and be aware that you'll need to keep the private keys for the certificates safe.

And yes, with any encryption, there will be a performance hit, but it'll usually be mostly CPU.
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 275 total points
ID: 40010199
The performance hit is nearly unnoticeable for BitLocker, and if the whole drive/partition is encrypted, why use additional SQL encryption?
But be aware that for secure encryption, you need a concept. Turning on BitLocker is not as easy as it seems. BitLocker ("BL") should not run in transparent mode (which requires a TPM chip, by the way), but should require authentication. As servers normally should reboot "hands-free", this creates a new problem: how to provide the key?

We can solve it like this: use a script to unlock the BL-encrypted drive. Place that script on another, physically better secured server's share and have Task Scheduler start it. When the server is stolen, the script is not accessible and the drive stays locked.
 

Author Comment

by:tucktech
ID: 40010277
Thanks, are there any suggested guides or best practices on BitLocker that you would recommend?

I like the idea of the share and automatic Task Scheduler job to keep it automatic and only available if both devices are available to each other.

 
LVL 54

Accepted Solution

by:McKnife
McKnife earned 275 total points
ID: 40010316
Just learn the syntax of manage-bde.exe
That's all you need. Put it in a batch file and there you go.
No best practices. My method requires the policy "require additional startup key" to be activated.
Of course that method can only be used for non-OS partitions.
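The scheme McKnife describes across his two comments (an unlock script that lives on a better-secured server's share, started by Task Scheduler, driving manage-bde.exe against a non-OS volume), written out as an added example. This is not McKnife's script or any code from the thread. All names are hypothetical: a file server named vault exposing the share \\vault\bitlocker\sqlsrv01, a SQL server SQLSRV01 whose data and log files sit on D:, and the default MSSQLSERVER service; the retry count and delays are arbitrary choices.

```powershell
<#
  Added example (not from the thread): unlock a BitLocker-protected SQL data
  volume at boot with an external key (.BEK) that exists only on a separately
  secured file server, then start SQL Server. If the share is unreachable, the
  volume stays locked and SQL stays down.

  Hypothetical names used throughout:
    \\vault\bitlocker\sqlsrv01   share on the "vault" server; share and NTFS
                                 ACLs grant Read only to SQLSRV01$ (computer account)
    D:                           the SQL data/log volume (a non-OS volume)
    MSSQLSERVER                  the SQL Server service, set to Manual start

  One-time setup on SQLSRV01 (elevated prompt), not part of this script:
    manage-bde -on D: -RecoveryPassword
        # prints a 48-digit recovery password; keep it offline for emergencies
    manage-bde -protectors -add D: -RecoveryKey \\vault\bitlocker\sqlsrv01\
        # writes <ProtectorGUID>.BEK into the share; that file IS the volume key
    manage-bde -autounlock -disable D:
        # never cache an unlock key on the OS volume
    Set-Service MSSQLSERVER -StartupType Manual
    schtasks /Create /TN "Unlock D" /SC ONSTART /RU SYSTEM /DELAY 0001:00 ^
      /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File \\vault\bitlocker\sqlsrv01\unlock-d.ps1"
        # the task's action points at the share too, so a stolen server has
        # neither the script nor the key
#>

param(
    [string]$Volume   = 'D:',
    [string]$KeyDir   = '\\vault\bitlocker\sqlsrv01',
    [string]$Service  = 'MSSQLSERVER',
    [int]   $Attempts = 10     # network/Kerberos may need a minute or two after boot
)

$ErrorActionPreference = 'Stop'

function Get-LockStatus([string]$Vol) {
    # "manage-bde -status <vol>" prints a "Lock Status: Locked|Unlocked" line.
    $out = (& manage-bde.exe -status $Vol) -join "`n"
    if ($out -match 'Lock Status:\s+Unlocked') { return 'Unlocked' }
    if ($out -match 'Lock Status:\s+Locked')   { return 'Locked' }
    throw "Cannot read BitLocker status for ${Vol}: $out"
}

# Already unlocked (e.g. task re-run by hand): just make sure SQL is up.
if ((Get-LockStatus $Volume) -eq 'Unlocked') {
    Start-Service $Service
    exit 0
}

# Look for the external key on the vault share, retrying while the network comes up.
$key = $null
for ($i = 1; ($i -le $Attempts) -and (-not $key); $i++) {
    $key = Get-ChildItem -Path $KeyDir -Filter '*.BEK' -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $key) { Start-Sleep -Seconds 30 }
}
if (-not $key) {
    # Vault unreachable: either the network is still down or this box has left
    # the building. Leave D: locked and do not start SQL.
    throw "No external key reachable under $KeyDir; leaving $Volume locked."
}

# -RecoveryKey reads the .BEK for this boot only; with auto-unlock disabled,
# nothing derived from it is written to the OS volume.
& manage-bde.exe -unlock $Volume -RecoveryKey $key.FullName | Out-Null
if ($LASTEXITCODE -ne 0 -or (Get-LockStatus $Volume) -ne 'Unlocked') {
    throw "manage-bde failed to unlock $Volume (exit code $LASTEXITCODE)."
}

Start-Service $Service
```

Two things to keep in mind with this layout. First, the .BEK on the share is equivalent to the disk key, so the vault server must be the physically better-secured box McKnife describes, its share must be readable only by the SQL server's computer account, and it must not depend on the server that could be stolen (for example for domain authentication). Second, as McKnife says, this covers non-OS volumes only: the operating-system volume still needs its own BitLocker protector (TPM plus PIN or startup key, which is what the "require additional startup key" policy concerns), and that matters on a box that also runs Active Directory, because the directory database lives on the OS volume.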
 

Author Closing Comment

by:tucktech
ID: 40010462
Seems simple enough....
 
LVL 54

Expert Comment

by:McKnife
ID: 40013604
If you need more help, just say, we have used this for years.