Server Data Security in case of stolen server

Hello,

I have a client who is concerned with someone breaking into their office and stealing their server and then being able to get access to the data. The server uses Active Directory and a SQL database. The database by software design uses authentication access.

I know there are tools that allow someone to reset the password to the domain administrator, etc., and then get to the data.

Is there any good way to reduce this risk in the case of someone stealing the server?

If yes, does it take a big performance hit in regards to disk I/O?
tucktech Asked:
 
McKnife Commented:
Just learn the syntax of manage-bde.exe
That's all you need. Put it in a batch file and there you go.
No best practices. My method requires the policy "require additional startup key" to be activated.
Of course that method can only be used for non-OS partitions.
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
For Windows Server, you can use BitLocker.

For SQL, one "built in" possibility is Transparent Data Encryption, which will require the Enterprise Edition of SQL, and you'll need to be very careful with certificates and keys.

In both cases, I'd strongly suggest reading up on the features, implementations and recovery... and be aware that you'll need to keep the private keys for the certificates safe.

And yes, with any encryption, there will be a performance hit, but it'll usually be mostly CPU.
 
McKnife Commented:
The performance hit is nearly unnoticeable for BitLocker, and if the whole drive/partition is encrypted, why use additional SQL encryption?
But be aware that for secure encryption, you need a concept. Turning on BitLocker is not as easy as it seems. BitLocker ("BL") should not run in transparent mode (which requires a TPM chip, by the way), but should require authentication. As servers normally should reboot "hands-free", this creates a new problem: how to provide the key?

We can solve it like this: use a script to unlock the BL-encrypted drive. Place that script on another, physically better secured server's share and have Task Scheduler start it. When the server is stolen, the script is not accessible and the drive stays locked.
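A sketch of the unlock script described in the answer above, written in PowerShell around manage-bde.exe. This is an added example, not code from the thread or from any of its participants; the drive letter, share path, key file name and SQL service name are assumptions to replace with your own, and the key file is assumed to be an external key protector created beforehand.

```powershell
# Added example: unlock a BitLocker data volume with a key file that lives on
# a second, physically better secured server. Store this script on that share
# too and start it from a Task Scheduler job that runs at system startup.
# Assumption: the key file was created earlier with
#   manage-bde -protectors -add D: -RecoveryKey <directory on the share>
# Assumption: the share is readable only by this server's computer account.
$Volume   = 'D:'                               # non-OS data volume (assumption)
$KeyFile  = '\\keyserver\blkeys$\sqldata.bek'  # hypothetical share and file name
$Service  = 'MSSQLSERVER'                      # default SQL instance name (assumption)
$MaxTries = 30                                 # network may not be up right after boot
$WaitSecs = 10

function Wait-ForKeyFile {
    param([string]$Path, [int]$Tries, [int]$Delay)
    for ($i = 1; $i -le $Tries; $i++) {
        # File.Exists also sees hidden/system files, which .bek files are.
        if ([System.IO.File]::Exists($Path)) { return $true }
        Start-Sleep -Seconds $Delay
    }
    return $false
}

# A stolen server cannot reach the share, so it ends up here with the volume locked.
if (-not (Wait-ForKeyFile -Path $KeyFile -Tries $MaxTries -Delay $WaitSecs)) {
    Write-Error "Key file not reachable; $Volume stays locked."
    exit 1
}

# Unlock with the external key; the key is read over the network and never
# copied to a local disk of the protected server.
& manage-bde.exe -unlock $Volume -RecoveryKey $KeyFile | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "manage-bde failed with exit code $LASTEXITCODE; $Volume stays locked."
    exit $LASTEXITCODE
}

# Assumption: the SQL service is set to manual start, because its database
# files sit on the volume that was locked during boot.
Start-Service -Name $Service
```

The unlock only protects the data if the key file, any recovery password printout and the script itself are kept off the server that holds the encrypted volume.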
tucktech (Author) Commented:
Thanks, are there any suggested guides or best practices on BitLocker that you would recommend?

Like the idea of the share and automatic task scheduler to keep it automatic and only available if both devices are available to each other.
 
tucktech (Author) Commented:
Seems simple enough....
 
McKnife Commented:
If you need more help, just say, we have used this for years.
Question has a verified solution.