Encrypt a Server

I am dealing with a Financial Adviser. His home office now requires that he encrypt his server. The server happens to be brand new and set up as RAID 10. My go-to product in the past has been Symantec Drive Encryption. They do not work with RAID 10. I checked with Dell and their product doesn't do RAID 10. So far the only suggestion which will work is BitLocker, but I have never used it, and good luck getting support through Microsoft. For what it is worth, the server is partitioned into 2 drives: C, which is the OS and doesn't need to be encrypted, and D, which has data.

I have thought about rebuilding the server so that it is RAID 5 or RAID 1, which would be compatible with Symantec. However, this is a PDC. Any thoughts would really be appreciated.

Thanks in advance
chuckkotler Asked:

McKnife Commented:
A Domain Controller needs to run at any time if there's only one. So if you think of using Symantec's solution, be aware that there's no way to encrypt that server transparently like there is with BitLocker. So if the server rebooted for whatever reason, someone would need to be there and enter the encryption password...

So with only one DC, BitLocker with TPM (=transparent encryption) is definitely recommended for a DC. That leads to 2 further questions to be answered by you:

1. Does the hardware feature a TPM chip?
2. If yes, is the RAID a software or hardware RAID? BitLocker does not work with software RAID.

Another comment on "C which is the OS and doesnt need to be encrypted" - you should encrypt it as well, definitely. Data on D: would not be secure if C: is open to an attacker who could then all too easily manipulate the OS (=the whole domain).
0
chuckkotler Author Commented:
Thanks for your answer. It makes sense. Yes, the server has a TPM chip and it has a RAID controller.
0
McKnife Commented:
OK, sounds like BitLocker.

Things to consider:
BitLocker with TPM only means no preboot authentication and therefore has attack scenarios, namely "cold boot attacks": https://www.youtube.com/watch?v=JDaicPIgn9U . Also, you have to make sure that the firewall is on in all profiles, your passwords are strong and no FireWire attack can be done (FireWire disabled in the BIOS if present).
You could of course do it twofold also: encrypt the boot partition with BitLocker + TPM and encrypt the data partition with another key so that in case someone indeed breaks in, they won't get to the data. That implies that this second key would need to be read automatically from a network share of another machine. So if the thief doesn't get his hands on the other machine as well, the data is perfectly secure. I hope you understand the thought.
0
chuckkotler Author Commented:
Never having done BitLocker before, I am a little intimidated. Have you found good step-by-step instructions? This is Server 2008 R2. Also, is it necessary for BitLocker to work to have the firewall on? We have a couple of programs that don't play nicely with Windows Firewall. To that end I have a Sonicwall.

Thanks
0
McKnife Commented:
There are no requirements or interactions with other products, nothing to fear. When doing image backups, suspend BitLocker, that's all.
0
McKnife Commented:
So no instructions, straightforward action.
Keep the recovery key secured and not on the drive. Whenever you change BIOS settings or hardware components, suspend BitLocker before you do it.
0
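
The steps discussed in this thread (TPM check, encrypting C: as well as D:, keeping the recovery key off the drive, suspending before BIOS or hardware changes) as an added example that is not part of any participant's post. It assumes Server 2008 R2 with the built-in `manage-bde.exe`; the function names and the `E:\` backup path are hypothetical.

```powershell
# Added example for Server 2008 R2; function names and E:\ are assumptions.
# Run elevated. 2008 R2 ships manage-bde.exe but no BitLocker cmdlets.

function Test-TpmReady {
    # Win32_Tpm exists only when the firmware exposes a TPM to Windows.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $false }
    return ($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated)
}

function Install-BitLockerFeature {
    # BitLocker is an optional feature on Server 2008 R2; reboot afterwards.
    Import-Module ServerManager
    Add-WindowsFeature BitLocker
}

function Start-OsVolumeEncryption {
    param([string]$KeyBackupPath = 'E:\')   # removable media, never C: or D:
    if (-not (Test-TpmReady)) { throw 'TPM missing, disabled or not activated.' }
    # With a ready TPM, manage-bde uses the TPM as the default protector,
    # so the server still boots unattended. The recovery password and the
    # external recovery key are the way back in if the TPM check fails.
    manage-bde -on C: -RecoveryPassword -RecoveryKey $KeyBackupPath
    manage-bde -protectors -get C:          # record the password off the server
}

function Start-DataVolumeEncryption {
    # Run after C: is protected: auto-unlock keys are stored on the OS volume.
    manage-bde -on D: -RecoveryPassword
    manage-bde -autounlock -enable D:
    manage-bde -protectors -get D:
}

function Suspend-ForMaintenance {
    # Before BIOS changes, hardware swaps or image backups.
    manage-bde -protectors -disable C:
}

function Resume-AfterMaintenance {
    manage-bde -protectors -enable C:
    manage-bde -status
}
```

`manage-bde -status` shows conversion progress and whether protection is on for each volume; check it before relying on D: being encrypted.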
chuckkotler Author Commented:
Thanks very much for all of your help.
0