
Encrypt a Server

I am dealing with a Financial Adviser. His home office now requires that he encrypt his server. The server happens to be brand new and set up as RAID 10. My go-to product in the past has been Symantec Drive Encryption. They do not work with RAID 10. I checked with Dell and their product doesn't do RAID 10. So far the only suggestion which will work is BitLocker, but I have never used it, and good luck getting support through Microsoft. For what it is worth, the server is partitioned into 2 drives: C, which is the OS and doesn't need to be encrypted, and D, which has data.

I have thought about rebuilding the server so that it is RAID 5 or RAID 1, which would be compatible with Symantec. However, this is a PDC. Any thoughts would really be appreciated.

Thanks in advance
Asked by chuckkotler
1 Solution
 
McKnife commented:
A domain controller needs to run at any time if there's only one. So if you think of using Symantec's solution, be aware that there's no way to encrypt that server transparently like there is with BitLocker. So if the server rebooted for whatever reason, someone would need to be there and enter the encryption password...

So with only one DC, BitLocker with TPM (= transparent encryption) is definitely recommended for a DC. That leads to 2 further questions to be answered by you:

1. Does the hardware feature a TPM chip?
2. If yes, is the RAID a software or hardware RAID? BitLocker does not work with software RAID.

Another comment on "C which is the OS and doesn't need to be encrypted" - you should encrypt it as well, definitely. Data on D: would not be secure if C: is open to an attacker, who could then all too easily manipulate the OS (= the whole domain).
 
chuckkotler (Author) commented:
Thanks for your answer.  It makes sense.  Yes the server has a TPM Chip and it has a Raid Controller.
 
McKnife commented:
OK, sounds like BitLocker.

Things to consider:
BitLocker with TPM only means no preboot authentication and therefore has attack scenarios, namely "cold boot attacks": https://www.youtube.com/watch?v=JDaicPIgn9U . Also, you have to make sure that the firewall is on in all profiles, your passwords are strong and no FireWire attack can be done (FireWire disabled in the BIOS if present).
You could of course do it twofold also: encrypt the boot partition with BitLocker + TPM and encrypt the data partition with another key, so that in case someone indeed breaks in, they won't get to the data. That implies that this second key would need to be read automatically from a network share of another machine. So if the thief doesn't get his hands on the other machine as well, the data is perfectly secure. I hope you understand the thought.

 
chuckkotler (Author) commented:
Never having done BitLocker before, I am a little intimidated. Have you found good step-by-step instructions? This is Server 2008 R2. Also, is it necessary for BitLocker to work to have the firewall on? We have a couple of programs that don't play nicely with Windows Firewall. To that end I have a SonicWall.

Thanks
 
McKnife commented:
There are no requirements or interactions with other products, nothing to fear. When doing image backups, suspend bitlocker, that's all.
 
McKnife commented:
So no instructions, straightforward action.
Keep the recovery key secured and not on the drive. Whenever you change BIOS settings or hardware components, suspend BitLocker before you do it.
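The two-key layout McKnife describes (TPM for the OS volume, a separate key for the data volume fetched from another machine at boot) and the later advice about keeping the recovery key off the drive and suspending protection before BIOS or hardware changes, written out as one manage-bde script for Server 2008 R2. This is an added example, not anything posted in the thread; BACKUPSRV, the share name, the removable drive letter F: and the script path are placeholders, and it assumes the DC's computer account can read that share during boot.

```batch
@echo off
rem Added example: BitLocker on a single 2008 R2 DC with a split key for D:.
rem Placeholders: F:\ = removable media kept off-site, \\BACKUPSRV\bitlocker =
rem share on ANOTHER machine. Run once with no argument to set up; the
rem scheduled task re-runs it with "unlock" at every boot.
if "%1"=="unlock" goto :unlock

rem --- 1. Prerequisites: TPM on, firewall on in all profiles (from the thread) ---
manage-bde -tpm -turnon
netsh advfirewall set allprofiles state on
manage-bde -status

rem --- 2. OS volume: TPM protector for transparent boot, plus a recovery
rem     password and key file saved to removable media, never to C: itself ---
manage-bde -on C: -RecoveryPassword -RecoveryKey F:\ -SkipHardwareTest
manage-bde -protectors -get C:

rem --- 3. Data volume: its own external key (.BEK) written to the other
rem     machine's share. Deliberately NOT "manage-bde -autounlock -enable D:",
rem     which would cache D:'s key on C: and collapse the two keys into one ---
manage-bde -on D: -RecoveryKey \\BACKUPSRV\bitlocker\
manage-bde -protectors -get D:

rem --- 4. At each boot, SYSTEM reads the .BEK from the share to unlock D:.
rem     A thief with only this box has C: (TPM) but no key for D: ---
schtasks /create /tn "Unlock-D-Volume" /tr "\"%~f0\" unlock" /sc onstart /ru SYSTEM /f

rem --- 5. Before a BIOS change, hardware swap or image backup: suspend, then
rem     resume afterwards, so the TPM measurements changing does not lock you out ---
rem   manage-bde -protectors -disable C:
rem   manage-bde -protectors -disable D:
rem   ... make the change / take the backup ...
rem   manage-bde -protectors -enable C:
rem   manage-bde -protectors -enable D:
goto :eof

:unlock
rem Try every key file on the share; only the one for D:'s protector will succeed.
for %%f in (\\BACKUPSRV\bitlocker\*.bek) do manage-bde -unlock D: -RecoveryKey "%%f"
goto :eof
```

Check `manage-bde -status D:` after a reboot to confirm the data volume was unlocked by the task and that no auto-unlock protector was added to C:.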
 
chuckkotler (Author) commented:
Thanks very much for all of your help.
