Solved

Exchange 2013 Encrypt Databases and Logs

Posted on 2016-08-10
5
203 Views
Last Modified: 2016-08-11
We are going to be upgrading to Exchange 2013 SP1 and our security team has asked us to look at encrypting the Exchange Databases and its logs.  I found an article saying its possible but does not go into how its done.  Has anyone done this?  What are the pros and cons?  Thanks!
0
Comment
Question by:Sedgwick_County
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 41751119
Bitlocking the server would normally suffice. Does the server have a tpm chip? Please find out.
0
 
LVL 40

Accepted Solution

by:
Adam Brown earned 250 total points
ID: 41751224
You'll want to use whole-disk encryption on the disk holding the database. Bitlocker is probably the simplest solution, and doesn't require third party software running to function. It doesn't *require* a TPM chip, but using it without one reduces security a good bit (System integrity checks to determine if the drive is in a new computer isn't available without TPM).

You can also use third party whole disk encryption solutions, but those must be running for the Exchange Database/logs to be accessible to the OS.

The pros of whole disk encryption with Exchange are that your database can't be read without authorization. If someone can get into the server with a valid username and password while the server is running and the disk is decrypted, they can still read the database. Outside of that specific scenario, it's not possible to read anything from the database or logs. Of course, if you have that scenario going on, you have bigger problems.

The con is a pretty significant performance hit. Drive read and write speed will be slower once things are encrypted because everything has to be encrypted when written and decrypted when read. You will probably notice slower performance after encrypting the database and logs drive. Your users may notice that OWA and Outlook access is slower as well. This performance hit can be mitigated by adding RAM, since Exchange keeps a significant chunk of the Database in RAM. Performance immediately following a reboot of the Exchange server will be much slower than it will be after the server has been running for a couple days, since all the recently received and accessed data in user mailboxes is what gets cached in RAM, which can't be encrypted, but is extremely difficult to access without valid credentials.

Third party encryption solutions take up additional resources and will slow things down more that using bitlocker.

Instructions for bitlocker on Server 2008: https://technet.microsoft.com/en-us/library/cc732725(v=ws.10).aspx
Instructions for bitlocker on Server 2012: https://technet.microsoft.com/en-us/library/jj612864(v=ws.11).aspx
1
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 41751554
I did not go into detail like Adam did and here's why: we need to know if there's a tpm chip. No, it's not that bitlocker cannot do without. It's more that you don't want to do without. Think about server restarts (scheduled updates, restarts, crashes) - who will enter the key? The tpm could do that for you, so only with a tpm chip, bitlocker can be used "hands free."
1
 

Author Comment

by:Sedgwick_County
ID: 41752221
Thank you both for the answers!  It has given me a lot ot think about.  To answer your question, no they do  not have a TPM chip in them.  We also do not want a huge impact to performace.  So I think this will be put on the back burner.  Thank you both again for the quick responses.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41752426
The impact to performance is not huge. Please do performance tests yourself since it depends on how we use the file system.
Also please note that many server mainboards have a so called tpm header that can be armed with a tpm anytime. Its costs depend on the brand, it might be up to 80 USD.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data‚Ķ
how to add IIS SMTP to handle application/Scanner relays into office 365.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question