Solved

Exchange 2013 Encrypt Databases and Logs

Posted on 2016-08-10
Last Modified: 2016-08-11
We are going to be upgrading to Exchange 2013 SP1 and our security team has asked us to look at encrypting the Exchange Databases and its logs. I found an article saying it's possible but it does not go into how it's done. Has anyone done this? What are the pros and cons? Thanks!
Question by: Sedgwick_County
5 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 41751119
Bitlocking the server would normally suffice. Does the server have a TPM chip? Please find out.
LVL 38

Accepted Solution

by: Adam Brown (earned 250 total points)
ID: 41751224
You'll want to use whole-disk encryption on the disk holding the database. BitLocker is probably the simplest solution, and doesn't require third party software running to function. It doesn't *require* a TPM chip, but using it without one reduces security a good bit (system integrity checks to determine if the drive is in a new computer aren't available without a TPM).

You can also use third party whole disk encryption solutions, but those must be running for the Exchange Database/logs to be accessible to the OS.

The pros of whole disk encryption with Exchange are that your database can't be read without authorization. If someone can get into the server with a valid username and password while the server is running and the disk is decrypted, they can still read the database. Outside of that specific scenario, it's not possible to read anything from the database or logs. Of course, if you have that scenario going on, you have bigger problems.

The con is a pretty significant performance hit. Drive read and write speed will be slower once things are encrypted because everything has to be encrypted when written and decrypted when read. You will probably notice slower performance after encrypting the database and logs drive. Your users may notice that OWA and Outlook access is slower as well. This performance hit can be mitigated by adding RAM, since Exchange keeps a significant chunk of the Database in RAM. Performance immediately following a reboot of the Exchange server will be much slower than it will be after the server has been running for a couple days, since all the recently received and accessed data in user mailboxes is what gets cached in RAM, which can't be encrypted, but is extremely difficult to access without valid credentials.

Third party encryption solutions take up additional resources and will slow things down more than using BitLocker.

Instructions for BitLocker on Server 2008: https://technet.microsoft.com/en-us/library/cc732725(v=ws.10).aspx
Instructions for BitLocker on Server 2012: https://technet.microsoft.com/en-us/library/jj612864(v=ws.11).aspx
LVL 53

Assisted Solution

by: McKnife (earned 250 total points)
ID: 41751554
I did not go into detail like Adam did and here's why: we need to know if there's a TPM chip. No, it's not that BitLocker cannot do without. It's more that you don't want to do without. Think about server restarts (scheduled updates, restarts, crashes) - who will enter the key? The TPM could do that for you, so only with a TPM chip can BitLocker be used "hands free."
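Putting the two answers above into practice, here is an added example (not code from the thread, from Microsoft, or from the Exchange product) that inventories the volumes holding the mailbox databases and logs, checks for a ready TPM and a protected OS volume so the "hands free" restart concern is visible before encrypting, and then enables BitLocker on the data volumes. It assumes an elevated Exchange Management Shell on a Windows Server 2012 R2 mailbox server with the BitLocker feature installed, databases on plain drive letters, and an AD DS recovery-key escrow policy already in place.

```powershell
# Added example, not from the thread: enable BitLocker on the Exchange 2013
# database/log volumes. Assumes Server 2012 R2, BitLocker feature installed,
# run in an elevated Exchange Management Shell on the mailbox server.
Import-Module BitLocker
Import-Module TrustedPlatformModule -ErrorAction SilentlyContinue

# 1. Which volumes hold data worth protecting? Collect the drive of every
#    EDB file and log folder of the databases mounted on this server.
$paths = Get-MailboxDatabase -Server $env:COMPUTERNAME | ForEach-Object {
    $_.EdbFilePath.PathName
    $_.LogFolderPath.PathName
}
# Split-Path -Qualifier yields the drive letter ('E:'); databases stored under
# NTFS mount-point folders must be listed by their mount-point path instead.
$volumes = $paths | ForEach-Object { Split-Path -Qualifier $_ } | Sort-Object -Unique

# 2. TPM check (McKnife's point). A data volume only auto-unlocks after a
#    reboot when the OS volume is itself BitLocker-protected, and the OS volume
#    only unlocks unattended when it has a TPM protector. Without a TPM someone
#    types a recovery key or inserts a startup-key USB at every restart.
$tpm   = Get-Tpm -ErrorAction SilentlyContinue
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if (-not ($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning 'No ready TPM found: unattended restarts will not be possible.'
}
if ($osVol.ProtectionStatus -ne 'On') {
    Write-Warning "OS volume $env:SystemDrive is not protected; data-volume auto-unlock cannot be enabled."
}

# 3. Encrypt each data volume with a recovery-password protector and escrow
#    it to AD DS (needs the 'Store BitLocker recovery information in AD DS'
#    policy for fixed drives). -UsedSpaceOnly keeps the initial pass short on a
#    freshly provisioned volume; omit it if the volume already held data, since
#    deleted-but-unallocated blocks would otherwise stay in clear text.
foreach ($v in $volumes) {
    $bv = Get-BitLockerVolume -MountPoint $v
    if ($bv.ProtectionStatus -eq 'On') { Write-Host "$v is already protected"; continue }
    $bv = Enable-BitLocker -MountPoint $v -RecoveryPasswordProtector -EncryptionMethod Aes256 -UsedSpaceOnly
    $rp = $bv.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $v -KeyProtectorId $rp.KeyProtectorId
    if ($osVol.ProtectionStatus -eq 'On') { Enable-BitLockerAutoUnlock -MountPoint $v }
}

# 4. Report. Encryption continues in the background while Exchange keeps
#    serving; check EncryptionPercentage until it reaches 100.
Get-BitLockerVolume -MountPoint $volumes |
    Format-Table MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, AutoUnlockEnabled
```

Run the script once against a test server and measure database I/O before and after, as suggested later in the thread, before applying it to production.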

Author Comment

by:Sedgwick_County
ID: 41752221
Thank you both for the answers! It has given me a lot to think about. To answer your question, no they do not have a TPM chip in them. We also do not want a huge impact to performance. So I think this will be put on the back burner. Thank you both again for the quick responses.
LVL 53

Expert Comment

by:McKnife
ID: 41752426
The impact to performance is not huge. Please do performance tests yourself since it depends on how we use the file system.
Also please note that many server mainboards have a so-called TPM header that can be armed with a TPM anytime. Its cost depends on the brand; it might be up to 80 USD.