Declaro asked:
Bitlocker, DC's and Local NLSAS Drives
Hello,
I'm looking to install BitLocker on a Dell T130 server which will act as a domain controller. It has a TPM chip and 4 x 1TB NLSAS drives configured in RAID10 on a PERC H730 1GB controller. It will be a physical server running Windows Server 2016 Std.
Am I interpreting this document correctly…
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack
Specifically, it says:
"If a domain controller is configured to use software RAID, serial-attached SCSI, SAN/NAS storage, or dynamic volumes, BitLocker cannot be implemented, so locally attached storage (with or without hardware RAID) should be used in domain controllers whenever possible."
This has confused me a little, as I'm using serial-attached SCSI but it is locally attached.
Can I use BitLocker on this system?
Thanks
Dave
ASKER CERTIFIED SOLUTION
True. If your TPM is based on an Infineon module, it might have a security problem. To find out, open tpm.msc; right there you'd see a notification in case you are affected.
ASKER
I don't get hold of the server until tomorrow but will check that out, thanks...
Can I ask a side question...
When using BitLocker, the DC and workstations will be managed mainly from remote locations. What are the implications of using TPM-only as the authentication method?
Sorry, I would offer points but the original question is already marked as answered. I appreciate your comments.
Cheers
It is recommended to use TPM-only as the BitLocker protector (that's the default, by the way), so that the server may restart hands-free if a restart is needed or if it eventually crashes. That means, of course, that it is endangered by cold boot attacks as shown in https://en.wikipedia.org/wiki/Cold_boot_attack
Also, you should set this policy https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.VolumeEncryption::DisableExternalDMAUnderLock_Name to protect against DMA attacks. Please note that all these measures are only recommendable if you have reason to believe that the server is not well-protected, physically. If it is behind secured, locked doors, and accessed only by authorized people, you wouldn't need to encrypt it.
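A readiness check for the setup discussed above (local hardware RAID, TPM-only protector, DMA policy), as an added example that is not part of this thread. It assumes the OS volume is C:, that it runs elevated on Windows Server 2016 with the BitLocker and TrustedPlatformModule modules available, and that the DMA policy lands under the FVE policy key the ADMX maps it to.

```powershell
# Added example, not from the thread: audit a server for a TPM-only BitLocker deployment
# whose OS volume sits on a hardware-RAID virtual disk. Assumptions: OS volume is C:,
# script runs elevated, and the DMA policy is stored under the FVE policy registry key.
#Requires -RunAsAdministrator

$OsDrive  = 'C:'
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Storage: Windows sees the PERC virtual disk, not the individual SAS members.
#    BusType 'RAID' on a locally attached controller is the "hardware RAID" case the
#    Microsoft guidance allows; iSCSI or Fibre Channel would be the unsupported SAN case.
$BootDisk = Get-Disk | Where-Object IsBoot
$Findings.Add("Boot disk bus type: $($BootDisk.BusType) ($($BootDisk.FriendlyName))")
if ($BootDisk.BusType -in 'iSCSI', 'Fibre Channel') {
    $Findings.Add('WARNING: OS volume is on SAN storage; BitLocker is not supported there.')
}

# 2. TPM must be present and ready before a TPM protector can be added.
$Tpm = Get-Tpm
$Findings.Add("TPM present: $($Tpm.TpmPresent); TPM ready: $($Tpm.TpmReady)")

# 3. Protectors: TPM-only allows unattended restarts; a TpmPin protector would stall a
#    remote reboot at the pre-boot PIN prompt. A recovery password should also exist
#    and be backed up to AD DS so a remotely managed DC can be recovered.
$Vol   = Get-BitLockerVolume -MountPoint $OsDrive
$Types = @($Vol.KeyProtector.KeyProtectorType)
$Findings.Add("$OsDrive protection: $($Vol.ProtectionStatus); protectors: $($Types -join ', ')")
if ('TpmPin' -in $Types) {
    $Findings.Add('NOTE: PIN protector present; every restart will wait for console input.')
}
if ('RecoveryPassword' -notin $Types) {
    $Findings.Add('WARNING: no recovery password protector; add one and back it up to AD DS.')
}

# 4. DMA policy from the thread (DisableExternalDMAUnderLock), read from the policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Dma = (Get-ItemProperty -Path $PolicyKey -Name DisableExternalDMAUnderLock `
        -ErrorAction SilentlyContinue).DisableExternalDMAUnderLock
if ($Dma -eq 1) {
    $Findings.Add('DMA protection policy: enabled')
} else {
    $Findings.Add('WARNING: DisableExternalDMAUnderLock not set; new DMA devices stay usable while locked.')
}

$Findings
```

Run it before and after applying the GPO so the last line flips from the warning to "enabled"; on an unencrypted volume the protector list is simply empty.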
ASKER
Thanks very much for the information. I wasn't aware of cold boot attacks; guess nothing is secure.
I have to encrypt and use Sophos SafeGuard file encryption as the client has a lot of customer data and it's been specified. Done a bit with Sophos but never got into BitLocker very much.
Cheers
ASKER
Thank you for confirming my thoughts. I was a little unsure, so it's always best to seek advice.
Cheers
Dave