Bitlocker, DC's and Local NLSAS Drives

Hello,

I'm looking to install bitlocker on a Dell T130 Server which will act a s a domain controller. It has a TPM chip 4 X 1TB NLSAS Drives configured in RAID10 on a PERC H730 1GB Controller. It will be a physical server running Windows Server 2016 Std

Am I interpreting this document correctly…

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack

Specifically it says:-

"If a domain controller is configured to use software RAID, serial-attached SCSI, SAN/NAS storage, or dynamic volumes, BitLocker cannot be implemented, so locally attached storage (with or without hardware RAID) should be used in domain controllers whenever possible."

This has confused me a little as I'm using serial attached SCSI but it is locally attached.

Can I use Bitlocker on this system?

Thanks

Dave
LVL 1
DeclaroAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MaheshArchitectCommented:
You have local SAS drive only
Further you are not using software RAID on top of os installation
You are using hardware RAID system and hence you can encrypt with bitlocker
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
DeclaroAuthor Commented:
Hi Mahesh,

Thank you for confirming my thoughts, was a little unsure so always best to seek advice.

Cheers

Dave
0
McKnifeCommented:
True. If your tpm is based on an infeon module, it might have a security problem. To find out, open tpm.msc and right there, you'd see a notification in case you are affected.
0
The Five Tenets of the Most Secure Backup

Data loss can hit a business in any number of ways. In reality, companies should expect to lose data at some point. The challenge is having a plan to recover from such an event.

DeclaroAuthor Commented:
I don't get hold of the server until tomorrow but will check that out thanks...

Can I ask a side question...

When using Bitlocker the DC and Workstations will be managed mainly from remote locations, whats the implications of using TPM only as authentication method?

Sorry would offer points but original question already marked as answered but appreciate your comments

Cheers
0
McKnifeCommented:
It is recommended to use TPM-only as bitlocker protector (that's the default, by the way), so that the server may restart hands-free if a restart is needed or if it eventually crashes. That means of course, that it is endangered by cold-boot-attacks as shown in https://en.wikipedia.org/wiki/Cold_boot_attack
Also, you should set this policy https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.VolumeEncryption::DisableExternalDMAUnderLock_Name to protect against DMA attacks. Please note that all these measures are only recommendable if you have reason to believe that the server is not well-protected, physically. If it is behind secured, locked doors, and accessed only by authorized people, you wouldn't need to encrypt it.
0
DeclaroAuthor Commented:
Thanks very much for the information, wasn't aware of cold boot attacks, goes nothing is secure.

I have to encrypt and use Sophos safeguard file encryption as client has a lot of customer data and it's been specified. done a bit with Sophos but never got into BitLocker very much.

Cheers
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016

From novice to tech pro — start learning today.