BitLocker, DCs and Local NLSAS Drives

Hello,

I'm looking to install BitLocker on a Dell T130 server which will act as a domain controller. It has a TPM chip and 4 x 1TB NLSAS drives configured in RAID 10 on a PERC H730 1GB controller. It will be a physical server running Windows Server 2016 Std.

Am I interpreting this document correctly…

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack

Specifically, it says:

"If a domain controller is configured to use software RAID, serial-attached SCSI, SAN/NAS storage, or dynamic volumes, BitLocker cannot be implemented, so locally attached storage (with or without hardware RAID) should be used in domain controllers whenever possible."

This has confused me a little, as I'm using serial-attached SCSI, but it is locally attached.

Can I use BitLocker on this system?

Thanks

Dave
Declaro asked:
Mahesh (Architect) commented:
You have local SAS drives only.
Further, you are not using software RAID on top of the OS installation.
You are using a hardware RAID system, and hence you can encrypt with BitLocker.
0
 
Declaro (Author) commented:
Hi Mahesh,

Thank you for confirming my thoughts; I was a little unsure, so it's always best to seek advice.

Cheers

Dave
0
 
McKnife commented:
True. If your TPM is based on an Infineon module, it might have a security problem. To find out, open tpm.msc; right there you'd see a notification in case you are affected.
0
 
Declaro (Author) commented:
I don't get hold of the server until tomorrow, but I will check that out, thanks...

Can I ask a side question...

When using BitLocker, the DC and workstations will be managed mainly from remote locations; what are the implications of using TPM only as the authentication method?

Sorry, I would offer points, but the original question is already marked as answered; I appreciate your comments, though.

Cheers
0
 
McKnife commented:
It is recommended to use TPM-only as the BitLocker protector (that's the default, by the way), so that the server may restart hands-free if a restart is needed or if it eventually crashes. That means, of course, that it is endangered by cold boot attacks, as shown in https://en.wikipedia.org/wiki/Cold_boot_attack
Also, you should set this policy https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.VolumeEncryption::DisableExternalDMAUnderLock_Name to protect against DMA attacks. Please note that all these measures are only recommendable if you have reason to believe that the server is not well protected physically. If it is behind secured, locked doors and accessed only by authorized people, you wouldn't need to encrypt it.
0
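The checks and settings discussed in the replies above (Mahesh's point that a hardware-RAID virtual disk is fine for BitLocker, McKnife's Infineon TPM check, the TPM-only protector, and the DMA policy), as an added example that is not part of the original thread or of any Microsoft documentation. It assumes an elevated PowerShell session on the domain-joined server itself, that the OS volume is C:, that the BitLocker feature is installed (Install-WindowsFeature BitLocker), and that AD DS has been prepared to store recovery passwords; the registry path is the one behind the "Disable new DMA devices when this computer is locked" policy McKnife links, and the BusType value named for the PERC virtual disk is what I would expect to see rather than something the thread confirms.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): pre-flight checks and TPM-only
# BitLocker enablement on a Windows Server 2016 domain controller.
# Assumptions: OS volume is C:, BitLocker feature installed, server is
# domain-joined so the recovery password can be escrowed to AD DS.

# 1. The storage question from the thread. A PERC virtual disk shows up as
#    one disk; for hardware RAID I expect BusType 'RAID' (assumption).
#    Software RAID / dynamic volumes would be presented differently and are
#    the cases the Microsoft guidance rules out.
$bootDisk = Get-Disk | Where-Object IsBoot
$bootDisk | Select-Object Number, FriendlyName, BusType, PartitionStyle, Size |
    Format-List

# 2. TPM state, plus the Infineon check McKnife mentions. tpm.msc shows the
#    same manufacturer; 'IFX' is Infineon's TCG manufacturer ID.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; provision it in the BIOS/tpm.msc first."
}
if ($tpm.ManufacturerIdTxt -match 'IFX') {
    Write-Warning ("Infineon TPM detected (ManufacturerIdTxt='{0}'); " +
        "open tpm.msc and check the vendor firmware notice before relying on it.") `
        -f $tpm.ManufacturerIdTxt
}

# 3. Turn on BitLocker with a TPM-only protector so the DC can reboot
#    unattended, then add a recovery password as the break-glass protector.
#    Without -SkipHardwareTest, encryption starts after the restart that
#    runs BitLocker's hardware test.
Enable-BitLocker -MountPoint 'C:' -TpmProtector -EncryptionMethod XtsAes256
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

# 4. Escrow the recovery password to AD DS. TPM-only means nobody types a
#    PIN, so this escrowed password is the only way back in if the TPM
#    measurements change (firmware update, board swap, boot-order change).
$vol = Get-BitLockerVolume -MountPoint 'C:'
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId

# 5. Registry value behind the "Disable new DMA devices when this computer
#    is locked" policy McKnife links. Relevant only when the chassis is not
#    under physical control (hot-pluggable DMA-capable ports reachable).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name 'DisableExternalDMAUnderLock' -Type DWord -Value 1

# 6. Verify: which protectors exist, whether protection is on, and progress.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } } |
    Format-List
```

Step 4 is the practical answer to the "TPM only, managed remotely" question: the TPM-only protector is what lets a remote reboot complete without someone at the console, but it also means the recovery password must already be somewhere an administrator can reach (AD DS here) before the first restart, because a TPM that no longer trusts the boot measurements will stop at the recovery screen and nothing short of that password gets the DC back.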
 
Declaro (Author) commented:
Thanks very much for the information; I wasn't aware of cold boot attacks. It goes to show nothing is secure.

I have to encrypt and use Sophos SafeGuard file encryption, as the client has a lot of customer data and it's been specified. I've done a bit with Sophos but never got into BitLocker very much.

Cheers
0