Your company has a main office and a branch office. Your network contains a single Active Directory domain.
You install 25 Windows Server 2008 R2 member servers in the branch office.
You need to recommend a storage solution that meets the following requirements:
– Encrypts all data on the hard disks
– Allows the operating system to start only when the authorized user is present
What should you recommend?
A. Encrypting File System (EFS)
B. File Server Resource Manager (FSRM)
C. Windows BitLocker Drive Encryption (BitLocker)
D. Windows System Resource Manager (WSRM)
Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration: Planning BitLocker Deployment
Windows BitLocker Drive Encryption (BitLocker) is a feature that debuted in Windows Vista Enterprise and Ultimate Editions and is available in all versions of Windows Server 2008. BitLocker serves two purposes: protecting server data through full volume encryption and providing an integrity-checking mechanism to ensure that the boot environment has not been tampered with. Encrypting the entire operating system and data volumes means that not only are the operating system and data protected, but so are paging files, applications, and application configuration data. In the event that a server is stolen or a hard disk drive removed from a server by third parties for their own nefarious purposes, BitLocker ensures that these third parties cannot recover any useful data. The drawback is that if the BitLocker keys for a server are lost and the boot environment is compromised, the data stored on that server will be unrecoverable.
To support integrity checking, BitLocker requires a computer to have a chip capable of supporting the Trusted Platform Module (TPM) 1.2 or later standard. A computer must also have a BIOS that supports the TPM standard. When BitLocker is implemented in these conditions and in the event that the condition of a startup component has changed, BitLocker-protected volumes are locked and cannot be unlocked unless the person doing the unlocking has the correct digital keys. Protected startup components include the BIOS, Master Boot Record, Boot Sector, Boot Manager, and Windows Loader.
From a systems administration perspective, it is important to disable BitLocker during maintenance periods when any of these components are being altered. For example, you must disable BitLocker during a BIOS upgrade. If you do not, the next time the computer starts, BitLocker will lock the volumes and you will need to initiate the recovery process. The recovery process involves entering a 48-character password that is generated and saved to a specified location when running the BitLocker setup wizard. This password should be stored securely because without it the recovery process cannot occur. You can also configure BitLocker to save recovery data directly to Active Directory; this is the recommended management method in enterprise environments.
You can also implement BitLocker without a TPM chip. When implemented in this manner there is no startup integrity check. A key is stored on a removable USB memory device, which must be present and supported by the computer's BIOS each time the computer starts up. After the computer has successfully started, the removable USB memory device can be removed and should then be stored in a secure location. Configuring a computer running Windows Server 2008 to use a removable USB memory device as a BitLocker startup key is covered in the second practice at the end of this lesson.
BitLocker Volume Configuration
One of the most important things to remember is that a computer must be configured to support BitLocker prior to the installation of Windows Server 2008. The procedure for this is detailed at the start of Practice 2 at the end of this lesson, but involves creating a separate 1.5-GB partition, formatting it, and making it active as the System partition prior to creating a larger partition, formatting it, and then installing the Windows Server 2008 operating system. Figure 1-6 shows a volume configuration that supports BitLocker. If a computer's volumes are not correctly configured prior to the installation of Windows Server 2008, you will need to perform a completely new installation of Windows Server 2008 after repartitioning the volume correctly. For this reason you should partition the hard disk drives of all computers in the environment on which you are going to install Windows Server 2008 with the assumption that at some stage in the future you might need to deploy BitLocker. If BitLocker is not deployed, it has cost you only a few extra minutes of configuration time. If you later decide to deploy BitLocker, you will have saved many hours of work reconfiguring the server to support full hard drive encryption.
Figure 1-6: Partition scheme that supports BitLocker
The necessity of having specifically configured volumes makes BitLocker difficult to implement on Windows Server 2008 computers that have been upgraded from Windows Server 2003. The necessary partition scheme would have had to be introduced prior to the installation of Windows Server 2003, which in most cases would have occurred before most people were aware of BitLocker.
BitLocker Group Policies
BitLocker group policies are located under the Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption node of a Windows Server 2008 Group Policy object. In the event that the computers you want to deploy BitLocker on do not have TPM chips, you can use the Control Panel Setup: Enable Advanced Startup Options policy, which is shown in Figure 1-7. When this policy is enabled and configured, you can implement BitLocker without a TPM being present. You can also configure this policy to require that a startup code be entered if a TPM chip is present, providing another layer of security.
Figure 1-7: Allowing BitLocker without the TPM chip
Other BitLocker policies include:
– Turn On BitLocker Backup To Active Directory Domain Services: When this policy is enabled, a computer's recovery key is stored in Active Directory and can be recovered by an authorized administrator.
– Control Panel Setup: Configure Recovery Folder: When enabled, this policy sets the default folder to which computer recovery keys can be stored.
– Control Panel Setup: Configure Recovery Options: When enabled, this policy can be used to disable the recovery password and the recovery key. If both the recovery password and the recovery key are disabled, the policy that backs up the recovery key to Active Directory must be enabled.
– Configure Encryption Method: This policy allows the administrator to specify the properties of the AES encryption method used to protect the hard disk drive.
– Prevent Memory Overwrite On Restart: This policy speeds up restarts, but increases the risk of BitLocker being compromised.
– Configure TPM Platform Validation Profile: This policy configures how the TPM security hardware protects the BitLocker encryption key.
Encrypting File System vs. BitLocker
Although both technologies implement encryption, there is a big difference between Encrypting File System (EFS) and BitLocker. EFS is used to encrypt individual files and folders and can be used to encrypt these items for different users. BitLocker encrypts the whole hard disk drive. A user with legitimate credentials can log on to a file server that is protected by BitLocker and will be able to read any files that she has permissions for. This user will not, however, be able to read files that have been EFS encrypted for other users, even if she is granted permission, because you can only read EFS-encrypted files if you have the appropriate digital certificate. EFS allows organizations to protect sensitive shared files from the eyes of support staff who might be required to change file and folder permissions as a part of their job task, but should not actually be able to review the contents of the file itself. BitLocker provides a transparent form of encryption, visible only when the server is compromised. EFS provides an opaque form of encryption: the content of files that is visible to the person who encrypted them is not visible to anyone else, regardless of what file and folder permissions are set.
Turning Off BitLocker
In some instances you may need to remove BitLocker from a computer. For example, the environment in which the computer is located has been made much more secure and the overhead from the BitLocker process is causing performance problems. Alternatively, you may need to temporarily disable BitLocker so that you can perform maintenance on startup files or the computer's BIOS. As Figure 1-8 shows, you have two options for removing BitLocker from a computer on which it has been implemented: disable BitLocker or decrypt the drive.
Figure 1-8: Options for removing BitLocker
Disabling BitLocker removes BitLocker protection without decrypting the encrypted volumes. This is useful if a TPM chip is present, but it is necessary to update a computer's BIOS or startup files. If you do not disable BitLocker when performing this type of maintenance, BitLocker, when implemented with a TPM chip, will lock the computer because the diagnostics will detect that the computer has been tampered with. When you disable BitLocker, a plaintext key is written to the hard disk drive. This allows the encrypted hard disk drive to be read, but the presence of the plaintext key means that the computer is insecure. Disabling BitLocker using this method provides no performance increase because the data remains encrypted; it is just encrypted in an insecure way. When BitLocker is re-enabled, this plaintext key is removed and the computer is again secure.
Exam Tip: Keep in mind the conditions under which you might need to disable BitLocker. Also remember the limitations of BitLocker without a TPM 1.2 chip.
Select Decrypt The Drive when you want to completely remove BitLocker from a computer. This process is as time-consuming as performing the initial drive encryption, perhaps more so because more data might be stored on the computer than when the initial encryption occurred. After the decryption process is finished, the computer is returned to its pre-encrypted state and the data stored on it is no longer protected by BitLocker. Decrypting the drive will not decrypt EFS-encrypted files stored on the hard disk drive.
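Added example, not code from the training kit: a PowerShell script for the maintenance procedure the BIOS-upgrade paragraph and the "Turning Off BitLocker" section describe, suspending protectors before a boot-component change, resuming afterwards, or decrypting for full removal. It assumes Windows Server 2008 R2 (manage-bde.exe and the Win32_EncryptableVolume WMI provider) in an elevated PowerShell session; the Get-BdeProtection and Invoke-BdeMaintenance function names are my own.

```powershell
# Added example, not from the training kit. Assumes Windows Server 2008 R2
# (manage-bde.exe, Win32_EncryptableVolume WMI provider) in an elevated
# PowerShell 2.0 session. KeyProtectorType codes used below (1 = TPM,
# 3 = numerical recovery password) follow the WMI provider documentation.
$BdeNamespace = "root\CIMV2\Security\MicrosoftVolumeEncryption"

function Get-BdeProtection {
    param([string]$Volume = "C:")
    $v = Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume |
         Where-Object { $_.DriveLetter -eq $Volume }
    if (-not $v) { throw "Volume $Volume is not BitLocker-capable" }
    $conv = $v.GetConversionStatus()
    New-Object PSObject -Property @{
        Volume           = $Volume
        # ProtectionStatus: 0 = off (suspended or never enabled), 1 = on, 2 = unknown
        ProtectionOn     = ($v.GetProtectionStatus().ProtectionStatus -eq 1)
        EncryptedPercent = $conv.EncryptionPercentage
        HasRecoveryPwd   = [bool]$v.GetKeyProtectors(3).VolumeKeyProtectorID
        HasTpmProtector  = [bool]$v.GetKeyProtectors(1).VolumeKeyProtectorID
    }
}

function Invoke-BdeMaintenance {
    param(
        [Parameter(Mandatory=$true)][ValidateSet("Suspend","Resume","Decrypt")][string]$Action,
        [string]$Volume = "C:"
    )
    $state = Get-BdeProtection $Volume
    switch ($Action) {
        "Suspend" {
            # Refuse to touch a TPM-protected volume that has no recovery password:
            # a failed BIOS update would otherwise leave the data unrecoverable.
            if ($state.HasTpmProtector -and -not $state.HasRecoveryPwd) {
                throw "Add and back up a recovery password first: manage-bde -protectors -add $Volume -rp"
            }
            # "Disable BitLocker": writes the clear key, data stays encrypted,
            # no recovery prompt after the boot components change.
            & manage-bde -protectors -disable $Volume
        }
        "Resume"  { & manage-bde -protectors -enable $Volume }   # removes the clear key again
        "Decrypt" { & manage-bde -off $Volume }                   # "Decrypt The Drive": full removal, slow
    }
    Get-BdeProtection $Volume   # post-action state for the caller to verify
}

# Typical BIOS-upgrade sequence:
#   Invoke-BdeMaintenance -Action Suspend   # then flash the BIOS and reboot
#   Invoke-BdeMaintenance -Action Resume    # after the reboot, check ProtectionOn is True
```

After Resume, confirm ProtectionOn is True and that the 48-digit recovery password is still backed up to Active Directory before returning the server to service.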