You need to ensure that you can access the BitLocker volume if the BitLocker keys are corrupted on the member servers

Your company has several branch offices.

Your network consists of a single Active Directory domain. Each branch office contains domain controllers and member servers. The domain controllers run Windows Server 2003 SP2. The member servers run Windows Server 2008 R2.

Physical security of the servers at the branch offices is a concern.

You plan to implement Windows BitLocker Drive Encryption (BitLocker) on the member servers.

You need to ensure that you can access the BitLocker volume if the BitLocker keys are corrupted on the member servers. The recovery information must be stored in a central location.

What should you do?

A.
Upgrade all domain controllers to Windows Server 2008 R2. Use Group Policy to configure Public Key Policies.

B.
Upgrade all domain controllers to Windows Server 2008 R2. Use Group Policy to enable Trusted Platform Module (TPM) backups to Active Directory.

C.
Upgrade the domain controller that has the schema master role to Windows Server 2008 R2. Use Group Policy to enable a Data Recovery Agent (DRA).

D.
Upgrade the domain controller that has the primary domain controller (PDC) emulator role to Windows Server 2008 R2. Use Group Policy to enable a Data Recovery Agent (DRA).

Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:

Planning BitLocker Deployment

Windows BitLocker Drive Encryption (BitLocker) is a feature that debuted in the Windows Vista Enterprise and Ultimate editions and is available in all editions of Windows Server 2008. BitLocker serves two purposes: protecting server data through full volume encryption and providing an integrity-checking mechanism to ensure that the boot environment has not been tampered with.

Encrypting the entire operating system and data volumes means that not only are the operating system and data protected, but so are paging files, applications, and application configuration data. If a server is stolen, or a hard disk drive is removed from a server by third parties for their own nefarious purposes, BitLocker ensures that those third parties cannot recover any useful data. The drawback is that the same holds for you: if the BitLocker keys for a server are lost, or the boot environment changes and no recovery password or recovery key is available, the data stored on that server is unrecoverable.

To support integrity checking, BitLocker requires a computer to have a chip capable of supporting the Trusted Platform Module (TPM) 1.2 or later standard. A computer must also have a BIOS that supports the TPM standard. When BitLocker is implemented in these conditions and in the event that the condition of a startup component has changed, BitLocker-protected volumes are locked and cannot be unlocked unless the person doing the unlocking has the correct digital keys. Protected startup components include the BIOS, Master Boot Record, Boot Sector, Boot Manager, and Windows Loader.

From a systems administration perspective, it is important to disable BitLocker during maintenance periods when any of these components are being altered. For example, you must disable BitLocker during a BIOS upgrade. Disabling BitLocker in this sense suspends protection rather than decrypting the volume: the volume stays encrypted, but the volume key is stored in the clear on disk so that the changed boot measurements do not lock the volume at the next start. If you do not, the next time the computer starts, BitLocker will lock the volumes and you will need to initiate the recovery process. The recovery process involves entering a 48-digit recovery password that is generated and saved to a specified location when running the BitLocker setup wizard. This password should be stored securely because without it the recovery process cannot occur. You can also configure BitLocker to save recovery data directly to Active Directory; this is the recommended management method in enterprise environments.
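The backup-to-Active Directory workflow described above, as an added PowerShell example for a Windows Server 2008 R2 member server. This is my code, not code from the training kit or from Microsoft. It assumes manage-bde.exe is present, that the script runs elevated under an account allowed to read msFVE-RecoveryInformation objects (Domain Admins by default), that the forest schema already carries the BitLocker attributes, and the manage-bde output layout noted in the comments; the function names are mine.

```powershell
# Added example, not from the training kit. Target: Windows Server 2008 R2,
# PowerShell 2.0. Run elevated on the member server.
param([string]$Volume = 'C:')

function Get-BdeProtectors {
    param([string]$Drive)
    # Parse "manage-bde -protectors -get <drive>" into (Type, Id) pairs.
    # Assumed layout of the output: a protector type line ending in ':'
    # (e.g. "Numerical Password:") followed by an "ID: {GUID}" line.
    $type = $null
    $found = @()
    foreach ($line in (& manage-bde -protectors -get $Drive)) {
        if ($line -match '^\s*([A-Za-z ]+):\s*$') { $type = $Matches[1]; continue }
        if ($line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $found += New-Object PSObject -Property @{ Type = $type; Id = $Matches[1] }
        }
    }
    return $found
}

function Backup-BdeRecoveryToAD {
    param([string]$Drive)
    # Ensure a recovery password (numerical password) protector exists, then push
    # each one to AD DS. -adbackup needs the BitLocker schema in the forest and the
    # computer account's right to create msFVE-RecoveryInformation objects.
    $rp = @(Get-BdeProtectors $Drive | Where-Object { $_.Type -eq 'Numerical Password' })
    if ($rp.Count -eq 0) {
        & manage-bde -protectors -add $Drive -RecoveryPassword | Out-Null
        $rp = @(Get-BdeProtectors $Drive | Where-Object { $_.Type -eq 'Numerical Password' })
    }
    foreach ($p in $rp) {
        & manage-bde -protectors -adbackup $Drive -id $p.Id | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "AD DS backup failed for protector $($p.Id)" }
    }
    return $rp
}

function Get-ADRecoveryGuids {
    # Recovery GUIDs stored under this computer's account. Deliberately does not
    # load msFVE-RecoveryPassword: verifying presence does not need the secret.
    $name = $env:COMPUTERNAME
    $comp = ([adsisearcher]"(&(objectClass=computer)(sAMAccountName=$name`$))").FindOne()
    if ($comp -eq $null) { throw "No computer object found for $name" }
    $dn = $comp.Properties['distinguishedname'][0]
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$dn"
    $s.SearchScope = 'OneLevel'
    $s.Filter = '(objectClass=msFVE-RecoveryInformation)'
    [void]$s.PropertiesToLoad.Add('msFVE-RecoveryGuid')
    $guids = @()
    foreach ($r in $s.FindAll()) {
        $bytes = [byte[]]$r.Properties['msfve-recoveryguid'][0]
        $guids += New-Object System.Guid -ArgumentList (,$bytes)
    }
    return $guids
}

function Suspend-BdeForMaintenance {
    param([string]$Drive)
    # Before a BIOS or boot-loader change: suspend protection ("Disable BitLocker"
    # in the 2008 UI). The volume stays encrypted, the key is stored in the clear,
    # so the changed boot measurements do not force recovery at next boot.
    & manage-bde -protectors -disable $Drive
}

function Resume-BdeProtection {
    param([string]$Drive)
    & manage-bde -protectors -enable $Drive
}

# Back up, then verify what is actually in the directory.
$local = Backup-BdeRecoveryToAD $Volume
$inAD  = Get-ADRecoveryGuids
foreach ($p in $local) {
    if ($inAD -contains [guid]($p.Id)) { "OK      $($p.Id) present in AD DS" }
    else { Write-Warning "MISSING $($p.Id) not found under the computer object" }
}
```

The verification step is the part worth keeping in a branch-office runbook: a successful manage-bde exit code tells you the write was attempted, while the directory search tells you an administrator at head office can actually find the object. Call Suspend-BdeForMaintenance before a firmware update and Resume-BdeProtection immediately afterwards; leaving protection suspended leaves the key readable on disk.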

You can also implement BitLocker without a TPM chip. When implemented in this manner there is no startup integrity check. A key is stored on a removable USB memory device, which must be present and supported by the computer's BIOS each time the computer starts up. After the computer has successfully started, the removable USB memory device can be removed and should then be stored in a secure location. Configuring a computer running Windows Server 2008 to use a removable USB memory device as a BitLocker startup key is covered in the second practice at the end of this lesson.

BitLocker Group Policies
BitLocker group policies are located under the Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption node of a Windows Server 2008 Group Policy object. If the computers on which you want to deploy BitLocker do not have TPM chips, you can use the Control Panel Setup: Enable Advanced Startup Options policy, shown in Figure 1-7. When this policy is enabled and its Allow BitLocker Without A Compatible TPM option is selected, you can implement BitLocker without a TPM being present. You can also configure this policy to require that a startup PIN be entered, or a startup key be present, even when a TPM chip is present, which adds a second factor on top of the TPM's integrity check. On Windows Server 2008 R2 and Windows 7 the same options appear in the Require Additional Authentication At Startup policy under the Operating System Drives subnode.

Figure 1-7 Allowing BitLocker without the TPM chip

Other BitLocker policies include:
Turn On BitLocker Backup To Active Directory Domain Services When this policy is enabled, a computer's recovery password (and, optionally, its key package) is stored in Active Directory Domain Services as an msFVE-RecoveryInformation object under the computer account, where an authorized administrator can retrieve it. The policy also lets you require that the backup succeed before BitLocker can be turned on, which is what guarantees a central copy exists. The directory must carry the BitLocker schema extensions: Windows Server 2008 and later domain controllers include them, whereas a forest whose schema is still at the Windows Server 2003 level has to be extended with the schema extension Microsoft publishes for this purpose before backups will succeed. In the Windows Server 2008 R2 templates this setting appears as Store BitLocker Recovery Information In Active Directory Domain Services (Windows Server 2008 and Windows Vista), alongside per-drive recovery settings under Operating System Drives.
Control Panel Setup: Configure Recovery Folder When enabled, this policy sets the default folder to which recovery passwords are saved when the setup wizard offers to save them to a file.
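As a second added example (mine, not the training kit's), a check of the registry values that these Group Policy settings write to HKLM\SOFTWARE\Policies\Microsoft\FVE on the target server, so you can confirm what a branch-office server actually received rather than what the GPO editor shows. The value names are the ones the BitLocker administrative templates for Windows Server 2008 and 2008 R2 use; the function names and the sample policy hashtable are constructed for illustration, and the findings reflect my reading of the policy semantics.

```powershell
# Added example, not from the training kit. Reads the registry values that the
# BitLocker Group Policy settings write and flags settings that defeat central
# recovery. Value names: ActiveDirectoryBackup / RequireActiveDirectoryBackup
# (Vista/2008 "Turn on BitLocker backup to AD DS"), OSActiveDirectoryBackup /
# OSRequireActiveDirectoryBackup (2008 R2 per-drive policy for OS drives),
# UseAdvancedStartup / EnableBDEWithNoTPM (non-TPM startup). Run on the server
# after gpupdate so the values reflect the applied GPO.
function Get-FvePolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $h = @{}
    if (-not (Test-Path $key)) { return $h }   # no BitLocker policy applied at all
    $item = Get-ItemProperty -Path $key
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -notmatch '^PS') { $h[$p.Name] = $p.Value }   # drop PSPath etc.
    }
    return $h
}

function Test-FvePolicy {
    param([hashtable]$Policy = (Get-FvePolicy))
    $findings = @()
    if ($Policy.Count -eq 0) {
        $findings += 'No BitLocker policy present under HKLM\SOFTWARE\Policies\Microsoft\FVE'
        return $findings
    }
    # Either the Vista/2008 single policy or the 2008 R2 OS-drive policy counts.
    $adBackup   = ($Policy['ActiveDirectoryBackup'] -eq 1) -or ($Policy['OSActiveDirectoryBackup'] -eq 1)
    $adRequired = ($Policy['RequireActiveDirectoryBackup'] -eq 1) -or ($Policy['OSRequireActiveDirectoryBackup'] -eq 1)
    if (-not $adBackup) {
        $findings += 'Recovery information is not backed up to AD DS; recovery depends on locally saved passwords'
    } elseif (-not $adRequired) {
        $findings += 'AD DS backup is enabled but not required: BitLocker can be turned on while no DC is reachable, leaving no central copy'
    }
    if ($Policy['UseAdvancedStartup'] -eq 1 -and $Policy['EnableBDEWithNoTPM'] -eq 1) {
        $findings += 'BitLocker without a compatible TPM is allowed: those servers get no boot integrity check and depend on a USB startup key'
    }
    return $findings
}

# Constructed sample: AD backup turned on but not required, non-TPM startup allowed.
$sample = @{ OSActiveDirectoryBackup = 1; OSRequireActiveDirectoryBackup = 0
             UseAdvancedStartup = 1;      EnableBDEWithNoTPM = 1 }
"Sample policy findings:"
Test-FvePolicy -Policy $sample | ForEach-Object { "  - $_" }

"Live policy findings on $($env:COMPUTERNAME):"
$live = @(Test-FvePolicy)
if ($live.Count -eq 0) { "  (none)" } else { $live | ForEach-Object { "  - $_" } }
```

Against the constructed sample the check reports two findings: the backup is optional rather than required, and non-TPM startup is permitted. For the scenario in the question, where the point is that recovery information must end up in a central location, the setting you want is backup enabled and required, so that a server in a branch office cannot finish enabling BitLocker until a domain controller has accepted the recovery object.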


