Your company has a main office and a branch office. Your network contains a single Active Directory
domain. You install 25 Windows Server 2008 R2 member servers in the branch office. You need to
recommend a storage solution that meets the following requirements:
• Encrypts all data on the hard disks
• Allows the operating system to start only when the authorized user is present
What should you recommend?
A. Encrypting File System (EFS)
B. File Server Resource Manager (FSRM)
C. Windows BitLocker Drive Encryption (BitLocker)
D. Windows System Resource Manager (WSRM)
Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Planning BitLocker Deployment
Windows BitLocker Drive Encryption (BitLocker) is a feature that debuted in Windows Vista
Enterprise and Ultimate Editions and is available in all versions of Windows Server 2008. BitLocker
serves two purposes: protecting server data through full volume encryption and providing an
integrity-checking mechanism to ensure that the boot environment has not been tampered with.
Encrypting the entire operating system and data volumes means that not only are the operating
system and data protected, but so are paging files, applications, and application configuration data.
In the event that a server is stolen or a hard disk drive removed from a server by third parties for
their own nefarious purposes, BitLocker ensures that these third parties cannot recover any useful
data. The drawback is that if the BitLocker keys for a server are lost and the boot environment is
compromised, the data stored on that server will be unrecoverable.
To support integrity checking, BitLocker requires a computer to have a chip capable of supporting
the Trusted Platform Module (TPM) 1.2 or later standard. A computer must also have a BIOS that
supports the TPM standard. When BitLocker is implemented in these conditions and in the event
that the condition of a startup component has changed, BitLocker-protected volumes are locked and
cannot be unlocked unless the person doing the unlocking has the correct digital keys. Protected
startup components include the BIOS, Master Boot Record, Boot Sector, Boot Manager, and
Windows Loader.
From a systems administration perspective, it is important to disable BitLocker during maintenance
periods when any of these components are being altered. For example, you must disable BitLocker
during a BIOS upgrade. If you do not, the next time the computer starts, BitLocker will lock the
volumes and you will need to initiate the recovery process. The recovery process involves entering a
48-character password that is generated and saved to a specified location when running the
BitLocker setup wizard. This password should be stored securely because without it the recovery
process cannot occur. You can also configure BitLocker to save recovery data directly to Active
Directory; this is the recommended management method in enterprise environments.
You can also implement BitLocker without a TPM chip. When implemented in this manner there is
no startup integrity check. A key is stored on a removable USB memory device, which must be
present and supported by the computer’s BIOS each time the computer starts up. After the
computer has successfully started, the removable USB memory device can be removed and should
then be stored in a secure location. Configuring a computer running Windows Server 2008 to use a
removable USB memory device as a BitLocker startup key is covered in the second practice at the
end of this lesson.
BitLocker Volume Configuration
One of the most important things to remember is that a computer must be configured to support
BitLocker prior to the installation of Windows Server 2008. The procedure for this is detailed at the
start of Practice 2 at the end of this lesson, but involves creating a separate 1.5-GB partition,
formatting it, and making it active as the System partition prior to creating a larger partition,
formatting it, and then installing the Windows Server 2008 operating system. Figure 1-6 shows a
volume configuration that supports BitLocker. If a computer’s volumes are not correctly configured
prior to the installation of Windows Server 2008, you will need to perform a completely new
installation of Windows Server 2008 after repartitioning the volume correctly. For this reason you
should partition the hard disk drives of all computers in the environment on which you are going to
install Windows Server 2008 with the assumption that at some stage in the future you might need to
deploy BitLocker.
If BitLocker is not deployed, it has cost you only a few extra minutes of configuration time. If you
later decide to deploy BitLocker, you will have saved many hours of work reconfiguring the server to
support full hard drive encryption.
Figure 1-6 Partition scheme that supports BitLocker
The necessity of having specifically configured volumes makes BitLocker difficult to implement on
Windows Server 2008 computers that have been upgraded from Windows Server 2003. The
necessary partition scheme would have had to be introduced prior to the installation of Windows
Server 2003, which in most cases would have occurred before most people were aware of BitLocker.
BitLocker Group Policies
BitLocker group policies are located under the Computer Configuration\Policies\Administrative
Templates\Windows Components\BitLocker Drive Encryption node of a Windows Server 2008 Group
Policy object. In the event that the computers you want to deploy BitLocker on do not have TPM
chips, you can use the Control Panel Setup: Enable Advanced Startup Options policy, which is shown
in Figure 1-7. When this policy is enabled and configured, you can implement BitLocker without a
TPM being present. You can also configure this policy to require that a startup code be entered if a
TPM chip is present, providing another layer of security.
Figure 1-7 Allowing BitLocker without the TPM chip
Other BitLocker policies include:
■ Turn On BitLocker Backup To Active Directory Domain Services. When this policy is enabled, a
computer’s recovery key is stored in Active Directory and can be recovered by an authorized
administrator.
■ Control Panel Setup: Configure Recovery Folder. When enabled, this policy sets the default folder to
which computer recovery keys can be stored.
■ Control Panel Setup: Configure Recovery Options. When enabled, this policy can be used to disable
the recovery password and the recovery key. If both the recovery password and the recovery key are
disabled, the policy that backs up the recovery key to Active Directory must be enabled.
■ Configure Encryption Method. This policy allows the administrator to specify the properties of the
AES encryption method used to protect the hard disk drive.
■ Prevent Memory Overwrite On Restart. This policy speeds up restarts, but increases the risk of
BitLocker being compromised.
■ Configure TPM Platform Validation Profile. This policy configures how the TPM security hardware
protects the BitLocker encryption key.
Encrypting File System vs. BitLocker
Although both technologies implement encryption, there is a big difference between Encrypting File
System (EFS) and BitLocker. EFS is used to encrypt individual files and folders and can be used to
encrypt these items for different users. BitLocker encrypts the whole hard disk drive. A user with
legitimate credentials can log on to a file server that is protected by BitLocker and will be able to
read any files that she has permissions for. This user will not, however, be able to read files that have
been EFS encrypted for other users, even if she is granted permission, because you can only read
EFS-encrypted files if you have the appropriate digital certificate. EFS allows organizations to protect
sensitive shared files from the eyes of support staff who might be required to change file and folder
permissions as a part of their job task, but should not actually be able to review the contents of the
file itself. BitLocker provides a transparent form of encryption, visible only when the server is
compromised. EFS provides an opaque form of encryption: the content of files that are visible to
the person who encrypted them is not visible to anyone else, regardless of what file and folder
permissions are set.
Turning Off BitLocker
In some instances you may need to remove BitLocker from a computer. For example, the
environment in which the computer is located has been made much more secure and the overhead
from the BitLocker process is causing performance problems. Alternatively, you may need to
temporarily disable BitLocker so that you can perform maintenance on startup files or the
computer’s BIOS. As Figure 1-8 shows, you have two options for removing BitLocker from a
computer on which it has been implemented: disable BitLocker or decrypt the drive.
Figure 1-8 Options for removing BitLocker
Disabling BitLocker removes BitLocker protection without decrypting the encrypted volumes. This is
useful if a TPM chip is present, but it is necessary to update a computer’s BIOS or startup files. If you
do not disable BitLocker when performing this type of maintenance, BitLocker (when implemented
with a TPM chip) will lock the computer because the diagnostics will detect that the computer has
been tampered with. When you disable BitLocker, a plaintext key is written to the hard disk drive.
This allows the encrypted hard disk drive to be read, but the presence of the plaintext key means
that the computer is insecure. Disabling BitLocker using this method provides no performance
increase because the data remains encrypted; it is just encrypted in an insecure way. When BitLocker
is re-enabled, this plaintext key is removed and the computer is again secure.
Exam Tip Keep in mind the conditions under which you might need to disable BitLocker. Also
remember the limitations of BitLocker without a TPM 1.2 chip.
Select Decrypt The Drive when you want to completely remove BitLocker from a computer. This
process is as time-consuming as performing the initial drive encryption, perhaps more so because
more data might be stored on the computer than when the initial encryption occurred. After the
decryption process is finished, the computer is returned to its pre-encrypted state and the data
stored on it is no longer protected by BitLocker.
Decrypting the drive will not decrypt EFS-encrypted files stored on the hard disk drive.
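The disable-versus-decrypt distinction above, together with the earlier advice to disable BitLocker before a BIOS upgrade, as an added PowerShell example that is not from the training kit or the exam. It assumes an elevated PowerShell 2.0 session on a Windows Server 2008 R2 host with the BitLocker feature installed, so that manage-bde.exe and the Win32_Tpm and Win32_EncryptableVolume WMI classes are present; the function names are my own.

```powershell
# Added example, not from the training kit: BitLocker maintenance workflow for a
# Windows Server 2008 R2 system volume. Assumes an elevated PowerShell 2.0 session
# with the BitLocker feature installed (manage-bde.exe and the WMI classes below).
$TpmNs = 'root\CIMV2\Security\MicrosoftTpm'
$BdeNs = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

function Get-TpmState {
    # Win32_Tpm is missing on hosts without a TPM; BitLocker then needs a USB startup
    # key and performs no startup integrity check.
    $tpm = Get-WmiObject -Namespace $TpmNs -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) { return 'No TPM: USB startup key required, no integrity check' }
    "TPM $($tpm.SpecVersion): enabled=$($tpm.IsEnabled_InitialValue) activated=$($tpm.IsActivated_InitialValue)"
}

function Get-VolumeState([string]$Drive = 'C:') {
    # ProtectionStatus: 0 = unprotected (off or disabled), 1 = protected, 2 = unknown.
    # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted, 2/3 = in progress.
    $vol = Get-WmiObject -Namespace $BdeNs -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    if ($vol -eq $null) { throw "Volume $Drive not found in $BdeNs" }
    New-Object PSObject -Property @{
        Drive = $Drive; Protection = $vol.ProtectionStatus; Conversion = $vol.ConversionStatus }
}

function Suspend-BitLockerForMaintenance([string]$Drive = 'C:') {
    # "Disable BitLocker" in the text: a clear key is written so the TPM integrity check
    # does not lock the volume after a BIOS or boot-file change. Data stays encrypted.
    if ((Get-VolumeState $Drive).Protection -ne 1) { Write-Warning "$Drive is not protected"; return }
    & manage-bde -protectors -disable $Drive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -disable failed ($LASTEXITCODE)" }
    "BitLocker suspended on $Drive; apply the update, reboot, then resume protection."
}

function Resume-BitLockerAfterMaintenance([string]$Drive = 'C:') {
    # Removes the clear key and seals the volume key to the new boot measurements.
    & manage-bde -protectors -enable $Drive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -enable failed ($LASTEXITCODE)" }
    if ((Get-VolumeState $Drive).Protection -ne 1) { throw "$Drive still unprotected; run manage-bde -status $Drive" }
    "BitLocker protection restored on $Drive."
}

function Remove-BitLocker([string]$Drive = 'C:') {
    # "Decrypt the drive" in the text: slow, irreversible, and EFS-encrypted files stay EFS-encrypted.
    & manage-bde -off $Drive
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -off failed ($LASTEXITCODE)" }
}

Get-TpmState
Get-VolumeState 'C:' | Format-List Drive, Protection, Conversion
```

Run Suspend-BitLockerForMaintenance before the BIOS update and Resume-BitLockerAfterMaintenance after the first reboot; Remove-BitLocker is only for the permanent decryption case the text describes.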