Tip

BitLocker in R2 provides data protection for semi-protected servers

Microsoft's BitLocker technology, now in its second edition with the release of Windows Server 2008 R2, is most commonly thought of as a solution for protecting desktops and laptops. Its new "To Go" capabilities in Windows 7 extend its encryption powers further to include connected USB drives. Encrypting data stored on these easily-losable devices ensures that a lost or misplaced USB drive doesn't spell a major data exposure event for your company.

    Requires Free Membership to View

More on Windows 2008 R2

Windows Server 2008 R2 gives managers plenty to think about

Active Directory tops the list of hot Windows Server 2008 R2 features

Top 10 things you don't know about Windows Server 2008 R2

But one application of BitLocker that doesn't get much press relates to its inclusion with Windows Server 2008 R2 itself. BitLocker as a full-drive encryption technology can indeed be used to protect your server data in the same ways it protects your laptops.

Now unlike laptops, which have a tendency to roam both inside and outside your protected networks, servers don't often make that transition. For most environments, once a server enters the building, it never again sees the light of day until years later when it's removed for decommissioning.

Servers that are forever secured behind locked doors don't necessarily make best candidate for full-drive encryption technologies. Servers that aren't behind locked doors, however, are a great fit for BitLocker.

If your environment supports branch offices or satellite network sites, it's likely that you don't have the same physical protections in those locations. Even today, many businesses still store branch office servers under the desks of employees, inadvertently creating a major data exposure risk in the lowest-security portions of their networks.

For these environments where servers can easily walk off with little warning, BitLocker on servers makes a lot of sense.

Why Now? Why BitLocker?

BitLocker arrives as Microsoft's second attempt at creating an encryption solution for Windows. It is designed to augment Microsoft's initial effort -- the Encrypting File System (EFS). While BitLocker gets much of the press with its easy installation, useful administrative tools, and handy levels of automation, the most important difference between BitLocker and its older brother EFS has to do with "full drive encryption".

Think for a moment about traditional EFS. Using this solution, you could very easily encrypt files on a file-by-file or folder-by-folder basis. Once enabled, any file or folder was encrypted simply by checking a box within its Properties menu. A few clicks later, and your sensitive spreadsheets or documents were protected against prying eyes.

While convenient for just those documents of importance, this file-by-file nature was also EFS's greatest weakness. The problem: file artifacts. When opening any particular file in its hosing application, new and unencrypted copies of that file could potentially be created in any number of locations. A temporary clear text copy could get created in a TEMP location for emergency restoration. The system could also cache a file, or pieces of that file, in a cache location. Copy-and-paste versus move operations to new folders could have very different effects on whether the file remained encrypted or not.

Because of all these residual artifacts, your safely-encrypted file could -- and often did -- leave pieces of itself strewn about one or more computer systems across the network and in the clear. That's not a great way to remain encrypted.

The Windows Report

Gearing up for Windows 7 and Windows 2008 R2
Could enthusiasm over Windows 7 speed up Windows Server 2008 R2 deployments? Greg Shields tackles that question and talks about some of his favorite new R2 features.

Will AD have your back in R2?
IT guru Don Jones discusses what to expect from the new Active Directory Recycle Bin in Windows Server 2008 R2.

BranchCache for R2
Microsoft MVP Gary Olsen offers his take on Windows Server 2008 R2's BranchCache feature and how it works with Windows 7.

BitLocker is different because it encrypts the entire drive at once. In this version, that drive also needn't necessarily only be the system drive. By encrypting every drive all at once, BitLocker ensures complete security over files as well as their nasty artifacts.

BitLocker at the branch

Now, this whole-drive approach to encryption also changes the use cases where BitLocker makes sense. Remember that a BitLocker-enabled server encrypts its entire drive(s) at once. This means that the process to boot a server starts by decrypting that drive for use. The result is that BitLocker, unlike EFS, isn't an encrypting solution for your individual files sitting atop a running server. You wouldn't necessarily use BitLocker to encrypt a file against prying eyes who already have permission to view the file.

You can argue that such encryption is unnecessary in environments which permission correctly. Individuals who shouldn't be able to see the contents of a file shouldn't have the NTFS and/or share-level permissions to view it. Reality often overrides, however, and things like corporate security policies and regulatory compliance mandate the encryption of individual files. For these requirements, EFS is still available (with its own set of new Windows Server 2008 R2 features) in this version of the OS.

Those needs aside, BitLocker really does comes in handy for environments where the potential for hardware loss or theft is high. Laptops are a perfect example, as are USB keys. Your semi-protected servers sitting openly under the desks of remote office employees are a particularly smart example, too.

If a would-be intruder steals a BitLocker-enabled server, they simply won't be able to do anything with the data on its drives. Encrypted with 128- or 256-bit AES encryption, a brute-force approach to hacking its contents might take longer than the lifespan of the universe.

You can find plenty of information about actually deploying BitLocker in Microsoft's BitLocker Drive Encryption Deployment Guide for Windows 7. While the guide talks specifically about Windows 7 deployments, the concepts hold true for Windows Server 2008 R2 implementations as well.

ABOUT THE AUTHOR
Greg Shields, Microsoft MVP, is a partner at Concentrated Technology. Get more of Greg's Jack-of-all-Trades tips and tricks at www.ConcentratedTech.com.

This was first published in October 2009

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.