While many admins rely more and more on BitLocker and third-party drive encryption tools at the workstation level,
Windows servers are often overlooked. Is there a good reason? Or is it just something many people haven’t thought about? There are certainly some downsides to server-based drive encryption, but by and large I think it’s something that just hasn’t been on the radar.
The old-school mindset is that servers are in-house and therefore locked down and physically protected -- but that’s not always true. Just ask any business manager who has experienced a burglary and I’m sure they’ll beg to differ. I’ve seen plenty of business environments where servers were out in the open ready for the taking. Furthermore, many Windows admins are running Windows Server on “workstation” hardware -- particularly laptops.
Windows Server 2008 and R2 ship with BitLocker drive encryption for free and it provides strong protection. BitLocker does have its downsides, however, so make sure you understand all the facts before rolling it out across your enterprise. Thinking outside the Microsoft box, PGP Corporation has its own drive encryption solution for Windows-based systems, for example.
The good thing about Windows Server encryption is that it’s relatively transparent. In other words, once the volume is unlocked the encryption doesn’t get in the way of applications and users trying to access it. The problem is that anyone on the network who has privileges on the server can access the data, so drive encryption isn’t going to keep your databases and files secure when the system is up and running. Also, data stored in server memory is not encrypted, which mean it could be vulnerable to malware or other vectors and written to the server’s swap or crash dump file. Data backups can’t be encrypted either.
All’s not lost, however. Getting back to my original point of physical security, disk encryption will protect the system in the event of loss or theft, which I still believe is a real threat to many servers out there.
Sure, in the end many servers are protected by gates, guards and guns in the typical data center, but take a look around and you’ll likely find many Windows server systems in your environment that are “in the clear”, waiting to sprout legs and walk out the door. If this scenario ever occurs, it’ll no doubt be one of those unexpected data breaches -- but it’s still a data breach. After all, how are you supposed to protect against something that you never thought would be an issue?
Now you know, so take a long hard look and think about what could happen, both inside your own building(s) and with any third-party hosting/collocation providers you use. If Windows server drive encryption is an option, it’s great for in-depth defense and can only serve to improve how you manage risks in your business.
You can follow SearchWindowsServer.com on Twitter @WindowsTT.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored eight books on information security. He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at his website www.principlelogic.com.