The official blog for Windows Server Essentials and Small Business Server support and product group communications.
[Today’s post comes to us courtesy of JoAnn McKimpson from the SBS Marketing Team]
Are you concerned about the security of your company's data? If your employees use laptops, they can easily be lost or stolen. USB sticks are easy to lose or to leave in a customer's office. What if your office building was broken into and the thieves managed to steal servers and desktop computers? How can you make sure that you don't lose the company-critical information on your server? The BitLocker feature of Windows Small Business Server 2008 and of Windows 7 Ultimate can help mitigate these risks.
For the purposes of this post, let's consider that your accountant uses a laptop. The data is backed up on your server that is running Windows SBS, but you want to make sure that the data both on the laptop and on the server is protected. In this post, we'll discuss how you can use BitLocker to accomplish this goal.
BitLocker encrypts all the data that is stored on the Windows operating system volume (and configured data volumes). This includes the Windows operating system, the hibernation and paging files, the applications, and the data.
BitLocker uses encryption keys to help ensure the integrity of the components that are used in the earlier stages of the startup process. By default, BitLocker is configured to use a Trusted Platform Module (TPM) chip for the storage and management of these keys. Protected volumes remain protected even if your accountant's computer is tampered with when the operating system is not running.
BitLocker encrypts the entire drive. Your accountant can log on and work with files normally, but because the volume is encrypted at rest, BitLocker can help block an attacker who boots the laptop from other media or removes the drive and installs it in a different computer from reading the system files that would otherwise be used to discover your accountant's password, or from reading the data on the drive at all.
Whenever you deal with the encryption of data, especially in an enterprise environment, you must consider how that data can be recovered in the event of hardware failure, changes in personnel, or other situations in which encryption keys are lost. BitLocker supports a robust recovery scenario.
BitLocker offers many benefits when you use it in Windows SBS 2008 or in Windows 7 Ultimate. A few of the primary benefits are as follows:
In our scenario, we're discussing securing your accountant's laptop, but why stop there? You can use Group Policy to enforce BitLocker for all of the computers and USB drives in your domain.
From policy-configured Active Directory Domain Services integration for the escrow of recovery keys, to simple and efficient hardware recovery processes, BitLocker provides an integrated management experience. Group Policy settings that affect BitLocker are located in Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption. For more information about BitLocker drive encryption and about these settings, see the following Microsoft TechNet article: http://technet.microsoft.com/en-us/library/cc725719(WS.10).aspx
You can use Group Policy settings to configure BitLocker to require or to prevent different types of recovery password storage or to make them optional. You can also use Group Policy settings to prevent BitLocker from being enabled if the keys cannot be backed up to Active Directory. For more information about how to configure Active Directory to support recovery options, see Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information (http://go.microsoft.com/fwlink/?LinkId=82827).
Note: If you choose to save encryption keys in Active Directory, it is a best practice to promote an additional domain controller as a backup.
Two new sets of Group Policy settings have been introduced to support BitLocker and management of the TPM. All of the policy settings are explained in the Local Group Policy Editor and the Group Policy Management Console. To view more detailed explanations, start the Local Group Policy Editor by typing gpedit.msc at an elevated command prompt or in the Start Search box, and then examine the description provided for each of the settings in the table.
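The following script is an added example, not code from the original post or from Microsoft. It audits the registry values behind the Group Policy settings that control AD DS backup of BitLocker recovery information and then escrows any existing recovery password protectors to AD DS through the Win32_EncryptableVolume WMI class. The value names are those set by the BitLocker policy template (the unprefixed pair by the Vista/Server 2008 policy, the OS/FDV/RDV-prefixed names by the Windows 7 per-drive policies); a name the template on your build does not set is simply reported as not configured. It assumes an elevated PowerShell 2.0 or later session on a domain-joined machine whose schema has already been prepared as described in the linked article.

```powershell
# Added example, not from the SBS blog post. Audits the FVE policy values that
# control AD DS backup of BitLocker recovery information, then escrows every
# existing numerical-password (recovery password) protector to AD DS via WMI.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Value names written by the BitLocker policy template: unprefixed names belong
# to the Vista / Server 2008 policy, OS/FDV/RDV-prefixed names to the Windows 7
# per-drive-type policies. Absent names are reported as "not configured".
$names = @(
    'ActiveDirectoryBackup',    'RequireActiveDirectoryBackup',
    'OSActiveDirectoryBackup',  'OSRequireActiveDirectoryBackup',
    'FDVActiveDirectoryBackup', 'FDVRequireActiveDirectoryBackup',
    'RDVActiveDirectoryBackup', 'RDVRequireActiveDirectoryBackup'
)

function Get-FvePolicy {
    if (-not (Test-Path $policyKey)) {
        Write-Warning "No policy key at $policyKey; AD DS backup is not enforced by Group Policy on this machine."
        return
    }
    $values = Get-ItemProperty -Path $policyKey
    foreach ($n in $names) {
        $v = $values.$n
        if ($v -eq $null)  { $state = 'not configured' }
        elseif ($v -eq 1)  { $state = 'enabled' }
        else               { $state = "disabled (value $v)" }
        '{0,-34} {1}' -f $n, $state
    }
}

# BitLocker volumes are exposed as Win32_EncryptableVolume; key protector
# type 3 is the 48-digit numerical password, which is what AD DS stores.
function Backup-RecoveryPasswordsToAd {
    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    foreach ($vol in Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume) {
        $drive  = $vol.DriveLetter
        $status = $vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
        if ($status -ne 1) { "$drive protection is not on; nothing to escrow"; continue }
        $ids = $vol.GetKeyProtectors(3).VolumeKeyProtectorID
        if (-not $ids) {
            Write-Warning "$drive has no recovery password protector; add one with: manage-bde -protectors -add $drive -RecoveryPassword"
            continue
        }
        foreach ($id in $ids) {
            $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
            if ($r.ReturnValue -eq 0) { "$drive protector $id escrowed to AD DS" }
            else { Write-Warning ('{0} protector {1} failed, WMI return code 0x{2:X8}' -f $drive, $id, $r.ReturnValue) }
        }
    }
}

Get-FvePolicy
Backup-RecoveryPasswordsToAd
```

A non-zero return code from BackupRecoveryInformationToActiveDirectory is the practical sign that the schema extension or the computer object's permissions are not in place; fix that before relying on the "prevent BitLocker from being enabled if the keys cannot be backed up" policy, because with that policy set, the same failure will stop new volumes from being protected.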
You can use BitLocker to secure your server that is running Windows SBS 2008. BitLocker is an optional component in Windows SBS 2008; you must install BitLocker before you can use it. Please note that depending on your hardware configuration, enabling BitLocker can have a moderate impact on server performance. If your server is already I/O bound, you should upgrade your disk subsystem before implementing BitLocker on the server that is running Windows SBS 2008.
Important: Before you install BitLocker, it is imperative that you perform a full backup of the server.
To install BitLocker during the initial configuration, follow these steps:
To install BitLocker after the initial installation by using the Windows user interface, follow these steps:
To install BitLocker after the initial installation by using a Command Prompt window, follow these steps:
After you install BitLocker, turn on BitLocker Drive Encryption:
By completing this procedure, you have encrypted the operating system volume and created a recovery password that is unique to this volume. The next time that you log on, you will see no change. If the TPM changes or cannot be accessed, if key system files change, or if someone tries to start the computer from a product CD or DVD to bypass the operating system, the computer switches to recovery mode until the recovery password is supplied.
For additional scenarios, refer to the "BitLocker Drive Encryption Step-by-Step Guide" at the following TechNet website: http://technet.microsoft.com/en-us/library/cc732725(WS.10).aspx
Now that you've protected your server with BitLocker, you can use BitLocker Drive Encryption to help protect all the files that are stored on your employees' computers. BitLocker is available in Windows 7 Ultimate and can help protect the data that is stored on client computers, particularly mobile ones.
If you encrypt the operating system drive, BitLocker checks the computer during startup for any conditions that could represent a security risk (for example, a change to the BIOS or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and require a special BitLocker recovery key to unlock it. Make sure that you create this recovery key when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files. If your computer has the TPM chip, BitLocker uses it to seal the keys that are used to unlock the encrypted operating system drive. When you start your computer, BitLocker asks the TPM for the keys to the drive and unlocks it.
If you encrypt data drives (fixed or removable), you can unlock an encrypted drive with a password or a smart card, or you can set the drive to automatically unlock when you log on to the computer.
You can turn off BitLocker at any time, either temporarily by suspending it or permanently by decrypting the drive.
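As an added example (not from the original post or from Microsoft), the script below performs the operating system drive and data drive steps described above from the command line using manage-bde.exe as shipped with Windows 7 and Windows Server 2008 R2 (on Windows SBS 2008 itself the equivalent tool is the manage-bde.wsf script run through cscript). It checks that the TPM is ready, turns on BitLocker for the OS drive with the TPM and a recovery password, and then protects a fixed data drive with a recovery password and the auto-unlock key so that it opens at logon. The drive letters are assumptions, and the choice to give the data drive no separate password is mine.

```powershell
# Added example, not from the SBS blog post. Run in an elevated PowerShell on
# Windows 7 / Server 2008 R2. Drive letters below are assumptions.
$osDrive   = 'C:'
$dataDrive = 'D:'

function Test-TpmReady {
    # Win32_Tpm lives in its own WMI namespace; each Is* method returns an
    # object carrying a boolean property of the same name.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($tpm -eq $null) { return $false }
    return [bool]($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated -and $tpm.IsOwned().IsOwned)
}

function Get-ProtectionStatus($drive) {
    $ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$drive'"
    if ($vol -eq $null) { return 2 }
    return $vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
}

if (-not (Test-TpmReady)) {
    throw 'TPM is not enabled, activated and owned; initialize it (tpm.msc) before protecting the OS drive.'
}

$osStatus = Get-ProtectionStatus $osDrive
if ($osStatus -eq 1) {
    "$osDrive is already protected"
} elseif ($osStatus -eq 0) {
    # -RecoveryPassword generates the 48-digit password; the TPM protector is
    # added by default for the OS drive. manage-bde schedules a hardware test,
    # so encryption starts after the next restart.
    manage-bde -on $osDrive -RecoveryPassword
    # List the protectors so the recovery password can be recorded or escrowed
    # to AD DS before the restart; losing it means losing the volume.
    manage-bde -protectors -get $osDrive
} else {
    throw "Cannot determine BitLocker status of $osDrive"
}

# Auto-unlock stores the data drive's external key on the OS drive, so the OS
# drive must already be protected before it is enabled.
if ((Get-ProtectionStatus $osDrive) -eq 1 -and (Get-ProtectionStatus $dataDrive) -eq 0) {
    manage-bde -on $dataDrive -RecoveryPassword
    manage-bde -autounlock -enable $dataDrive
}

# To suspend or remove protection later (the "turn off" options above):
#   manage-bde -pause  D:   /  manage-bde -resume D:
#   manage-bde -off    D:   (decrypts the drive)
```

The script refuses to proceed when the protection status is unknown rather than treating it as off, because manage-bde -on against a volume it cannot inspect produces a confusing error rather than a protected drive.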
And of course you can also use BitLocker on your Windows 7 Ultimate laptops to ensure that confidential information on the hard drive cannot be accessed if the laptop gets stolen or lost. Users must supply the correct credentials to access the disk, either through a smart card and a PIN, by entering a password, or through their regular domain logon. Setting up BitLocker in Windows 7 Ultimate is a breeze; any Windows SBS administrator can enable BitLocker with a simple right-click since disk preparation is now automatic.
To turn on BitLocker, follow these steps:
For additional information, refer to the "BitLocker Drive Encryption Step-by-Step Guide for Windows 7" at the following TechNet website: http://technet.microsoft.com/en-us/library/dd835565(WS.10).aspx.
By turning on BitLocker for your computers that are running Windows Server 2008 and Windows 7 Ultimate, you've gone a long way toward protecting your infrastructure from accidental loss and theft. Let's not forget the easiest to lose, though: removable media.
To protect USB sticks, thumb drives, and other portable media, you can use BitLocker to Go on your Windows 7 Ultimate workstations and laptops. BitLocker to Go protects any USB storage device and allows access only if you know the correct passphrase or key. As an administrator, you have control over passphrase length and complexity, and you can also set a policy that requires users to apply BitLocker protection to any removable drives before they can write to them. This means that even if your users lose their USB drive, no one else can get to the data unless they know the BitLocker key. To manually protect a removable storage device, connect the device to your Windows 7-based computer, follow the instructions in the "Help Protect Files and Folders on Client Computers" section of this post, and click Turn On BitLocker next to BitLocker Drive Encryption–BitLocker To Go in step 2.
To protect the data contained within the backup files themselves, it is a best practice to store them on a data drive that has been encrypted with BitLocker. Although the backup may be of a drive that has been encrypted by BitLocker, the backup files themselves are not inherently encrypted. Also, if you must recover a machine that is protected by BitLocker, you must reapply BitLocker encryption after the restore. This does not happen automatically.
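The script below is an added example, not from the original post or from Microsoft, that turns the two cautions above into checks: it runs a Windows Server Backup job with wbadmin only when the target drive reports BitLocker protection on, and it lists fixed NTFS volumes whose protection is off, which is the check to run after a restore since protection is not reapplied automatically. It parses the text output of manage-bde -status rather than WMI to show the second way of reading the state; the drive letters are assumptions.

```powershell
# Added example, not from the SBS blog post. Runs Windows Server Backup only
# onto a BitLocker-protected target and reports volumes left unprotected after
# a restore. Drive letters are assumptions; run in an elevated PowerShell.
$backupTarget = 'E:'
$sourceVolume = 'C:'

function Test-BitLockerOn($drive) {
    # manage-bde -status prints a "Protection Status: Protection On/Off" line;
    # -Quiet makes Select-String return $true on a match and nothing otherwise,
    # so an error message for an ineligible drive also counts as "not on".
    return [bool](manage-bde -status $drive | Select-String -Pattern 'Protection On' -Quiet)
}

function Start-ProtectedBackup($target, $source) {
    if (-not (Test-BitLockerOn $target)) {
        throw "Backup target $target is not BitLocker-protected; the backup files would be stored in the clear. Encrypt it first (manage-bde -on $target -RecoveryPassword)."
    }
    # Quoting keeps each wbadmin switch and its value together as one argument.
    wbadmin start backup "-backupTarget:$target" "-include:$source" -quiet
}

function Get-UnprotectedVolumes {
    # DriveType 3 = local fixed disk. Returns the drive letters whose
    # BitLocker protection is not on.
    $unprotected = @()
    foreach ($v in Get-WmiObject -Class Win32_Volume -Filter "DriveType=3 AND FileSystem='NTFS'") {
        if ($v.DriveLetter -and -not (Test-BitLockerOn $v.DriveLetter)) { $unprotected += $v.DriveLetter }
    }
    return $unprotected
}

Start-ProtectedBackup $backupTarget $sourceVolume

$left = Get-UnprotectedVolumes
if ($left) {
    Write-Warning ('BitLocker protection is off on: {0}. Reapply it with manage-bde -on <drive> -RecoveryPassword and escrow the new recovery password.' -f ($left -join ', '))
}
```

Run Get-UnprotectedVolumes on its own after any restore; a restored volume gets a new recovery password when BitLocker is turned on again, so the old escrowed password no longer applies and the new one must be backed up in its place.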
Available in Windows SBS 2008 and in Windows 7 Ultimate, BitLocker Drive Encryption helps you protect your organization's sensitive information by encrypting the data that is stored on servers, client computers, and removable storage devices. You can easily install BitLocker, turn BitLocker on and off, and manage BitLocker by using Group Policy. To return to our scenario, as a result of turning on BitLocker throughout your infrastructure, you can feel confident that your employees' computers and removable media and your server are protected. Additionally, you've applied Group Policy to automatically enforce these settings. Thanks to BitLocker, you've backed up and protected your critical data.
For more information about the topics covered here, watch the following video:
You can also refer to the following resources for more detailed information and step-by-step instructions for using BitLocker: