Windows Server 2008 R2 Enterprise and Bitlocker on DC

    Question

  • Hello,

    I would like to know if it's a good idea/possible to run BitLocker on a Domain Controller that has a few VM machines running on it.
    Would there be any ramifications/possible drawbacks?

    Thank you.


    Monday, February 11, 2013 10:26 AM

Answers

  • Hiya,

    Why would you want to encrypt your server volumes? Concerned about physical hard disk theft of your server(s)?

    Unless you have a direct threat that relates to the above or a specific requirement, I wouldn't recommend implementing drive encryption on a server.

    My justification for not recommending that is that you're adding unnecessary administrative as well as performance overhead on your server, which would result in decreased performance, with no added value.

    Monday, February 11, 2013 11:01 AM
  • The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 and a Trusted Computing Group (TCG)-compliant BIOS implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.

    http://www.arabitpro.com

    Monday, February 11, 2013 11:53 AM
  • The ramifications / drawbacks are:

    1. You will have another encryption key to backup
    2. You will have some performance degradation (exactly how much depends on your hardware and server loads)
    3. You will need to account for BitLocker when doing updates / reboots - sometimes you may need physical / KVM access to reset a BitLocker lockout
    Monday, February 11, 2013 12:36 PM
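The two operational drawbacks above (a recovery key that must be backed up, and a reboot that can stop at the recovery prompt until someone reaches the console) can be handled from a pre-reboot script. The following is an added example, not code from the thread or from Microsoft; it drives manage-bde.exe from PowerShell because Windows Server 2008 R2 has no BitLocker PowerShell module. It assumes it runs elevated on the server, that `C:` is the OS volume, and that Group Policy already allows BitLocker recovery information to be stored in AD DS; the function names are this example's own.

```powershell
<#
  Added example (not from the thread). Pre-reboot BitLocker checklist for an
  OS volume on Windows Server 2008 R2, driving manage-bde.exe from PowerShell.
  Assumptions: elevated session on the server; $Drive is the OS volume; the
  domain accepts BitLocker recovery information (Group Policy enabled).
#>

function Get-BdeProtectorText {
    # Raw protector listing for the volume; manage-bde only emits text.
    param([string]$Volume)
    return (& manage-bde.exe -protectors -get $Volume 2>&1 | Out-String)
}

function Get-RecoveryProtectorIds {
    # Returns the {GUID} IDs of every "Numerical Password" (recovery password)
    # protector in the listing. Drawback 1 in the thread: this is the key
    # you must keep a backup of, so first confirm one exists.
    param([string]$ProtectorText)
    $ids = @()
    $lines = $ProtectorText -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'Numerical Password') {
            # The "ID: {...}" line follows the protector type line.
            $limit = [Math]::Min($i + 3, $lines.Count - 1)
            for ($j = $i + 1; $j -le $limit; $j++) {
                if ($lines[$j] -match '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}') {
                    $ids += $Matches[0]
                    break
                }
            }
        }
    }
    return ,$ids
}

function Backup-RecoveryPasswordsToAd {
    # Escrow each recovery password on the computer object in AD DS so a
    # lockout can be cleared from the BitLocker Recovery tab instead of a
    # key stored on someone's laptop.
    param([string]$Volume, [string[]]$Ids)
    foreach ($id in $Ids) {
        Write-Host "Backing up recovery protector $id for $Volume to AD DS"
        & manage-bde.exe -protectors -adbackup $Volume -id $id
        if ($LASTEXITCODE -ne 0) { throw "AD backup failed for $id (exit $LASTEXITCODE)" }
    }
}

function Suspend-BdeProtection {
    # Drawback 3 in the thread: a firmware or boot-path change during updates
    # can fail the TPM measurement and stop the box at the recovery prompt,
    # which on a headless DC means console or KVM access. Disabling the
    # protectors keeps the volume encrypted but skips that check for the
    # reboot. On 2008 R2 this stays disabled until -enable runs, so resume.
    param([string]$Volume)
    & manage-bde.exe -protectors -disable $Volume
    if ($LASTEXITCODE -ne 0) { throw "Could not suspend protectors on $Volume" }
}

function Resume-BdeProtection {
    # Re-arm the protectors once the server is back and verified.
    param([string]$Volume)
    & manage-bde.exe -protectors -enable $Volume
    if ($LASTEXITCODE -ne 0) { throw "Could not resume protectors on $Volume" }
}

# --- pre-reboot checklist ---
$Drive = 'C:'   # assumption: OS volume

$text = Get-BdeProtectorText -Volume $Drive
$ids  = Get-RecoveryProtectorIds -ProtectorText $text
if ($ids.Count -eq 0) {
    throw "No recovery password protector on ${Drive}; add one first (manage-bde -protectors -add $Drive -RecoveryPassword)."
}
Backup-RecoveryPasswordsToAd -Volume $Drive -Ids $ids
Suspend-BdeProtection -Volume $Drive
Write-Host "Apply updates and reboot now, then run: Resume-BdeProtection -Volume $Drive"
```

Run it before the maintenance reboot and call `Resume-BdeProtection` once the DC is back and healthy; leaving protectors disabled after the window would quietly remove the protection the original poster was asking about.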

All replies

  • I suppose that you can do this. But what value will this add?

    Monday, February 11, 2013 3:04 PM