AMD T-type
Supreme [H]ardness
- Joined
- Aug 26, 2002
- Messages
- 4,590
Recently a project has come up that has made me question some things about BitLocker from a technical application aspect.
These are mostly rhetorical questions, but I felt the need to ask them out loud and wasn't sure where to post this, so I was hoping there could be some discussion about it.
Recently one of my clients opted for a third party to run a security audit on their network for compliance. One of the recommendations this company made is that we enable BitLocker on our server. I mean, why not? It's a beefy server, it wouldn't affect performance almost at all, so why not just turn it on?
Well, the server is in a locked network closet, that is already in a locked office, of which is in a locked building (after hours). Since the server is mostly just a file server, the drive is unlocked 100% of the time so the shares function properly. So why use BitLocker at all?
Another amusing tidbit I noticed while reading articles online. Since our server is just a file server, and the data partition is a completely separate RAID array, and there is no PHI data on the boot drive, I opted not to enable BitLocker on the boot drive. However, while coming across articles online, many of them recommended that if enabling BitLocker on the boot drive that you use a USB drive to unlock it, while at the same time leaving it in the server so that if you have to reboot it remotely, then you don't have any issue. Well then what's the fucking point of even having it on in the first place if the KEY is plugged into it 24/7?
Another thing is that my client ordered this server without a TPM chip in it. What was surprising to me was that I have always read in order to use BitLocker without a TPM chip you need to edit the registry to allow for it. Surprisingly however, on Server 2012 R2, it allowed me to simply install the feature, open the BitLocker control panel, and turn it on for the data partition no questions asked. Did this change in R2? Why didn't it fuss about not having a TPM?
All of our laptops run SSD's utilizing SED capabilities and pre-boot authentication to unlock them, that is managed by a dashboard so that in the case of loss we can prove an asset was indeed encrypted. I just don't see the point of all the server hoopla if the machine is in a physically secure location.
I feel like the answer is simply "you don't need it" but was looking for any other reasons or opinions from others that would be helpful.
These are mostly rhetorical questions, but I felt the need to ask them out loud and wasn't sure where to post this, so I was hoping there could be some discussion about it.
Recently one of my clients opted for a third party to run a security audit on their network for compliance. One of the recommendations this company made is that we enable BitLocker on our server. I mean, why not? It's a beefy server, it wouldn't affect performance almost at all, so why not just turn it on?
Well, the server is in a locked network closet, that is already in a locked office, of which is in a locked building (after hours). Since the server is mostly just a file server, the drive is unlocked 100% of the time so the shares function properly. So why use BitLocker at all?
Another amusing tidbit I noticed while reading articles online. Since our server is just a file server, and the data partition is a completely separate RAID array, and there is no PHI data on the boot drive, I opted not to enable BitLocker on the boot drive. However, while coming across articles online, many of them recommended that if enabling BitLocker on the boot drive that you use a USB drive to unlock it, while at the same time leaving it in the server so that if you have to reboot it remotely, then you don't have any issue. Well then what's the fucking point of even having it on in the first place if the KEY is plugged into it 24/7?
Another thing is that my client ordered this server without a TPM chip in it. What was surprising to me was that I have always read in order to use BitLocker without a TPM chip you need to edit the registry to allow for it. Surprisingly however, on Server 2012 R2, it allowed me to simply install the feature, open the BitLocker control panel, and turn it on for the data partition no questions asked. Did this change in R2? Why didn't it fuss about not having a TPM?
All of our laptops run SSD's utilizing SED capabilities and pre-boot authentication to unlock them, that is managed by a dashboard so that in the case of loss we can prove an asset was indeed encrypted. I just don't see the point of all the server hoopla if the machine is in a physically secure location.
I feel like the answer is simply "you don't need it" but was looking for any other reasons or opinions from others that would be helpful.