Securing Exchange Server 2007 & Database Encryption with BitLocker?

My experience with BitLocker:
I have been using Windows BitLocker Drive Encryption (BitLocker) on my Windows Vista, Windows Server 2008 and new Windows 7 boxes. Since I had been trying it for a while, I thought I would apply it to Exchange Server 2007 SP2 as well, and see whether it can make Exchange Server stronger.

How I tried it

Step 1: Created a new installation of Windows Server 2008 with the service pack updates
Step 2: Tried setting up BitLocker
Step 3: Tried installing Exchange Server 2007 SP2

Let me share the steps that I followed. I also want to share a couple of basics about BitLocker, if you're interested…

What is BitLocker?
BitLocker is a security feature in the Windows Vista, Windows Server 2008 and Windows 7 operating systems that protects the operating system on your computer and the data stored on the operating system volume.

What does BitLocker do?
Mainly it takes care of the following:

  • It encrypts all data stored on the Windows operating system volume. This includes the Windows operating system, hibernation and paging files, applications, and data used by applications.
  • It is configured by default to use a Trusted Platform Module [TPM] to help ensure the integrity of early startup components (components used in the earlier stages of the startup process), and "locks" any BitLocker-protected volumes so that they remain protected even if the computer is tampered with when the operating system is not running.

What makes BitLocker special?
What I learnt is that BitLocker is implemented in code in the early startup components (master boot record (MBR), boot sector, boot manager and Windows Loader), and as a filter driver that is an integral part of the operating system. When BitLocker is first enabled, the existing data on the volume must be encrypted. You can continue to use the computer during this process.

BitLocker also helps to:

+ Address threats of data theft or exposure from lost or stolen computers. Data on a lost or stolen computer is vulnerable to unauthorized access if a software program is run on the computer or if the computer's hard disk drives are transferred to a different computer.
+ Reduce unauthorized data access by improving file and system protections.
+ Make data inaccessible when BitLocker-protected computers are decommissioned or recycled.

For more information about BitLocker Drive Encryption, you can refer to this TechNet article. You can also refer to the BitLocker Encryption Step-by-Step Guide.

How does this help us make Exchange Server secure?
In Windows Server 2008, BitLocker protection can be extended to volumes used for data storage as well, along with the protection for the operating system on your computer.

BitLocker requires that the active partition (also called the system partition) be a non-encrypted partition. The Windows operating system is installed to a second partition that is encrypted by BitLocker. Whenever you deal with the encryption of data, especially in an enterprise environment, you must consider how that data can be recovered in the event of hardware failure, changes in personnel, or other situations in which encryption keys are lost.

How to do this?
BitLocker enables an IT administrator to encrypt the operating system volume and additional volumes on a Windows Server 2008-based computer. Let us try this out. By default, BitLocker is not installed in Windows Server 2008. You must add BitLocker from the Server Manager page in Windows Server 2008.

I tried installing it from the command prompt.

  1. Click the Start button, click All Programs, click Accessories, right-click Command Prompt, and click Run as administrator.

  2. If the User Account Control (UAC) dialog box appears, select Continue.

  3. At the command prompt, type the following:

    ServerManagerCmd -install BitLocker -restart

    This installs BitLocker if you have not already installed it.

  4. After you install and configure BitLocker, you must restart the server to enable the features that BitLocker provides.

Additionally, what more can you secure?
As per the TechNet article, you can use BitLocker to encrypt the volumes that host Exchange 2007 database files and transaction log files. Additionally, because the Exchange Storage Engine (ESE) works well with BitLocker, you do not experience a significant performance penalty when you encrypt the volumes that host the Exchange database files and transaction log files.
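The following script is an added example and is not part of the original post or any Microsoft documentation. It carries the two steps above through to the Exchange volumes: it checks that the BitLocker command-line tool is present (Windows Server 2008 ships it as manage-bde.wsf, later releases as manage-bde.exe), verifies that the operating system volume is already protected, and then turns on BitLocker for the volumes that hold the database and transaction log files with auto-unlock enabled, so that the Information Store still finds its .edb and .log files after a restart. The drive letters (E:, F:, R:) are assumed placeholders for this example; adjust them to your own layout.

```powershell
# Added example (not from the original post). Encrypt the volumes that host Exchange 2007
# database and transaction log files and make them unlock automatically at boot.
# Assumed layout (placeholders): OS volume C:, mailbox database volume E:,
# transaction log volume F:, recovery key copied to removable drive R:\.
param(
    [string[]] $DataVolumes     = @('E:', 'F:'),
    [string]   $RecoveryKeyPath = 'R:\'
)

# Windows Server 2008 R2 and later ship manage-bde.exe; the original Windows Server 2008
# release ships the same command set as a script that must be run through cscript.
$exe = Join-Path $env:SystemRoot 'System32\manage-bde.exe'
$wsf = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'
if (Test-Path $exe) {
    function Invoke-Bde { & $exe @args }
} elseif (Test-Path $wsf) {
    function Invoke-Bde { & cscript.exe //nologo $wsf @args }
} else {
    throw 'BitLocker tool not found; run "ServerManagerCmd -install BitLocker -restart" first.'
}

# Auto-unlock stores the data-volume key on the OS volume, so the OS volume must be
# protected before any data volume can be set to unlock automatically.
$osStatus = Invoke-Bde -status $env:SystemDrive | Out-String
if ($osStatus -notmatch 'Protection On') {
    throw "BitLocker is not turned on for $env:SystemDrive; protect the OS volume first."
}

foreach ($vol in $DataVolumes) {
    Write-Host "Turning on BitLocker for $vol (encryption runs while the volume stays in use)"
    # -RecoveryPassword creates a 48-digit numerical password (record it and store it
    # offline or in AD DS); -RecoveryKey writes a .bek key file to the removable drive.
    Invoke-Bde -on $vol -RecoveryPassword -RecoveryKey $RecoveryKeyPath
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed for $vol" }

    # Without auto-unlock the volume stays locked after a reboot and the Information Store
    # service fails because its database and log paths are unavailable.
    Invoke-Bde -autounlock -enable $vol
    if ($LASTEXITCODE -ne 0) { throw "Auto-unlock could not be enabled for $vol" }
}

# Show the key protectors that were created; the recovery password ID is the value you
# look up when a volume has to be recovered. Then print the overall status.
foreach ($vol in $DataVolumes) { Invoke-Bde -protectors -get $vol }
Invoke-Bde -status
```

Run it from an elevated PowerShell prompt after the BitLocker feature has been installed and the server restarted. The recovery material it produces is the answer to the key-loss question raised earlier in the post: keep the numerical password and the .bek file somewhere other than the server itself, or the encrypted database becomes unrecoverable when the hardware fails.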

Did you know this is supported by Microsoft CSS?
As per the TechNet article, because of rigorous testing and because of the integration of BitLocker in Windows Server 2008, Microsoft Customer Support Services fully supports Exchange 2007 for use with BitLocker-encrypted volumes.
