
How to enable BitLocker on Exchange servers

The Exchange Architecture recommends enabling BitLocker on fixed data drives that store Exchange database files for Exchange Server 2013 and Exchange Server 2016.

What is BitLocker?

BitLocker is the built-in Microsoft Windows feature for full disk encryption that offers enhanced protection against data theft on stolen or lost computers or hard disks.

BitLocker first appeared in Windows Vista and Windows Server 2008. Since then, BitLocker functionality has expanded and now includes encrypting data volumes, encrypting only used disk space, and provisioning flexibility.

Windows BitLocker protects data on volumes with a 128-bit (default) or 256-bit key using the AES (Advanced Encryption Standard) encryption algorithm.

How to deploy BitLocker?

BitLocker can be deployed on Exchange servers using the following methods.

  1. Encrypting the operating system volume as well as the Exchange data volumes, either via a TPM (recommended) or with the help of Network Unlock, a Data Recovery Agent and a PKI infrastructure.
  2. Only encrypting the Exchange data volumes.

To use BitLocker in a FIPS-compliant manner, note that if you are not using Windows Server 2012 R2 or later as the base OS, you cannot use recovery passwords for BitLocker. For more details, see What’s New in BitLocker and KB 947249.

Volume Encryption Method

There are two approaches for volume encryption:

  1. Encrypting the entire volume. This option is the right choice when you need to encrypt volumes that already contain messaging data. With a 3TB disk, it takes more than 8 hours to encrypt the disk completely.
  2. Encrypting the used space only. This method works for new deployments or for new disks without existing data.

Prior to beginning the encryption of an entire volume, make sure to set the servers in maintenance mode to prevent impact to end users. Performance can significantly deteriorate (~90% CPU usage) and free OS volume space will be limited (less than ~2GB) while the volume is being encrypted. Remember to deploy BitLocker on one DAG server at a time to ensure availability.

OS Volume and Exchange Data Volume Encryption Scenario

BitLocker provides the most protection when used with a TPM. The TPM is a hardware component installed in the server and we recommend a TPM 2.0 chip. It works with BitLocker to help protect user data and to ensure that a server has not been tampered with while the system was offline.

Specifically, BitLocker can use a TPM to verify the integrity of early boot components and boot configuration data. This helps ensure that BitLocker makes the encrypted drive accessible only if those components have not been tampered with and the encrypted drive is located in the original server.

BitLocker helps ensure the integrity of the startup process by taking the following actions:

  • Checks that the early boot file integrity has been maintained, and helps ensure that there has been no malicious modification of those files, such as with boot sector viruses or rootkits.
  • Enhances protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system drive.
  • Locks the system when it is tampered with. If any monitored files have been modified, the system does not start. This alerts the administrator to the tampering, because the system fails to start as usual. In the event that system lockout occurs, follow the BitLocker recovery process, which includes unlocking the system with a password or a USB key.

Important: A TPM can only be used in a physical server deployment. Virtualized servers are not capable of using a TPM. If you encrypt the guest operating system volume, a password or USB key must be used to allow the guest operating system to boot.

Setting up the Environment

The steps below assume the Exchange Server operating system is Windows Server 2012 R2 or later.

Important: When enabling BitLocker on existing Exchange servers, it is important to place the servers in maintenance mode to prevent the encryption process from affecting the end user experience.

  1. Create an Organizational Unit to contain the Exchange servers, if one does not already exist. Open PowerShell with the appropriate Active Directory permissions.

New-ADOrganizationalUnit "Exchange Servers" -Path "dc=contoso,dc=com"

$ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'

# "Exchange Server" is a placeholder computer name; repeat for each Exchange server
Get-ADComputer "Exchange Server" | Move-ADObject -TargetPath $ExchangeOU.DistinguishedName

  2. Create a group policy object and link it to the Exchange Servers OU.

Import-Module GroupPolicy # RSAT must be installed

New-GPO -Name "Exchange Server BitLocker Policy" -Domain contoso.com

New-GPLink -Name "Exchange Server BitLocker Policy" -Enforced "yes" -Target $ExchangeOU.DistinguishedName

  3. Install the BitLocker module on the Exchange servers.

  • Open PowerShell with local administrative privileges.
  • Execute Install-WindowsFeature BitLocker -Restart.
  • Reboot the server.

  4. Enable the TPM on the Exchange servers.

  • Refer to your hardware vendor’s BIOS manual for details on how to enable/activate the TPM.
  • Verify the TPM state by using the Trusted Platform Module Management tool (tpm.msc).

  5. Allow TPM recovery information to be stored in Active Directory.

  • Open the Exchange Management Shell with an account that has the necessary permissions in Active Directory to apply access control entries.
  • Execute the following.


Add-ADPermission $ExchangeOU.DistinguishedName -User "NT AUTHORITY\SELF" -AccessRights ReadProperty,WriteProperty -Properties msTPM-OwnerInformation,msTPM-TpmInformationForComputer -InheritedObjectType Computer -InheritanceType Descendents

  6. Configure the BitLocker GPO settings.

  • Open the Group Policy Management Console (gpmc.msc).
  • Navigate the hierarchy to the Exchange Servers OU.
  • Right-click the Exchange Server BitLocker Policy and select Edit.
  • Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, and open BitLocker Drive Encryption.

In the right pane, double-click Choose drive encryption method and cipher strength. Select the Enabled option. If you want to use AES 256-bit encryption, select it and click OK.


  • Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, open BitLocker Drive Encryption, and finally, open Operating System Drives.
  • In the right pane, double-click Require additional authentication at startup. Select the Enabled option. If you want to disable or change any of the authentication methods, do so and click OK.


  • In the right pane, double-click Choose how BitLocker-protected operating system drives can be recovered. Select the Enabled option. Select the Do not enable BitLocker until recovery information is stored to AD DS for operating system drives option. Click OK.


  • In the right pane, double-click Enforce drive encryption type on operating system drives. Select the Enabled option. Select the Used Space Only encryption option for the encryption type. Click OK.


  • Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, open BitLocker Drive Encryption, and finally, open Fixed Data Drives.
  • In the right pane, double-click Choose how BitLocker-protected fixed drives can be recovered. Select the Enabled option. Select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option. Click OK.


  • In the right pane, double-click Enforce drive encryption type on fixed drives. Select the Enabled option. Select the Used Space Only encryption option for the encryption type. Click OK.


  • Open Computer Configuration, open Policies, open Administrative Templates, open System, and open Trusted Platform Module Services.
  • In the right pane, double-click Turn on TPM backup to Active Directory Domain Services. Select the Enabled option. Click OK.


  • Ensure the group policy is applied to the Exchange servers.


$Servers = Get-ADComputer -SearchBase $ExchangeOU.DistinguishedName -Filter *

foreach ($Server in $Servers) { Invoke-GPUpdate -Computer $Server.Name -Force -Target Computer }

  • Enable OS encryption.
  • Create a recovery password protector for the operating system drive: manage-bde -protectors -add C: -RecoveryPassword
  • Turn on encryption of the operating system drive: manage-bde -on C: -UsedSpaceOnly
  • Enable data volume encryption (C:\ExchangeVolumes\ExVol1 is the mount point of an Exchange data volume; replace as appropriate).

Create a recovery password protector: manage-bde -protectors -add "C:\ExchangeVolumes\ExVol1" -RecoveryPassword

Execute the following for each Exchange database volume: manage-bde -on "C:\ExchangeVolumes\ExVol1" -UsedSpaceOnly

Execute the following for each Exchange database volume to enable automatic unlock: Enable-BitLockerAutoUnlock -MountPoint "C:\ExchangeVolumes\ExVol1"

Note: Bad disk sectors can result in BitLocker volume encryption failure. For more information, please see Event ID 24588.
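As an added example (not code from the original post), the same data-volume steps done with the BitLocker PowerShell module instead of manage-bde, with a check that the recovery password actually reached AD DS before the volume is relied on. The mount points are placeholders; it assumes the BitLocker feature, the RSAT ActiveDirectory module and the GPOs above are in place and the server is in maintenance mode.

```powershell
# Added example, not code from the original post. Assumptions: BitLocker feature and
# RSAT ActiveDirectory module installed, the GPOs from this post applied, and the
# server already in maintenance mode.
#Requires -RunAsAdministrator
Import-Module BitLocker
Import-Module ActiveDirectory

# Placeholder mount points; replace with the real Exchange volume paths.
$DataVolumes = @('C:\ExchangeVolumes\ExVol1', 'C:\ExchangeVolumes\ExVol2')

function Protect-ExchangeDataVolume {
    param([Parameter(Mandatory)][string]$MountPoint)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Warning "$MountPoint is already protected; skipping"
        return $vol
    }
    # Add a 48-digit recovery password protector and encrypt used space only
    # (appropriate for new volumes; use full encryption for volumes with data).
    $vol = Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector `
                            -UsedSpaceOnly -SkipHardwareTest

    # Escrow the recovery password explicitly. The GPO blocks encryption when
    # escrow fails, so a failure here is the first thing to investigate.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
          Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

    # Let the TPM-protected OS volume unlock this data volume at boot.
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint
}

function Test-RecoveryPasswordEscrowed {
    # Escrowed passwords live as msFVE-RecoveryInformation objects under the
    # computer account; each object's CN ends with the key protector GUID.
    param([Parameter(Mandatory)][string]$KeyProtectorId)
    $computer = Get-ADComputer $env:COMPUTERNAME
    $escrowed = Get-ADObject -SearchBase $computer.DistinguishedName `
                             -LDAPFilter '(objectClass=msFVE-RecoveryInformation)'
    [bool]($escrowed | Where-Object { $_.Name -like "*$KeyProtectorId" })
}

foreach ($mp in $DataVolumes) {
    $v = Protect-ExchangeDataVolume -MountPoint $mp
    $rpId = ($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
             Select-Object -First 1).KeyProtectorId
    [pscustomobject]@{
        MountPoint   = $mp
        VolumeStatus = $v.VolumeStatus        # EncryptionInProgress / FullyEncrypted
        Percent      = $v.EncryptionPercentage
        AutoUnlock   = $v.AutoUnlockEnabled
        RecoveryInAD = Test-RecoveryPasswordEscrowed -KeyProtectorId $rpId
    }
}
```

A volume reporting RecoveryInAD as False should not be left in production: without the escrowed password, a later TPM or boot change on the OS volume leaves no way to unlock the data volume.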

In the situation where a TPM cannot be used (e.g., the server does not have a TPM, or it is virtualized), encrypting the OS volume requires the use of a password or USB key to allow the operating system to boot. As that can be detrimental for a service like Exchange, you could choose not to encrypt the OS volume. Instead, you only encrypt the fixed data volumes. Since the OS volume is not encrypted, the operating system cannot automatically unlock the encrypted volumes on boot. Therefore, one of two things must happen:

  1. An administrator manually enters the recovery key and unlocks each drive after OS boot.
  2. A scheduled task is invoked to unlock the encrypted volumes during OS boot.

The following steps outline how to set up the scheduled task and assume the Exchange Server operating system is Windows Server 2012 R2 or later.

  • Create an Organizational Unit to contain the Exchange servers, if one does not already exist.


New-ADOrganizationalUnit "Exchange Servers" -Path "dc=contoso,dc=com"

$ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'

Get-ADComputer "Exchange Server" | Move-ADObject -TargetPath $ExchangeOU.DistinguishedName

  • Create group policy object and link it to the Exchange Servers OU.


Import-Module GroupPolicy # RSAT must be installed

New-GPO -Name "Exchange Server BitLocker Policy" -Domain contoso.com

New-GPLink -Name "Exchange Server BitLocker Policy" -Enforced "yes" -Target $ExchangeOU.DistinguishedName

  • Create BitLocker scheduled task service account (_bitlockersvc).
  • Create security group for BitLocker management, placing the security group in a protected container.


New-ADGroup -name "Exchange BitLocker Management" -groupscope Universal -path "cn=users,dc=coe,dc=local"

Add-ADGroupMember "Exchange BitLocker Management" -members "_bitlockersvc", "Organization Management"

  • Install the BitLocker module on the Exchange servers.


Install-WindowsFeature BitLocker

  • Reboot the server.
  • Add BitLocker security management group to local administrators group on the Exchange servers.
  • Grant the BitLocker security management group permissions to access the msFVE-RecoveryPassword AD object. This allows the accounts to access the recovery password.


$ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'

DSACLS $ExchangeOu.DistinguishedName /I:T /G "contoso\Exchange BitLocker Management:CA;msFVE-RecoveryPassword"

  • Configure the BitLocker GPO settings.
  • Ensure the group policy is applied to the Exchange servers.


$Servers = Get-ADComputer -SearchBase $ExchangeOU.DistinguishedName -Filter *

foreach ($Server in $Servers) { Invoke-GPUpdate -Computer $Server.Name -Force -Target Computer }

Create the script that unlocks the volumes when the operating system boots.

Save the script below as UnlockDrives.ps1 in your script directory (e.g., c:\bitlocker).

UnlockDrives.ps1

# The ActiveDirectory module (RSAT) must be installed on the Exchange server
Import-Module ActiveDirectory

# Recovery passwords escrowed in AD DS are child objects of the computer account
$computer = Get-ADComputer $env:COMPUTERNAME
$RecoveryInformations = Get-ADObject -LDAPFilter "(msFVE-RecoveryPassword=*)" -SearchBase $computer.DistinguishedName -Properties *

# Enumerate BitLocker volumes through WMI and keep only the locked ones (LockStatus 1)
$vols = Get-WmiObject Win32_EncryptableVolume -Namespace "Root\CIMV2\Security\MicrosoftVolumeEncryption"
$lockedvols = $vols | Where-Object { $_.GetLockStatus().LockStatus -eq 1 }

# Try each escrowed recovery password against every locked volume
foreach ($lockedvol in $lockedvols) {
    $RecoveryInformations | ForEach-Object { $lockedvol.UnlockWithNumericalPassword($_."msFVE-RecoveryPassword") }
}

  • Create the scheduled task to run at system start and unlock the volumes, replacing the bold items.

Save the below file to your script directory.

  • Execute schtasks /create /s $env:computername /ru contoso\_svcexbitlocker /rp /XML c:\Bitlocker\UnlockDrivesAtStart.xml /TN UnlockDrivesAtStart.

System Changes

It’s important to keep in mind that any of the following system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected volumes:

  • Moving the BitLocker-protected drive into a new computer.
  • Installing a new motherboard with a new TPM.
  • Turning off, disabling, or clearing the TPM.
  • Changing any boot configuration settings.
  • Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
  • Applying BIOS/UEFI firmware updates.

As part of your customary procedure, it’s best to suspend BitLocker encryption (via the Suspend-BitLocker cmdlet) before introducing any changes to the server. Additionally, make sure to test any hardware and software configuration changes in a lab setting (that has BitLocker enabled) before deploying in production.

Also, be sure to develop a standard operating procedure about how to recover in the event the BitLocker recovery must be performed. This will ensure that downtime is minimized. For more information, please see the BitLocker Recovery Guide.
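An added example, not from the original post, of a suspend/verify pair for such changes: the first function suspends protection for one reboot and records a baseline, the second verifies after the change that every volume is protected again and still has its TPM protector. The state file path is a placeholder, and it assumes the BitLocker module is installed and the server is already in maintenance mode.

```powershell
# Added example, not code from the original post. Assumptions: BitLocker module
# installed, server in Exchange maintenance mode, $StatePath is a placeholder.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Suspend-BitLockerForChange {
    param(
        [string]$StatePath = 'C:\BitLocker\prechange-state.json',  # placeholder path
        [int]$RebootCount = 1   # protection resumes by itself after this many reboots
    )
    $protected = Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On'
    if (-not $protected) { throw 'No BitLocker-protected volumes found; nothing to suspend.' }

    $state = foreach ($v in $protected) {
        # Baseline: which volumes were protected and whether each had a TPM protector.
        [pscustomobject]@{
            MountPoint   = $v.MountPoint
            TpmProtector = [bool]($v.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
        }
        # Suspending keeps the data encrypted but stores the key in the clear, so the
        # changed TPM measurements after the update do not force recovery mode.
        Suspend-BitLocker -MountPoint $v.MountPoint -RebootCount $RebootCount | Out-Null
    }
    New-Item -ItemType Directory -Path (Split-Path $StatePath) -Force | Out-Null
    $state | ConvertTo-Json | Set-Content -Path $StatePath
    $state
}

function Test-BitLockerAfterChange {
    param([string]$StatePath = 'C:\BitLocker\prechange-state.json')
    $before = Get-Content -Path $StatePath -Raw | ConvertFrom-Json
    foreach ($b in $before) {
        $after = Get-BitLockerVolume -MountPoint $b.MountPoint
        if ($after.ProtectionStatus -ne 'On') {
            # Protection did not resume on its own (RebootCount not reached yet); resume now.
            Resume-BitLocker -MountPoint $b.MountPoint | Out-Null
            $after = Get-BitLockerVolume -MountPoint $b.MountPoint
        }
        $tpmNow = [bool]($after.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
        [pscustomobject]@{
            MountPoint = $b.MountPoint
            Protection = $after.ProtectionStatus
            TpmBefore  = $b.TpmProtector
            TpmAfter   = $tpmNow
            # A vanished TPM protector means the OS volume now depends on the recovery password alone.
            Healthy    = ($after.ProtectionStatus -eq 'On') -and ($tpmNow -eq $b.TpmProtector)
        }
    }
}

# Typical sequence: Suspend-BitLockerForChange; apply the firmware/boot change and reboot;
# then Test-BitLockerAfterChange and investigate any volume reported as not Healthy.
```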

Disk Maintenance Activities

During the server’s lifecycle, disks will die. As part of your standard operating procedures, you need to ensure that when a disk is replaced the new volume is formatted and encrypted via BitLocker.

In the event you are using AutoReseed to recover from failed disks, you have two options: format and encrypt the disks prior to usage, or encrypt after failure.

Format and encrypt the disks prior to usage

In this scenario, your standard operating procedure will be to prevent Disk Reclaimer from formatting hot spare disks. Instead, you will format and encrypt all hot spare disks prior to usage.

  1. Disable Disk Reclaimer on the DAG: Set-DatabaseAvailabilityGroup -AutoDagDiskReclaimerEnabled $false
  2. Format and encrypt all hot spares. Do not assign mount points or drive letters.
  3. As disks fail, AutoReseed will assign the hot spare volumes, replacing the failed volumes, and reseed the afflicted database copies.
  4. Schedule a maintenance window. Replace the failed disks. Format and encrypt.

Encrypt after failure

In this scenario, your standard operating procedure will be to allow Disk Reclaimer to format hot spare disks (default behavior). After the spare is formatted and databases are reseeded, you will encrypt the disk.

  1. As disks fail, AutoReseed allocates, remaps and formats a spare disk.
  2. AutoReseed initiates reseed operations.
  3. Using SCOM, or another operations management tool, you will monitor for events 1127 (initiated reseed of a database) and 826 (completed reseed of a database) that are located in the Microsoft-Exchange-HighAvailability/Seeding crimson channel.
  4. Schedule a maintenance outage for the affected server and encrypt the new volume.

We hope this post helps you understand BitLocker encryption and configure BitLocker for Exchange servers. As demonstrated, the best approach is to use a TPM for storing the recovery data and to allow the operating system to unlock the volumes automatically during boot. If your servers do not have access to a TPM, you can consider encrypting only the data volumes and building a mechanism that ensures the data volumes are unlocked at OS boot.

Exchange Architecture recommends enabling BitLocker on fixed data drives that store Exchange database files, both for Exchange Server 2013 and Exchange Server 2016.


Protect Your Emails with Two-Factor Authentication

The large number of hacks of celebrities’ email accounts reported by the media and widely discussed by the general public cause users to be greatly concerned about the safety of their data. So that’s what we are going to address in this article.

What is two-factor authentication and how can it help?

Two-factor authentication is a method of establishing identity using two different types of information. The first type is usually a user name and password, while the second type is provided in an SMS, smartphone app, OTP device or certificate.

SMS

There is a lot of information on the Internet on how two-factor authentication works via SMS.

In my opinion, if the potential monetization of hacking your account does not exceed $1000, this type of protection is acceptable. If you want to protect more valuable data, SMS is not quite the right approach. Your mobile phone could be stolen or your SIM card could be replaced. By the time you notice, the hacker will have already downloaded all your correspondence from the server. For example, the Gmail account of the Russian political activist Navalny was hacked and years of private email correspondence went public. His account was protected using SMS-based two-factor authentication. The recent attack on users of mobile banking clients also demonstrates the vulnerability of this method.

Significant disadvantages of this method include extreme inconvenience in protecting email, and problems for travelers and those frequently changing their SIM cards.

Mobile app

Authentication through a mobile application solves the problem of protecting the SIM card against copying or theft, and is more convenient for traveling. But the other problems remain.

OTP

OTP (One Time Password) devices probably provide the highest level of protection among all the methods. Devices that require you to enter a PIN code before use are particularly effective. No wonder every bank that cares about its reputation uses OTPs for clients’ financial transactions.

The main disadvantage is that they are not very convenient to use for email protection.

Protection with a certificate

This technology restricts access to email to authorized devices: a special certificate is installed on the device, and the user’s credentials alone are not sufficient without it.

Unfortunately, this technology does not solve the protection problem that arises if a laptop or phone is stolen. However, disk encryption in combination with a fingerprint sensor completely solves the problem of protecting the laptop, and if an attacker manages to gain access to the email on a mobile phone, the damage is incomparably smaller than when all email is downloaded from servers. Of course, encrypting and protecting mobile devices can reduce the damage caused by this threat to zero.

The main advantage of this technology is its transparency for the user. After installing the certificate on the device, the user can work as usual without entering any codes. Even if the password is compromised, it can only be used on authorized devices.

Certificates can be either associated with a USB token (a popular solution among Russian banks) or a user device. In our opinion, this solution is more suitable for corporate users.

Of course, this technology only applies to corporate emails and introduces just one component to a system of data security measures.

We can protect mail on MS Exchange Server and clients using Exchange through ActiveSync and OWA. Unfortunately, the current version of MS Outlook does not support this solution.

In technical terms, two-factor authentication using a certificate is based on the corporate public key infrastructure (PKI). To grant access to a device, the system administrator installs a user certificate that contains a private key without the ability to export. The user can then use the Exchange Web Interface (OWA). By clicking on a corresponding link, the user receives a certificate request as the first authentication factor, and then enters his or her credentials in the web form as the second factor.

To use two-factor authentication, mobile devices must support ActiveSync version 12.0+. At present, it is supported by the following devices:

  • Apple iPhone / iPad with iOS 6.x and higher;
  • Smartphones and tablets with Android version 4.1.2 and higher;
  • Devices with Windows Phone 7 and higher.

An enterprise IT administrator uses the iPhone Configuration Utility (iPCU) to install a profile on Apple devices with all the necessary account information, user certificates, and the certification authority.

On devices running Android and Windows Phone, the administrator installs the created certificate chains and configures the user account, indicating which certificate to use for login. For large organizations, the process can be automated using dedicated Mobile Device Management (MDM) software which manages devices on various platforms (for example, on BES 12).
