Enabling BitLocker on Exchange Servers
The optimal security architecture for Exchange for both Exchange Server 2013 and Exchange Server 2016 recommends enabling BitLocker on fixed data drives that store Exchange database files. In order to configure disk encryption, we first define:
What is BitLocker?
BitLocker is a built-in volume encryption solution for Microsoft Windows that provides enhanced protection against data theft, for example, in cases of theft or loss of computers or hard drives.
BitLocker was first introduced in Windows Vista and Windows Server 2008. Since the first release of BitLocker, several improvements have been made, including data volume encryption, encryption of only disk space used, and redundancy flexibility.
By default, BitLocker uses AES encryption in cipher block chaining mode (CBC) with a 128-bit (default) or 256-bit key.
')
For more information, see BitLocker Overview on Microsoft TechNet .
How can BitLocker be deployed?
There are several ways to deploy BitLocker on Exchange servers.
1. Encrypt the operating system volume and Exchange data volumes using either network unlock, Data Recovery agents and PKI infrastructure or using TPM (the recommended approach).
2. Encrypt only Exchange data volumes.
To use BitLocker for FIPS compliance, keep in mind:
Volume Encryption Method
There are two ways to encrypt a volume:
1. Encryption of the entire volume. Use this option if you need to encrypt volumes that already contain existing messaging data. For example, to encrypt an entire 3 TB disk, this will take more than 8 hours.
2. Encrypt only used space. Use this option for new installations or new disks on which data is not yet available.
Before you begin encrypting the entire volume, make sure that the servers are in maintenance mode to prevent exposure to end users. You can note a significant decrease in performance (~ 90% of processor usage) and a decrease in the free space of the volume with the OS (~ 2 GB) while the volume is encrypted. In addition, ensure that BitLocker is deployed at the same time on no more than one DAG server to maintain availability.
Encryption script volume from OS and Exchange data volumes
BitLocker provides maximum protection when used with the TPM module. The TPM is a hardware component installed on the server, and we recommend using TPM chip version 2.0. It works with BitLocker, helping to protect user data, as well as ensuring that the server was not tampered with while it was not available.
In particular, BitLocker can use TPM to verify the integrity of early boot components and boot configuration data. This helps ensure that BitLocker makes the encrypted disk available only if these components have not been tampered with and the encrypted disk resides in the source server.
BitLocker helps ensure the integrity of the startup process by following these steps:
Environment setup
The steps below assume that Exchange Server is running Windows Server 2012 R2 or later.
1. Create an organizational unit (OU) containing the Exchange servers, if one does not exist.
Start PowerShell with the appropriate Active Directory permissions.
2. Create a GPO and link it to the OU that contains the Exchange servers.
3. Install the BitLocker module on Exchange servers.
4. Enable TPM on Exchange servers.
5. Enable the storage of TPM recovery information in Active Directory.
6. Configure Bitlocker settings in a GPO.
Exchange Data Encryption Script
In a situation where TPM cannot be used (for example, the server does not have TPM, or is virtualized), encrypting the OS system volume requires the use of a password or USB key to allow the operating system to boot correctly. Since this can negatively affect the Exchange services, you can refuse to encrypt the OS system volume. Instead, you can encrypt data volumes. Since the OS system volume is not encrypted, the OS cannot automatically unlock the encrypted volumes upon boot. Thus, one of two conditions must be met:
1. The administrator manually enters the recovery key and unlocks each disk after the OS boots.
2. A scheduled task is running to unlock encrypted volumes during OS boot.
The following steps describe how to set up a scheduled task and assume that Exchange Server is running Windows Server 2012 R2 or later.
What is BitLocker?
BitLocker is a built-in volume encryption solution for Microsoft Windows that provides enhanced protection against data theft, for example, in cases of theft or loss of computers or hard drives.
BitLocker was first introduced in Windows Vista and Windows Server 2008. Since the first release of BitLocker, several improvements have been made, including data volume encryption, encryption of only disk space used, and redundancy flexibility.
By default, BitLocker uses AES encryption in cipher block chaining mode (CBC) with a 128-bit (default) or 256-bit key.
')
For more information, see BitLocker Overview on Microsoft TechNet .
How can BitLocker be deployed?
There are several ways to deploy BitLocker on Exchange servers.
1. Encrypt the operating system volume and Exchange data volumes using either network unlock, Data Recovery agents and PKI infrastructure or using TPM (the recommended approach).
2. Encrypt only Exchange data volumes.
To use BitLocker for FIPS compliance, keep in mind:
- Trusted Platform Module (TPM) version 1.2 is not FIPS compliant and uses SHA1. You must use TPM version 2.0 for FIPS compliance.
- To effectively use the network unlock function, you must take into account the basic requirements .
- If you are not using Windows Server 2012 R2 or later as the base operating system, then you cannot use BitLocker recovery passwords. For more information, see What's New in BitLocker and KB 947249 .
Volume Encryption Method
There are two ways to encrypt a volume:
1. Encryption of the entire volume. Use this option if you need to encrypt volumes that already contain existing messaging data. For example, to encrypt an entire 3 TB disk, this will take more than 8 hours.
2. Encrypt only used space. Use this option for new installations or new disks on which data is not yet available.
Before you begin encrypting the entire volume, make sure that the servers are in maintenance mode to prevent exposure to end users. You can note a significant decrease in performance (~ 90% of processor usage) and a decrease in the free space of the volume with the OS (~ 2 GB) while the volume is encrypted. In addition, ensure that BitLocker is deployed at the same time on no more than one DAG server to maintain availability.
Encryption script volume from OS and Exchange data volumes
BitLocker provides maximum protection when used with the TPM module. The TPM is a hardware component installed on the server, and we recommend using TPM chip version 2.0. It works with BitLocker, helping to protect user data, as well as ensuring that the server was not tampered with while it was not available.
In particular, BitLocker can use TPM to verify the integrity of early boot components and boot configuration data. This helps ensure that BitLocker makes the encrypted disk available only if these components have not been tampered with and the encrypted disk resides in the source server.
BitLocker helps ensure the integrity of the startup process by following these steps:
- It checks that the integrity of early boot files is preserved and helps ensure that there are no malicious changes to these files (for example, infection of the boot sector virus or rootkits).
- Strengthens protection to mitigate software attacks while the server is unavailable. Any alternative software that can run the system does not have access to the decryption keys for the Windows system volume.
- Lock system in case of forgery. If any of the monitored files have been changed, the system simply will not start. If the system does not start normally, then this is a signal to the administrator about the fraud. In the event that a system lock occurs, follow the BitLocker recovery procedure, which includes the process of unlocking the system with a password or USB key.
Important: TPM can only be used on physical servers. Virtual servers are not able to use TPM. If you have encrypted the guest operating system volume, then without fail, use a password or USB key to boot the guest operating system.
Environment setup
The steps below assume that Exchange Server is running Windows Server 2012 R2 or later.
Important: When BitLocker is enabled on existing Exchange servers, it is important to place the servers in maintenance mode to avoid the impact of the encryption process on end users.
1. Create an organizational unit (OU) containing the Exchange servers, if one does not exist.
Start PowerShell with the appropriate Active Directory permissions.
New-ADOrganizationalUnit "Exchange Servers" -path "dc=contoso,dc=com" $ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"' Get-ADComputer "Exchange Server" | Move-ADObject -TargetPath $ExchangeOU.DistinguishedName 2. Create a GPO and link it to the OU that contains the Exchange servers.
Import-Module grouppolicy #RSAT New-GPO -Name "Exchange Server BitLocker Policy" -Domain contoso.com New-GPLink -Name "Exchange Server BitLocker Policy" -Enforced "yes" -Target $ExchangeOU.DistinguishedName 3. Install the BitLocker module on Exchange servers.
- Start PowerShell with local administrator privileges.
- Run Install-WindowsFeature BitLocker -Restart.
- Reboot the server.
4. Enable TPM on Exchange servers.
- Contact the hardware manufacturer of the hardware BIOS for details on how to enable / activate the TPM module.
- Check TPM status using the Trusted Platform Module Management tool (tpm.msc).
5. Enable the storage of TPM recovery information in Active Directory.
- Open the Exchange console with an account that has the necessary permissions in Active Directory to use the access control entries.
- Run:
Add-ADPermission $ExchangeOU.DistinguishedName -User "NT AUTHORITY\SELF" -AccessRights ReadProperty,WriteProperty -Properties msTPM-OwnerInformation,msTPM-TpmInformationForComputer -InheritedObjectType Computer -InheritanceType Descendents
6. Configure Bitlocker settings in a GPO.
- Open the Group Policy Management Console (gpmc.msc).
- Navigate the hierarchy to the OU containing the Exchange servers.
- Right-click the Exchange Server BitLocker Policy and select Edit.
- Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, and open BitLocker Drive Encryption.
In the right pane, double-click Choose drive encryption method and cipher strength. Select the Enabled option. If you want to use the AES algorithm with 256-bit encryption, select it and click OK.
- Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, open BitLocker Drive Encryption, open Operating System Drives.
In the right pane, double-click Require additional authentication at startup. Select the Enabled option. If you want to disable or change any of the authentication methods, do it, and click OK.
- In the right pane, double-click Choose how BitLocker-protected operating system drives can be recovered. Select the Enabled option. Select Do not enable BitLocker for operating system drives. Click OK.
- In the right pane, double-click Enforce drive encryption type on operating system drives. Select the Enabled option. Select the option Used Space Only encryption for the encryption type. Click OK.
- Open Computer Configuration, open Policies, then Administrative Templates, then Windows Components, then BitLocker Drive Encryption, now open Fixed Data Drives
In the right pane, double-click Choose how BitLocker-protected fixed drives can be recovered. Select Enabled. Select Do not enable BitLocker for fixed data drives. Click OK.
- In the right pane, double-click Enforce drive encryption type on fixed drives. Select Enabled. Select the option Used Space Only encryption for the encryption type. Click OK.
- Open Computer Configuration, the next step Policies, then Administrative Templates, then open System, then Trusted Platform Module Services.
In the right pane, double-click Turn on TPM backup to Active Directory Domain Services. Select Enabled. Click OK.
- Ensure that Group Policy applies to Exchange servers.
$Servers = Get-AdComputer -SearchBase $ExchangeOU.DistinguishedName -Filter Foreach ($Server in $Servers) {invoke-gpupdate -Computer $Servers.Name -Force -Target Computer} - Enable OS encryption.
Create a recovery key: manage-bde -protectors -add -RecoveryPassword C:
Run the following command on the system OS disk: manage-bde -on C: –usedspaceonly - Enable data volume encryption (C: \ ExchangeVolumes \ ExVol1 determines the mount point for the Exchange data volume, replace if necessary).
Create a recovery key: manage-bde -protectors -add -RecoveryPassword "C: \ ExchangeVolumes \ ExVol1"
Perform the following steps for each Exchange database volume: manage-bde -on "C: \ ExchangeVolumes \ ExVol1" –usedspaceonly
Perform the following steps for each Exchange database volume to enable automatic unlocking: Enable-BitLockerAutoUnlock -MountPoint "C: \ ExchangeVolumes \ ExVol1"Note: Bad disk sectors can lead to volume encryption failures with BitLocker. For more information, please see Event ID 24588 .
Exchange Data Encryption Script
In a situation where TPM cannot be used (for example, the server does not have TPM, or is virtualized), encrypting the OS system volume requires the use of a password or USB key to allow the operating system to boot correctly. Since this can negatively affect the Exchange services, you can refuse to encrypt the OS system volume. Instead, you can encrypt data volumes. Since the OS system volume is not encrypted, the OS cannot automatically unlock the encrypted volumes upon boot. Thus, one of two conditions must be met:
1. The administrator manually enters the recovery key and unlocks each disk after the OS boots.
2. A scheduled task is running to unlock encrypted volumes during OS boot.
The following steps describe how to set up a scheduled task and assume that Exchange Server is running Windows Server 2012 R2 or later.
- Create an organizational unit (OU) containing the Exchange servers, if one does not exist.
New-ADOrganizationalUnit "Exchange Servers" -path "dc=contoso,dc=com" $ExchangeOU = Get-ADOrganizationalUnit "Exchange Servers" Get-ADComputer "Exchange Server" | Move-ADObject -TargetPath ExchangeOU.DistinguishedName - Create a GPO and link it to the OU that contains the Exchange server.
Import-Module grouppolicy #RSAT New-GPO -Name "Exchange Server BitLocker Policy" -Domain contoso.com New-GPLink -Name "Exchange Server BitLocker Policy" -Enforced "yes" -Target $ExchangeOU.DistinguishedName - Create a BitLocker service account for a scheduled task (_bitlockersvc).
- Create a security group to manage BitLocker by placing the security group in a secure container.
New-ADGroup -name "Exchange BitLocker Management" -groupscope Universal -path "cn=users,dc=coe,dc=local" Add-ADGroupMember "Exchange BitLocker Management" -members "_bitlockersvc", "Organization Management" - Install the BitLocker module on Exchange servers
Install-WindowsFeature BitLocker - Reboot the server.
- Add the BitLocker security group to the local administrators group on all Exchange servers
- Grant the BitLocker security group access to the msFVE-RecoveryPassword AD object. This allows accounts to access the recovery password.
$ExchangeOU = Get-OrganizationalUnit "Exchange Servers" DSACLS $ExchangeOu.DistinguishedName /I:T /G "contoso\Exchange BitLocker Management:CA;msFVE-RecoveryPassword" - Configure BitLocker encryption settings in a GPO.
- Ensure that Group Policy applies to Exchange servers.
$Servers = Get-AdComputer -SearchBase $ExchangeOU.DistinguishedName -Filter Foreach ($Server in $Servers) {invoke-gpupdate -Computer $Servers.Name -Force -Target Computer} - Enable data volume encryption (C: \ ExchangeVolumes \ ExVol1 determines the mount point for the Exchange data volume, replace if necessary).
Perform the following steps for each Exchange database volume: Manage-bde -on "C: \ ExchangeVolumes \ ExVol1" -rp -usedspaceonly - Ensure that recovery keys are stored in Active Directory.
a. Download BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory
b. Run Get-BitLockerRecoveryInfo.vbs
c. If the script does not return any data, back up the recovery keys by loading and executing BDEAdBackup.vbs . - Create a script that unlocks data volumes when the OS boots.
Save the file below in the scripts directory (for example, c: \ bitlocker).UnlockDrives.ps1 $computer = Get-ADComputer $env:computername $RecoveryInformations = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $computer.distinguishedname -properties * $vols = gwmi win32_encryptablevolume -Namespace "Root\CIMV2\Security\MicrosoftVolumeEncryption" $lockedvols = $vols | ? {$_.GetLockStatus().LockStatus -eq 1} $vols[0].GetKeyProtectors().VolumeKeyProtectorID foreach($lockedvol in $lockedvols) { $RecoveryInformations | % {$lockedvol.UnlockWithNumericalPassword($_."msFVE-RecoveryPassword")} } - Create a scheduled task that will start at system startup and unlock data volumes, replacing the items highlighted in bold.
a. Save the file in the scripts directory.
b. Run schtasks / create / s $ env: computername / ru contoso \ _svcexbitlocker / rp / XML c: \ Bitlocker \ UnlockDrivesAtStart.xml / TN UnlockDrivesAtStartSpoiler header<?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-04-16T12:07:14.9465954</Date> <Author>contoso\exadmin</</Author> <Description>Script unlocks Exchange data drives at OS startup</Description> </RegistrationInfo> <Triggers> <BootTrigger> <Enabled>true</Enabled> </BootTrigger> </Triggers> <Principals> <Principal id="Author"> <UserId>contoso\_bitlockersvc</UserId> <LogonType>Password</LogonType> <RunLevel>HighestAvailable</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command> <Arguments>-Command .\UnlockDrives.ps1</Arguments> <WorkingDirectory>DIRECTORY_FOR_UNLOCKDRIVES.PS1</WorkingDirectory> </Exec> </Actions> </Task>
System changes
It is important to remember that any of the following changes in the system can lead to integrity check failures and prevent TPM from releasing the BitLocker key to decrypt protected volumes:- Moving a BitLocker encrypted drive to a new computer.
- Installing a new motherboard with a new TPM module.
- Shut down, shut down or clear TPM.
- Change any boot configuration settings.
- Change the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other components at the start of the boot or boot configuration data.
- Apply BIOS / UEFI firmware updates.
As part of your standard operating procedure, it is better to suspend BitLocker encryption (via the Suspend-BitLocker cmdlet) before making any changes to the server. In addition, make sure that any hardware and software configuration changes are successfully tested in a test environment (with BitLocker enabled) before deploying to production.
In addition, ensure that a standard operating recovery procedure is developed in case there is a need to restore BitLocker. This will minimize downtime. For more information, refer to the BitLocker Recovery Guide .
Disk Maintenance Works
During the life cycle of the server, the disks fail. As part of your standard operating procedures, you must make sure that when the disk is replaced with a new one, the volume is formatted and encrypted using BitLocker.
In case you use AutoReseed to restore a failed disk, you have two options: formatting and disk encryption before using or encryption after a failure.
Formatting and encrypting disks before use
In this case, your standard procedure should prevent formatting backup disks via Disk Reclaimer . Instead, you format and encrypt all backup disks before use.
1. Disable Disk Reclaimer on DAG: Set-DatabaseAvailabilityGroup -AutoDagDiskReclaimerEnabled $ false
2. Format and encrypt all backup disks. Do not assign mount points or drive letters.
3. As soon as the disks fail, AutoReseed will assign the backup disks, replacing the failed volumes, and re-fill the damaged copies of the databases.
4. Schedule maintenance time. Replace the failed drives. Format and encrypt new ones.
Encryption after failure
In this case, your standard procedure will allow Disk Reclaimer to format backup disks (default behavior). After the backup disk is formatted and the databases are full, you encrypt the disk.
1. In the event of a disk failure, AutoReseed allocates, redistributes, and formats a spare disk.
2. AutoReseed initiates a refill operation.
3. Using SCOM, or another management tool, you monitor events 1127 (initiates a database refill operation) and 826 (completion of the database refill process) that are located on the Microsoft-Exchange-HighAvailability / Seeding channel.
4. Schedule maintenance for the affected server and encrypt the new volume.
Conclusion
I hope this information will help you better understand BitLocker encryption and settings on Exchange servers. As indicated, the recommended approach is to use TPM to store recovery information, which allows the operating system to unlock data volumes automatically at boot time. However, if your servers do not have access to TPM, you can use encryption of data volumes only and develop a mechanism for unlocking volumes during the OS boot phase.
We will be happy to answer any questions you may have.
An article based on blogs.technet.com/b/exchange/archive/2015/10/20/enabling-bitlocker-on-exchange-servers.aspx
Yours, Servilon Team
Source: https://habr.com/ru/post/270015/
All Articles