I run a Windows Server 2003 network here at a school district. I'm wondering about encryption for the servers here. Just to provide extra disk protection incase the server drives are ever compromised.
Does anyone here run software like truecrypt to encrypt a full hard drive? I'd also like to do this on all the school laptops.
As for the servers, if anybody does full drive encrypt their servers and use onthefly encryption and decryption, how does it work with RAID arrays? Am I going to lose my data when I boot the server next because the Dell PowerEdge hardware raid utility can't find the volume?
Thanks!
- Follow via:
- RSS
- Email Alert
Question
0
Votes
[ANSWERED] Should I disk encrypt my servers?
Updated - 1st Feb 2008
Answers (2)
0
Votes
probably not
Disk encryption is generally valuable only when the system isn't running. This means it's generally far less important for servers, which are usually expected to be running all the time. You probably don't need disk encryption for your servers. This is not always true, and I don't know enough about your particular circumstance to be able to give a 100% certain answer -- but chances are good that disk encryption is not what you need for the servers.
On the other hand . . . volume encryption on laptops is an excellent idea. This is especially true if they are likely to carry sensitive information, of course. Mobile systems are the most important to secure with disk encryption.
TrueCrypt is a good disk encryption solution for MS Windows systems. You could definitely do far worse -- it's a lot better than the disk encryption offered by Microsoft.
On the other hand . . . volume encryption on laptops is an excellent idea. This is especially true if they are likely to carry sensitive information, of course. Mobile systems are the most important to secure with disk encryption.
TrueCrypt is a good disk encryption solution for MS Windows systems. You could definitely do far worse -- it's a lot better than the disk encryption offered by Microsoft.
24th Jan 2008
Replies
Thanks for your reply! That's basically what I was thinking after awhile and I really like your thoughts for it. More important for physical security for servers probably eh?
I'll definitely secure the laptops as since I'm working in a school district they can contain medical information, student information, government student records etc. so I'll definitely be locking those down.
What I'm wondering now is for backing up information, how do you recommend doing that? Using something like a simple Windows Backup utility would be able to add a password to the overall backup file, but as you mentioned the Windows encryption isn't exactly the strongest and a few searches on google will find you a top result for freeware for cracking EFS and Windows encryption.
What methods does everyone here use for Backing up and encrypting either on the fly or...off...the fly...?
I'll definitely secure the laptops as since I'm working in a school district they can contain medical information, student information, government student records etc. so I'll definitely be locking those down.
What I'm wondering now is for backing up information, how do you recommend doing that? Using something like a simple Windows Backup utility would be able to add a password to the overall backup file, but as you mentioned the Windows encryption isn't exactly the strongest and a few searches on google will find you a top result for freeware for cracking EFS and Windows encryption.
What methods does everyone here use for Backing up and encrypting either on the fly or...off...the fly...?
link470
25th Jan 2008
usually you only want to encrypt business critical information [or that information required by law to encrypt].
We use Backup Exec 11c which allows encryption ....
here's a MS article on encyption:
http://support.microsoft.com/kb/223178
make sure the recovery agent isn't lost. lock it up in a lock box somewhere....
We use Backup Exec 11c which allows encryption ....
here's a MS article on encyption:
http://support.microsoft.com/kb/223178
make sure the recovery agent isn't lost. lock it up in a lock box somewhere....
CG IT
25th Jan 2008
In general, I'd say that you should have backups done via a backup server on-site, and duplicate (encrypted) backups sent to a second location off-site. Have your mobile systems run client-initiated backups whenever they connect to the network via wire locally, and have everything else do backups on a preconfigured server-initiated backups schedule during office downtimes with low network traffic.
A common scheme involves periodic full backups and frequent incremental backups. For instance, you might do something like this:
0. Create and store cryptographic hashes of each filesystem just before doing a full backup, in every case.
1. Servers do full backups on Sunday, incremental backups the rest of the week.
2. Workstations and laptops do full backups during downtime on every day of the week other than Sunday and Saturday. Have them all in a queue so that backups are performed for some reasonable amount of time each day, then the next systems in line to be backed up are done the next day during downtime. Don't worry if it takes you a month to get through them all, in general -- the theory is that servers have the data that needs to be backed up more often. How you fit your laptops into this is often some kind of compromise, as people typically don't want to leave laptops at work doing backups while they're at home. Kinda defeats the purpose of having a laptop.
3. Always maintain at least two full backups before reusing storage space from a previous backup. In other words, don't reuse the space used for a given backup until that same machine has at least two newer backups.
4. Do incremental backups for everything on the network often -- every day or every other day for each system. Keep incremental backups on the same schedule as full backups, and start new incremental backups from each new full backup. The rsync tool works great for this, if you're working with Unix or Linux systems.
5. Use version control systems such as Subversion (TortoiseSVN is a great MS Windows client for Subversion) if you have shared resources that should be available for work off-site with your laptops.
6. Test your backups regularly. At minimum, have a machine with some storage space where you can "restore" backups, then check them against your stored cryptographic hashes to make sure they match. More rigorous testing may be warranted, depending on your circumstances. You should test off-site backups as well, though you generally don't need to test them as often.
7. You can create your off-site backups by simply creating a copy of each full backup and sending it to the off-site location (either through VPN or encrypted tunnel, or carried by hand). The purpose of off-site backups is to ensure you have imortant data even if the server closet gets flooded, or the building is struck by lightning, or burns down, or some yahoo fires up an electromagnet (not likely), or whatever.
8. Always, always make sure you secure your off-site backups and any network communications with the off-site facility so that nobody can do an MITM attack or sniff passwords, et cetera.
9. If you encrypt backups (sometimes a very good idea), make very certain you will not lose the passphrase or key to decrypt. Backups you cannot access are useless.
I wrote some TechRepublic articles that touch on some of these procedures, mostly dealing with open source software. If needed, I can link to them for you, but you should be able to find all of them here. If you follow the link to the "full listing" of IT Security weblog articles, you may find that they're not up to date at any given time, but I do periodically bring that listing up to date.
edit: typo
A common scheme involves periodic full backups and frequent incremental backups. For instance, you might do something like this:
0. Create and store cryptographic hashes of each filesystem just before doing a full backup, in every case.
1. Servers do full backups on Sunday, incremental backups the rest of the week.
2. Workstations and laptops do full backups during downtime on every day of the week other than Sunday and Saturday. Have them all in a queue so that backups are performed for some reasonable amount of time each day, then the next systems in line to be backed up are done the next day during downtime. Don't worry if it takes you a month to get through them all, in general -- the theory is that servers have the data that needs to be backed up more often. How you fit your laptops into this is often some kind of compromise, as people typically don't want to leave laptops at work doing backups while they're at home. Kinda defeats the purpose of having a laptop.
3. Always maintain at least two full backups before reusing storage space from a previous backup. In other words, don't reuse the space used for a given backup until that same machine has at least two newer backups.
4. Do incremental backups for everything on the network often -- every day or every other day for each system. Keep incremental backups on the same schedule as full backups, and start new incremental backups from each new full backup. The rsync tool works great for this, if you're working with Unix or Linux systems.
5. Use version control systems such as Subversion (TortoiseSVN is a great MS Windows client for Subversion) if you have shared resources that should be available for work off-site with your laptops.
6. Test your backups regularly. At minimum, have a machine with some storage space where you can "restore" backups, then check them against your stored cryptographic hashes to make sure they match. More rigorous testing may be warranted, depending on your circumstances. You should test off-site backups as well, though you generally don't need to test them as often.
7. You can create your off-site backups by simply creating a copy of each full backup and sending it to the off-site location (either through VPN or encrypted tunnel, or carried by hand). The purpose of off-site backups is to ensure you have imortant data even if the server closet gets flooded, or the building is struck by lightning, or burns down, or some yahoo fires up an electromagnet (not likely), or whatever.
8. Always, always make sure you secure your off-site backups and any network communications with the off-site facility so that nobody can do an MITM attack or sniff passwords, et cetera.
9. If you encrypt backups (sometimes a very good idea), make very certain you will not lose the passphrase or key to decrypt. Backups you cannot access are useless.
I wrote some TechRepublic articles that touch on some of these procedures, mostly dealing with open source software. If needed, I can link to them for you, but you should be able to find all of them here. If you follow the link to the "full listing" of IT Security weblog articles, you may find that they're not up to date at any given time, but I do periodically bring that listing up to date.
edit: typo
apotheon
26th Jan 2008
I only just got around to reading this now. I just wanted to thank you for typing up such an in depth article about my options. These sound fantastic. I had the main idea down but you pointed out a few extras and some other software alternatives for open source that I can use. REALLY appreciate the time taken. Thanks!
link470
1st Feb 2008
I'm glad you found it valuable. I hope things go smoothly for you.
apotheon
1st Feb 2008
0
Votes
Server=No, Laptop=Yes
There are better ways to protect the server than disk encryption....whenever the server is running, the files are unencrypted, so encryption only helps you if the server is lost or stolen.
For the laptops, I would recommend Encryption Plus from Guardian. Fast, idiot proof, and secure. Been running it for about three years on about 600 laptops with very few issues. Users have no problem with it, yet meets EAL-1 Common Criteria standards.
For the laptops, I would recommend Encryption Plus from Guardian. Fast, idiot proof, and secure. Been running it for about three years on about 600 laptops with very few issues. Users have no problem with it, yet meets EAL-1 Common Criteria standards.
25th Jan 2008
