Network World

Locking Down a Server with BitLocker

You may have a server (for example, one that sits in the DMZ) that you want to really lock down, protecting the contents of the server's hard drives, including items that we don't necessarily assume are at risk, such as the paging files, applications, and data used by applications. Windows Server 2008 embraces Microsoft's new encryption feature, BitLocker, which was created during the development cycle that produced Windows Vista and Windows Server 2008.

When I first examined BitLocker during Vista's development, I was hoping that Microsoft would include this feature when they rolled out Windows Server 2008, and they didn't disappoint me. BitLocker can be used to encrypt data volumes and the volume that contains the Windows operating system. BitLocker does have hardware requirements. To make full use of all BitLocker features, a server with a compatible TPM microchip (TPM 1.2) and BIOS is required, meaning a very recent server system that you ordered with the TPM chip. The TPM chip is where the encryption and decryption keys for BitLocker are stored.

BitLocker also requires two volumes on the drive that contains the Windows Server 2008 operating system. You must create the volumes before you install Windows Server 2008, and both volumes must be formatted with the NTFS file system. One volume is for the Windows operating system, and BitLocker encrypts this volume (protecting the OS files and other information such as password files). The second volume (which can be much smaller than the Windows OS volume) serves as the active volume so that the system boots, and BitLocker does not encrypt it. This second volume, the system volume, must be at least 1.5 GB. Remember when you set up the volumes that this small volume is the active partition.

If you don't have a TPM-compliant server, you can still take advantage of some of BitLocker's features (yes, there is a workaround). However, you must be able to boot the server via a USB drive (enabled in the BIOS), because the BitLocker key is then stored on the USB drive. After you configure the server volumes as previously discussed and install Windows Server 2008, you will have to edit the Local Group Policy, which by default is configured so that a TPM is required. Run gpedit.msc and then expand the Local Computer Policy, Computer Configuration, Administrative Templates, and Windows Components nodes. Then select the BitLocker Drive Encryption node. In the details pane, double-click Control Panel Setup: Enable Advanced Startup Options. In the Control Panel Setup: Enable Advanced Startup Options Properties dialog box, click Enabled (near the top of the dialog box). The Allow BitLocker Without a Compatible TPM check box should also be checked.

Now (whether you are using a TPM or the USB workaround), use the Add Features wizard in the Server Manager window to add the BitLocker Drive Encryption feature. You can then enable BitLocker via the BitLocker Drive Encryption icon in Control Panel.
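The volume-layout rules and the Local Group Policy steps above are easy to get wrong and only show up as a failure when you try to turn BitLocker on. The following Windows PowerShell script is an added pre-flight check, not code from the original article or from Microsoft; it reports whether the box has a usable TPM, whether the active partition is a separate NTFS volume of at least 1.5 GB distinct from the Windows volume, and whether the "Allow BitLocker Without a Compatible TPM" policy has been set. It assumes (my assumptions, not the article's) that the WMI classes Win32_Tpm, Win32_DiskPartition, Win32_LogicalDisk and the association Win32_LogicalDiskToPartition are available, and that the policy writes the UseAdvancedStartup and EnableBDEWithNoTPM values under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example (not from the original Network World post): BitLocker pre-flight
# check for Windows Server 2008. Run from an elevated Windows PowerShell prompt.
# Assumptions: Win32_Tpm lives in root\CIMV2\Security\MicrosoftTpm, and the
# "Enable Advanced Startup Options" policy writes UseAdvancedStartup and
# EnableBDEWithNoTPM under HKLM\SOFTWARE\Policies\Microsoft\FVE.

$MinSystemVolumeBytes = 1.5GB   # minimum size the article gives for the system volume

function Test-TpmReady {
    # $true when a TPM is present, enabled and activated in the BIOS; $false otherwise.
    $tpm = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftTpm" -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        Write-Host "TPM: none reported by WMI (USB startup-key workaround required)"
        return $false
    }
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    Write-Host ("TPM: spec {0}, enabled={1}, activated={2}" -f $tpm.SpecVersion, $enabled, $activated)
    return ($enabled -and $activated)
}

function Test-VolumeLayout {
    # The active partition must be a separate NTFS volume of at least 1.5 GB, and
    # the Windows volume ($env:SystemDrive) must sit on a different partition.
    $ok = $true
    $active = @(Get-WmiObject Win32_DiskPartition | Where-Object { $_.BootPartition })
    if ($active.Count -eq 0) {
        Write-Host "Layout: no active partition found"
        return $false
    }
    foreach ($part in $active) {
        # Map the partition to its logical disk (drive letter, file system).
        $query = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($part.DeviceID)'} WHERE AssocClass=Win32_LogicalDiskToPartition"
        $vol = Get-WmiObject -Query $query
        $letter = if ($vol) { $vol.DeviceID }   else { "(no drive letter)" }
        $fs     = if ($vol) { $vol.FileSystem } else { "(unknown)" }
        Write-Host ("Layout: active partition {0} -> {1}, {2}, {3:N0} MB" -f $part.DeviceID, $letter, $fs, ($part.Size / 1MB))
        if ($part.Size -lt $MinSystemVolumeBytes) {
            Write-Host "  problem: active partition is smaller than 1.5 GB"
            $ok = $false
        }
        if ($fs -ne "NTFS") {
            Write-Host "  problem: active partition is not formatted with NTFS"
            $ok = $false
        }
        if ($vol -and ($vol.DeviceID -eq $env:SystemDrive)) {
            Write-Host "  problem: Windows is installed on the active partition; BitLocker needs a separate OS volume"
            $ok = $false
        }
    }
    return $ok
}

function Test-NoTpmPolicy {
    # Reads the local policy values that the gpedit.msc steps in the article set.
    $fve = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -ErrorAction SilentlyContinue
    $allowed = ($fve -ne $null) -and ($fve.UseAdvancedStartup -eq 1) -and ($fve.EnableBDEWithNoTPM -eq 1)
    Write-Host ("Policy: BitLocker without a compatible TPM allowed = {0}" -f $allowed)
    return $allowed
}

$tpmReady = Test-TpmReady
$layoutOk = Test-VolumeLayout
$policyOk = Test-NoTpmPolicy

if (-not $layoutOk) {
    Write-Host "RESULT: fix the volume layout (recreate the volumes before installing Windows); BitLocker cannot be enabled on this layout"
} elseif ($tpmReady) {
    Write-Host "RESULT: ready for TPM-protected BitLocker (Server Manager -> Add Features -> BitLocker Drive Encryption)"
} elseif ($policyOk) {
    Write-Host "RESULT: no usable TPM, but the policy allows the USB startup-key workaround"
} else {
    Write-Host "RESULT: no usable TPM and the policy still requires one; set 'Allow BitLocker Without a Compatible TPM' first"
}
```

The layout check is the one worth running before the operating system goes on, since the volumes cannot be rearranged afterwards without reinstalling; the policy check is useful after the Group Policy edit to confirm the setting actually landed in the registry before you open the BitLocker Control Panel item.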

BitLocker obviously isn't going to help secure existing server installations, including servers that you upgrade to Windows Server 2008 from earlier versions of Microsoft's NOS, that haven't been configured with the appropriate volumes. However, you can take advantage of it on new server installations and (believe it or not) on any virtual servers that you configure using the Windows Server 2008 virtualization capabilities or third-party virtualization platforms such as VMware. Give it a try!