ad-assurance - [AD-Assurance] bitlocker and virtual DCs--namely, can you do it?
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: Brian Arkills <>
- To: "" <>
- Subject: [AD-Assurance] bitlocker and virtual DCs--namely, can you do it?
- Date: Wed, 29 May 2013 17:08:57 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport07.merit.edu; dkim=neutral (message not signed) header.i=none
There was a question raised in a past call about this, but I believe it went unanswered and was not captured by an action item. Here's the answer: Yes.

Basically, as long as the volume the VHD is stored on has BitLocker encryption, then the VM has the BitLocker at-rest protection. http://download.microsoft.com/download/4/1/d/41d3cbff-6a2d-457e-a6ab-0e1607629c16/Windows_Server_2008_Hyper-V_and_BitLocker_Drive_Encryption_(2008-05-27).docx covers using BitLocker with Hyper-V, and this is directly applicable to a VM that is a DC.

This, of course, doesn't preclude the other risks around a VM, which brings in two other marginally related resources:

- Running Domain Controllers in Hyper-V: http://technet.microsoft.com/en-us/library/dd363553(v=ws.10).aspx
- Best Practices for Securing Active Directory (just released, and yes, this is a Microsoft paper despite the odd URL)

This latter paper is interesting for our purposes, although quite large (314 pages). I'm still trying to digest it, and uncovering other new things from it, like: Mitigating Pass-the-Hash Attacks and Other Credential Theft Techniques, which includes sections like "Why can't Microsoft release an update to address this issue?" and "How can your organization mitigate the risk of a PtH attack?"

Lots of interesting material here ...

-B
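The post's criterion is that a virtual DC inherits BitLocker at-rest protection only if the volume holding its VHD is itself protected. The following is an added example, not part of the original message or of any Microsoft document it links: a host-side check that walks every Hyper-V VM, resolves the volume behind each attached VHD/VHDX, and reports whether that volume is fully encrypted with protection turned on. It assumes the Hyper-V and BitLocker PowerShell modules (Windows Server 2012 or later, so newer than the Server 2008 Hyper-V the linked paper covers) and an elevated session on the Hyper-V host; the function name Test-VhdAtRestProtection is made up for this example.

```powershell
# Added example (not from the original post): verify that each VM's VHD/VHDX lives on a
# volume whose BitLocker protection is actually On, not merely "encrypted".
# Assumes the Hyper-V and BitLocker modules (Windows Server 2012+) and an elevated session.
Import-Module Hyper-V
Import-Module BitLocker

function Test-VhdAtRestProtection {
    [CmdletBinding()]
    param()

    foreach ($vm in Get-VM) {
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            $path = $disk.Path
            # Pass-through physical disks have no VHD path; they need a separate review.
            if (-not $path) { continue }

            if ($path.StartsWith('\\')) {
                # SMB share or CSV path: the hosting volume belongs to another system,
                # so the BitLocker check has to be run there, not on this host.
                [pscustomobject]@{
                    VM = $vm.Name; Vhd = $path; Volume = 'remote'
                    BitLocker = 'Unknown (SMB/CSV, check on file server)'; Ok = $false
                }
                continue
            }

            # "C:" for a path like C:\VMs\dc01.vhdx
            $qualifier = Split-Path -Path $path -Qualifier -ErrorAction SilentlyContinue
            $bl = $null
            if ($qualifier) {
                $bl = Get-BitLockerVolume -MountPoint $qualifier -ErrorAction SilentlyContinue
            }

            # FullyEncrypted alone is not sufficient: a suspended protector (for example
            # during firmware updates) leaves the volume encrypted but ProtectionStatus Off.
            $ok = [bool]($bl -and
                         $bl.VolumeStatus -eq 'FullyEncrypted' -and
                         $bl.ProtectionStatus -eq 'On')
            $status = if ($bl) {
                "$($bl.VolumeStatus) / Protection $($bl.ProtectionStatus)"
            } else {
                'No BitLocker volume information'
            }

            [pscustomobject]@{
                VM = $vm.Name; Vhd = $path; Volume = $qualifier
                BitLocker = $status; Ok = $ok
            }
        }
    }
}

# Any row with Ok = False is a VM (DC or otherwise) without host-enforced at-rest protection.
Test-VhdAtRestProtection | Format-Table -AutoSize
```

Two caveats when reading the output: checkpoint (.avhdx) and differencing-disk parent files can sit on a different volume than the path reported for the VM, so a complete audit should also follow the chain from Get-VHD's ParentPath, and the check says nothing about the other VM-specific risks the post mentions (copied or snapshotted VHDs, host administrators who can mount the disk while the host is running), which BitLocker on the host volume does not address.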