Meeting the InCommon Assurance profile criteria using Active Directory

[Brian Arkills <>]

Assuming that's the question, then yes, I believe that's a valid approach. I'm not sure there is an obligation to only have DC VMs on those HyperV hosts though. I can't think of a reason related to silver assurance that demands that you isolate a DC VM, i.e. not have it share the same host infrastructure as other VMs.

 

To spin this question a bit further ... I'll probably deploy a DC on an Azure VM this calendar year to support our Azure IaaS strategic initiative. But Azure doesn't provide access to the HyperV hosts (that's the whole point of IaaS). And to my understanding they don't Bitlocker the underlying host. And you have no idea what other VMs are on the host your DC VM is on, so if there was some obligation related to a cross-VM hypervisor vulnerability, that'd also be out the window. I'm not worrying too much about these problems currently, but they are on my mind.

 

From: Brian Arkills
Sent: Friday, January 24, 2014 11:35 AM
To:
Subject: RE: BitLocker operational issues

 

I think you meant:

 

Would it work to add additional physical servers (HyperV hosts) and then perhaps restrict the DC’s to the subset of HyperV hosts that have Bitlocker full disk encryption, and not host other VMs on those HyperV hosts?

 

From: [] On Behalf Of Capehart,Jeffrey D
Sent: Friday, January 24, 2014 10:53 AM
To:
Subject: [AD-Assurance] RE: BitLocker operational issues

 

Ron,

 

[resurrecting discussion from last summer…]

 

Any update on BitLocker operational issues when using VM’s for Domain Controllers?  Would it work to add additional physical servers and then perhaps restrict the DC’s to the subset of VM’s that have Bitlocker full disk encryption, and not share other tenants?

 

Jeff

 

From: [] On Behalf Of Ron Thielen
Sent: Friday, June 07, 2013 8:15 PM
To:
Subject: [AD-Assurance] RE: BitLocker operational issues

 

Let me also be clear.  I am not saying that we shouldn’t point out that BitLocker may be reasonable for some institutions.  However as we used to say when presenting performance and capacity planning studies, YMMV (Your Mileage May Vary).  We should point that out as well.

 

Ron

 

From: [] On Behalf Of Ron Thielen
Sent: Friday, June 07, 2013 7:09 PM
To:
Subject: [AD-Assurance] RE: BitLocker operational issues

 

That depends on the risk you’re mitigating and how BitLocker on the Hyper-V host actually worked, regarding which I have no clue.  For example, would that still means that sectors were only decrypted when the virtual machine when to read a VHD sector which needed to be brought in from physical disks.  It is sort of analogous to the question of whether using TPM protected disks is sufficient.  The answer is “it depends.”

 

In my case, since we have a sort of site license for VMWare, it isn’t relevant.  We aren’t going to use Hyper-V.  We actually found the links I cited by going to VMWare first and checking whether they supported BitLocker on VMs.

 

Ron

 

From: [] On Behalf Of Michael W. Brogan
Sent: Friday, June 07, 2013 4:40 PM
To:
Subject: [AD-Assurance] RE: BitLocker operational issues

 

This link has a doc from MS that describes how to install Bitlocker on a Windows 2008 Hyper-V host.

http://www.microsoft.com/en-us/download/details.aspx?id=6416

 

The link you cited below says

 

“BitLocker does not support the encryption of VHDs, but does permit storage of VHDs on a BitLocker-protected drive.”

 

and

 

“BitLocker is not supported for use within a virtual machine. Do not run BitLocker Drive Encryption within a virtual machine. You can use BitLocker in the virtual machine management operating system to protect volumes that contain configuration files, virtual hard disks, and snapshots.”

 

So, just to understand better, is it the case that you can’t install Bitlocker in the tenant OS but it can be installed on the Hyper-V host? And, if the latter is true, wouldn’t the tenant benefit from the disk encryption provided by the host?

 

--Michael

 

 

From: [] On Behalf Of Ron Thielen
Sent: Friday, June 07, 2013 11:59 AM
To:
Subject: [AD-Assurance] BitLocker operational issues

 

I raised the question about BitLocker operational issues, because something was  nagging at the back of my mind.  I asked the Windows admins and they pointed me in the right direction.

 

It turns out that there is a significant issue that may affect some institutions.  BitLocker is not supported in virtual environments by either Microsoft or VMware.  We run some of our domain controllers on VMware VMs, so this is certainly an issue for us.

http://technet.microsoft.com/en-us/library/hh831507.aspx#BKMK_VHD

and

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2036142

 

I guess we have to decide whether to move our VMs to physical hardware and lose the advantages that virtualization provides or submit an alternative means statement for RC4.

 

Ron