RODCs and BitLocker
Posted by BPuhl on July 31, 2008
I’m not entirely sure why this keeps coming up, but I keep getting e-mails asking whether we are using BitLocker drive encryption on our regional domain controllers, specifically on our RODCs. The problem isn’t the frequency of the question (about once a week now), nor the answer (no, we aren’t)… no… My issue is that when people keep asking me, and I tell them no, then they want to argue the point. I keep wondering to myself whether maybe I’m wrong, and we should be? It happens often (me being wrong)…
So here’s the definitive answer of the moment: Yes, MSIT is deploying Windows Server 2008 Read Only Domain Controllers to the vast majority of our regional locations. We are working closely with some other teams to ultimately host those RODCs inside of Hyper-V as virtual machines, but for right now, they are dedicated servers. Many of them are running Server Core, some of them are not. And none of them are running BitLocker.
The reason that we’re not running BitLocker is the result of “Brian’s careful analysis”, which looks something like the following: BitLocker has 4 TPM-based modes of operation (not counting the non-TPM mode). These are:
- TPM Only
- TPM + USB Key
- TPM + PIN
- TPM + PIN + USB Key
Operationally, there is some administrative overhead to configuring BitLocker on the server, so at minimum the value that we get out of having it needs to be greater than what we put into it. Out of these 4 options, TPM by itself doesn’t really give us a whole lot of value, because if our RODC grows legs and walks down to the pub, it’s going to boot up just fine as soon as it gets some juice. Options 3 and 4 both require PINs, and the absolute last thing that we want to have happen is for someone to have to remote into the management board to enter a PIN from a thousand miles away, while the users in the site are all going upstream. That’s why we configure our regional DCs to automagically reboot after a crash – we want them back online. Imagine what this would do to all of us who remotely bounce a server using shutdown.exe, and then ping -t until it comes back up… blah…
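The trade-off above (TPM-only protectors let a stolen box boot; PIN-based protectors block an unattended restart) can be audited from the key protectors BitLocker has on a volume. The script below is an added example, not something from the original post or from MSIT; it assumes the BitLocker PowerShell module (`Get-BitLockerVolume`, shipped with Windows 8 / Server 2012 and later, so newer than the Server 2008 boxes the post describes; on those, `manage-bde -protectors -get C:` lists the same protector types). The function name `Get-UnattendedRebootRisk` and its output fields are my own invention.

```powershell
# Added example (not from the original post). Assumes the BitLocker module's
# Get-BitLockerVolume cmdlet; "Get-UnattendedRebootRisk" is a hypothetical name.
function Get-UnattendedRebootRisk {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # A volume holds at most one TPM-based protector, so the first match below
    # identifies which of the four TPM modes from the post is in use.
    $mode = switch ($true) {
        ($types -contains 'TpmPinStartupKey') { 'TPM + PIN + USB Key'; break }
        ($types -contains 'TpmPin')           { 'TPM + PIN';           break }
        ($types -contains 'TpmStartupKey')    { 'TPM + USB Key';       break }
        ($types -contains 'Tpm')              { 'TPM Only';            break }
        default                               { 'No TPM protector' }
    }

    # Unattended reboot works when protection is off, when the TPM alone
    # unseals the key, or when the startup key is physically present (the
    # post's "USB key inside the case"). Any PIN mode needs a human at boot.
    $unattended = ($vol.ProtectionStatus -eq 'Off') -or
                  ($types -contains 'Tpm') -or
                  ($types -contains 'TpmStartupKey')

    # Flip side of the same trade-off: a mode that reboots unattended also
    # boots for whoever walks off with the server.
    $bootsIfStolen = ($vol.ProtectionStatus -eq 'Off') -or ($types -contains 'Tpm')

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        ProtectionStatus    = $vol.ProtectionStatus
        TpmMode             = $mode
        UnattendedRebootOK  = $unattended
        BootsIfStolen       = $bootsIfStolen
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

# Usage: run as an administrator on the server being audited.
Get-UnattendedRebootRisk -MountPoint 'C:' | Format-List
```

`UnattendedRebootOK` and `BootsIfStolen` are deliberately reported side by side: on a TPM-only volume both are true, on a TPM + PIN volume both are false, which is exactly the choice the post describes having to make for a remote DC. `HasRecoveryPassword` is worth checking too, since a PIN-mode server that has no escrowed recovery password is the worst of both worlds after a crash.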
I was part of a hilarious conversation with some folks on the BitLocker team and the MSIT hardware team (who were pushing for us to use it). They proposed that for option #2, TPM + USB, that we could leverage the USB ports on the motherboard, so that the USB key was actually inside the case (when the bad guys stole it).
Of course, every time I tell THAT story, the conversation devolves into the type of pyrotechnic ejection sequence which could be initiated when the server is pulled from the rack. Just imagine undoing the screws, sliding the server out, and POOF – the USB key launches out of the case at high speed, impacting the ceiling, and shattering into a thousand tiny bits.
When I told Laura about this one day recently, she did pose an optimization – after all, the key breaking up on impact with the ceiling isn’t completely reliable – so instead, she was opting for the small trap door container above the server. The explosive still fires, the USB key still launches, but when it’s in the container in the ceiling, the door slides shut to “catch” the key, and keep it safe from the bad guys (who are walking away with the server). Does it feel like we’re bordering on the ridiculous?
Like I said above… maybe I’m wrong here… but personally, I’d rather have my servers running after a reboot (without manual intervention), and I’d prefer it if they didn’t come armed with explosives. Call me crazy.
Oh yeah – and before the marketing, BitLocker, or anyone else jumps down my throat – I’m ONLY talking about not wanting to run BitLocker on my RODCs. Both of my laptops have been BitLocker’d since pre-Vista-RTM, and are re-BitLocker’d after each flatten & rebuild.