BPuhl’s Blog

A little bit of everything without actually being much of anything

RODCs and BitLocker

Posted by BPuhl on July 31, 2008

I’m not entirely sure why this keeps coming up, but I keep getting e-mails asking whether we are using BitLocker drive encryption on our regional domain controllers, specifically on our RODCs. The problem isn’t the frequency of the question (about once a week now), nor the answer (no, we aren’t). My issue is that when people keep asking me and I tell them no, they then want to argue the point. I keep wondering to myself whether maybe I’m wrong and we should be. It happens often (me being wrong)…

So here’s the definitive answer of the moment: yes, MSIT is deploying Windows Server 2008 Read Only Domain Controllers to the vast majority of our regional locations. We are working closely with some other teams to ultimately host those RODCs inside of Hyper-V as virtual machines, but for right now they are dedicated servers. Many of them are running Server Core, some of them are not. And none of them are running BitLocker.

The reason that we’re not running BitLocker is the result of “Brian’s careful analysis”, which looks something like the following. BitLocker has four TPM-based modes of operation (not counting the non-TPM mode, where a startup key on a USB stick is the only thing unlocking the drive). These are:

  1. TPM Only
  2. TPM + USB Key
  3. TPM + PIN
  4. TPM + PIN + USB Key

Operationally, there is some administrative overhead to configuring BitLocker on the server, so at minimum the value we get out of having it needs to be greater than what we put into it. Out of these four options, TPM by itself doesn’t give us a whole lot of value for this scenario: the TPM releases the volume key on its own as long as the boot chain measures the same as it did when the key was sealed, so if our RODC grows legs and walks down to the pub, it’s going to boot up just fine (right to the logon screen) as soon as it gets some juice. What TPM-only does stop is pulling the disk and reading it offline in another box, which is a different threat from the one I’m weighing here. Options 3 and 4 both require PINs, and the absolute last thing we want is for someone to have to remote into the management board to enter a PIN from a thousand miles away while the users in the site are all going upstream. That’s why we configure our regional DCs to automagically reboot after a crash: we want them back online. Imagine what this would do to all of us who remotely bounce a server using shutdown.exe and then ping -t until it comes back up… blah…

I was part of a hilarious conversation with some folks on the BitLocker team and the MSIT hardware team (who were pushing for us to use it).  They proposed that for option #2, TPM + USB, that we could leverage the USB ports on the motherboard, so that the USB key was actually inside the case (when the bad guys stole it).

Of course, every time I tell THAT story, the conversation devolves into the type of pyrotechnic ejection sequence which could be initiated when the server is pulled from the rack.  Just imagine undoing the screws, sliding the server out, and POOF – the USB key launches out of the case at high speed, impacting the ceiling, and shattering into a thousand tiny bits.

Telling Laura about this one day recently, she did pose an optimization. After all, the key breaking up on impact with the ceiling isn’t completely reliable, so instead she was opting for a small trap-door container above the server. The explosive still fires, the USB key still launches, but once it’s in the container in the ceiling, the door slides shut to “catch” the key and keep it safe from the bad guys (who are walking away with the server). Does it feel like we’re bordering on the ridiculous?

Like I said above..maybe I’m wrong here…but personally, I’d rather have my servers running after a reboot (without manual intervention), and I’d prefer it if they didn’t come armed with explosives.  Call me crazy.


Oh yeah – and before the marketing, BitLocker, or anyone else jumps down my throat – I’m ONLY talking about not wanting to run BitLocker on my RODCs. Both of my laptops have been BitLocker’d since pre-Vista-RTM, and are re-BitLocker’d after each flatten & rebuild.
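To make the trade-off between the four modes concrete, here is an added example (mine, not code from the original post or from Microsoft) that classifies a volume’s key protectors by whether the server will come back from an unattended reboot, which is the whole argument above. It assumes the BitLocker PowerShell module, which shipped later than this post (Windows 8 / Server 2012 and up); on Windows Server 2008 the same information comes from `manage-bde -status` and `manage-bde -protectors -get C:`. The function names, the constructed protector lists and the `Test-`/`Restart-` helpers are my own.

```powershell
# Added example, not part of the original post. The live query needs the
# BitLocker PowerShell module (Windows 8 / Server 2012 and later) and an
# elevated prompt; the classification function itself needs nothing.

# The four TPM modes from the post, as the Enable-BitLocker switches that set them:
#   1. TPM only          Enable-BitLocker C: -TpmProtector
#   2. TPM + USB key     Enable-BitLocker C: -TpmAndStartupKeyProtector -StartupKeyPath 'F:\'
#   3. TPM + PIN         Enable-BitLocker C: -TpmAndPinProtector -Pin $pin
#   4. TPM + PIN + USB   Enable-BitLocker C: -TpmAndPinAndStartupKeyProtector -Pin $pin -StartupKeyPath 'F:\'
# ($pin is a SecureString. Only mode 1 boots with nobody at the console.)

function Get-UnattendedBootVerdict {
    # Classify a volume by the KeyProtectorType names Get-BitLockerVolume reports
    # (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, ExternalKey, RecoveryPassword).
    # Returns an object with UnattendedBoot (bool) and Reason (string).
    param([string[]] $ProtectorTypes)

    $unattended = $false
    if ($ProtectorTypes -contains 'Tpm') {
        $unattended = $true
        $reason = 'TPM-only: the TPM releases the key by itself when the boot chain measures the same, ' +
                  'so crash reboots and remote shutdown.exe restarts come back unaided. ' +
                  'A stolen box boots to the logon screen; only the pulled-disk, offline case is covered.'
    } elseif ($ProtectorTypes -contains 'TpmPin' -or $ProtectorTypes -contains 'TpmPinStartupKey') {
        $reason = 'A PIN must be typed at the console (or through the management board) on every boot.'
    } elseif ($ProtectorTypes -contains 'TpmStartupKey') {
        $reason = 'Boots unattended only while the USB startup key stays plugged in, ' +
                  'so the key walks away with the server.'
    } elseif ($ProtectorTypes -contains 'ExternalKey' -or $ProtectorTypes -contains 'RecoveryPassword') {
        $reason = 'No TPM protector: the recovery password or external key is demanded on every boot.'
    } else {
        $unattended = $true
        $reason = 'No key protectors reported: BitLocker is not enabled on this volume, so nothing gates the boot.'
    }

    New-Object PSObject -Property @{ UnattendedBoot = $unattended; Reason = $reason }
}

function Test-OsVolumeUnattendedBoot {
    # Live query of the OS volume on this server.
    param([string] $MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { [string] $_.KeyProtectorType })
    $v     = Get-UnattendedBootVerdict -ProtectorTypes $types

    New-Object PSObject -Property @{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = [string] $vol.ProtectionStatus
        Protectors       = ($types -join ', ')
        UnattendedBoot   = $v.UnattendedBoot
        Reason           = $v.Reason
    }
}

function Restart-WithProtectionSuspended {
    # Planned remote reboot of a TPM+PIN box: suspend protection for exactly one
    # restart so nobody has to type the PIN through the management board.
    # This does nothing for the crash-triggered reboots the post worries about.
    param([string] $MountPoint = $env:SystemDrive)

    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    Restart-Computer -Force
}

# Offline demonstration on constructed protector lists (no BitLocker needed):
$cases = @(
    @('Tpm', 'RecoveryPassword'),           # mode 1, with the usual recovery password
    @('TpmPin', 'RecoveryPassword'),        # mode 3
    @('TpmStartupKey', 'RecoveryPassword')  # mode 2, the USB-key-in-the-case plan
)
foreach ($case in $cases) {
    $v = Get-UnattendedBootVerdict -ProtectorTypes $case
    '{0,-32} unattended boot: {1,-5} {2}' -f ($case -join '+'), $v.UnattendedBoot, $v.Reason
}

# Live check on this server (BitLocker module, elevated prompt):
# Test-OsVolumeUnattendedBoot | Format-List
```

The verdict function is the part that matters: only the plain Tpm protector (or a startup key that never leaves the chassis, which is the joke in the post) gets a server back up without a human, and `Suspend-BitLocker -RebootCount 1` only papers over planned restarts, not the crash-and-auto-reboot case. Later Windows versions (Windows 8 / Server 2012 onward) added BitLocker Network Unlock for exactly this gap, letting a TPM+PIN machine unlock without a PIN while it is on its trusted wired network; that did not exist when this was written.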


4 Responses to “RODCs and BitLocker”

  1. John Negus said

    Hi Brian,

    Although I found your article very amusing and I totally agree (mostly), I can think of one benefit of using BitLocker (TPM Only) on a DC in a remote location. It is my experience that you can’t always guarantee the security policies in all your remote locations are kept to. It could be possible, one day, that your DC could go for a long meaningful walk into the sunset. The bad people accompanying your DC might not be able to crack the ultra-strong password that all of your administrators use and be forced to remove the HD to try to access the data on it. KABOOM… foiled by BitLocker. Sure, the bad guys may be part of MI5 and able to work out ways around that, but you can’t always count on that, and it is better to at least try to make it as hard as possible for those pesky bad guys.

    Regards, John

  2. Laura said

    First of all: okay, “You’re crazy.”

    Second: as one of the people who has disagreed with you on this, let me offer a counter-argument to #1, above. (#’s 2, 3, and 4 I’m completely on-board with you – though we would’ve missed the amusement of designing ejection sequences and shattering USB key protocols if we hadn’t had the debate, I feel compelled to point out. :-))

    So, you don’t like TPM-only because it doesn’t buy you anything. And in a case where the RODC walks away and someone fires it up “normally”, you’re absolutely right: once the box boots normally, BitLocker wipes its hands and says “Okay, my job’s done here. I’m going to go get some coffee, call me the next time you reboot.”

    But let’s play a percentages game here. Most “bad guys” who walk away with a box (especially if they figure it’s a DC or something of similar PII value, and have anything resembling a brain in their heads) aren’t going to attempt an online attack against the DIT – the mathematics of the attack would simply take too long. What are they going to do instead? They’re going to yoink the drive and slave it into another box to do an offline attack.

    Oh wait, you just yoinked the drive…a Mister…Locker? wants to talk to you before you go any further?

    Now having made my counter-argument, I’ll make your redirect for you so you don’t have to: the administrative overhead of configuring BL on your RODCs probably doesn’t cut it for you from a CBA standpoint, given all of the other controls you’ve put into building yourselves a bunch of lovely data centres with all kinds of happy physical security. So that’s you, that’s MSIT, and in your particular case I’d probably come down on the “Yeah, not gonna bother” side right along with you.

    But if we generalize the argument for a moment: I think you’d be willing to stipulate that there might be 1 or 2 customers on the planet who can’t necessarily vouch for the physical security of their RODCs (I mean, isn’t that one of the reason y’all gave us RODC’s in the first place?). And if that’s the case, might not BitLocker even in TPM-only mode put one more potentially worthwhile layer on their particular onion?

    (And yes, if you’re smart about your PRP then there aren’t that many secrets to whack away at to begin with, etc. etc. etc.)

  3. Pamela said

    Along a similar vein, in the case where your server takes a walk and the baaad bad men couldn’t care LESS what’s on it but simply sell the parts on Ebay, at least some schmuck doesn’t end up calling the NY Times about this one time (at band camp) where he bought a drive on Ebay and it turned out to have all your stuff on it…

    Personally, I think you need to have the USB key inside the case, but made out of Papyrus and surrounded by vinegar, so that as soon as anyone picks up the box and shakes it enough to cause the vinegar to touch the Papyrus, it dissolves and the secret is forever lost.

    Yeah. That’s the way to go for sure 🙂

  4. Marscha said

    Regarding the TPM options, it was clear to me to use TPM only; that’s what we also do here with our notebooks.
    But I also would like to have RODCs virtualized.
    Then there’s no TPM available!
    The idea is to have a WS08 with Hyper-V which is “owned” by the branch IT (which is sometimes just the finance guy or some other non-IT guy).
    The RODC should still be owned by central IT, so BL would be nice, but I do not see how to implement this with a Hyper-V guest.
