When you think about security technologies that are used to secure your data, most likely one of the first technologies that you think of is encryption.
There are many different levels of encryption and technologies that can implement it.
When it comes to Windows Server, what technologies can you use to encrypt your data so that bad guys can’t steal your information or use it in an unauthorized way?
The latest versions of Windows Server include many different encryption technologies that help protect your corporate data from being used inappropriately, and this extends to virtualization and cloud environments.
In this post, we will take a look at Windows Server encryption technologies and use cases to get an overview of the technologies themselves and how they are used.
Windows Server Encryption Technologies and Use Cases
Most likely your Windows Server environment has changed since the traditional days of on-premises Windows Servers only serving out file shares and Active Directory. Your environment today no doubt includes virtualized environments and, in the Windows world in particular, Hyper-V environments. You may also be making use of Microsoft Azure resources in addition to your on-premises data center. In today's Windows Server environments, using encryption in areas other than simply the mobile workforce is certainly a security best practice.
Let’s take a look at the following Windows Server encryption technologies:
- BitLocker
- Virtual Trusted Platform Module (vTPM)
- Shielded VMs
- Encrypted Virtual Networks and IPsec
- Encrypting File System (EFS)
Let’s look at these individually and see how they can benefit you and your environment from a security perspective.
BitLocker
BitLocker is a technology that has gained popularity especially with mobile users who rely on laptops day-to-day. BitLocker encrypts your data at the disk volume level. If a thief steals a laptop, takes the hard drive out and mounts it in another machine to bypass your Windows login, the data on the drive is encrypted and unreadable. So, it is a great security mechanism for the mobile workforce.
The use case for encryption has greatly expanded with today’s highly virtualized environments, which may exist in potentially unsecured locations. BitLocker needs a way to decrypt the drive when the machine boots, and in virtual environments that can be problematic.
The two methods used to unlock the drive are either plugging in some sort of device (such as a USB key) that holds the key so the BitLocker-encrypted drive can boot, or a Trusted Platform Module, a small chip that holds the material needed to decrypt the drive.
Virtual Trusted Platform Module
Since a virtual machine doesn't have access to either of these means of unlocking the drive, the Virtual Trusted Platform Module, available starting in Windows Server 2016, helps to solve this problem.
With vTPM, you now have the ability to make a Trusted Platform Module available to VMs so they can effectively be encrypted for security purposes. The vTPM is essentially a virtualized version of the Trusted Platform Module. Microsoft makes this possible with something they call Isolated User Mode, or IUM. IUM is an isolated runtime environment that hosts security applications inside virtualization-based security (VBS) on the Hyper-V host. VBS is used to secure and protect the state of the virtual TPM chip.
Shielded VMs
Shielded VMs are essentially the product or result of the two other technologies mentioned, BitLocker and vTPM. Shielded VMs are encrypted at the virtual hard drive level, much like a physical laptop hard drive is encrypted using BitLocker. In the case of the shielded VM, the VHDX file of the virtual machine is encrypted with BitLocker to make it unreadable.
Using the vTPM, BitLocker is able to encrypt the VHDX. Shielded VMs also have the capability to be locked down so they only run on healthy or approved Hyper-V hosts. This is done using a method called attestation.
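The following PowerShell is an added example, not code from the original post: it audits the VMs on a Hyper-V host for vTPM and shielding status and then confirms, inside a guest, that the OS volume is BitLocker-protected with a TPM key protector. The VM name 'FILESRV01' and the guest credentials are placeholders; it assumes you run it as a Hyper-V administrator on the host.

```powershell
# Added example (not from the original post): audit Hyper-V VMs on this host for
# vTPM and shielding, then check BitLocker state inside one guest.
# Assumptions: run as a Hyper-V administrator on the host; the guest name
# 'FILESRV01' and the guest credentials are placeholders.

#Requires -Modules Hyper-V

# 1. Which VMs actually have a vTPM, and which are fully shielded?
#    Get-VMSecurity exposes TpmEnabled and Shielded for each VM.
$report = Get-VM | ForEach-Object {
    $sec = Get-VMSecurity -VM $_
    [pscustomobject]@{
        VM             = $_.Name
        Generation     = $_.Generation          # vTPM requires a Generation 2 VM
        TpmEnabled     = $sec.TpmEnabled
        Shielded       = $sec.Shielded
        # Saved state and live-migration traffic encrypted as well?
        StateEncrypted = $sec.EncryptStateAndVmMigrationTraffic
    }
}
$report | Format-Table -AutoSize

# 2. Flag Generation 2 VMs that have no vTPM: BitLocker in the guest cannot
#    seal its key to a TPM there and would fall back to a password or USB key.
$report | Where-Object { $_.Generation -eq 2 -and -not $_.TpmEnabled } |
    ForEach-Object { Write-Warning "$($_.VM): Generation 2 but no vTPM" }

# 3. Enabling a vTPM on a VM that lacks one (VM must be powered off). The key
#    protector wraps the vTPM state. A local key protector is only suitable for
#    a lab; in production the protector comes from the Host Guardian Service.
# $vm = Get-VM -Name 'FILESRV01'
# Set-VMKeyProtector -VM $vm -NewLocalKeyProtector
# Enable-VMTPM -VM $vm

# 4. Inside the guest (PowerShell Direct): confirm the OS sees the TPM and the
#    OS volume is encrypted with a Tpm key protector, not only a password or
#    recovery key.
$cred = Get-Credential -Message 'Guest administrator credentials (placeholder VM)'
Invoke-Command -VMName 'FILESRV01' -Credential $cred -ScriptBlock {
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    [pscustomobject]@{
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        VolumeStatus     = $vol.VolumeStatus        # expect FullyEncrypted
        ProtectionStatus = $vol.ProtectionStatus    # expect On
        KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')
    }
}
```

A VM that reports TpmEnabled but whose guest shows only a Password or RecoveryPassword key protector is encrypted, but not sealed to the vTPM, so the attestation story described below does not yet protect it.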
As of Windows Server 2019, the following attestation modes exist:
- Active Directory-based attestation – introduced in Windows Server 2016
- Key mode attestation – introduced in Windows Server 2019
- TPM-based attestation
Microsoft has also extended the support of Shielded VMs to hosting VMs having Linux as the guest OS in Windows Server 2019.
Encrypted Virtual Networks and IPsec
Encrypting a hard drive or the virtual hard drive of a virtual machine is one aspect of encryption.
What about when your data traverses the network? Using Microsoft’s SDN technology there is a new capability called encrypted virtual networks. When traffic is communicated between virtual machines and between Hyper-V servers, you can now flag an entire subnet for encryption of the data. All traffic that is communicated over these subnets can be encrypted for security.
The great thing about the virtual network encryption is it requires no changes to your virtual machines or applications as it is encrypted at the network level. With Windows Server 2019 SDN, you can encrypt any virtual network using certificates for the encryption process.
IPsec is another way that packets can be encrypted during network communication. IPsec is typically used in scenarios such as Remote Access or VPN technologies to secure network traffic traversing untrusted network zones. IKEv2 tunnels and DirectAccess both use IPsec.
Encrypting File System (EFS)
Encrypting File System is a more granular way to encrypt data inside a client or server operating system. You can use EFS to encrypt only a particular document or folder if you want. EFS does this by using a user certificate as part of the encryption/decryption process, so it relies heavily on a PKI for successful deployment.
EFS is a little less desirable than BitLocker or the other technologies mentioned in that the encryption keys are tied to a user's credentials. If the user account is compromised, so is the data protected by EFS. EFS also relies on a specific user to decide which data is encrypted, as opposed to BitLocker, which encrypts everything regardless of the user account.
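Because EFS protection is only as good as the certificates that can open each file, a practitioner will want to know which encrypted files depend on a single user key and have no recovery agent. The PowerShell below is an added example, not part of the original post; the path 'D:\Shares\Finance' is a placeholder.

```powershell
# Added example (not from the original post): find EFS-encrypted files under a
# path and use cipher.exe /c to show which certificates can decrypt each one.
# Assumption: 'D:\Shares\Finance' is a placeholder path; run as an administrator.
$root = 'D:\Shares\Finance'

# The Encrypted attribute marks files protected by EFS.
$encrypted = Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

$results = foreach ($f in $encrypted) {
    # cipher /c lists the users whose EFS certificates can decrypt the file
    # and any data recovery agent (DRA) certificates.
    $detail = & cipher.exe /c $f.FullName 2>&1

    # A file with no recovery certificate is readable only with the user
    # certificates listed: lose or compromise that account and the data goes
    # with it, which is the dependency on the user account described above.
    [pscustomobject]@{
        File           = $f.FullName
        NoRecoveryCert = [bool]($detail -match 'No recovery certificate found')
        Detail         = ($detail | Where-Object { $_ -match '\\' }) -join '; '
    }
}

$results | Format-Table -AutoSize -Wrap

$noDra = $results | Where-Object NoRecoveryCert
if ($noDra) {
    Write-Warning "$($noDra.Count) EFS file(s) have no data recovery agent certificate."
}
```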
Encrypting your data is absolutely necessary today. With more sensitive data being stored, transmitted, and kept in on-premises and cloud environments, securing it through the effective use of encryption helps to ensure that unauthorized users do not have access to your data.
Newer technologies such as Shielded VMs are made possible by more traditional technologies being retrofitted to work with virtualization, as in the case of the virtual TPM and BitLocker being applied to VMs and their virtual hard disks. As for data in flight, the new encrypted virtual network technology and more traditional network encryption such as IPsec are finding new ways to secure data as it is transmitted across the wire.
Securing data by encryption today requires you to use multiple technologies to protect data both at rest and in flight. This can be done effectively across physical servers, virtual servers, and network communication, both on-premises and in the public cloud.