Windows Server 2008 R2 Unleashed (263 page)


CHAPTER 32

Optimizing Windows Server 2008 R2 for Branch Office Communications

2. In the Local Group Policy Object Editor, expand Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, and then select Operating System Drives.

3. In the right pane, double-click Require Additional Authentication at Startup.

4. Enable the BitLocker Group Policy settings by selecting the Enabled option, and then click OK, as displayed in Figure 32.10.


FIGURE 32.10 Enabling additional authentication options for BitLocker support.

5. Apply the new Group Policy settings by typing gpupdate.exe /force at the command prompt.

BitLocker Drive Encryption utilizing a USB device can now be configured by completing the following steps:

1. Click Start, Control Panel, and double-click BitLocker Drive Encryption.

2. Enable BitLocker Drive Encryption by clicking Turn On BitLocker on the BitLocker Drive Encryption page.

3. Review the message on the BitLocker Drive Encryption Platform Check page, and then click Continue with BitLocker Drive Encryption to start the BitLocker process.

4. If necessary, the installation will prepare the system for BitLocker; then click Next.


5. Because a TPM does not exist in this example, select the option Require a Startup USB Key at Every Startup, and then click Next. This option can be found on the Set BitLocker Startup Preferences page.

6. Ensure a USB memory device has been inserted into the system. Then, on the Save Your Startup Key page, specify the removable drive to which the startup key will be saved, and then click Save.

7. The Save the Recovery Password page is then invoked. The administrator has the ability to save the BitLocker recovery password on a USB drive or to a folder on the system. In addition, the third option allows for printing of the password. Choose the desired storage alternative for saving the recovery password, and then click Next to continue.

NOTE

It is a best practice to make additional copies of the recovery password and store them in a secure location like a vault. For maximum security, the recovery password should not be stored on the local system, nor should the password be printed on paper. In addition, do not store the recovery password and the startup key on the same media.


8. On the Encrypt the Volume page, ensure the Run BitLocker System Check option is enabled, and then click Continue. The system check guarantees BitLocker can access and read the recovery and encryption keys before encrypting the volume.

NOTE

Do not bypass the option to run a system check before encrypting the volume. Data loss can occur if there is an error reading the encryption or recovery key.

9. Insert the USB memory device containing the startup key into the system, and then click Restart Now. The Encryption in Progress status bar is displayed, showing the completion status of the disk volume encryption.

NOTE

The USB device must be plugged in to the system every time the system starts in order to boot and gain access to the encrypted volume. If the USB device containing the startup key is lost or damaged, you must use Recovery mode and provide the recovery key to start the system.

Enabling BitLocker Drive Encryption on Additional Data Volumes

There might be situations when BitLocker Drive Encryption is warranted not only on the volume containing the operating system files, but also on the data volumes. This is especially common with domain controllers in branch offices where a lack of physical security and theft are concerns.


When encrypting data volumes with BitLocker, the keys generated for the operating system volume are independent of those for the data volume. However, encryption of a data volume is similar to the encryption process of the operating system volume.

Follow these steps to enable BitLocker Drive Encryption for server data volumes:

1. Click Start, Run, and then type cmd. Click OK to launch a command prompt.

2. From within the command prompt, type manage-bde -on <volume>: -rp -rk <USB drive>:\.

NOTE

Replace the <volume> argument with the drive letter of the volume that you want to encrypt. In addition, replace the <USB drive> argument with the drive letter of a USB device. The USB device is utilized to store the recovery key.

The data volume must be unlocked each time the server is rebooted. This can be accomplished through a manual or automatic process. The syntax to manually unlock a data volume after every restart consists of the following two options:

. manage-bde -unlock <volume>: -rp <recovery password>

. manage-bde -unlock <volume>: -rk U:\

The first option uses the recovery password, whereas the second option takes advantage of passing the recovery key to decrypt the data volume. As mentioned in the previous paragraph, it is possible to enable automatic unlocking of a data volume by utilizing the following syntax at the command prompt:

manage-bde -autounlock -enable <volume>:

This command creates a recovery key and stores it on the operating system volume. The data volume is automatically unlocked after each system reboot.
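The following PowerShell script is an added example and is not from the book. It wraps the manage-bde.exe commands above so that a data volume is encrypted only when the recovery key is written to a removable drive that is neither the volume being encrypted nor the operating system volume (the NOTE earlier about keeping keys off the local system), and so that automatic unlocking is enabled only after the operating system volume itself reports protection on, because the autounlock key lives on that volume. The function and parameter names are this example's own; the parsing assumes manage-bde -status prints "Name: value" lines such as "Protection Status: Protection On".

```powershell
# Added example: guard rails around manage-bde.exe for data volumes.
# Function names, parameter names and the status-line parsing are assumptions
# of this example, not the book's or Microsoft's API.

function Get-BitLockerStatusField {
    param(
        [Parameter(Mandatory=$true)][string]$Volume,
        [Parameter(Mandatory=$true)][string]$Field
    )
    # manage-bde -status prints "Name: value" lines, for example
    # "Protection Status: Protection On" (format assumed from manage-bde output)
    $pattern = '^\s*' + [regex]::Escape($Field) + '\s*:\s*(.+)$'
    foreach ($line in (& manage-bde.exe -status $Volume 2>&1)) {
        if ("$line" -match $pattern) { return $Matches[1].Trim() }
    }
    return $null
}

function Enable-DataVolumeBitLocker {
    param(
        [Parameter(Mandatory=$true)][ValidatePattern('^[A-Za-z]:$')][string]$Volume,
        [Parameter(Mandatory=$true)][ValidatePattern('^[A-Za-z]:$')][string]$UsbDrive
    )
    if ($Volume -ieq $UsbDrive) {
        throw 'The recovery key must not be stored on the volume being encrypted.'
    }
    if ($UsbDrive -ieq $env:SystemDrive) {
        throw 'Do not store the recovery key on the operating system volume.'
    }
    # Win32_LogicalDisk DriveType 2 = removable disk; refuse a fixed drive
    $usb = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$UsbDrive'"
    if (-not $usb -or $usb.DriveType -ne 2) {
        throw "$UsbDrive is not a removable drive."
    }
    # -rp generates a numerical recovery password (printed to the console);
    # -rk writes the recovery key file to the USB drive
    & manage-bde.exe -on $Volume -rp -rk "$UsbDrive\"
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }
    return (Get-BitLockerStatusField -Volume $Volume -Field 'Conversion Status')
}

function Enable-DataVolumeAutoUnlock {
    param([Parameter(Mandatory=$true)][ValidatePattern('^[A-Za-z]:$')][string]$Volume)
    # The autounlock key is stored on the OS volume, so it is only as safe as
    # that volume: refuse unless the OS volume reports "Protection On".
    $osStatus = Get-BitLockerStatusField -Volume $env:SystemDrive -Field 'Protection Status'
    if ($osStatus -ne 'Protection On') {
        throw "Refusing to enable autounlock: OS volume $env:SystemDrive reports '$osStatus'."
    }
    & manage-bde.exe -autounlock -enable $Volume
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -autounlock failed with exit code $LASTEXITCODE" }
    return $true
}

# Usage from an elevated PowerShell prompt (drive letters are example values):
# Enable-DataVolumeBitLocker -Volume 'D:' -UsbDrive 'F:'
# Enable-DataVolumeAutoUnlock -Volume 'D:'
```

The recovery password that manage-bde -on prints should be copied off the console and stored as the NOTE above recommends; the script deliberately does not write it to the local disk.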

Utilizing the BitLocker Recovery Password

There might be situations when you need to leverage the recovery password to gain access to a volume that is encrypted with BitLocker. This situation might occur when there is an error related to the TPM hardware, one of the boot files becomes corrupt or modified, or the TPM is unintentionally cleared or disabled. The following instructions outline the recovery steps:

1. Restart the system, and the BitLocker Drive Encryption console will come into view.

2. Insert the USB device containing the recovery password, and then press Esc. If the USB device is not available, bypass step 2 and proceed to step 3.

3. Press Enter. You will be prompted to enter the recovery password manually.

4. Type in the recovery password, press Enter, and then restart the system.


Scenarios for when the Recovery Password Is Required

There are a number of different scenarios where a BitLocker recovery would need to be performed; these include (but are not limited to):

. Changing or replacing the motherboard with a new TPM

. Changing the status of the TPM

. Updating the BIOS or any other ROM on the motherboard

. Attempting to access a BitLocker-enabled drive on a different system

. Entering the wrong PIN information too many times

. Losing or damaging the USB startup key

Removing BitLocker Drive Encryption

The course of action for turning off BitLocker Drive Encryption is the same for both TPM-based hardware configurations and USB devices. When turning off BitLocker, two options exist. You can either remove BitLocker entirely and decrypt a volume, or you can temporarily disable BitLocker so changes can still be made. The following steps depict the process for removing and disabling BitLocker:

1. Click Start, Control Panel, and double-click BitLocker Drive Encryption.

2. Turn off BitLocker Drive Encryption by clicking Turn Off BitLocker on the BitLocker Drive Encryption page.

3. The What Level of Decryption Do You Want dialog box will be invoked. Choose either Disable BitLocker Drive Encryption or Decrypt the Volume.

Understanding and Deploying BranchCache

BranchCache is a new feature in Windows Server 2008 R2 and Windows 7 that is designed to optimize wide area network (WAN) bandwidth usage by branch offices. To accomplish this, BranchCache copies content from central office content servers and caches the content at the branch office. Once cached, clients no longer have to traverse a WAN connection to access content. Instead, the content is accessed directly from within the branch office from caches on other peer Windows 7 machines or servers running the BranchCache feature of Windows Server 2008 R2. Therefore, BranchCache helps improve content access times for branch office servers and clients while also reducing the amount of traffic on a WAN link.

NOTE

BranchCache is only supported on Windows Server 2008 R2 and Windows 7.


Important BranchCache Concepts

When working with BranchCache, the following important concepts should be taken into consideration:

. There are two modes of operation in BranchCache: Distributed Cache mode and Hosted Cache mode. If cached content is only being distributed using client computers, this is called Distributed Cache mode. Hosted Cache mode, however, is when the content cache is being hosted by a server that is located within the branch office.

. BranchCache supports the optimization of file access as well as downloads over HTTPS and IPSec.

. BranchCache protects content that is cached by encrypting it. Content can then only be accessed by using identities, which are provided by the originating server to authenticated clients that are members of the same domain as the content server.

Distributed Cache Mode

Distributed Cache mode is a peer-to-peer caching scheme that is used to cache intranet website (communicating over HTTP or HTTPS) or file server (communicating over the standard SMB protocol) content within a branch office without the need for a local hosted cache server.


Server-Side Configuration

By default, BranchCache is not enabled. To enable it on a web server or a file server, the following steps need to be performed:

1. Web (IIS) Server—You would need to enable the BranchCache feature using Server Manager.

2. File Server (SMB)—You would need to enable the BranchCache for Remote Files role service, which is part of the File Services role, using Server Manager.

Additionally, for file servers, the following things need to be completed:

1. Configure the Hash Publication for BranchCache GPO setting (Computer Configuration\Policies\Administrative Templates\Network\Lanman Server). Set this to: Allow Hash Publication Only for Shared Folders on Which BranchCache Is Enabled.

2. Specify the HashStorageLimitPercent Registry value (HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters). This is the maximum percentage of physical disk space used to store the publication hashes.

3. Lastly, tag your file shares by enabling BranchCache support for them. On the Caching tab, select Only the Files and Programs That Users Specify Are Available Offline. Then select Enable BranchCache, as shown in Figure 32.11.
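The script below is an added example, not from the book, that checks the file-server prerequisites just listed before writing the HashStorageLimitPercent value: that the BranchCache for Remote Files role service is installed, and that the hash publication policy is at the "only for shared folders on which BranchCache is enabled" setting. The ServerManager feature name FS-BranchCache, the policy registry value HashPublicationForPeerCaching under HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanServer (2 meaning "only on BranchCache-enabled shares"), and the function names are assumptions of this example; HashStorageLimitPercent and its key come from the chapter.

```powershell
# Added example: verify BranchCache file-server prerequisites and set the
# hash storage limit. Feature name, policy value name and function names are
# assumptions of this example, not the book's text.
Import-Module ServerManager

function Test-BranchCacheFileServerInstalled {
    # FS-BranchCache is assumed to be the "BranchCache for Remote Files" role service
    $feature = Get-WindowsFeature -Name FS-BranchCache
    return [bool]($feature -and $feature.Installed)
}

function Get-HashPublicationPolicy {
    # Assumed registry location of the "Hash Publication for BranchCache" GPO setting
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
    $item = Get-ItemProperty -Path $policyKey -Name HashPublicationForPeerCaching -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.HashPublicationForPeerCaching }
    return $null   # policy not configured
}

function Set-HashStorageLimitPercent {
    param([Parameter(Mandatory=$true)][ValidateRange(1,100)][int]$Percent)
    $paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    if (-not (Test-BranchCacheFileServerInstalled)) {
        throw 'BranchCache for Remote Files (FS-BranchCache) is not installed; add the role service first.'
    }
    $policy = Get-HashPublicationPolicy
    if ($policy -ne 2) {
        # 2 = "Allow hash publication only for shared folders on which BranchCache is enabled" (assumed)
        Write-Warning "Hash publication policy is '$policy'; the chapter expects the BranchCache-enabled-shares-only setting."
    }

    Set-ItemProperty -Path $paramKey -Name HashStorageLimitPercent -Value $Percent -Type DWord
    $readback = (Get-ItemProperty -Path $paramKey -Name HashStorageLimitPercent).HashStorageLimitPercent
    if ($readback -ne $Percent) { throw "HashStorageLimitPercent read back as $readback, expected $Percent." }
    return $readback
}

# Usage (elevated prompt): cap hash storage at 10% of the disk
# Set-HashStorageLimitPercent -Percent 10
```

Run gpupdate /force after the GPO change so that the policy check reflects the setting you intend, not a stale value.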

FIGURE 32.11 Enabling file share BranchCache support.

Client-Side Configuration

Like the server-side configuration, the BranchCache feature must be enabled on Windows 7 clients. To enable this feature in Distributed Cache mode, there are two methods. The first method is via Netsh. For example, run a command prompt (Run As Administrator) and execute:


netsh branchcache set service mode=DISTRIBUTED

NOTE

Executing the previous command not only turns on and configures BranchCache, but also configures Windows Firewall with the appropriate rules to allow BranchCache to operate in this mode.
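As an added example (not part of the book), the following PowerShell wrapper runs the Netsh command above and then verifies the two things the NOTE says it should have done: the service mode is Distributed, and BranchCache firewall rules exist. The parsing assumes netsh branchcache show status all prints "Name = value" lines such as "Service Mode = Distributed Caching", and it assumes the firewall rules' display names contain the word BranchCache; the function names are this example's own.

```powershell
# Added example: enable Distributed Cache mode and verify the result.
# Output-line formats and rule-name matching are assumptions of this example.

function Get-BranchCacheStatusField {
    param([Parameter(Mandatory=$true)][string]$Field)
    # Assumed format: "Service Mode = Distributed Caching"
    $pattern = '^\s*' + [regex]::Escape($Field) + '\s*=\s*(.+)$'
    foreach ($line in (& netsh.exe branchcache show status all 2>&1)) {
        if ("$line" -match $pattern) { return $Matches[1].Trim() }
    }
    return $null
}

function Get-BranchCacheFirewallRuleNames {
    # List every inbound/outbound rule and keep the "Rule Name:" lines that mention BranchCache
    $names = @()
    foreach ($line in (& netsh.exe advfirewall firewall show rule name=all)) {
        if ("$line" -match '^\s*Rule Name:\s*(.+BranchCache.+)$') { $names += $Matches[1].Trim() }
    }
    return $names
}

function Enable-BranchCacheDistributedMode {
    & netsh.exe branchcache set service mode=DISTRIBUTED
    if ($LASTEXITCODE -ne 0) { throw "netsh branchcache set service failed with exit code $LASTEXITCODE" }

    $mode = Get-BranchCacheStatusField -Field 'Service Mode'
    if ($mode -notmatch 'Distributed') {
        throw "Expected Distributed Cache mode after configuration, got '$mode'."
    }

    # Without the content retrieval and peer discovery rules, clients cannot find or serve peers
    $rules = Get-BranchCacheFirewallRuleNames
    if ($rules.Count -eq 0) {
        throw 'No BranchCache firewall rules were found; peer caching will not work.'
    }
    Write-Output "Service Mode: $mode"
    Write-Output "Firewall rules: $($rules -join '; ')"
    return $mode
}

# Usage (elevated prompt): Enable-BranchCacheDistributedMode
```

The same two checks are worth running after the GPO method as well, since a policy that is applied but blocked by a third-party firewall fails in exactly the way these checks surface.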

Needless to say, running a Netsh command is not the most efficient way of turning on BranchCache. That is why most people will use the second method for configuring BranchCache on clients in Distributed Cache mode, which is a GPO. Use the following steps to complete this task:

1. Enable the Turn On BranchCache GPO setting (Computer Configuration\Policies\Administrative Templates\Network\BranchCache).

2. Enable the Set BranchCache Distributed Cache Mode GPO setting (Computer
