Using Microsoft BitLocker Drive Encryption on Dell Compellent Storage Center

Source: www.delltechcenter.com

This document provides an overview of Microsoft BitLocker Drive Encryption and details using BitLocker on Dell Compellent Storage Center volumes.


What’s new in Windows Server 2012 R2 Access and Information Protection?

  • What's new in Windows Server 2012 R2 (RTM)?
  • What's new in Windows Server 2012 R2 Storage?
  • What's new in Windows Server 2012 R2 Server Virtualization?
  • What's new in Windows Server 2012 R2 Networking?
  • What's new in Windows Server 2012 R2 Server Management and Automation?
  • What's new in Windows Server 2012 R2 VDI?
  • What's new in Windows Server 2012 R2 Access and Information Protection?
  • What's new in Windows Server 2012 R2 Web Application and Platform?
  • What's new in Windows Server 2012 R2 Essentials?
  • What's new in Windows Server 2012 R2 in Web Application and Platform, Active Directory, Print Services and Clustering?

 

What’s New in Remote Access in Windows Server 2012 R2?

There are a number of new Remote Access server and client features in Windows Server® 2012 R2 Preview and Windows® 8.1 Preview. The new server features include:

  • Multi-tenant Site-to-site VPN Gateway
  • Multi-tenant Remote Access VPN Gateway
  • Border Gateway Protocol (BGP)
  • Web Application Proxy

The new Windows 8.1 Preview Remote Access client features include:

  • Auto-triggered VPN
  • Enhanced VPN Client PowerShell configuration
  • Enhanced VPN IPsec
  • Create and Edit VPN profiles in PC settings
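The client-side items above (PowerShell configuration, IPsec settings and auto-trigger) can all be driven from the Windows 8.1 VpnClient module. The script below is an added example written for this page, not code from Dell or from the Microsoft documentation it summarizes; it creates an IKEv2 profile, pins its IPsec proposal instead of accepting the defaults, and makes the tunnel auto-start for one application and one DNS suffix. The gateway name, DNS suffix, DNS server address and application path are placeholders.

```powershell
# Added example: auto-triggered IKEv2 VPN profile with the Windows 8.1 VpnClient cmdlets.
# Run on the Windows 8.1 client as the user who will own the profile.
# Every name, address and path below is a placeholder.
$connName   = 'Corp-IKEv2'
$vpnServer  = 'vpn.corp.example.com'      # placeholder public name of the RRAS gateway
$corpSuffix = 'corp.example.com'          # placeholder internal DNS suffix
$corpDns    = '10.0.0.10'                 # placeholder internal DNS server
$triggerApp = 'C:\Program Files\Contoso\LineOfBusiness.exe'   # placeholder desktop app

# 1. Create the profile. IKEv2 with machine-certificate authentication keeps
#    passwords out of the exchange; EncryptionLevel Required refuses a
#    connection that cannot be encrypted instead of silently downgrading.
Add-VpnConnection -Name $connName -ServerAddress $vpnServer `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -SplitTunneling -Force

# 2. Pin the IPsec proposal. The Windows defaults still admit 3DES/SHA-1 for
#    compatibility; this restricts ESP to AES-GCM-256, IKE to AES-256/SHA-256,
#    and uses 2048-bit DH with PFS for every child SA.
Set-VpnConnectionIPsecConfiguration -ConnectionName $connName `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 -Force

# 3. Auto-trigger: dial when the line-of-business app starts, and when a name
#    in the corporate suffix is resolved. The DNS trigger also sends queries
#    for that suffix to the internal resolver while the tunnel is up.
Add-VpnConnectionTriggerApplication -ConnectionName $connName `
    -ApplicationID $triggerApp -Force
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $connName `
    -DnsSuffix $corpSuffix -DnsIPAddress $corpDns -Force

# 4. Read back what was stored. A mistyped enum value would leave a weaker
#    default in place, so check the profile rather than trusting the script.
Get-VpnConnection -Name $connName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
Get-VpnConnectionTrigger -ConnectionName $connName
```

The gateway must offer a matching proposal, so the same AES-GCM/SHA-256/DH-14 combination has to be configured on the RRAS side; otherwise IKE negotiation fails closed, which is the intended behaviour of step 2.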

 

New and changed functionality in security and protection in Windows Server 2012 R2?

Each feature below is listed with its overview, what changed in Windows Server 2012 R2 Preview, and what changed in Windows Server 2012.

Access Control
  • Overview: Access control helps protect files, applications, and other resources from unauthorized use. (See Access Control and Authorization Overview.)
  • Windows Server 2012 R2 Preview: The Protected Users security group and Authentication Policy Silos add more credential protection. They are administered through Active Directory Domain Services. A restricted administration mode is available in the Remote Desktop Services (RDS) client. For more information, see Credentials Protection and Management.
  • Windows Server 2012: Added the ability to use dynamic rules-based policies to protect shared folders and files (see Dynamic Access Control: Scenario Overview). Redesigned the Access Control List Editor (ACL editor) to more clearly present the key information needed to assess and manage access control (see Enhanced ACL Editor).

AppLocker
  • Overview: AppLocker provides policy-based access control management for applications. (See AppLocker Overview.)
  • Windows Server 2012 R2 Preview: To assist you in process analysis, AppLocker captures command information for each process at runtime and writes that data to the security log, stating "The system is attempting to launch a process with the following attributes:".
  • Windows Server 2012: Added functionality to set rules on app packages, which helps manage Windows Store apps. For more information, see Packaged Apps and Packaged App Installer Rules in AppLocker.

BitLocker
  • Overview: BitLocker Drive Encryption enables you to encrypt all data that is stored on the operating system volume and on configured data volumes for computers running supported versions of Windows. By using a Trusted Platform Module (TPM), it can help ensure the integrity of early startup components. (See BitLocker Overview.)
  • Windows Server 2012 R2 Preview: Broadened support for additional platforms. For more information, see What's New in BitLocker for Windows 8.1 and Windows Server 2012 R2.
  • Windows Server 2012: Added improvements for provisioning and encryption methods, the ability for standard users to change their PINs, support for Encrypted Hard Drives, and a Network Unlock feature. For more information, see What's New in BitLocker for Windows 8 and Windows Server 2012.

Credential Locker
  • Overview: Credential Locker is managed through the Control Panel by Credential Manager and supports mostly consumer scenarios. (See Credential Locker Overview.)
  • Windows Server 2012 R2 Preview: Enhanced credential storage through web authentication broker-capable apps, and the ability to select a default credential for each site. For more information, see Credentials Protection and Management.
  • Windows Server 2012: Added the ability to program Windows Store apps to use Credential Locker, and improvements to credential roaming (which is set to be disabled for domain-joined computers). For more information, see New and changed functionality.

Encrypted Hard Drive
  • Overview: Encrypted Hard Drive is a feature provided with BitLocker to enhance data security and management. (See Encrypted Hard Drive.)
  • Windows Server 2012 R2 Preview: Device encryption is available on most editions of Windows. For more information, see Device encryption.
  • Windows Server 2012: Introduced in Windows Server 2012 and Windows 8. For more information, see Support for Encrypted Hard Drives for Windows.

Exchange ActiveSync Policy Engine
  • Overview: A set of APIs that enable apps to apply Exchange ActiveSync (EAS) policies on desktops, laptops, and tablets to protect data that is synchronized from the cloud, such as data from Exchange Server. (See Exchange ActiveSync Policy Engine Overview.)
  • Windows Server 2012 R2 Preview: In certain cases, biometric sign-in methods are not disabled when the failed-attempts limit is exceeded. For more information, see New and changed functionality.
  • Windows Server 2012: Introduced in Windows Server 2012.

Group Managed Service Accounts
  • Overview: The group Managed Service Account provides the same functionality as the standalone Managed Service Account within the domain, and extends that functionality over multiple servers. (See Group Managed Service Accounts Overview.)
  • Windows Server 2012 R2 Preview: No changes.
  • Windows Server 2012: Added the group Managed Service Account. For more information, see What's New for Managed Service Accounts.

Kerberos
  • Overview: The Kerberos protocol is an authentication mechanism that verifies the identity of a user or host. (See Kerberos Authentication Overview.)
  • Windows Server 2012 R2 Preview: Changed behavior when the account is a member of the Protected Users security group. For more information, see Credentials Protection and Management.
  • Windows Server 2012: Reduced authentication failures caused by larger service tickets, added changes for developers and IT professionals, and added configuration and maintenance improvements. For more information, see What's New in Kerberos Authentication.

Local Computer Policy Settings
  • Overview: Security policy settings are the configurable rules that the operating system follows when it determines the permissions to grant in response to a request for access to resources. Group Policy Administrative Templates can also be used for security management. (See Security Policy Settings Overview.)
  • Windows Server 2012 R2 Preview: No changes in local security policy settings. For improved process auditing, Audit Process Creation was added to the System node of Administrative Templates under Computer Configuration.
  • Windows Server 2012: Added new security policies to improve security management. For more information, see New and changed functionality.

NTLM
  • Overview: The NTLM authentication protocols are based on a challenge-and-response mechanism that proves to a server or domain controller that a user knows the password associated with an account. (See NTLM Overview.)
  • Windows Server 2012 R2 Preview: Changed behavior when the account is a member of the Protected Users security group. For more information, see Protected Users Security Group.
  • Windows Server 2012: No changes.

Passwords
  • Overview: The most common method for authenticating a user's identity is to use a secret passphrase or password as part of the sign-in process. (See Passwords Overview.)
  • Windows Server 2012 R2 Preview: No changes. Microsoft offers other means of proving identity; for more information, see Smart Card Overview and Virtual smart cards.
  • Windows Server 2012: No changes.

Security Auditing
  • Overview: Security auditing can help identify attacks (successful or not) that pose a threat to your network, or attacks against resources that you have determined are of value through a risk assessment. (See Security Auditing Overview.)
  • Windows Server 2012 R2 Preview: No changes.
  • Windows Server 2012: Added expression-based audit policies, and improvements in the ability to audit new types of securable objects and removable storage devices. For more information, see What's New in Security Auditing.

Security Configuration Wizard
  • Overview: The Security Configuration Wizard is an attack-surface reduction tool that helps administrators create security policies based on the minimum functionality required for a server's roles. (See Security Configuration Wizard.)
  • Windows Server 2012 R2 Preview: No changes.
  • Windows Server 2012: No changes.

Smart Cards
  • Overview: Smart cards provide a tamper-resistant and portable security solution for tasks such as authenticating clients, signing in to domains, signing code, and securing email. (See Smart Card Overview.)
  • Windows Server 2012 R2 Preview: The process to enroll TPM-enabled devices as virtual smart card devices has improved. APIs were added to simplify enrollment, making it easier to enroll a device with a virtual smart card regardless of whether it is domain joined and regardless of the hardware.
  • Windows Server 2012: Changed the smart card sign-in experience, service start and stop behavior, and smart card transactions, by adding support for Windows RT devices and Windows 8 applications. For more information, see What's New in Smart Cards.

Software Restriction Policies
  • Overview: Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain and controls the ability of those programs to run. (See Software Restriction Policies.)
  • Windows Server 2012 R2 Preview: No changes.
  • Windows Server 2012: No changes to SRP itself; AppLocker gained greater flexibility to control programs in your enterprise. For more information, see AppLocker Technical Overview.

TLS/SSL (Schannel SSP)
  • Overview: Schannel is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. (See TLS/SSL (Schannel SSP) Overview.)
  • Windows Server 2012 R2 Preview: Supports server-side "TLS/SSL Session Resumption without Server-Side State" (RFC 5077 session tickets). Added the client-side Application-Layer Protocol Negotiation (ALPN) extension. For more information, see New and changed functionality in Windows Server 2012 R2.
  • Windows Server 2012: Changed how trusted issuers for client authentication can be managed, added TLS support for the Server Name Indication (SNI) extension, and added Datagram Transport Layer Security (DTLS) to the provider. For more information, see New and changed functionality in Windows Server 2012.

Trusted Platform Module (TPM)
  • Overview: Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. (See Trusted Platform Module Technology Overview.)
  • Windows Server 2012 R2 Preview: Improvements to the TPM Key Storage Provider for platform and key attestation. For more information, see Malware resistance and What's New for the TPM in Windows 8.1.
  • Windows Server 2012: Improved administration and functionality, including automated provisioning and management, Measured Boot with support for attestation, TPM-based virtual smart cards, and secure storage for critical elements. For more information, see New and changed functionality.

User Account Control (UAC)
  • Overview: UAC helps mitigate the impact of malicious programs. (See User Account Control Overview.)
  • Windows Server 2012 R2 Preview: No changes.
  • Windows Server 2012: Refined to allow easier administration of UAC configuration and messages. For more information, see New and changed functionality.

Virtual Smart Card
  • Overview: Virtual smart cards offer multifactor authentication and compatibility with many smart card infrastructures, and give users the convenience of not having to carry a physical card, so users are more likely to follow their organization's security guidelines than to work around them. (See Understanding and Evaluating Virtual Smart Cards.)
  • Windows Server 2012 R2 Preview: The process to enroll TPM-enabled devices as virtual smart card devices has improved. APIs were added to simplify enrollment, making it easier to enroll a device with a virtual smart card regardless of whether it is domain joined and regardless of the hardware. For more information, see Virtual smart cards.
  • Windows Server 2012: Introduced in Windows Server 2012.

Windows Biometric Framework and Windows Biometrics
  • Overview: The Windows Biometric Framework (WBF) is a set of services and interfaces that permit consistent development and management of biometric devices, such as fingerprint readers. WBF improves the reliability of, and compatibility with, biometric services and drivers. (See Windows Biometric Framework Overview.)
  • Windows Server 2012 R2 Preview: Enhanced the client and associated APIs. For more information, see Fingerprint biometrics.
  • Windows Server 2012: Better integration of fingerprint readers with Fast User Switching, and synchronization of passwords with fingerprints. For more information, see New and changed functionality.

Windows Defender
  • Overview: Windows Defender is a full-featured antimalware solution that is capable of detecting and stopping a wider range of potentially malicious software, including viruses.
  • Windows Server 2012 R2 Preview: Available and enabled by default on Server Core installation options and on Core System Server (without the user interface). For more information, see Windows Defender.
  • Windows Server 2012: Upgraded from antispyware to a full-featured antimalware solution that is capable of detecting and stopping a wider range of potentially malicious software, including viruses.
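The Access Control, Kerberos and NTLM entries above all describe the same 2012 R2 mechanism from different angles: membership in Protected Users, an authentication policy silo, and Restricted Admin RDP. The following script is an added example written for this page (not Dell's code, and not from the Microsoft documentation being summarized) showing how the three are wired together and checked. It assumes the ActiveDirectory module, a Windows Server 2012 R2 domain functional level and 2012 R2 domain controllers; the account, host, policy and silo names are placeholders.

```powershell
# Added example: Protected Users + authentication policy silo (audit mode first)
# + Restricted Admin state check. All account/host/policy names are placeholders.
Import-Module ActiveDirectory

$admins   = 'adm-alice', 'adm-bob'   # placeholder tier-0 user accounts
$tier0PCs = 'JUMP01$', 'DC01$'       # placeholder hosts allowed to issue their TGTs
$jumpHost = 'JUMP01'                 # placeholder admin workstation

# 1. Protected Users. For members, 2012 R2 DCs refuse NTLM, DES and RC4
#    Kerberos keys, every form of Kerberos delegation, and TGTs longer than
#    4 hours. This is always enforced, so never add service or computer
#    accounts: anything that still needs NTLM stops working.
Add-ADGroupMember -Identity 'Protected Users' -Members $admins

# 2. Authentication policies: a 2-hour TGT for users and for the silo's
#    computers. Created without -Enforce, so the DCs only report what would be
#    denied (Security events 4820 to 4823) until the rules are validated.
New-ADAuthenticationPolicy -Name 'Tier0-UserPolicy'     -UserTGTLifetimeMins 120
New-ADAuthenticationPolicy -Name 'Tier0-ComputerPolicy' -ComputerTGTLifetimeMins 120

# 3. The silo binds accounts and the hosts that may authenticate them. It is
#    meaningless until both sides are members, hence one loop for both.
New-ADAuthenticationPolicySilo -Name 'Tier0-Silo' `
    -UserAuthenticationPolicy 'Tier0-UserPolicy' `
    -ComputerAuthenticationPolicy 'Tier0-ComputerPolicy'

foreach ($acct in ($admins + $tier0PCs)) {
    # Both calls are required: the silo must admit the account, and the
    # account must be assigned to the silo (msDS-AssignedAuthNPolicySilo).
    Grant-ADAuthenticationPolicySiloAccess -Identity 'Tier0-Silo' -Account $acct
    Set-ADAccountAuthenticationPolicySilo  -Identity $acct -AuthenticationPolicySilo 'Tier0-Silo'
}

# 4. Verify assignments before turning enforcement on.
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
foreach ($a in $admins) {
    Get-ADUser -Identity $a -Properties 'msDS-AssignedAuthNPolicySilo' |
        Select-Object SamAccountName, 'msDS-AssignedAuthNPolicySilo'
}
# Only after the audit events show no unexpected denials:
#   Set-ADAuthenticationPolicySilo -Identity 'Tier0-Silo'       -Enforce $true
#   Set-ADAuthenticationPolicy     -Identity 'Tier0-UserPolicy' -Enforce $true

# 5. Restricted Admin RDP on the jump host. DisableRestrictedAdmin = 0 means
#    'mstsc.exe /RestrictedAdmin' is accepted there and the admin's password
#    and TGT never reach that host; a missing value or 1 means the mode is off.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$state  = Invoke-Command -ComputerName $jumpHost -ScriptBlock {
    (Get-ItemProperty -Path $using:lsaKey -Name DisableRestrictedAdmin `
        -ErrorAction SilentlyContinue).DisableRestrictedAdmin
}
if ($state -eq 0) { "Restricted Admin RDP is enabled on $jumpHost" }
else              { "Restricted Admin RDP is NOT enabled on $jumpHost (value: $state)" }
```

Two caveats a practitioner should keep in mind. Protected Users requires AES Kerberos keys, so accounts whose password was last set before the domain supported AES need a password reset before they can log on. And Restricted Admin mode cuts both ways: it keeps the administrator's credentials off the target, but it also lets anyone holding only that account's NT hash open an RDP session there, which is why it belongs together with Protected Users and a silo rather than on its own.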

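The Group Managed Service Accounts entry says what a gMSA is but not what the security control actually consists of: the DC derives the password from the KDS root key, rotates it, and hands it only to the principals listed on the account. The script below is an added example written for this page (not Dell's code or Microsoft's) that creates one, scopes password retrieval to a single host group, and reads the result back. It assumes the ActiveDirectory and Kds modules on a Windows Server 2012 or later domain controller; every name is a placeholder.

```powershell
# Added example: create and verify a group Managed Service Account.
# Account, group, DNS and SPN names are placeholders.
Import-Module ActiveDirectory

$gmsaName  = 'svc-web'                        # placeholder; sAMAccountName becomes svc-web$
$hostGroup = 'WebServers'                     # placeholder group of hosts allowed to use it
$dnsName   = 'svc-web.corp.example.com'       # placeholder DNS host name for the account
$spns      = 'HTTP/web.corp.example.com'      # placeholder SPN so clients can use Kerberos

# 1. Once per forest: the KDS root key every gMSA password is derived from.
#    Newly added keys become usable after a 10-hour replication delay; only a
#    lab should back-date the effective time to skip it.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# 2. The account. PrincipalsAllowedToRetrieveManagedPassword is the access
#    control: only members of that group can read msDS-ManagedPassword, the
#    240-character secret the DC regenerates every 30 days by default.
New-ADServiceAccount -Name $gmsaName -DNSHostName $dnsName `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ServicePrincipalNames $spns -Enabled $true

# 3. On each member of $hostGroup, after a reboot so the group is in the
#    machine token. Test-ADServiceAccount returns $true only if this host
#    could actually fetch the password from a DC.
#   Install-WindowsFeature RSAT-AD-PowerShell
#   Install-ADServiceAccount -Identity svc-web
#   Test-ADServiceAccount   -Identity svc-web

# 4. Review: who may read the password and how often it rotates.
Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays, `
                ServicePrincipalNames, DNSHostName |
    Select-Object Name, DNSHostName, ManagedPasswordIntervalInDays, `
        @{ n = 'AllowedPrincipals'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join ', ' } }
```

The retrieval list is the whole control: a local administrator on any host in $hostGroup can obtain the current password, so the group should contain exactly the servers that run the service and nothing else.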
 

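The AppLocker and Local Computer Policy Settings entries both point at the same 2012 R2 addition: process creation events can now carry the full command line. The script below is an added example written for this page (not Dell's code, not Microsoft's) that enables the setting on one host, makes sure the audit subcategory that feeds it is on, and parses the resulting 4688 events by field name. The lookback window and match pattern are placeholders; run it elevated.

```powershell
# Added example: enable command-line capture in 4688 events and read them back.
# Run elevated on a Windows Server 2012 R2 host. Filter values are placeholders.

# 1. "Include command line in process creation events" (Computer Configuration >
#    Administrative Templates > System > Audit Process Creation) is this value; 1 = on.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 2. The value does nothing unless the Process Creation subcategory
#    (Advanced Audit Policy > Detailed Tracking) is itself enabled.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# 3. Parse 4688 by named EventData fields. Positional access breaks across
#    event schema versions; names do not.
function Get-ProcessCreationEvents {
    param([int]$Hours = 1, [string]$Match = '*')
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            NewProcess  = $d.NewProcessName
            Parent      = $d.ParentProcessName     # populated on 2012 R2 / 8.1 and later
            CommandLine = $d.CommandLine           # empty until step 1 is in effect
        }
    } | Where-Object { $_.CommandLine -like $Match -or $_.NewProcess -like $Match }
}

# Example query: anything launched in the last hour with an encoded PowerShell command.
Get-ProcessCreationEvents -Hours 1 -Match '*-enc*' | Format-Table -AutoSize
```

Two operational points follow from turning this on. Command lines frequently contain secrets (passwords passed as arguments, connection strings), so the Security log and anything it is forwarded to inherit that sensitivity. And 4688 volume rises sharply with command-line capture, so raise the log size first, for example with `wevtutil sl Security /ms:1073741824`, or the oldest events will be overwritten before a responder sees them.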
What’s New in BitLocker in Windows 8.1 and Windows Server 2012 R2?

The following is new functionality in BitLocker for Windows 8.1 Preview and Windows Server 2012 R2 Preview:

  • Support for device encryption: BitLocker provides support for device encryption on x86 and x64-based computers with a TPM that supports connected standby. Previously this form of encryption was only available on Windows RT devices.
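For a data volume presented to a server from external storage, the host-side steps are the same regardless of what the SAN is: enable with a recovery-password protector, escrow that password to AD DS, and decide how the volume unlocks at boot. The script below is an added example written for this page (not Dell's code, and not from the Dell or Microsoft documents it links to). It assumes the BitLocker feature is installed on a Windows Server 2012 R2 host, that the "Store BitLocker recovery information in Active Directory Domain Services" policy is applied, and that E: is the volume to protect; the drive letter is a placeholder.

```powershell
# Added example: encrypt a data volume, escrow the recovery password, enable auto-unlock.
# Run elevated on the Windows Server 2012 R2 host. The drive letter is a placeholder.
Import-Module BitLocker

$vol = 'E:'   # placeholder; for a SAN LUN this is the host-side NTFS volume on it

# 1. Enable with a recovery-password protector. -UsedSpaceOnly encrypts only
#    allocated clusters, so on a volume that previously held data the freed
#    blocks stay in cleartext; drop the switch for a reused LUN.
Enable-BitLocker -MountPoint $vol -EncryptionMethod Aes256 `
    -RecoveryPasswordProtector -UsedSpaceOnly

# 2. Escrow the recovery password to the computer object before anything
#    depends on this volume. The protector ID is the key to search by later.
$rp = (Get-BitLockerVolume -MountPoint $vol).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $vol -KeyProtectorId $rp.KeyProtectorId

# 3. Auto-unlock stores this volume's external key on the OS volume, so the
#    data volume opens only when that OS volume was itself unlocked (through
#    its TPM protector). Refuse to do it if the OS volume is not protected,
#    otherwise the key would sit on an unencrypted disk.
$os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
if ($os.ProtectionStatus -eq 'On') {
    Enable-BitLockerAutoUnlock -MountPoint $vol
} else {
    Write-Warning 'OS volume is not BitLocker-protected; auto-unlock not enabled.'
}

# 4. Status. ProtectionStatus stays Off until encryption reaches 100 percent,
#    so report the percentage alongside it rather than trusting one field.
function Get-VolumeEncryptionReport {
    param([string]$MountPoint = $vol)
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionMethod, EncryptionPercentage, `
                      ProtectionStatus, AutoUnlockEnabled, `
                      @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
}
Get-VolumeEncryptionReport
```

One consequence worth stating for array-backed volumes: the storage only ever sees ciphertext, and the volume's key material travels inside the volume metadata. A snapshot or replica of the LUN mounted on another host is therefore just another BitLocker volume, unlockable with the recovery password escrowed in step 2, which is both why the escrow matters and why access to those AD attributes has to be restricted.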