Q: How will BitLocker Drive Encryption and Trusted Platform Module (TPM) support in Windows Server 2008 help address the risks associated with physically insecure domain controllers (DCs)?
A: Although Server 2008’s read-only domain controller (RODC) functionality goes a long way toward preventing an attacker from exploiting physical access to a DC to change Active Directory (AD) objects, such as users and groups, an attacker could still temporarily exploit the DC to break into other systems in the domain or forest. BitLocker encrypts the entire volume on the system’s hard disk drive. Because the volume is encrypted, even an attacker with physical access can’t successfully alter data on the volume to introduce malware into the OS or to disable the OS’s security features. The key to preventing physical access attacks is to secure the OS boot process and encrypt the media where the OS and AD are stored, and the combination of BitLocker and a TPM does just that. During startup, the TPM records measurements of the firmware, boot loader, and configuration settings and compares them with the values held in its secure memory to verify that nothing has been tampered with before the OS is allowed to boot. Only then does the TPM let Windows boot and supply it with the encryption key required to decrypt information read from BitLocker-encrypted volumes on the hard disk drive. The combination of BitLocker, a TPM, and RODCs makes it impractical for someone to try to exploit physically vulnerable DCs.
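The following Python model, added here and not part of the original column, illustrates the measured-boot check described above: each boot stage is folded into a TPM platform configuration register (PCR), the volume key is sealed to the expected PCR value, and the key is released only when the measured chain matches. The component names, the single-PCR simplification, and the `seal`/`unseal` helpers are constructed for illustration; a real TPM holds the sealed key in its own shielded storage and uses several PCRs.

```python
import hashlib
import hmac
from typing import Optional

def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components: list[bytes]) -> bytes:
    """Fold every boot stage, in order, into one PCR that starts at all zeros."""
    pcr = bytes(32)
    for component in components:
        pcr = extend_pcr(pcr, component)
    return pcr

def seal(volume_key: bytes, expected_pcr: bytes) -> dict:
    """Model of sealing: bind the volume key to the PCR value seen at enablement.
    (Simplified: a real TPM keeps the key inside the chip, not in a plain dict.)"""
    return {"pcr": expected_pcr, "key": volume_key}

def unseal(blob: dict, current_pcr: bytes) -> Optional[bytes]:
    """Release the key only if the measured boot chain matches the sealed value."""
    if hmac.compare_digest(blob["pcr"], current_pcr):
        return blob["key"]
    return None

# Constructed sample boot chain; the byte strings stand in for real images.
GOOD_CHAIN = [b"firmware-v1", b"mbr", b"bootmgr-v1", b"winload-v1"]
# Same chain with a modified boot manager, as an attacker with disk access might leave behind.
TAMPERED_CHAIN = [b"firmware-v1", b"mbr", b"bootmgr-patched", b"winload-v1"]
VOLUME_KEY = b"constructed-32-byte-volume-key!!"

def demo() -> tuple[Optional[bytes], Optional[bytes]]:
    """Seal at enablement time with the good chain, then try both boot paths."""
    sealed = seal(VOLUME_KEY, measure_boot(GOOD_CHAIN))
    return unseal(sealed, measure_boot(GOOD_CHAIN)), unseal(sealed, measure_boot(TAMPERED_CHAIN))

if __name__ == "__main__":
    good, bad = demo()
    print("untampered boot releases key:", good is not None)
    print("tampered boot releases key:  ", bad is not None)
```

Because the PCR value depends on every stage and on their order, the tampered chain yields a different measurement and the modelled TPM withholds the key, which is why the encrypted OS and AD database stay unreadable to the attacker.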