Encrypting your file server file shares with BitLocker - NIST 800-171

NIST 800-171 and CMMC require that your CUI data be encrypted at rest. If you have a Windows Server file server, that means BitLocker, with the recovery key backed up to Active Directory.

NIST SP 800-171 requires contractors to protect the confidentiality of CUI at rest (3.13.16), to employ FIPS-validated cryptography when cryptography is used to protect the confidentiality of CUI (3.13.11), and to establish and manage the cryptographic keys used in the system (3.13.10). Escrowing the BitLocker recovery keys in AD DS is how you cover the key management piece. If your assessor expects the FIPS mode setting, enable the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy before you turn BitLocker on.

Here are the quick and dirty steps for doing that.

Prerequisites:

  • Turn on BitLocker recovery-key storage in Active Directory. In Group Policy, under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption, enable "Store BitLocker recovery information in Active Directory Domain Services", and in the per-drive "Choose how BitLocker-protected ... drives can be recovered" policies tick "Do not enable BitLocker until recovery information is stored to AD DS". Pick the cipher there too ("Choose drive encryption method and cipher strength"), because you can't change it afterwards without decrypting.
  • This example assumes the file server is a Hyper-V VM, and it must be a Generation 2 VM, i.e. running in UEFI mode; the virtual TPM is only available on Generation 2.
  • Your Hyper-V host needs a TPM chip.  My server didn't have one, so I picked one up on ebay for $8 and installed it.
  • If your server is Generation 1 (BIOS/MBR) rather than UEFI, it's time to stand up a new file server, turn on BitLocker there and migrate your file shares. We use DFS namespaces, so the move is invisible to users when we move file shares.

Here are the steps:
  1. Shut the VM down if it's running, then in the VM's Settings > Security tick "Enable Trusted Platform Module" and start it again.
  2. Turn on BitLocker for the C: (operating system) drive first and reboot.
  3. Then turn on BitLocker for each data drive and set a password protector.
  4. Then under "Manage BitLocker" turn on auto-unlock for each data drive. (This option only appears once the C: drive is BitLocker-protected, because the auto-unlock key is stored on the encrypted OS volume.)

Reboot again and confirm that the data drive unlocks on its own.
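The four steps above as PowerShell, with the checks you want at each step. This is an added example, not code from the original post. Assumed names: VM "FS02", OS volume C:, data volume D:, cipher XTS-AES 256, a standalone Hyper-V host with no Host Guardian Service, and the RSAT ActiveDirectory module available in the guest for the escrow check. Run Enable-GuestVTpm on the Hyper-V host and the other functions inside the VM, all from an elevated PowerShell session.

```powershell
# Added example (not from the original post). Assumed names: VM 'FS02', C: OS volume,
# D: data volume. Enable-GuestVTpm runs on the Hyper-V host; the rest runs in the guest.

# Step 1 (on the Hyper-V host): the vTPM needs a Generation 2 (UEFI) VM that is powered off.
function Enable-GuestVTpm {
    param([string]$VMName = 'FS02')
    $vm = Get-VM -Name $VMName
    if ($vm.Generation -ne 2) {
        throw "$VMName is Generation 1 (BIOS/MBR); build a Gen 2 file server and migrate instead."
    }
    if ($vm.State -ne 'Off') { Stop-VM -Name $VMName -Force }
    if (-not (Get-VMSecurity -VMName $VMName).TpmEnabled) {
        # Assumption: standalone host, no Host Guardian Service, so a local key protector is used.
        Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
        Enable-VMTPM -VMName $VMName          # same as ticking "Enable Trusted Platform Module"
    }
    Start-VM -Name $VMName
}

# Escrow every recovery-password protector on a volume to the computer object in AD DS.
function Backup-RecoveryPasswordToAD {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
}

# Steps 2-4 (inside the VM): OS drive first, then the data drive, then auto-unlock.
# Run it once (it encrypts C: and reboots), then run it again after the reboot.
function Enable-FileServerBitLocker {
    param([string]$OsDrive = 'C:', [string]$DataDrive = 'D:')

    # Pre-flight: UEFI boot, a ready TPM, and the FIPS policy if the assessor expects it.
    if ($env:firmware_type -ne 'UEFI') { throw 'Guest is booting in legacy BIOS mode.' }
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'No ready TPM in the guest; check Step 1.' }
    $fips = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -ErrorAction SilentlyContinue
    if ($fips.Enabled -ne 1) { Write-Warning 'FIPS algorithm policy is off; set it by GPO before encrypting if required.' }

    # Step 2: recovery password first (so the "store to AD DS before enabling" policy is satisfied),
    # escrow it, then bind the volume to the TPM. Reboot as in the post; encryption carries on afterwards.
    if ((Get-BitLockerVolume -MountPoint $OsDrive).VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null
        Backup-RecoveryPasswordToAD -MountPoint $OsDrive
        Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmProtector | Out-Null
        Restart-Computer -Force
        return
    }

    # Step 3: data drive with a password protector plus an escrowed recovery password.
    if ((Get-BitLockerVolume -MountPoint $DataDrive).VolumeStatus -eq 'FullyDecrypted') {
        $pw = Read-Host -AsSecureString "Password protector for $DataDrive"
        Enable-BitLocker -MountPoint $DataDrive -EncryptionMethod XtsAes256 -PasswordProtector -Password $pw | Out-Null
        Add-BitLockerKeyProtector -MountPoint $DataDrive -RecoveryPasswordProtector | Out-Null
        Backup-RecoveryPasswordToAD -MountPoint $DataDrive
    }

    # Step 4: auto-unlock keeps the data volume's key on the encrypted OS volume,
    # which is why it is refused while the OS volume is still unencrypted.
    if ((Get-BitLockerVolume -MountPoint $OsDrive).VolumeStatus -eq 'FullyDecrypted') {
        throw "Auto-unlock needs $OsDrive protected first."
    }
    Enable-BitLockerAutoUnlock -MountPoint $DataDrive
    Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, AutoUnlockEnabled
}

# Verify the escrow actually landed: msFVE-RecoveryInformation objects sit under the
# computer account. Assumes the RSAT ActiveDirectory module is installed in the guest.
function Test-BitLockerEscrow {
    $dn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $dn -Properties msFVE-RecoveryPassword |
        Select-Object Name, msFVE-RecoveryPassword
}
```

Enable-FileServerBitLocker is written to be run twice: the first run encrypts C: and reboots, the second run (after the reboot the post calls for) skips C:, encrypts D:, and turns on auto-unlock. Run Test-BitLockerEscrow before you rely on the recovery keys; if it returns nothing, the AD DS backup policy or schema is not in place and you have no recovery path.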

I tested this on my PC before I did it on the server.
BitLocker did make my D: drive inaccessible for a short time while it started encrypting, so I would do this when you have time for it to encrypt, like overnight on a Sunday.
If it's a new server, turn on BitLocker first and then move the file shares.

Here are my command-line scripts to move a file share.
1. Check your backups first!

Back up the security descriptors (ACLs and owners) in case things go south:
icacls E:\Group\* /save E:\ACL_info_G /T

Restore later if your file share comes over with no security (the saved entries are applied relative to the directory you name):
icacls E:\Group\ /restore E:\ACL_info_G

Make sure someone didn't remove Domain Admins from a folder, as that could block the migration and/or backups:
Set the Administrators group as owner on all files and folders (/D Y answers the prompt for folders where you currently have no list permission, so the run doesn't stall):
takeown /F E:\Group /R /A /D Y
Then grant the Domain Admins group Full Control on all of them (change MyDomain to your domain):
icacls E:\Group /grant "MyDomain\Domain Admins":F /T /C

Robocopy for moving files and folders with all their security
(Run on the new server as admin)
--------------------------------------------
Robocopy \\SourceFileserver\E$\Group D:\Group /mir /copyall /MT:64 /R:0 /W:0

Robocopy Source Destination <-- don't get these mixed up; /mir pointed the wrong way deletes data!
/MT is the number of threads; leave it out to use the default of 8 during the day. (Don't slam the servers with 64 during business hours.)
/R:0 /W:0 sets retries to zero with no wait, so a file that can't be read (locked, access denied) is skipped and logged instead of being retried; the defaults are one million retries with a 30-second wait, which can hang the whole job on one locked file. Add /LOG:file so you have a record of what was skipped.
/mir mirrors the source, i.e. /E plus /PURGE: anything in the destination that is not in the source gets deleted (not good for a two-way sync, since it can purge files).
/copyall copies all file info (data, attributes, timestamps, ACL, owner and auditing info, the same as /COPY:DATSOU).

After I cut over, I disable the file share on the old server and leave it for a week so we get some good backups before we delete it.
Then I like to run a sync tool for a last check, just in case some files were saved at the end.
Allway Sync is my preferred tool for this, and it's free.
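The migration commands above as one script, with the log and the post-copy check the post doesn't show: after the copy it compares file counts and total bytes between the trees and flags any top-level folder whose ACL differs. This is an added example, not the post's own script. Assumed names: old server \\FS01 with the share on E:\Group, new server with D:\Group, log folder D:\MigrationLogs, domain MyDomain, and the helper names Compare-Tree and Compare-Acl. It runs on the new server from an elevated PowerShell session and does the ownership/ACL prep over the old server's admin share (the post runs those two commands locally on the old server, which works just as well).

```powershell
# Added example (not from the original post). Assumed: source \\FS01\E$\Group,
# destination D:\Group, logs in D:\MigrationLogs, domain MyDomain. Run on the new
# server, elevated. -WhatIf runs robocopy with /L (list only, copies nothing).
param(
    [string]$Source      = '\\FS01\E$\Group',
    [string]$Destination = 'D:\Group',
    [string]$LogDir      = 'D:\MigrationLogs',
    [int]$Threads        = 8,          # robocopy default; use 64 off-hours only
    [switch]$WhatIf
)
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Save the source ACLs so they can be put back with: icacls <dir> /restore <file>
icacls "$Source\*" /save "$LogDir\ACL_Group_$stamp.txt" /T /C | Out-Null

# 2. Administrators own everything and Domain Admins have Full Control (inherited),
#    otherwise /copyall can fail on folders where someone removed the admins.
takeown /F $Source /R /A /D Y | Out-Null
icacls $Source /grant "MyDomain\Domain Admins:(OI)(CI)F" /T /C | Out-Null

# 3. Mirror data + ACLs + owner + auditing (/copyall = /COPY:DATSOU), folder timestamps
#    too (/DCOPY:DAT), skip junction points (/XJ), log everything. /mir deletes destination
#    files that are gone from the source, so only ever point it at the new tree.
$rcArgs = @($Source, $Destination, '/MIR', '/COPYALL', '/DCOPY:DAT', "/MT:$Threads",
            '/R:0', '/W:0', '/XJ', '/NP', "/LOG+:$LogDir\robocopy_$stamp.log", '/TEE')
if ($WhatIf) { $rcArgs += '/L' }
& robocopy.exe @rcArgs
# robocopy exit codes: 0-7 = finished (bit flags for copied/extras/mismatches), 8+ = failures
if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures (exit $LASTEXITCODE); check the log" }

# 4. Post-copy check: same file count and bytes, and matching ACLs on each top-level folder.
function Compare-Tree([string]$A, [string]$B) {
    $a = Get-ChildItem -LiteralPath $A -Recurse -File -Force | Measure-Object -Property Length -Sum
    $b = Get-ChildItem -LiteralPath $B -Recurse -File -Force | Measure-Object -Property Length -Sum
    [pscustomobject]@{
        SourceFiles = $a.Count; DestFiles = $b.Count
        SourceBytes = $a.Sum;   DestBytes = $b.Sum
        Match       = ($a.Count -eq $b.Count -and $a.Sum -eq $b.Sum)
    }
}
function Compare-Acl([string]$A, [string]$B) {
    Get-ChildItem -LiteralPath $A -Directory -Force | ForEach-Object {
        $dst = Join-Path $B $_.Name
        $srcSddl = (Get-Acl -LiteralPath $_.FullName).Sddl
        $dstSddl = if (Test-Path -LiteralPath $dst) { (Get-Acl -LiteralPath $dst).Sddl } else { '<missing>' }
        [pscustomobject]@{ Folder = $_.Name; AclMatch = ($srcSddl -eq $dstSddl) }
    }
}
Compare-Tree $Source $Destination | Format-List
Compare-Acl  $Source $Destination | Where-Object { -not $_.AclMatch } | Format-Table
```

Run it once with -WhatIf to see what robocopy would touch, then for real off-hours with -Threads 64. Because /mir is idempotent you can re-run the same script at cutover to pick up the last few days of changes; the ACL comparison uses SDDL strings, so an empty table at the end means every top-level folder's owner and ACL came across exactly.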

