I recently discovered to my chagrin that Windows Home Server is not exactly a secure backup platform. Let me explain before I get in too much trouble…
On the plus side, the latest versions of the WHS connectors can actually back up BitLocker and EFS volumes, and they work with 64-bit Vista and even with Windows Server 2008 (64-bit to boot), though that’s not documented. I’m finding out that just about anything that works with 64-bit Vista, not just application software but drivers as well, works with W2K8. Also, WHS is running on a W2K3 server, which means you can have strong passwords, etc.
But the plus side turns out to be the negative side if somebody happens to steal your WHS. The problem is that all that nice and secure information that was encrypted can now be restored without encryption; you just need to get access to the drive. But, alas, “I used a strong password that nobody would guess”. Once again, there’s a problem: WHS provides an administrative recovery console procedure if you happen to forget the password – THAT DOES NOT REQUIRE A PASSWORD. When you use that feature, you can get the WHS that you forgot the password for up and running again, and access all that useful backup information. Voila, your household thief just graduated to become an identity thief and has access to all that “secure” BitLocker or EFS data.
You may be thinking, why not just run BitLocker on the WHS? That won’t work, it’s W2K3. What about running EFS on the protected volume? I don’t think that will work; these are raw volumes, and I don’t see anything to indicate that this would be supported. You’re not even supposed to be logging into that WHS, even though remote desktop is available for it.
So, for those of us who don’t just worry about our stuff being stolen, but also about what might happen to it afterwards (I live in California, after all), and who would still like to back up our laptops and benefit from the nice automation features of WHS, what is one to do?
Alas, Virtualization to the rescue… The idea is that you secure your WHS inside of an environment that can’t be compromised. In my case, that is my Windows Server 2008 running on a Dell Precision workstation with BitLocker turned on. So, if somebody swipes my Precision (which is unlikely since they probably can’t lift it and get it out of the house for several minutes with our home alarm system blaring all the time…), then they have to crack that O/S before they can even see the WHS virtual disks. Installing WHS on a virtual is a breeze, BTW; it worked right out of the box. So, now I back up my Microsoft laptop as well as my Windows 2008 Server (yes, you can back up the server that actually contains the virtual WHS, including the virtual machines, to the WHS). I then back up the WHS virtual machine to a removable disk which can be put in the safety deposit box.
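The whole arrangement depends on the host volumes that hold the WHS virtual disks really being BitLocker-protected, so here is a check for that, as an added example that is not part of the original setup. It uses the BitLocker WMI class `Win32_EncryptableVolume` from Windows PowerShell; the folder paths are assumptions to replace with your own.

```powershell
# Added example. Run from an elevated Windows PowerShell prompt on the host.
# ASSUMPTION: these paths are placeholders; list the host O/S volume and
# every volume that holds WHS virtual disk files.
$pathsToCheck = @('C:\', 'D:\VirtualMachines\WHS')

# BitLocker's WMI provider (present when the BitLocker feature is installed).
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Index = value returned by GetConversionStatus().ConversionStatus
$conversionNames = @('FullyDecrypted', 'FullyEncrypted', 'EncryptionInProgress',
                     'DecryptionInProgress', 'EncryptionPaused', 'DecryptionPaused')

function Get-BitLockerState([string]$Path) {
    $drive = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')   # "D:\" -> "D:"
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
               -Filter "DriveLetter='$drive'" -ErrorAction SilentlyContinue
    if (-not $vol) {
        # No BitLocker provider, or the volume is not one BitLocker can manage.
        return New-Object PSObject -Property @{
            Path = $Path; Drive = $drive; Conversion = 'NotAvailable'
            ProtectionOn = $false; Safe = $false }
    }
    $conversion = [int]$vol.GetConversionStatus().ConversionStatus
    $protection = [int]$vol.GetProtectionStatus().ProtectionStatus   # 0 off, 1 on, 2 unknown
    New-Object PSObject -Property @{
        Path = $Path; Drive = $drive
        Conversion = $conversionNames[$conversion]
        ProtectionOn = ($protection -eq 1)
        # Safe only when every sector is encrypted AND the key protectors are
        # enabled; a "suspended" volume is encrypted but its key is in the clear.
        Safe = ($conversion -eq 1 -and $protection -eq 1)
    }
}

$results = $pathsToCheck | ForEach-Object { Get-BitLockerState $_ }
$results | Format-Table Path, Drive, Conversion, ProtectionOn, Safe -AutoSize

if ($results | Where-Object { -not $_.Safe }) {
    Write-Warning 'At least one volume holding WHS data is not fully BitLocker-protected.'
}
```

A volume that reports `EncryptionInProgress` or has protection turned off still exposes the virtual disks to anyone who walks off with the machine.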
So, what to do with my other WHS, the “real” one that is actually running in a box? I still use that to do backups of family computers that don’t contain a lot of confidential information, and I use its file server features. There actually is no problem having more than one home server on the same network; just run the connector software install again on the machines that need to be changed over to a different WHS.
To make this a bit more clear, here is a diagram of my backup configuration:
So, how did I get to be so paranoid, don’t ask…