Windows 2000 Server - Encryption Security

Posted on 2005-04-13
Last Modified: 2013-12-04
So we've enabled file encryption for some shares on one of our Windows 2000 file servers.

We have one particular share that is very sensitive.  I'd like to know any thoughts on how to protect the keys.  My thoughts...

-We have a large group of domain admins.  Even they will be removed from Read permissions on this share.
-We need to keep the key somewhere secure so that if we have a server disaster and need to restore, we can get at it.

Thoughts?  Perhaps kept on a CD with our Information Security Office?  

Any other issues to think about when protecting access to an encrypted file share?

Question by: shanepresley

    Accepted Solution

    The easiest way to go about this is to isolate the "sensitive" file share altogether.

    Why make it more complex?

    Even if you have to go down the Virtual Machine (VM) route, isolate your most important information.  It's as simple as that.

    Only specific Domain admins and users have access rights to this VM.
    You can enable encryption to the whole system, not just this one share.
    You can add specific monitoring to this whole system and verify who has access, when, and determine who made changes.

    The philosophy revolves around segmentation and isolation--segmented and compartmentalized.
    At the highest levels of government, this is how they treat security.

    Author Comment

    Thanks Phil.  I agree with segmentation and isolation.  But I still have questions about the encryption keys.  They need to be stored somewhere, securely.  If we lost that server, we would need to have the key somewhere to recover.  Is it as simple as keeping the keys with our security officer?


    Expert Comment

    Yes. :)
