Integrating encryption to a file server on a domain

Posted on 2012-03-22
Last Modified: 2012-04-16
We are implementing group policies throughout the network, but our programmer is asking for a separate type of encryption for our SFTP server that contains txt files. The reason for this is that in the event our network is breached from the outside, there is encryption in place to keep those files from being accessed. Is it overkill to put encryption software on this server once the group policies are in place, or would it be necessary?
Question by:JFrusci

Expert Comment

by:Mike Kline
ID: 37753688
If the files are sensitive, then that extra layer of security is not really overkill in my opinion. Layers of security are a good thing when it comes to sensitive info.



Expert Comment

by:Rich Rumble
ID: 37754011
It's always best to use a layered defense. Trouble is, most encryption is 3rd party and requires 3rd party software to access when sharing. The Zip format is one that is very universal and supports encryption, however this encryption is weak. For example, in XP and later OS's you can right-click a file and "send to" compressed folder, then open that compressed folder and add a password. This is nice and easy, but the encryption used is very substandard. Using more modern Zip crypto, AES-256 is much preferred, however XP and later OS's, even Windows 8, don't know natively how to deal with that encryption. Installing a 3rd party like Winzip/PkZip/Winrar/7zip allows for access.
So depending on your comfort level, you can use older zip crypto that is very compatible and practically universally understood by popular OS's (apple/mac/linux/windows), or you can use stronger encryption that requires 3rd party software to open. There are free 3rd parties, and there are even "self extracting" archives that can be made and password protected. Security is always a tradeoff, be it time, money, ease of use etc... you are only as strong as the weakest link in the chain.
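The comment above distinguishes the legacy Zip password scheme (ZipCrypto) from the WinZip AES extension, and the difference is visible in the archive headers without decrypting anything. The script below is an added example, not code from this thread or from any of the tools it names: it reads each entry's general-purpose flag word and compression method from the central directory (bit 0 = encrypted, method 99 with a 0x9901 extra field = WinZip AES, bit 6 = PKWARE strong encryption, anything else flagged encrypted = ZipCrypto) and reports which entries still rely on the weak scheme. The three-entry sample archive is constructed in the script itself so it runs offline; it is not a real file from the question.

```python
"""Report which ZIP entries use legacy ZipCrypto versus WinZip AES.

Added example for the thread above. Only the central-directory headers are
inspected; nothing is decrypted. The sample archive is constructed in-code.
"""
import io
import struct
import zipfile

PLAINTEXT = "not encrypted"
ZIPCRYPTO = "ZipCrypto (legacy, weak)"
PKWARE_STRONG = "PKWARE strong encryption"
WINZIP_AES = "WinZip AES-{bits}"

FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0
FLAG_STRONG_ENCRYPTION = 0x0040  # general-purpose bit 6 (PKWARE SES)
AES_METHOD = 99                # compression method reserved for WinZip AE-x
AES_EXTRA_ID = 0x9901          # header ID of the WinZip AE-x extra field
AES_STRENGTH_BITS = {1: 128, 2: 192, 3: 256}


def _aes_strength(extra: bytes):
    """Return the key size advertised in a WinZip AE-x extra field, or None."""
    while len(extra) >= 4:
        field_id, length = struct.unpack("<HH", extra[:4])
        body = extra[4:4 + length]
        if field_id == AES_EXTRA_ID and len(body) >= 7:
            # body: vendor version (2), vendor ID b"AE" (2), strength (1), real method (2)
            return AES_STRENGTH_BITS.get(body[4])
        extra = extra[4 + length:]
    return None


def classify_entry(info: zipfile.ZipInfo) -> str:
    """Name the encryption scheme an entry's headers declare."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return PLAINTEXT
    if info.compress_type == AES_METHOD:
        bits = _aes_strength(info.extra)
        return WINZIP_AES.format(bits=bits if bits else "?")
    if info.flag_bits & FLAG_STRONG_ENCRYPTION:
        return PKWARE_STRONG
    return ZIPCRYPTO


def classify_archive(data: bytes) -> dict:
    """Map every entry name in the archive bytes to its encryption scheme."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_entry(info) for info in zf.infolist()}


def weak_entries(data: bytes) -> list:
    """Names of entries that are password protected only with ZipCrypto."""
    return [name for name, scheme in classify_archive(data).items() if scheme == ZIPCRYPTO]


# --- constructed sample archive (test data, not a real file) -----------------
DOS_DATE = ((2012 - 1980) << 9) | (3 << 5) | 22  # 2012-03-22, the question date


def build_zip(entries) -> bytes:
    """Build a minimal ZIP from (name, flags, method, extra) tuples.

    The payload bytes are dummies: only the headers matter for classification.
    """
    payload = b"dummy"
    local, central = b"", b""
    for name, flags, method, extra in entries:
        name_b = name.encode("ascii")
        offset = len(local)
        # local file header (30 bytes) + name + extra + data
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, DOS_DATE,
                             0, len(payload), len(payload), len(name_b), len(extra))
        local += name_b + extra + payload
        # central directory header (46 bytes) + name + extra
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                               0, DOS_DATE, 0, len(payload), len(payload), len(name_b),
                               len(extra), 0, 0, 0, 0, offset)
        central += name_b + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
SAMPLE_ARCHIVE = build_zip([
    ("readme.txt", 0x0000, 0, b""),              # stored, no password
    ("legacy.txt", FLAG_ENCRYPTED, 8, b""),      # deflate + ZipCrypto password
    ("modern.txt", FLAG_ENCRYPTED, AES_METHOD, AES256_EXTRA),  # WinZip AES-256
])

if __name__ == "__main__":
    for name, scheme in classify_archive(SAMPLE_ARCHIVE).items():
        print(f"{name:12s} {scheme}")
    print("weak entries:", weak_entries(SAMPLE_ARCHIVE))
```

Run against a real archive by replacing `SAMPLE_ARCHIVE` with the file's bytes; the report tells you whether an "add a password" archive from the built-in Explorer flow is still ZipCrypto before it is shared outside the network.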

Author Comment

ID: 37758179
Would EFS be a good option for this?

Expert Comment

by:Mike Kline
ID: 37758203

Accepted Solution

Rich Rumble earned 500 total points
ID: 37758336
EFS is only good on the local system, but if you're transferring with SFTP, that might be just the thing. Bitlocker is for offline attacks; it does not protect your data when the OS is booted, like when a hacker gets into your network. EFS is based on accounts, so it's possible to use, but the program accessing the data will have to run under a user account as opposed to the System account. You do not want EFS certificates in the system account, I don't even think it's possible. EFS has a laundry list of best practices, because it can be easy to recover data from, esp. using tools like AEFSDR from Elcomsoft or the Passware password suite. These tools make short work of EFS if you don't follow the laundry list:
EFS should be applied at the FOLDER level not the file level so that plain-text copies are not easily "undeleted".

Depending on the data, I'd use Zip-AES crypto before I'd use EFS. Make sure before trying EFS that you do so on a TEST/DEVELOPMENT environment, and make sure you have a complete backup. Otherwise you may have to purchase an AEFSDR license to get your data back :)
