

Integrating encryption to a file server on a domain

Posted on 2012-03-22
Last Modified: 2012-04-16
We are implementing group policies throughout the network, but our programmer is asking for a separate type of encryption for our SFTP server that contains txt files. The reason for this is that, in the event our network is breached from the outside, there is encryption in place to keep those files from being accessed. Is it overkill to put encryption software on this server once the group policies are in place, or would it be necessary?
Question by: JFrusci
LVL 57

Expert Comment

by: Mike Kline
ID: 37753688
If the files are sensitive, then that extra layer of security is not really overkill in my opinion. Layers of security are a good thing when it comes to sensitive info.


LVL 38

Expert Comment

by: Rich Rumble
ID: 37754011
It's always best to use a layered defense. Trouble is, most encryption is 3rd party and requires 3rd party software to access when sharing. The Zip format is one that is very universal and supports encryption; however, this encryption is weak. For example, in XP and later OSes you can right-click a file and "send to" compressed folder, then open that compressed folder and add a password. This is nice and easy, but the encryption used is very substandard. Using more modern Zip crypto, AES-256, is much preferred; however, XP and later OSes, even Windows 8, don't know natively how to deal with that encryption. Installing a 3rd party like WinZip/PKZIP/WinRAR/7-Zip allows for access.
So depending on your comfort level, you can use older zip crypto that is very compatible and practically universally understood by popular OSes (Apple/Mac/Linux/Windows), or you can use stronger encryption that requires 3rd party software to open. There are free 3rd parties, and there are even "self-extracting" archives that can be made and password protected. Security is always a tradeoff, be it time, money, ease of use, etc. You are only as strong as the weakest link in the chain.
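The distinction drawn above (legacy ZipCrypto versus WinZip-style AES) is visible in the archive headers, so a file server operator can audit drop folders for weakly protected archives without extracting anything. The following is an added example, not code from any poster in this thread. It assumes the published WinZip AES layout: compression method 99 plus a 0x9901 extra field whose fifth data byte encodes the key strength. The three sample archives are constructed in-memory with the header bits set; the hand-built ones carry no real encryption or compression, because only the headers matter to the check.

```python
import io
import struct
import zipfile
import zlib

# WinZip-style AES is signalled by compression method 99 plus a 0x9901 extra field;
# any other member with general-purpose flag bit 0 set is legacy ZipCrypto.
AES_METHOD = 99
AES_EXTRA_ID = 0x9901
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def parse_extra(extra: bytes):
    """Yield (header_id, data) pairs from a ZIP extra-field blob."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack("<HH", extra[pos:pos + 4])
        yield hid, extra[pos + 4:pos + 4 + size]
        pos += 4 + size


def classify_entry(info: zipfile.ZipInfo) -> str:
    """Return 'none', 'zipcrypto' or 'AES-<bits>' for one archive member."""
    if not info.flag_bits & 0x1:            # bit 0 clear: member stored in the clear
        return "none"
    if info.compress_type == AES_METHOD:
        for hid, data in parse_extra(info.extra):
            # AES extra data: version(2) vendor 'AE'(2) strength(1) real method(2)
            if hid == AES_EXTRA_ID and len(data) >= 7:
                return AES_STRENGTH.get(data[4], "AES-unknown")
        return "AES-unknown"
    return "zipcrypto"


def audit_zip(data: bytes) -> dict:
    """Map every member name to its encryption class; reads headers only, never extracts."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_entry(info) for info in zf.infolist()}


def verdict(report: dict) -> str:
    """Summarise an audit: any clear-text member, else any legacy ZipCrypto member, else AES."""
    kinds = set(report.values())
    if "none" in kinds:
        return "PLAINTEXT"
    if "zipcrypto" in kinds:
        return "WEAK"
    return "AES"


# --- constructed sample archives (not real data) ------------------------------------------
PAYLOAD = b"constructed sample text file contents\n"


def build_zip(name: bytes, payload: bytes, flags: int, method: int, extra: bytes = b"") -> bytes:
    """Hand-build a one-member ZIP with the given header fields.

    The payload is written as-is (no real encryption or compression); only the header
    fields the auditor inspects are set."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                        crc, len(payload), len(payload), len(name), len(extra))
    local += name + extra + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, 0, 0,
                          crc, len(payload), len(payload), len(name), len(extra), 0, 0, 0, 0, 0)
    central += name + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def plain_zip() -> bytes:
    """A genuine unencrypted archive from the standard library, to cross-check the parser."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("plain.txt", PAYLOAD)
    return buf.getvalue()


# 0x9901 extra: data size 7, AE-2, vendor 'AE', strength 3 (AES-256), real method 8 (deflate)
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)

SAMPLES = {
    "plain": plain_zip(),
    "zipcrypto": build_zip(b"legacy.txt", PAYLOAD, flags=0x1, method=8),
    "aes256": build_zip(b"strong.txt", PAYLOAD, flags=0x1, method=AES_METHOD, extra=AES256_EXTRA),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        report = audit_zip(blob)
        print(f"{label:10s} {verdict(report):9s} {report}")
```

Run against a real drop folder, `audit_zip(open(path, "rb").read())` gives the same per-member report; anything that comes back `WEAK` is protected only by the scheme the comment above calls substandard, and `PLAINTEXT` means at least one member is not protected at all.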

Author Comment

ID: 37758179
Would EFS be a good option for this?
LVL 57

Expert Comment

by: Mike Kline
ID: 37758203
LVL 38

Accepted Solution

Rich Rumble earned 2000 total points
ID: 37758336
EFS is only good on the local system, but if you're transferring with SFTP, that might be just the thing. BitLocker is for offline attacks; it does not protect your data when the OS is booted, like when a hacker gets into your network. EFS is based on accounts, so it's possible to use, but the program accessing the data will have to run under a user account as opposed to the System account. You do not want EFS certificates in the System account; I don't even think it's possible. EFS has a laundry list of best practices, because it can be easy to recover data from, esp. using tools like AEFSDR from Elcomsoft or the Passware password suite. These tools make short work of EFS if you don't follow the laundry list:
EFS should be applied at the FOLDER level not the file level so that plain-text copies are not easily "undeleted".

Depending on the data, I'd use Zip-AES crypto before I'd use EFS. Make sure before trying EFS that you do so in a TEST/DEVELOPMENT environment, and make sure you have a complete backup. Otherwise you may have to purchase an AEFSDR license to get your data back :)
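The folder-level rule in the accepted answer can be checked after the fact: Windows exposes EFS state as the FILE_ATTRIBUTE_ENCRYPTED bit on both files and folders, so a file that carries the bit while its parent folder does not was encrypted at file level. The following is an added example, not the poster's code. It assumes only the documented attribute bits from Python's `stat` module; the sample tree is constructed and represents a hypothetical SFTP drop folder, and the `snapshot_tree` helper (which needs `st_file_attributes`, so Windows only) is the one piece that touches a real filesystem.

```python
import ntpath
import os
import stat
from typing import Dict, List

# FILE_ATTRIBUTE_ENCRYPTED is set on EFS-encrypted files and on folders marked so that new
# children are encrypted automatically; the stat module defines both constants on every platform.
ENCRYPTED = stat.FILE_ATTRIBUTE_ENCRYPTED
DIRECTORY = stat.FILE_ATTRIBUTE_DIRECTORY


def classify_efs(tree: Dict[str, int]) -> Dict[str, List[str]]:
    """Sort files in a {path: attribute bits} map by how EFS was applied to them.

    folder_level: encrypted file inside an encrypted folder (the state the answer recommends)
    file_level:   encrypted file whose parent folder is not encrypted, so temporary copies an
                  application writes beside it are not encrypted automatically
    clear:        file not encrypted at all
    """
    result: Dict[str, List[str]] = {"folder_level": [], "file_level": [], "clear": []}
    for path, attrs in sorted(tree.items()):
        if attrs & DIRECTORY:
            continue
        if not attrs & ENCRYPTED:
            result["clear"].append(path)
            continue
        parent_attrs = tree.get(ntpath.dirname(path), 0)
        bucket = "folder_level" if parent_attrs & ENCRYPTED else "file_level"
        result[bucket].append(path)
    return result


def snapshot_tree(root: str) -> Dict[str, int]:
    """Collect attribute bits for a real folder tree (Windows only: st_file_attributes)."""
    tree: Dict[str, int] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        tree[dirpath] = os.stat(dirpath).st_file_attributes
        for name in filenames:
            full = os.path.join(dirpath, name)
            tree[full] = os.stat(full).st_file_attributes
    return tree


# Constructed sample (hypothetical paths): one subfolder was encrypted correctly at folder level,
# another had a single file encrypted by hand and a second file left in the clear.
SAMPLE_TREE = {
    r"D:\sftp": DIRECTORY,
    r"D:\sftp\inbound": DIRECTORY | ENCRYPTED,
    r"D:\sftp\inbound\orders.txt": ENCRYPTED,
    r"D:\sftp\archive": DIRECTORY,
    r"D:\sftp\archive\old.txt": ENCRYPTED,
    r"D:\sftp\archive\readme.txt": 0,
}

if __name__ == "__main__":
    for bucket, paths in classify_efs(SAMPLE_TREE).items():
        print(f"{bucket:13s} {paths}")
```

On the server itself, `classify_efs(snapshot_tree(r"D:\sftp"))` produces the same three buckets; anything in `file_level` is the pattern the answer warns about, and anything in `clear` is data that EFS is not protecting at all.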
