Integrating encryption to a file server on a domain

We are implementing group policies throughout the network, but our programmer is asking for a separate type of encryption for our SFTP server that contains txt files. The reason for this is that, in the event our network is breached from the outside, there is encryption in place to keep those files from being accessed. Is it overkill to put encryption software on this server once the group policies are in place, or would it be necessary?
Mike Kline commented:
If the files are sensitive then that extra layer of security is not really overkill in my opinion. Layers of security are a good thing when it comes to sensitive info.


Rich Rumble (Security Samurai) commented:
It's always best to use a layered defense. Trouble is, most encryption is 3rd party and requires 3rd party software to access when sharing. The Zip format is one that is very universal and supports encryption, however this encryption is weak. For example, in XP and later OS's you can right-click a file and "Send to" compressed folder, then open that compressed folder and add a password. This is nice and easy, but the encryption used is very substandard. Using more modern Zip crypto, AES-256, is much preferred; however XP and later OS's, even Windows 8, don't know natively how to deal with that encryption. Installing a 3rd party tool like WinZip/PKZip/WinRAR/7zip allows for access.
So depending on your comfort level, you can use older zip crypto that is very compatible and practically universally understood by popular OS's (Apple/Mac/Linux/Windows), or you can use stronger encryption that requires 3rd party software to open. There are free 3rd party tools, and there are even "self extracting" archives that can be made and password protected. Security is always a tradeoff, be it time, money, ease of use etc... you are only as strong as the weakest link in the chain.
JoeTechnology (Author) commented:
Would EFS be a good option for this?
Mike Kline commented:
Rich Rumble (Security Samurai) commented:
EFS is only good on the local system, but if you're transferring with SFTP, that might be just the thing. BitLocker is for offline attacks; it does not protect your data when the OS is booted, like when a hacker gets into your network. EFS is based on accounts, so it's possible to use, but the program accessing the data will have to run under a user account as opposed to the System account. You do not want EFS certificates in the System account; I don't even think it's possible. EFS has a laundry list of best practices, because it can be easy to recover data from, esp. using tools like AEFSDR from Elcomsoft or the Passware password suite. These tools make short work of EFS if you don't follow the laundry list:
EFS should be applied at the FOLDER level, not the file level, so that plain-text copies are not easily "undeleted".

Depending on the data, I'd use Zip-AES crypto before I'd use EFS. Make sure before trying EFS that you do so in a TEST/DEVELOPMENT environment, and make sure you have a complete backup. Otherwise you may have to purchase an AEFSDR license to get your data back :)
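The two EFS points above (encrypt at the folder level, and never under the System account) can be turned into a repeatable check. The script below is an added example written for this thread, not code from the original answers; it assumes a placeholder share path of D:\SFTP\Inbound and that it is run interactively as the domain service account the SFTP service uses, so that the EFS certificate ends up in that account's profile.

```powershell
# Added example (not from the original thread): apply EFS at the folder level on a
# Windows file server and verify the result, following Rich Rumble's advice above.
# Assumptions: D:\SFTP\Inbound is a placeholder path on an NTFS volume, and the script
# runs as the service's domain user account (the account that owns the EFS certificate).

param(
    [string]$FolderPath = 'D:\SFTP\Inbound'   # placeholder; adjust to your share root
)

# EFS keys live in a user profile, so refuse to run as LocalSystem.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($identity.IsSystem) {
    throw "Run this as the SFTP service's domain user account, not as SYSTEM: EFS certificates are not available there."
}

# Encrypt the folder itself (/e) and everything already in it (/s:). Because the
# folder carries the flag, new files written into it are encrypted automatically,
# which is what prevents plain-text copies from being left behind for undelete tools.
& cipher.exe /e /s:"$FolderPath" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }

# Verify: every file under the folder should now carry the Encrypted attribute.
$plain = Get-ChildItem -Path $FolderPath -Recurse -File |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }

if ($plain) {
    Write-Warning "Unencrypted files remain (check for FAT volumes or files owned by another account):"
    $plain | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Output "All files under $FolderPath are EFS-encrypted for $($identity.Name)"
}

# List which certificates (user and any recovery agent) can decrypt the folder,
# so the recovery path is known before the test backup is relied on.
& cipher.exe /c "$FolderPath"
```

Run it first on the test/development copy the answer recommends; the final `cipher.exe /c` output is the place to confirm that a data recovery agent certificate is listed alongside the service account's own, since that is what stands between you and a commercial recovery tool if the account's profile is ever lost.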
