Integrating encryption to a file server on a domain

Posted on 2012-03-22
Last Modified: 2012-04-16
We are implementing group policies throughout the network, but our programmer is asking for a separate type of encryption for our SFTP server that contains txt files. The reason for this is so that, in the event our network is breached from the outside, there is encryption in place to keep those files from being accessed. Is it overkill to put encryption software on this server once the group policies are in place, or would it be necessary?
Question by:JFrusci
LVL 57

Expert Comment

by:Mike Kline
ID: 37753688
If the files are sensitive than that extra layer of security is not really overkill in my opinion.  Layers of security are a good thing when it comes to sensitive info.


LVL 38

Expert Comment

by:Rich Rumble
ID: 37754011
It's always best to use a layered defense. Trouble is, most encryption is 3rd party and requires 3rd party software to access when sharing. The Zip format is one that is very universal and supports encryption; however, this encryption is weak. For example, in XP and later OSes you can right-click a file and "send to" compressed folder, then open that compressed folder and add a password. This is nice and easy, but the encryption used is very substandard. Using more modern Zip crypto, AES-256, is much preferred; however, XP and later OSes, even Windows 8, don't know natively how to deal with that encryption. Installing a 3rd party like Winzip/PkZip/Winrar/7zip allows for access.
So depending on your comfort level, you can use older zip crypto that is very compatible and practically universally understood by popular OSes (apple/mac/linux/windows), or you can use stronger encryption that requires 3rd party software to open. There are free 3rd parties, and there are even "self extracting" archives that can be made and password protected. Security is always a tradeoff, be it time, money, ease of use etc... you are only as strong as the weakest link in the chain.
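The comment above distinguishes the legacy "ZipCrypto" password scheme from WinZip-style AES. The following PowerShell function is an added example, not code from the thread or from any of the tools it names: it reads a .zip's central directory and reports which scheme each entry uses, so an administrator can find archives on the server that still rely on the weak legacy scheme. It uses only built-in .NET; the `-Path` value and the share path in the usage comment are placeholders.

```powershell
# Added example, not from the original thread: reads a .zip's central directory and
# reports which encryption each entry uses, so an admin can find archives that still
# rely on the legacy ZipCrypto scheme rather than WinZip-style AES. Needs only
# built-in .NET; the -Path value is whatever archive you want to check.
function Get-ZipEncryptionInfo {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 22) { throw "Too small to be a zip archive: $Path" }

    # Find the End Of Central Directory record (signature 0x06054b50). It sits at the
    # end of the file, possibly followed by an archive comment of up to 65535 bytes.
    $eocd  = -1
    $floor = [Math]::Max(0, $bytes.Length - 22 - 65535)
    for ($i = $bytes.Length - 22; $i -ge $floor; $i--) {
        if ([BitConverter]::ToUInt32($bytes, $i) -eq 0x06054b50) { $eocd = $i; break }
    }
    if ($eocd -lt 0) { throw "No EOCD record found; not a zip archive: $Path" }

    $entryCount = [int][BitConverter]::ToUInt16($bytes, $eocd + 10)
    $pos        = [int][BitConverter]::ToUInt32($bytes, $eocd + 16)  # central dir offset

    for ($n = 0; $n -lt $entryCount; $n++) {
        if ([BitConverter]::ToUInt32($bytes, $pos) -ne 0x02014b50) {
            throw "Corrupt central directory at offset $pos"
        }
        $flags    = [BitConverter]::ToUInt16($bytes, $pos + 8)   # general purpose bits
        $method   = [BitConverter]::ToUInt16($bytes, $pos + 10)  # compression method
        $nameLen  = [BitConverter]::ToUInt16($bytes, $pos + 28)
        $extraLen = [BitConverter]::ToUInt16($bytes, $pos + 30)
        $cmtLen   = [BitConverter]::ToUInt16($bytes, $pos + 32)
        $name     = [System.Text.Encoding]::UTF8.GetString($bytes, $pos + 46, $nameLen)

        # Walk the extra fields looking for the WinZip AES header (ID 0x9901). Its data
        # is: vendor version (2), vendor ID "AE" (2), strength (1), real method (2),
        # where strength 1=AES-128, 2=AES-192, 3=AES-256.
        $aesBits = 0
        $e   = $pos + 46 + $nameLen
        $end = $e + $extraLen
        while ($e + 4 -le $end) {
            $id  = [BitConverter]::ToUInt16($bytes, $e)
            $len = [BitConverter]::ToUInt16($bytes, $e + 2)
            if ($id -eq 0x9901 -and $len -ge 7) {
                $aesBits = switch ([int]$bytes[$e + 8]) { 1 {128} 2 {192} 3 {256} default {0} }
            }
            $e += 4 + $len
        }

        $scheme = if (($flags -band 0x1) -eq 0)   { 'None' }
                  elseif ($method -eq 99)          { if ($aesBits) { "AES-$aesBits (WinZip AE-x)" } else { 'AES (unknown strength)' } }
                  elseif (($flags -band 0x40) -ne 0) { 'PKWARE strong encryption' }
                  else                             { 'ZipCrypto (legacy, weak)' }

        [pscustomobject]@{ Entry = $name; Encryption = $scheme; Method = $method }
        $pos += 46 + $nameLen + $extraLen + $cmtLen
    }
}

# Usage (placeholder share path): list every archive entry still using legacy ZipCrypto.
# Get-ChildItem '\\fileserver\share' -Filter *.zip -Recurse |
#     ForEach-Object { Get-ZipEncryptionInfo -Path $_.FullName } |
#     Where-Object Encryption -like 'ZipCrypto*'
```

Reading the central directory rather than each local file header is deliberate: local headers may carry zero sizes when the "data descriptor" bit is set, while the central directory always has the final flags and method for every entry. An entry classified as `ZipCrypto (legacy, weak)` is one the comment above would recommend re-packing with an AES-capable tool.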

Author Comment

ID: 37758179
Would EFS be a good option for this?
LVL 57

Expert Comment

by:Mike Kline
ID: 37758203
LVL 38

Accepted Solution

Rich Rumble earned 500 total points
ID: 37758336
EFS is only good on the local system, but if you're transferring with SFTP, that might be just the thing. Bitlocker is for offline attacks; it does not protect your data when the OS is booted, like when a hacker gets into your network. EFS is based on accounts, so it's possible to use, but the program accessing the data will have to run under a user account as opposed to the System account. You do not want EFS certificates in the system account; I don't even think it's possible. EFS has a laundry list of best practices, because it can be easy to recover data from, esp. using tools like AEFSDR from Elcomsoft or the Passware password suite. These tools make short work of EFS if you don't follow the laundry list:
EFS should be applied at the FOLDER level, not the file level, so that plain-text copies are not easily "undeleted".

Depending on the data, I'd use Zip-AES crypto before I'd use EFS. Make sure before trying EFS that you do so on a TEST/DEVELOPMENT environment, and make sure you have a complete backup. Otherwise you may have to purchase an AEFSDR license to get your data back :)
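The accepted answer makes three checkable points: EFS must be set on the folder (so new files inherit it and no plaintext copies are left behind), the process reading the data must run as a real user account rather than LocalSystem, and that user needs an EFS certificate. The function below is an added example, not code from the thread: a read-only audit of those three conditions on one folder. The folder path and service name are placeholders you supply.

```powershell
# Added example, not part of the original thread. Read-only audit of the EFS advice
# in the accepted answer: encryption should be set on the FOLDER (so new files inherit
# it and no plaintext copies linger), and the service that touches the data should
# run under a named user account, not LocalSystem, which has no EFS key.
# -Folder and -ServiceName are assumptions; pass your own values.
function Test-EfsFolderPosture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$ServiceName
    )
    $enc = [System.IO.FileAttributes]::Encrypted
    $dir = Get-Item -LiteralPath $Folder

    # 1. Is the folder itself flagged Encrypted? Files created inside then inherit it,
    #    which is the folder-level practice the answer insists on.
    $folderEncrypted = $dir.Attributes.HasFlag($enc)

    # 2. Any files under it (recursively) that are still plaintext?
    $plain = Get-ChildItem -LiteralPath $Folder -Recurse -File |
             Where-Object { -not $_.Attributes.HasFlag($enc) }

    # 3. Which account does the service (e.g. the SFTP daemon) log on as?
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    $runsAsSystem = ($null -eq $svc) -or ($svc.StartName -match 'LocalSystem')

    # 4. Does the current user hold an EFS certificate (EKU OID 1.3.6.1.4.1.311.10.3.4)?
    $efsCert = Get-ChildItem Cert:\CurrentUser\My |
               Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' }

    [pscustomobject]@{
        Folder              = $Folder
        FolderEncrypted     = $folderEncrypted
        PlaintextFiles      = @($plain).Count
        PlaintextSample     = @($plain | Select-Object -First 5 -ExpandProperty FullName)
        ServiceLogonAs      = if ($svc) { $svc.StartName } else { '(service not found)' }
        ServiceRunsAsSystem = $runsAsSystem
        UserHasEfsCert      = ($null -ne $efsCert)
    }
}

# Usage with placeholder values; run it as the account the service logs on with:
# Test-EfsFolderPosture -Folder 'D:\sftp\inbound' -ServiceName 'sshd' | Format-List
```

Run it under the same account the service uses, since check 4 looks at that user's own certificate store. A result of `FolderEncrypted = False` with `PlaintextFiles > 0` is exactly the per-file setup the answer warns against; the built-in `cipher /e /s:<folder>` encrypts the folder and its contents in one step, and the answer's advice to do this first in a test environment with a full backup still applies.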
