Integrating encryption to a file server on a domain

We are implementing group policies throughout the network, but our programmer is asking for a separate type of encryption for our SFTP server that contains txt files.  The reason for this is in the event that our network is breached from the outside, there is encryption in place from having those files accessed.  Is it overkill to put encryption software on this server once the group policies are in place or would it be necessary?
Rich Rumble (Security Samurai) commented:
EFS is only good on the local system, but if you're transferring with SFTP, that might be just the thing. Bitlocker is for offline attacks, does not protect your data when the OS is booted, like when a hacker gets into your network. EFS is based on accounts, so it's possible to use, but the program accessing the data will have to run under a user account as opposed to the System account. You do not want EFS certificates in the system account, I don't even think it's possible. EFS has a laundry list of best practices, because it can be easy to recover data from, esp. using tools like AEFSDR from Elcomsoft or the Passware password suite. These tools make short work of EFS if you don't follow the laundry list:
EFS should be applied at the FOLDER level not the file level so that plain-text copies are not easily "undeleted".

Depending on the data, I'd use Zip-AES crypto before I'd use EFS. Make sure before trying EFS that you do so on a TEST/DEVELOPMENT environment, and make sure you have a complete backup. Otherwise you may have to purchase an AEFSDR license to get your data back :)
Mike Kline commented:
If the files are sensitive then that extra layer of security is not really overkill in my opinion.  Layers of security are a good thing when it comes to sensitive info.

Rich Rumble (Security Samurai) commented:
It's always best to use a layered defense. Trouble is, most encryption is 3rd party and requires 3rd party software to access when sharing. The Zip format is one that is very universal and supports encryption, however this encryption is weak. For example, in XP and later OSes you can right-click a file and "send to" compressed folder, then open that compressed folder and add a password. This is nice and easy, but the encryption used is very substandard. Using more modern Zip crypto, AES-256 is much preferred, however XP and later OSes, even Windows 8, don't know natively how to deal with that encryption. Installing a 3rd party like Winzip/PkZip/Winrar/7zip allows for access.
So depending on your comfort level, you can use older zip crypto that is very compatible and practically universally understood by popular OSes (apple/mac/linux/windows) or you can use stronger encryption that requires a 3rd party software to open. There are free 3rd parties, and there are even "self extracting" archives that can be made and password protected. Security is always a tradeoff, be it time, money, ease of use etc... you are only as strong as the weakest link in the chain.
JFrusci (Author) commented:
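The answer above contrasts the legacy "compressed folder" password (ZipCrypto) with WinZip-style AES-256. An administrator auditing archives on the SFTP server can tell the two apart from the ZIP central directory alone: ZipCrypto sets general-purpose flag bit 0 with an ordinary compression method, while AES entries use method 99 plus an 0x9901 extra field whose strength byte gives the key size. The following Python script is an added example, not code from the original thread; it uses only the standard library, and the central directory records it checks are constructed inline rather than taken from a real archive.

```python
import struct
CDIR_SIG = b"PK\x01\x02"
CDIR_FMT = "<4sHHHHHHIIIHHHHHII"   # 46-byte fixed part of a central directory header
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}

def aes_strength(extra: bytes) -> str:
    """Walk the (id, size, data) records of an extra field for the WinZip AES block."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4:pos + 4 + size]
        if hid == 0x9901 and len(data) >= 5:   # vendor ver(2) 'AE'(2) strength(1) method(2)
            return AES_STRENGTH.get(data[4], "AES-unknown")
        pos += 4 + size
    return "AES-unknown"

def classify_zip_entries(archive: bytes) -> dict:
    """Map each entry name to 'none', 'ZipCrypto (weak)' or its AES key size."""
    result = {}
    eocd = archive.rfind(b"PK\x05\x06")  # EOCD record: bytes 16..19 hold the directory offset
    pos = archive.find(CDIR_SIG) if eocd == -1 else struct.unpack_from("<I", archive, eocd + 16)[0]
    while pos != -1 and archive.startswith(CDIR_SIG, pos):
        f = struct.unpack_from(CDIR_FMT, archive, pos)
        flags, method, name_len, extra_len, comment_len = f[3], f[4], f[10], f[11], f[12]
        name_start = pos + 46
        name = archive[name_start:name_start + name_len].decode("utf-8", "replace")
        extra = archive[name_start + name_len:name_start + name_len + extra_len]
        if method == 99:            # WinZip AE-1/AE-2: real method lives in the extra field
            result[name] = aes_strength(extra)
        elif flags & 0x0001:        # bit 0 set with an ordinary method = legacy PKWARE cipher
            result[name] = "ZipCrypto (weak)"
        else:
            result[name] = "none"
        pos = name_start + name_len + extra_len + comment_len   # records are contiguous
    return result

def cdir_record(name: bytes, flags: int, method: int, extra: bytes = b"") -> bytes:
    """Constructed test data: a single central directory header, not a full archive."""
    fixed = struct.pack(CDIR_FMT, CDIR_SIG, 20, 20, flags, method, 0, 0, 0, 0, 0,
                        len(name), len(extra), 0, 0, 0, 0, 0)
    return fixed + name + extra

# Constructed sample: plaintext entry, legacy ZipCrypto entry, WinZip AES-256 entry.
AES256_EXTRA = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)
SAMPLE = (cdir_record(b"plain.txt", 0, 8)
          + cdir_record(b"legacy.txt", 1, 8)
          + cdir_record(b"strong.txt", 1, 99, AES256_EXTRA))

if __name__ == "__main__":
    for entry, crypto in classify_zip_entries(SAMPLE).items():
        print(f"{entry}: {crypto}")
```

Run it over the archives in the SFTP directory and anything reported as "ZipCrypto (weak)" is a candidate for re-packing with AES-256 in one of the tools the answer names.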
Would EFS be a good option for this?
Mike Kline commented: