Encryption for files, folders and Network shares to protect data from hackers

Windows has bitlocker for the harddisk encryption and efs for the file encryption. The active directory and gpo support the recovery of the encryption keys..

Brief on bitlocker and efs
http://windows.microsoft.com/is-IS/windows7/Whats-the-difference-between-BitLocker-Drive-Encryption-and-Encrypting-File-System

Recovery for bitlocker
http://technet.microsoft.com/en-us/library/cc766200(v=ws.10).aspx#BKMK_RecoveryPass

Best practice for efs deployment
http://technet.microsoft.com/en-us/library/cc875821.aspx#ECAA

But I will also suggest checking out truecrypt With its container scheme... It also support hdd encryption. But it will be lacking in enterprise support which we wouldn't expect much from open tool though.

http://www.truecrypt.org/docs/?s=sharing-over-network

http://www.truecrypt.org/docs/?s=sharing-over-network

Encryption such as TrueCrypt or Bitlocker protect your data ONLY from offline attacks, meaning a computer or HD is physically in the attacker's possession and the system is powered OFF. If the system is in sleep or hibernation, an attacker can resume the session even if it's locked, and grab the encryption keys.
There is a saying:
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. — Bruce Schneier
That means we don't know what you are trying to protect, and just saying encryption will solve the problem is not necessarily the best idea. Security is always a trade off, and you have to have some acceptable risk... BTW you should NOT be able to recover encrypted data, that's the point of the encryption is to protect if from being recovered by the wrong hands. So you should have backups of the data, rather than an easy to recover encryption platform. You can recover securely with encryption solutions, but that is a long and drawn out process.
-rich

Hacker/intruder protection is a process, and encryption isn't the only thing that helps or prevents them from their goal. It can be one step that makes a good bit of difference though, but you have to understand a few things about encryption first.
TrueCrypt, PGP and others create containers, they can be files, folders, drives or partitions. These containers are encrypted all the time, but when they are opened they look like normal files/folders/partitions/drives, and they look and behave like plain-text. It's only at rest (when closed/unmounted) that they are secure. Encrypted sessions are a little different, and your probably fimilar with HttpS connections (ssl/tls) when using Gmail/hotmail etc... the data sent over those sessions is uniquely encrypted between you and the server and sniffing that data would not yield any plain-text data for a very very long time.

Protecting HR or Accounting data should be a multi-step process, locking down file and folder permissions to select groups or users. Remove admin rights from places that don't need it, you can always recover data using an admin account at a later time, it doesn't have to always be included.Maybe you have HR use terminal service (rdp) to a more secure computer or set of computers. Set the file permissions on the hr/acct folders to the most restrictive you can. Set the permissions on database access to the most restrictive possible, again if the admin account doesn't need access remove it, you can probably add it in later. If you yourself do not need access, remove your account, if you do need access, try using a group you can add yourself into instead, then remove yourself from that group when your done.
What I'm getting at is it's a process, it's never set-it and forget-it. You can encrypt a database or a file, but you have to keep the keys secure, from malware like keyloggers. You also need to make sure your users aren't doing things that undermine the security like copying unencrypted files to their desktops for example, this is why I suggest using another secure computer that they RDP into to do the HR or the Accounting work, so it's separate and locked down from other areas of the network.
-rich

Disallow remote admin where possible else enforce 2FA for such login for those privileged account..know solution such as cyberark that does the identity mgmt stuff..the idea is to also be wary on insider threats. Security is a process and a long one to keep monitoring for anomalies and up the defences constantly.

For secure channel it can even be a simple ssl or tls or ipsec riding on top of the data that is encrypted too. Simply also as long as it is networked, attacker will try to penetrate in and make are the password is complex minimally

If your PC gets infected with a key logger, your passwords may be compromised.
If your PC is the target of ransomware, your encrypted files may be doubly encrypted, rendering them unavailable to you (lost).
According to the sources in this Bruce Schneier post, even full-disk encryption may be breakable for $300.
http://www.schneier.com/blog/archives/2012/12/breaking_hard-d.html

It's not breakable... it's exploitable via Firewire/PCMCIA (and always will be) if you can resume a sleeping or hibernating laptop. The encryption keys being in memory are how things work, the author isn't worried about physical access which the elcomsoft product needs, Passware btw has been doing the same thing in their product for a year or more.

I tried to explain, FDE only protects data from physical theft/possession, and only if it's not hibernating/sleeping or just simply locked when stolen. Someone mentioned two factor auth for network login, this is not the same as network logON. If malwate sits on a machine, and wait's for you to VPN into work, even if your using 2FA, after your authenticated the network is wide open at the networked level, meaning \\ip.ip.ip.ip will use the users already established creds, and an attacker using pass-thehash or pass-the-pass (see mimikatz) would have no trouble getting around on the network.

The author needs to define the data to be protected, and create secure steps and processes to access that data. Typically that means ACL's at the network and file/DB levels based on Group's or users, and or on IP's. Encryption can also be used, but typically keys need to be shared among users if it's something like a TC file or PGP file. Database's that are encrypted can offer an Role Based Access Control and managing the DB keys becomes the main security issue.
2FA would be great at the TerminalServer/RDP level as long as the server the users are RDP'ing to doesn't offer any other network access. Keep the data that needs to be secured walled off in some single server that has little or no access to anything other that the users who need to access it. Encrypting the data in a walled off server may actually be overkill, each layer of complexity is the enemy of security. If you have a common area file server, lots of people can view or access then use encryption, if you can make a nice secure single server area that few can access easily then maybe you don't need encryption. It's about balance and tradeoffs, not about a ton of what-if's... once an encrypted container is "open" it looks like PlainText to you and a would be attacker, you need ways to keep a would be attacker off your PC more than you need the encryption. Patch and AV updates are a given, there is much more you can do.
-rich

ssl/tls/https was mentioned in sevaral comments, hence my question (as I cannot imagine how it helps protecting stolen data or devices)

anyway, my short and probably not very helpfull comments are just to show that the answer to the requirement asked for is very simple: impossible (or simply do not store anything on electronic devices)
I'm aware that this will not help much, but it answers: best solution (see question)

to give more appropriate answers, the author needs to tell what "best" should be

if someone can't imagine what can be done with stolen devices, see the 29c3 talk about microprobing here http://heise.de/-1775185 ; then see the 300$ link above too ...
;-)

29C3 has a couple of few note and in particular, the FDE attack is one takeaway on top of past cold boot attack...nothing is safe (being conservative at most time) when we start to open ourselves to embrace the technology. but we strive minimally to deter and make perpetrator work harder.

http://www1.cs.fau.de/sed

It seems some of my peers are being nice when they mention security is best delivered as a multi layered approach

Worrying about thieves inside your house and what they may damage is a valid concern
BUT
we would probably agree a more desirable solution would be to secure the house so that they could not gain entry in the first place.

To that end--what versions of Windows are you running - Desktop and Server
and what are your 4-6 primary business applications

Locking the server rooma dn controlling access to USB drives is great
but data can be contolled @ the drive level - Bitlocaker was mentioned
at the Data Level - NTFS...EFS REFS
are you worried it will be stolen OR copromised and changed
access to systems should be controlled by hardware and software
Firewalls - ACL - Permissions - many many varied arenas
applications security will vary depending on your answer and whether it is email or a database

transmission of data from one location to another may present other security risks
some can be mitigated others are....less likely to be exploited

tell us a little more about you environment and we can provide more pointed solutions

following my previous illus
Encryption is locking your jewels in a safe in the house...
still a very important concept...but more needs to be done
to lock the house down

Security CIA
C=Confidentiality - covers Encryption - important but doesn't cover everything
I=Integrity - Data doesnt change (sometime we discuss encapsulation here)
A=Availability -
+
A=Accountability
++Non-repudiation
read some articles ...even wiki on Information security

update everything- secure everything  - use WSUS and a vulnerability scanner
update your network hardware and firewalls
most state sposored attacks or phishing I've faced exploit known vulnerabilities

If we are worried of state sponsored perpetrator, I will say one of the key trait of them is being persistent and stealthy in combination. But they minimally need a hole and gap to pluck and break in so,  make your home ground well defended internally as shared so far by all. But don't missed out network and perimeter or possible exit point as those perpetrator is running down those crown jewels you have.

Data leakage via outbound or egress legitimate traffic, device externally make accessible like external usb storage or similar are few of the common exit point. They don't give chance of those low hanging fruits like unmatched system exposed publicly, old web server and sharing site, web vulnerability from OWASP top 10  that they most likely perform intense recon to fingerprint and surface those "weak" systems. They become their target entry point to further pivot into the corporate network.  That is why we will also want to have segregated network from internet and internet and guard the gateway if data is to flow from internet into internal, one way where possible. Endpoint may become bridge such as remote user doing VPN and surfing internet - disallow split tunneling and do NAC prior to granting entry...

Overall, encryption is just touching confidentality - we need more than that hence my "rant" on the above (pardon me going off tangent of the question)

Can check out this ENISA paper - Proactive Defence (there are evaluation and recommendation chapter which you may find it useful in your environment context, not really just for CERT though, we can get some pt out of it. Also see interesting summary in pg20, 22 and 107)

http://www.enisa.europa.eu/activities/cert/support/proactive-detection

Hire someone one, you won't do this yourself, Google couldn't stop state-sponsored attacks, you won't either, esp using windows only, it's just too easy. Again encryption will not be what saves your data, it will be everything else.
-rich