Encryption for files, folders and Network shares to protect data from hackers

I am looking for the best solution for encrypting our data on servers and workstations to protect it in the event it got stolen by hackers.  Not just physically stolen, but data extraction through hacker attacks and bots.

Our systems are Windows servers and workstations.

I need a reasonable solution and I need to know what to expect when I use the encryption...I am somewhat worried that encrypting might cause stuff to stop working or make the data un-retrievable in the case of a system crash...

I'm not that familiar with encryption and what different types are used for and what is the best for me.

btan (Exec Consultant) commented:
Windows has BitLocker for hard disk encryption and EFS for file encryption. Active Directory and GPO support the recovery of the encryption keys.

Brief on bitlocker and efs

Recovery for bitlocker

Best practice for efs deployment
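An added example (not btan's code and not taken from the linked Microsoft pages) of the key-recovery point above: turning on BitLocker with the TPM plus a numerical recovery password and escrowing that password to Active Directory, so a crashed or rebuilt machine, the worry raised in the question, does not leave the data unretrievable. It uses manage-bde, which ships with Windows 7 and Server 2008 R2; the volume letter, the presence of a TPM and the Group Policy setting that permits AD DS backup are assumptions.

```powershell
# Added example: BitLocker with TPM + recovery password, recovery password escrowed to AD DS.
# Assumes: elevated prompt, TPM present and enabled, machine is domain-joined, and the GPO
# that allows BitLocker recovery information to be stored in AD DS is applied.
$Volume = 'C:'

# 1. Enable BitLocker. With a TPM present manage-bde adds a TPM protector by default;
#    -RecoveryPassword adds a 48-digit numerical password as the recovery protector.
#    -SkipHardwareTest avoids the reboot-and-check cycle; drop it the first time on new hardware.
manage-bde -on $Volume -RecoveryPassword -SkipHardwareTest

# 2. Read the protector list and pull out the ID of the numerical (recovery) password.
#    The output looks like "Numerical Password:" followed by "ID: {GUID}" on the next line.
$protectors = manage-bde -protectors -get $Volume | Out-String
if ($protectors -match 'Numerical Password:\s+ID:\s*(\{[0-9A-Fa-f-]+\})') {
    $recoveryId = $Matches[1]
} else {
    throw "No numerical password protector found on $Volume"
}

# 3. Escrow that protector to the computer object in AD DS. Without the GPO mentioned above
#    this step fails rather than silently doing nothing, so check its output.
manage-bde -protectors -adbackup $Volume -id $recoveryId

# 4. Confirm: the status should show encryption in progress or fully encrypted, and the
#    protector list should contain both the TPM and the numerical password.
manage-bde -status $Volume
manage-bde -protectors -get $Volume
```

The escrowed password is visible on the computer object's BitLocker Recovery tab in Active Directory Users and Computers, so it is the AD permissions on that object, not the encryption, that decide who can recover the drive.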
btan (Exec Consultant) commented:
But I will also suggest checking out TrueCrypt with its container scheme... It also supports HDD encryption. But it will be lacking in enterprise support, which we wouldn't expect much of from an open tool though.


Rich Rumble (Security Samurai) commented:
Encryption such as TrueCrypt or BitLocker protects your data ONLY from offline attacks, meaning a computer or HD is physically in the attacker's possession and the system is powered OFF. If the system is in sleep or hibernation, an attacker can resume the session even if it's locked, and grab the encryption keys.
There is a saying:
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. — Bruce Schneier
That means we don't know what you are trying to protect, and just saying encryption will solve the problem is not necessarily the best idea. Security is always a trade-off, and you have to have some acceptable risk... BTW, you should NOT be able to recover encrypted data; the point of the encryption is to protect it from being recovered by the wrong hands. So you should have backups of the data, rather than an easy-to-recover encryption platform. You can recover securely with encryption solutions, but that is a long and drawn-out process.

rand1964 (Author) commented:
I am trying to protect company proprietary data and employee personal information data that is stored on our file server. It is physically locked up and safe, so I am not worried about it being physically stolen.
I want to protect the data as it moves through the network to HR or Accounting and also mostly from hackers that would attempt to steal our data.
Rich Rumble (Security Samurai) commented:
Hacker/intruder protection is a process, and encryption isn't the only thing that helps or prevents them from reaching their goal. It can be one step that makes a good bit of difference though, but you have to understand a few things about encryption first.
TrueCrypt, PGP and others create containers; they can be files, folders, drives or partitions. These containers are encrypted all the time, but when they are opened they look like normal files/folders/partitions/drives, and they look and behave like plaintext. It's only at rest (when closed/unmounted) that they are secure. Encrypted sessions are a little different, and you're probably familiar with HTTPS connections (SSL/TLS) when using Gmail/Hotmail etc... the data sent over those sessions is uniquely encrypted between you and the server, and sniffing that data would not yield any plaintext data for a very, very long time.

Protecting HR or Accounting data should be a multi-step process, locking down file and folder permissions to select groups or users. Remove admin rights from places that don't need them; you can always recover data using an admin account at a later time, it doesn't have to always be included. Maybe you have HR use terminal services (RDP) to a more secure computer or set of computers. Set the file permissions on the HR/acct folders to the most restrictive you can. Set the permissions on database access to the most restrictive possible; again, if the admin account doesn't need access, remove it, you can probably add it in later. If you yourself do not need access, remove your account; if you do need access, try using a group you can add yourself into instead, then remove yourself from that group when you're done.
What I'm getting at is it's a process, it's never set-it-and-forget-it. You can encrypt a database or a file, but you have to keep the keys secure from malware like keyloggers. You also need to make sure your users aren't doing things that undermine the security, like copying unencrypted files to their desktops for example; this is why I suggest using another secure computer that they RDP into to do the HR or the Accounting work, so it's separate and locked down from other areas of the network.
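The folder lockdown Rich describes, as an added example that is not part of his answer: an HR folder and share restricted to the HR group, a normally empty break-glass group in place of standing admin rights, and failure auditing so probing of the folder shows up in the Security log. The folder path, share name and the two group names are assumptions.

```powershell
# Added example: restrict an HR folder/share to the HR group, keep a normally empty
# break-glass group for recovery, and audit failed access. Run from an elevated prompt.
# Assumed names: D:\Shares\HR (folder), HR (share), CORP\HR-Staff (day-to-day group),
# CORP\HR-BreakGlass (empty group you join only when recovery is needed, then leave).
$Folder     = 'D:\Shares\HR'
$ShareName  = 'HR'
$HrGroup    = 'CORP\HR-Staff'
$BreakGlass = 'CORP\HR-BreakGlass'

# Rules apply to this folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function New-Ace([string]$Identity, [string]$Rights) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, $propagate, 'Allow'
}

$acl = Get-Acl -Path $Folder

# Stop inheriting from the parent and discard the inherited entries (Users,
# Authenticated Users, ...). Arguments: isProtected = $true, preserveInheritance = $false.
$acl.SetAccessRuleProtection($true, $false)

# Drop every explicit entry that is already there so only the rules below remain.
foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRule($ace) }

# HR staff get Modify, not Full Control, so they cannot re-grant access to others.
$acl.AddAccessRule((New-Ace $HrGroup 'Modify'))
# The break-glass group gets Full Control. BUILTIN\Administrators is deliberately absent;
# an admin can still take ownership later if data must be recovered, and that is logged.
$acl.AddAccessRule((New-Ace $BreakGlass 'FullControl'))
# SYSTEM keeps Full Control so backup and AV agents running as LocalSystem still work.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl'))

Set-Acl -Path $Folder -AclObject $acl

# Share-level permission: CHANGE for HR staff only. The effective right over the network is
# the more restrictive of share and NTFS permissions, so both are kept tight.
net share "$ShareName=$Folder" "/GRANT:$HrGroup,CHANGE"

# Audit failed access by anyone (needs "Audit object access: Failure" enabled in policy);
# denied attempts then appear in the Security log as event 4656 audit failures.
$sacl = Get-Acl -Path $Folder -Audit
$sacl.AddAuditRule((New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone', 'FullControl', $inherit, $propagate, 'Failure'))
Set-Acl -Path $Folder -AclObject $sacl

# Verify: only the three identities above should be listed, none of them inherited.
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```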
> Not just physically stolen, but data extraction through hacker attacks and bots.
short answer: impossible (if you mean all data on your system)
long answer: you can only get close to this requirement if you ensure that all your data is properly encrypted and only decrypted when necessary, right before use

If all these attacks (bots, whatever) are an issue for you, is "stealing" data using screenshots an issue too? If so, my short answer becomes even shorter: impossible.
btan (Exec Consultant) commented:
Disallow remote admin where possible, else enforce 2FA for such logins for those privileged accounts. Known solutions such as CyberArk do the identity management stuff. The idea is also to be wary of insider threats. Security is a process, and a long one: keep monitoring for anomalies and up the defences constantly.

For a secure channel it can even be simple SSL or TLS or IPsec riding on top of data that is encrypted too. Also, as long as it is networked, attackers will try to penetrate in, so at a minimum make sure the passwords are complex.
If you use HTTPS and secure FTP protocols, your network traffic should be sufficiently encrypted.

If you need to send larger packages of data, you can use 7-zip to strongly encrypt the data.
how does SSL/TLS protect from/against bots, trojans, screenshots?
just wondering ...

Was your comment directed to me?

If so, I was addressing the parts of the question related to protection of data during transport.
If your PC gets infected with a key logger, your passwords may be compromised.
If your PC is the target of ransomware, your encrypted files may be doubly encrypted, rendering them unavailable to you (lost).
According to the sources in this Bruce Schneier post, even full-disk encryption may be breakable for $300.
Rich Rumble (Security Samurai) commented:
It's not breakable... it's exploitable via FireWire/PCMCIA (and always will be) if you can resume a sleeping or hibernating laptop. The encryption keys being in memory is how things work; the author isn't worried about physical access, which the Elcomsoft product needs. Passware, btw, has been doing the same thing in their product for a year or more.

I tried to explain, FDE only protects data from physical theft/possession, and only if it's not hibernating/sleeping or simply locked when stolen. Someone mentioned two-factor auth for network login; this is not the same as network logON. If malware sits on a machine and waits for you to VPN into work, even if you're using 2FA, after you're authenticated the network is wide open at the network level, meaning \\ip.ip.ip.ip will use the user's already established creds, and an attacker using pass-the-hash or pass-the-pass (see mimikatz) would have no trouble getting around on the network.

The author needs to define the data to be protected, and create secure steps and processes to access that data. Typically that means ACLs at the network and file/DB levels based on groups or users, and/or on IPs. Encryption can also be used, but typically keys need to be shared among users if it's something like a TC file or PGP file. Databases that are encrypted can offer role-based access control, and managing the DB keys becomes the main security issue.
2FA would be great at the Terminal Server/RDP level as long as the server the users are RDP'ing to doesn't offer any other network access. Keep the data that needs to be secured walled off in some single server that has little or no access to anything other than the users who need to access it. Encrypting the data in a walled-off server may actually be overkill; each layer of complexity is the enemy of security. If you have a common-area file server that lots of people can view or access, then use encryption; if you can make a nice secure single-server area that few can access easily, then maybe you don't need encryption. It's about balance and trade-offs, not about a ton of what-ifs... once an encrypted container is "open" it looks like plaintext to you and a would-be attacker; you need ways to keep a would-be attacker off your PC more than you need the encryption. Patch and AV updates are a given; there is much more you can do.
SSL/TLS/HTTPS was mentioned in several comments, hence my question (as I cannot imagine how it helps protect stolen data or devices)

anyway, my short and probably not very helpful comments are just to show that the answer to the requirement asked for is very simple: impossible (or simply do not store anything on electronic devices)
I'm aware that this will not help much, but it answers: best solution (see question)

to give more appropriate answers, the author needs to tell what "best" should be

if someone can't imagine what can be done with stolen devices, see the 29C3 talk about microprobing here http://heise.de/-1775185 ; then see the $300 link above too ...
btan (Exec Consultant) commented:
29C3 has a couple of notes, and in particular the FDE attack is one takeaway on top of the past cold boot attack... nothing is safe (being conservative most of the time) when we start to open ourselves to embrace the technology, but we strive minimally to deter and make the perpetrator work harder.

DarinTCH (Senior CyberSecurity Engineer) commented:
It seems some of my peers are being nice when they mention security is best delivered as a multi-layered approach

Worrying about thieves inside your house and what they may damage is a valid concern
we would probably agree a more desirable solution would be to secure the house so that they could not gain entry in the first place.

To that end--what versions of Windows are you running - Desktop and Server
and what are your 4-6 primary business applications

Locking the server room and controlling access to USB drives is great
but data can be controlled @ the drive level - BitLocker was mentioned
at the Data Level - NTFS...EFS, ReFS
are you worried it will be stolen OR compromised and changed
access to systems should be controlled by hardware and software
Firewalls - ACL - Permissions - many many varied arenas
application security will vary depending on your answer and whether it is email or a database

transmission of data from one location to another may present other security risks
some can be mitigated others are....less likely to be exploited

tell us a little more about your environment and we can provide more pointed solutions
rand1964 (Author) commented:
I need to keep thieves out...not your average thief but state sponsored attacks...like from China...I won't say anymore.

What am I running?  Windows 2008R2 and Windows 7 along with a few remaining XP boxes.

SQL Server, Exchange Server, Deltek, Cobra, SharePoint...etc..

Seems they like using Phishing attacks to get in...

So you all think encryption is not the answer, but to lock down the house somehow?
DarinTCH (Senior CyberSecurity Engineer) commented:
following my previous illustration
Encryption is locking your jewels in a safe in the house...
still a very important concept...but more needs to be done
to lock the house down

Security CIA
C=Confidentiality - covers Encryption - important but doesn't cover everything
I=Integrity - Data doesn't change (sometimes we discuss encapsulation here)
A=Availability -
read some articles ...even wiki on Information security

update everything- secure everything  - use WSUS and a vulnerability scanner
update your network hardware and firewalls
most state-sponsored attacks or phishing I've faced exploit known vulnerabilities
btan (Exec Consultant) commented:
If we are worried about state-sponsored perpetrators, I will say one of their key traits is being persistent and stealthy in combination. But they minimally need a hole or gap to pluck at and break in, so make your home ground well defended internally, as shared so far by all. But don't miss out the network and perimeter or possible exit points, as those perpetrators are running down those crown jewels you have.

Data leakage via outbound or egress legitimate traffic, and devices made externally accessible like external USB storage or similar, are a few of the common exit points. They don't pass up those low-hanging fruits like unpatched systems exposed publicly, old web servers and sharing sites, and web vulnerabilities from the OWASP Top 10; they most likely perform intense recon to fingerprint and surface those "weak" systems. These become their target entry points to further pivot into the corporate network. That is why we will also want to have the network segregated from the internet and guard the gateway if data is to flow from the internet into internal, one way where possible. Endpoints may become a bridge, such as a remote user doing VPN and surfing the internet - disallow split tunneling and do NAC prior to granting entry...

Overall, encryption is just touching confidentiality - we need more than that, hence my "rant" above (pardon me going off on a tangent from the question)

Can check out this ENISA paper - Proactive Defence (there are evaluation and recommendation chapters which you may find useful in your environment context; it is not really just for CERTs, we can get some points out of it. Also see the interesting summary on pp. 20, 22 and 107)

Rich Rumble (Security Samurai) commented:
Hire someone, you won't do this yourself. Google couldn't stop state-sponsored attacks, you won't either, esp. using Windows only; it's just too easy. Again, encryption will not be what saves your data, it will be everything else.
.. and to complete rich's comment:
security is a process, not a product

1. get/hire someone who's used to security for your systems (don't believe sales people!)
2. tell your people what security is, and what they should look for, what to care about
3. set up a proper network firewall at your perimeter to the internet
4. separate your internal (SQL, SharePoint, ...) from external servers (SMTP); best: use physically and logically separated IP networks
5. allow access to your systems only by using secured protocols
6. install proper AV and intrusion detection (HIDS) on each system
7. set up a security policy on how to deal with sensitive data
8. set up a process to control all settings and configurations continuously
9. goto 2.

to be improved in many ways, I'm pretty sure others will add what I missed ;-)

rand1964 (Author) commented:
We have a firewall
We have AV
The firewall is our ids at the moment
Number 4 and number 6 (IDS) are problems because I simply cannot get upper management to spend money on IT. They prefer to blame me; it makes it easier than buying servers and appliances.
For years I have asked for money for an IDS/IPS and servers and licenses for "front ends" for our Exchange and SharePoint to no avail. They won't even spend the money to upgrade from the 32-bit XP machines we have to 64-bit Windows 7.

I am stuck...I get the blame...they question my competence and yet they won't purchase anything or hire any help.  I currently do everything...I can't monitor logs all day and do everything else.

Plus, it's probably these same nuts that are in charge that are clicking on the phishing links.
> .. cannot get upper management to spend money on IT ...
no money for protection, that's thieves' heaven ;-)

so it sounds that you first need step 2. and 9. for your management, that's what all experts here explain again and again

however, what's the problem with being blamed if you still get paid for doing everything with nothing?
rand1964 (Author) commented:
This is as good a place to stop as any...I think the answer is clear that encryption is not a magic bullet.  Looks like some serious attempts to "educate" uninterested employees on security is the answer.
rand1964 (Author) commented:
Thanks to everyone for the answers and the discussion.  Moral of this story...security isn't free and if your management isn't serious about it and won't back you...do your best or go somewhere else.
yippie, another person who learned the (digital) security lesson ;-)
Good luck.
Rich Rumble (Security Samurai) commented:
While there are plenty of free tools out there, it takes time and thus money to learn to use them. Windows and Linux have so many unused or under-used security settings that most people never know are there. But there must be discipline in the process or it all falls apart. There are no set-it-and-forget-it solutions.
rand1964 (Author) commented:
I am setting up an Ubuntu Snort box right now, but I have to learn how to use it, and who is going to monitor logs while I am busy handling stupid help desk calls?
Rich Rumble (Security Samurai) commented:
Might try the Security Onion download; it might help you get a handle on things, as it makes using IDS and such easier to set up: http://securityonion.blogspot.com/