Encrypt user documents over multiple sites

Last Modified: 2013-12-11
Hi Experts

We have a Windows domain managed by Server 2003 working over 3 sites connected by VPNs; we need to encrypt and backup all user data. We currently have folder redirects set up on the server so all user data can be backed up from the server. Unfortunately, though, we found this too slow over the VPN, so the users in the satellite offices store their files on a local NAS box which is then backed up to the main server overnight.

So one solution would be to use EFS on the redirected documents. This would work for the main office, which still uses their My Docs folders; the trouble is how do we encrypt the user data in the satellite offices who aren't using My Docs.

Rich Rumble, Security Samurai
CERTIFIED EXPERT
Top Expert 2006

Commented:
EFS is not the solution you want for this. You have to back up the users' keys as well as the data, and the EFS data is not easily accessed after backing up:
https://www.experts-exchange.com/Security/Encryption/A_12132-Microsoft-EFS-Recovery.html

The two things you need in your situation are compression and encryption. Maybe 3 things if you can find a good product: normalization too. Normalization is not repeating files when backing up. You and 4 other people at work have downloaded the boss's PowerPoint slides to My Documents; why do you need to back up 5 copies, why not one with 5 flags that say users v, w, x, y, z have this file too?
Amanda does all of those things: http://www.zmanda.com/download-amanda.php

If you want to understand more about using encryption have a look at my other article:
https://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich

Author

Commented:
Hi, thanks for your reply. I've had a look through your links; some very useful info there, thanks.

I think we should be able to recover the encrypted data using our backup software, StorageCraft, as it takes bit-level backup images. I will check this though.

I'm not too concerned about the security issues you mention about EFS, as the data is not that sensitive. The client is also not concerned; it's just a requirement of our client's client, so as long as we can say we're using encryption that's all that matters.

So really all we need is a way of encrypting data on a NAS, or a way of redirecting My Docs for certain users to a NAS box.
Rich Rumble, Security Samurai
CERTIFIED EXPERT
Top Expert 2006

Commented:
EFS is not what is thought of as traditional encryption, however. You may say you're using it, but you're kinda not at the same time. The users would be otherwise unaware that their data is encrypted; it's "transparent" to them. Meaning the keys are kept in the lock, essentially. You couldn't pass SOX, PCI-DSS or HIPAA, for example, using EFS where the keys are not exported or kept separate.
http://support.microsoft.com/kb/223316 This explains fully that EFS is not secure when it's just enabled. You will also need to make sure you have set up a recovery agent for your or your client's entire domain, which will mean you need a Certificate Authority to be set up, which is touched on here: http://technet.microsoft.com/en-us/library/cc962107.aspx

EFS is a pain, and its security a joke unless you follow the 10+ best practice steps. If someone were to be held accountable for the encryption being used, you wouldn't want to be using EFS.

You could script 7zip to both compress and encrypt files in a more secure manner :) Encryption is only as good as the weakest link, and if it's transparent encryption the weakest link is the keys residing on the computer with no password to protect them.

Setting up a CA isn't needed 100%, but for "ease" of administering EFS, it is: http://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx
http://technet.microsoft.com/en-us/magazine/2007.03.securitywatch.aspx

There are so many caveats to EFS :)
http://technet.microsoft.com/en-us/library/cc785925%28WS.10%29.aspx
Encrypted file system considerations
Folder Redirection has implications for encrypted files that are located in redirected folders.
    Files redirected to a server can be encrypted by Encrypting File System (EFS) only if an administrator has designated the remote server as trusted for delegation. Administrators can establish a service or computer as trusted for delegation to allow that service or computer to complete delegated authentication, receive a ticket for the user who makes the request, and then access information for that user.
    Encrypted files are decrypted before being transmitted over the network. File encryption only protects the files while they reside on the disk.
YUCK!

http://technet.microsoft.com/en-us/library/cc775853%28v=ws.10%29.aspx
Do not rely on EFS to encrypt users' files when transmitted over the network
  When using the Encrypting File System (EFS) to encrypt files on a remote server, encrypted data is not encrypted when in transit over the network, but only when stored on disk.
The exceptions to this are when your system includes Internet Protocol security (IPSec) or Web Distributed Authoring and Versioning (WebDAV). IPSec encrypts data while it is transported over a TCP/IP network. If the file is encrypted before being copied or moved to a WebDAV folder on a server, it will remain encrypted during the transmission and while it is stored on the server.
-rich
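The "script 7zip to compress and encrypt" suggestion above, worked through as an added example that is not part of the thread: a nightly job on the branch site that turns each user's folder on the NAS into one password-protected (AES-256) .7z archive, so what travels over the VPN to the main server is already encrypted and the encryption key does not sit on the NAS next to the data. The 7-Zip path, the share names and the DPAPI-protected key file are my assumptions; the key file is created once with `Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content C:\BackupJob\archive.key` under the backup service account.

```powershell
# Added example (not from the original thread). Assumptions: 7-Zip at $SevenZip,
# user data under \\branch-nas\users\<username>, archive password stored as a
# DPAPI blob in $KeyFile (readable only by the backup account on this host).
$SevenZip = 'C:\Program Files\7-Zip\7z.exe'
$Source   = '\\branch-nas\users'
$Staging  = 'D:\EncryptedBackups'     # what the overnight copy to HQ picks up
$KeyFile  = 'C:\BackupJob\archive.key'

# Recover the password from the DPAPI blob; it is plain text only inside this process.
$secure = Get-Content $KeyFile | ConvertTo-SecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

New-Item -ItemType Directory -Force -Path $Staging | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd'

# PSIsContainer instead of -Directory so this also runs on PowerShell 2.0 era hosts.
foreach ($dir in Get-ChildItem -Path $Source | Where-Object { $_.PSIsContainer }) {
    $archive = Join-Path $Staging ('{0}-{1}.7z' -f $dir.Name, $stamp)
    # -t7z    7z container (required for header encryption)
    # -mhe=on encrypt file names and directory structure, not just contents
    # -p      AES-256 password; 7-Zip only accepts it on the command line, so it is
    #         visible in process listings for the duration of the run
    # -mx=5   normal compression; -r recurse; -ssw include files open for writing
    & $SevenZip a -t7z -mhe=on "-p$password" -mx=5 -r -ssw $archive "$($dir.FullName)\*" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "7-Zip exit code $LASTEXITCODE for $($dir.Name) (1 = warning, 2 = fatal)"
        continue
    }
    # Test that the archive opens with the key before treating this user as backed up.
    & $SevenZip t "-p$password" $archive | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Output "OK  $archive" }
    else                     { Write-Warning "Integrity test failed: $archive" }
}
$password = $null
```

Run it from a scheduled task under a dedicated backup account; the DPAPI blob in the key file can only be decrypted by that account on that machine, so a copy of the staging folder or the NAS alone is not enough to read the archives.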

Author

Commented:
Thanks for the advice, I think I just need to find a NAS that offers encryption.