Encrypt user documents over multiple sites

Hi Experts

We have a Windows domain managed by Server 2003 working over 3 sites connected by VPNs. We need to encrypt and back up all user data. We currently have folder redirects set up on the server so all user data can be backed up from the server; unfortunately, though, we found this too slow over the VPN, so the users in the satellite offices store their files on a local NAS box, which is then backed up to the main server overnight.

So one solution would be to use EFS on the redirected documents. This would work for the main office, which still uses their My Docs folders; the trouble is, how do we encrypt the user data in the satellite offices, which aren't using My Docs?
1 Solution
Rich Rumble (Security Samurai) Commented:
EFS is not the solution you want for this. You have to back up the users' keys as well as the data, and the EFS data is not easily accessed after backing up:

The two things you need in your situation are compression and encryption. Maybe 3 things if you can find a good product: normalization too. Normalization is not repeating files when backing up. You and 4 other people at work have downloaded the boss's PowerPoint slides to My Documents; why do you need to back up 5 copies? Why not one with 5 flags that say users v, w, x, y, z have this file too?
Amanda does all of those things: http://www.zmanda.com/download-amanda.php

If you want to understand more about using encryption have a look at my other article:
corecc (Author) Commented:
Hi, thanks for your reply. I've had a look through your links, some very useful info there, thanks.

I think we should be able to recover the encrypted data using our backup software, StorageCraft, as it takes bit-level backup images. I will check this though.

I'm not too concerned about the security issues you mention about EFS as the data is not that sensitive. The client is also not concerned; it's just a requirement of our client's client, so as long as we can say we're using encryption, that's all that matters.

So really all we need is a way of encrypting data on a NAS or a way of redirecting My Docs for certain users to a NAS box.
Rich Rumble (Security Samurai) Commented:
EFS is not what is thought of as traditional encryption, however. You may say you're using it, but you're kinda not at the same time. The users would be otherwise unaware that their data is encrypted; it's "transparent" to them. Meaning the keys are kept in the lock, essentially. You couldn't pass SOX, PCI-DSS or HIPAA, for example, using EFS where the keys are not exported or kept separate.
http://support.microsoft.com/kb/223316 This explains fully that EFS is not secure when it's just enabled. You will also need to make sure you have set up a recovery agent for your or your client's entire domain, which will mean you need a Certificate Authority to be set up, which is touched on here: http://technet.microsoft.com/en-us/library/cc962107.aspx

EFS is a pain, and its security a joke unless you follow the 10+ best practice steps. If someone were to be held accountable for the encryption being used, you wouldn't want to be using EFS.

You could script 7zip to both compress and encrypt files in a more secure manner :) Encryption is only as good as the weakest link, and if it's transparent encryption, the weakest link is the keys residing on the computer with no password to protect them.

Setting up a CA isn't needed 100%, but for "ease" of administering EFS, it is: http://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx

There are so many caveats to EFS :)
Encrypted file system considerations
Folder Redirection has implications for encrypted files that are located in redirected folders.
    Files redirected to a server can be encrypted by Encrypting File System (EFS) only if an administrator has designated the remote server as trusted for delegation. Administrators can establish a service or computer as trusted for delegation to allow that service or computer to complete delegated authentication, receive a ticket for the user who makes the request, and then access information for that user.
    Encrypted files are decrypted before being transmitted over the network. File encryption only protects the files while they reside on the disk.

Do not rely on EFS to encrypt users files when transmitted over the network
  When using the Encrypting File System (EFS) to encrypt files on a remote server, encrypted data is not encrypted when in transit over the network, but only when stored on disk.
The exceptions to this are when your system includes Internet Protocol security (IPSec) or Web Distributed Authoring and Versioning (WebDAV). IPSec encrypts data while it is transported over a TCP/IP network. If the file is encrypted before being copied or moved to a WebDAV folder on a server, it will remain encrypted during the transmission and while it is stored on the server.
corecc (Author) Commented:
Thanks for the advice, I think I just need to find a NAS that offers encryption.
Rich Rumble (Security Samurai) Commented:
Encryption how? When the whole disk is encrypted, and the OS is running, the disk (NAS) looks like any other HDD/Share/Folder/Partition. It's essentially "decrypted" when the OS is running and the drive is mounted. This is good to protect from physical theft, when they try to access the data after physically stealing it, they won't be able to. They would have to have a login to be able to boot up and mount the drives to read it.

Encryption is not easy to use, and correctly so for now. You're making the data unreadable unless you know the secret. If the users don't know the secret, and are just able to access the data, even if it's technically encrypted where it's being stored, when they make a copy of it or access it, it doesn't retain the encryption. That goes for any solution. TrueCrypt, for example: when you create a TC container, you "mount" it as a drive. It looks unencrypted when you've mounted it, because you entered the secret. If you lose power, or someone steals the drive/USB etc., it's safe because they don't know the secret. When a TC container is mounted it's no different than an EFS or even PGP encrypted folder. The difference with EFS is the secret is given automatically when the user logs in, and with TC/PGP you have to input it after login typically. The user is in more control of the encryption.

Encryption is not always a solution; it's mostly a problem that can work in the good guys' favor... doing it correctly is always a challenge. There are lots of ways to protect data, and encryption seems to be the go-to, but it's not the only way :)

You want to encrypt your backup data, you need to compress it first because encryption and compression are mutually exclusive. Each backup could be encrypted with the same password, but make sure that it has to be entered for each backup not just once where you could see all backups.

Again you can use 7zip or other programs to not only compress but to also securely encrypt backup files. You even have the option to not compress with 7zip.

You can do both, full disk and individual, that's a good thing.
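
The 7-Zip approach suggested in the answers above (compress, then encrypt, with the password entered for each backup) could be scripted as follows. This is an added example, not code from the thread; the share and folder paths and the 7-Zip install location are assumed placeholders.

```powershell
# Added example (not from the thread). All paths below are assumed placeholders.
$SevenZip  = 'C:\Program Files\7-Zip\7z.exe'   # assumed 7-Zip install location
$SourceDir = '\\NAS01\UserData'                # hypothetical NAS share with user folders
$DestDir   = 'D:\EncryptedBackups'             # hypothetical folder the nightly backup collects

if (-not (Test-Path -LiteralPath $SevenZip))  { throw "7-Zip not found: $SevenZip" }
if (-not (Test-Path -LiteralPath $SourceDir)) { throw "Source not reachable: $SourceDir" }
New-Item -ItemType Directory -Path $DestDir -Force | Out-Null

# One dated archive per run, so every backup needs its own password entry.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $DestDir "userdata-$stamp.7z"

# a        add files to an archive
# -t7z     7z container, which encrypts with AES-256
# -mx=5    normal compression; 7-Zip compresses the data before encrypting it
# -mhe=on  encrypt the archive headers too, so file names are not readable
# -p       no value given, so 7-Zip prompts on the console; the password is
#          never stored in the script or visible in the process list
& $SevenZip a -t7z -mx=5 -mhe=on -p $archive (Join-Path $SourceDir '*')
if ($LASTEXITCODE -ge 2) {
    # Exit codes 2 and above are fatal errors: do not keep a partial archive.
    Remove-Item -LiteralPath $archive -ErrorAction SilentlyContinue
    throw "7-Zip failed with exit code $LASTEXITCODE; partial archive removed"
}
if ($LASTEXITCODE -eq 1) {
    # Exit code 1 is a warning, typically files locked by another process.
    Write-Warning "7-Zip reported warnings; some files may have been skipped"
}

# Test the archive before relying on it. 7-Zip prompts for the password again,
# which also confirms the archive cannot be read without it.
& $SevenZip t -p $archive
if ($LASTEXITCODE -ne 0) { throw "Verification failed for $archive" }

Write-Output "Encrypted backup written and verified: $archive"
```

Because the password is prompted for rather than stored, the script has to be run interactively; the resulting `.7z` file can then be picked up by the existing overnight copy to the main server.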
