corecc asked on

Encrypt user documents over multiple sites

Hi Experts

We have a Windows domain managed by Server 2003 working over 3 sites connected by VPNs; we need to encrypt and back up all user data. We currently have folder redirects set up on the server so all user data can be backed up from the server. Unfortunately, though, we found this too slow over the VPN, so the users in the satellite offices store their files on a local NAS box, which is then backed up to the main server overnight.

So one solution would be to use EFS on the redirected documents; this would work for the main office, which still uses the My Docs folders. The trouble is how we encrypt the user data in the satellite offices, who aren't using My Docs.
Tags: Windows Server 2003, Encryption, VPN

Last comment: Rich Rumble, 8/22/2022 (Mon)

Rich Rumble

EFS is not the solution you want for this. You have to back up the users' keys as well as the data, and the EFS data is not easily accessed after backing up:

The two things you need in your situation are compression and encryption. Maybe 3 things if you can find a good product: normalization too. Normalization is not repeating files when backing up. You and 4 other people at work have downloaded the boss's PowerPoint slides to My Documents; why do you need to back up 5 copies? Why not one, with 5 flags that say users v, w, x, y, z have this file too.
Amanda does all of those things: http://www.zmanda.com/download-amanda.php

If you want to understand more about using encryption have a look at my other article:

Hi, thanks for your reply. I've had a look through your links; some very useful info there, thanks.

I think we should be able to recover the encrypted data using our backup software, StorageCraft, as it takes bit-level backup images; I will check this though.

I'm not too concerned about the security issues you mention about EFS, as the data is not that sensitive. The client is also not concerned; it's just a requirement of our client's client, so as long as we can say we're using encryption, that's all that matters.

So really all we need is a way of encrypting data on a NAS, or a way of redirecting My Docs for certain users to a NAS box.
Rich Rumble

EFS is not what is thought of as traditional encryption, however; you may say you're using it, but you're kind of not at the same time. The users would be otherwise unaware that their data is encrypted; it's "transparent" to them, meaning the keys are kept in the lock, essentially. You couldn't pass SOX, PCI-DSS or HIPAA, for example, using EFS where the keys are not exported or kept separate.
http://support.microsoft.com/kb/223316 This explains fully that EFS is not secure when it's just enabled. You will also need to make sure you have set up a recovery agent for your or your client's entire domain, which will mean you need a Certificate Authority to be set up, which is touched on here: http://technet.microsoft.com/en-us/library/cc962107.aspx

EFS is a pain, and its security is a joke unless you follow the 10+ best-practice steps. If someone were to be held accountable for the encryption being used, you wouldn't want to be using EFS.

You could script 7-Zip to both compress and encrypt files in a more secure manner :) Encryption is only as good as the weakest link, and if it's transparent encryption the weakest link is the keys residing on the computer with no password to protect them.

Setting up a CA isn't needed 100%, but for "ease" of administering EFS, it is: http://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx

There are so many caveats to EFS :)
Encrypted file system considerations
Folder Redirection has implications for encrypted files that are located in redirected folders.
    Files redirected to a server can be encrypted by Encrypting File System (EFS) only if an administrator has designated the remote server as trusted for delegation. Administrators can establish a service or computer as trusted for delegation to allow that service or computer to complete delegated authentication, receive a ticket for the user who makes the request, and then access information for that user.
    Encrypted files are decrypted before being transmitted over the network. File encryption only protects the files while they reside on the disk.

Do not rely on EFS to encrypt users' files when transmitted over the network
  When using the Encrypting File System (EFS) to encrypt files on a remote server, encrypted data is not encrypted when in transit over the network, but only when stored on disk.
The exceptions to this are when your system includes Internet Protocol security (IPSec) or Web Distributed Authoring and Versioning (WebDAV). IPSec encrypts data while it is transported over a TCP/IP network. If the file is encrypted before being copied or moved to a WebDAV folder on a server, it will remain encrypted during the transmission and while it is stored on the server.
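Rich's two suggestions in this thread, normalization (storing each duplicate file once with a record of which users hold it) and scripting 7-Zip for compression plus password-based encryption, as one added Python example that is not part of the thread or of any product mentioned in it. It assumes a `7z` binary (7-Zip on Windows, p7zip on a Linux NAS) on PATH and a password file kept outside the backed-up tree and readable only by the backup account; the three-user tree built by `demo()` is constructed sample data. The 7-Zip switches used (`-t7z`, `-mhe=on`, `-mx`, `-ssw`, `-p`) are real; note that a `-p` password is visible in the process list while `7z` runs, which is tolerable on a dedicated backup host and an assumption to revisit elsewhere.

```python
"""Added example (not from the thread): nightly NAS-to-server backup that
(1) normalises user data, storing each distinct file once plus the list of
users who hold it, and (2) packs the result with 7-Zip using AES-256 and
encrypted headers, so the secret is a password kept apart from the data
rather than a key living in the user's profile as with EFS."""
import hashlib
import json
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

SEVENZIP = "7z"   # assumption: 7-Zip (Windows) or p7zip (NAS/Linux) CLI on PATH


def sha256_of(path: Path) -> str:
    """Content hash used as the object name; identical files collide on purpose."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_store(user_root: Path, store: Path) -> dict:
    """Copy every distinct file under user_root/<user>/... once into
    store/objects/<sha256> and write store/manifest.json mapping each hash
    to its size and the (user, relative path) pairs that own it."""
    objects = store / "objects"
    objects.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for user_dir in sorted(p for p in user_root.iterdir() if p.is_dir()):
        for path in sorted(p for p in user_dir.rglob("*") if p.is_file()):
            digest = sha256_of(path)
            entry = manifest.setdefault(digest, {"size": path.stat().st_size, "owners": []})
            entry["owners"].append([user_dir.name, path.relative_to(user_dir).as_posix()])
            target = objects / digest
            if not target.exists():      # 2nd, 3rd... copies cost only a manifest line
                shutil.copy2(path, target)
    (store / "manifest.json").write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def dedup_stats(manifest: dict) -> dict:
    """Bytes the users hold versus bytes actually stored and shipped over the VPN."""
    logical = sum(e["size"] * len(e["owners"]) for e in manifest.values())
    stored = sum(e["size"] for e in manifest.values())
    return {"distinct_files": len(manifest), "logical_bytes": logical, "stored_bytes": stored}


def load_password(secret_file: Path) -> str:
    """The archive password lives outside the backed-up tree. On POSIX refuse a
    group/world-readable file; on Windows the NTFS ACL must do that job (not checked here)."""
    if os.name != "nt" and secret_file.stat().st_mode & 0o077:
        raise PermissionError(f"{secret_file} must be readable only by the backup account")
    return secret_file.read_text().strip()


def sevenzip_cmd(archive, store, password: str) -> list:
    """7-Zip switches: -t7z (7z format, AES-256), -mhe=on also encrypts the file
    list, -mx=5 normal compression, -ssw include files open for writing, -p password."""
    return [SEVENZIP, "a", "-t7z", "-mhe=on", "-mx=5", "-ssw", f"-p{password}",
            str(archive), str(store)]


def sevenzip_test_cmd(archive, password: str) -> list:
    """'7z t' verifies the archive before the NAS copy is trusted for the night."""
    return [SEVENZIP, "t", f"-p{password}", str(archive)]


def pack(store: Path, archive: Path, password: str) -> None:
    subprocess.run(sevenzip_cmd(archive, store, password), check=True, stdout=subprocess.DEVNULL)
    subprocess.run(sevenzip_test_cmd(archive, password), check=True, stdout=subprocess.DEVNULL)


def demo() -> dict:
    """Constructed sample: three users hold the boss's slides, one also has a unique memo."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "nas"
        for user in ("alice", "bob", "carol"):
            (root / user).mkdir(parents=True)
            (root / user / "slides.ppt").write_bytes(b"QUARTERLY RESULTS " * 1024)  # 18432 bytes
        (root / "alice" / "memo.txt").write_bytes(b"lunch at noon\n")               # 14 bytes
        store = Path(tmp) / "store"
        manifest = build_store(root, store)
        stats = dedup_stats(manifest)
        stats["objects_on_disk"] = len(list((store / "objects").iterdir()))
        stats["slides_owners"] = max(len(e["owners"]) for e in manifest.values())
        return stats


if __name__ == "__main__":
    print(demo())   # in production: build_store(nas_share, staging); pack(staging, out, load_password(pw_file))
```

For the real run, point `build_store` at the NAS share root, then call `pack` with the archive destination on the main server and the password from `load_password`; the manifest inside the archive is what lets a restore put each user's copy back.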

Thanks for the advice. I think I just need to find a NAS that offers encryption.
Rich Rumble
