Solved

Looking for an encryption solution

Posted on 2014-01-07
Last Modified: 2016-11-23
Greetings,
We have a client who has a Server 2008 R2 box acting as DC and Exchange server as well as a 2003 Terminal Server which we will be replacing soon with a 2012 RDS server.  There are approximately 20 workstations, and about 5 of them are laptops.  All have been replaced within the last year and are Windows 7 Pro machines - all Dell hardware.

The customer has approached us with security concerns.  They want to, in their words, "encrypt all the workstations".  They originally wanted to encrypt the server as well but after talking to them, we learned they really only need one share/volume encrypted on the server (it is a requirement for some data from a 3rd party they work with).  Personally, I think all of this is way overkill with the exception of the laptops and the share/volume on the server - I understand the need for security there.  

I have used TrueCrypt and Bitlocker briefly in the past, but I'm not sure either of these options would really work for us.  Bitlocker is an option for the laptops but would require upgrading to Ultimate, and I haven't heard many good things about TrueCrypt.  I did set up a Bitlocker-encrypted partition on the server and shared it out, but if the server is rebooted it needs to be "unlocked" from the server which I don't think would work too well for them.  Does anyone have any suggestions?  A solution which could be AD-integrated would be ideal.  The best solution would be seamless, as users don't want to have to remember an additional password and we are concerned about data recovery should a system fail or other circumstances.  We also don't want noticeable performance degradation.

In summary, we are looking for a solution or solutions which will allow a share on the server to be encrypted to store sensitive information, as well as a solution for the workstations (specifically the laptops - not convinced the desktops need it, feel free to convince me otherwise) which will provide data security in case a machine is lost or stolen BUT will allow for data recovery should hardware fail.  Suggestions are much appreciated.
Question by:SundanceRyan
15 Comments
 
LVL 34

Accepted Solution

by:
Dan Craciun earned 167 total points
ID: 39764315
Have you asked your clients what they are trying to achieve? Protection against what?
Is the server in danger of being stolen? Because in that case an alarm system would be a better choice.
And if they worry about being compromised remotely, encryption won't help, as it's completely transparent to the OS. In other words, once you're in Windows and you've mounted the encrypted partition, it's as if the HDD is not encrypted.
If they worry about hardware being confiscated by the authorities, in most countries they'll be legally forced to give up the encryption key anyway.

Plus, recovery from an encrypted and failing hdd is not likely. But that is not a problem, since you have backups anyway. Which backups are independent of the encryption scheme used.

So yes, for laptops it might be a good idea to encrypt the data. Another good idea is to not keep data on the laptops, and instead use a VPN/RDP solution to remote into TS or a local station.

PS: I've been using TrueCrypt for years (I use it to encrypt portable hdds, which are easy to lose), with no issues whatsoever (apart from forgotten passwords).

HTH,
Dan
LVL 1

Author Comment

by:SundanceRyan
ID: 39764331
Dan,
Thank you for the response.  You hit on exactly what we've been trying to explain to them.

I did some more planning and research tonight and we may go with a Synology NAS with hardware encryption for the 3rd party data that needs to be encrypted.  The laptops will use TrueCrypt or Bitlocker and use full-disk encryption.

I'll leave this topic open for a few days in case anyone else has input.
LVL 23

Expert Comment

by:Dirk Kotte
ID: 39764415
Windows 7 Pro enables BitLocker also!
So BitLocker is the simplest way to secure the mobile devices.
At the server we use SafeGuard from Sophos (originally Utimaco).
Works AD integrated and has a workstation option also.
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 167 total points
ID: 39764609
TrueCrypt is currently being more formally evaluated, but nobody has managed to poke any holes in it yet (it's one of those open source things that seems too good to be true :)

Downside of Truecrypt is recoverability, but you can work around that easily enough by pre-installing each laptop with a known, common key, making a recovery disk iso (which you then store securely on the server with an offsite backup) then changing the password to a unique one per laptop.

TC on laptops is a very good idea, and given the low number of them, a more formal enterprise class key/unlock management solution is an unnecessary expense (plus of course, any closed-source American ones should be presumed compromised now :)
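Added example, not from the original thread or from any of the posters: the BitLocker equivalent of what Dirk suggests for the laptops and of Dave's "known recovery key stored on the server" workflow, done with manage-bde.exe, which ships with Windows 7 Ultimate/Enterprise and Server 2008 R2 (Windows 7 Pro has no BitLocker at all, and the Enable-BitLocker PowerShell cmdlets only arrived with Windows 8 / Server 2012). It also covers the server problem from the question, the shared volume that has to be unlocked by hand after every reboot. Everything below that is not on the page is an assumption: a TPM in the machine, C: as the OS volume, D: as the shared data volume, a 2008 R2 domain (whose schema already carries the msFVE-RecoveryInformation class), the GPO "Store BitLocker recovery information in Active Directory Domain Services" enabled, and an elevated PowerShell session.

```powershell
# Added example (not from the original thread). BitLocker via manage-bde.exe
# on Windows 7 Ultimate/Enterprise or Server 2008 R2, with the recovery
# password escrowed to AD instead of a rescue ISO kept on the server.
# Assumptions not stated on the page: TPM present, OS volume C:, shared data
# volume D:, AD escrow GPO enabled, elevated PowerShell.

# Server 2008 R2 only: BitLocker is an optional feature there (reboot needed).
Import-Module ServerManager
Add-WindowsFeature BitLocker

# Returns the ID of the numerical (48-digit) recovery password protector on a
# volume, parsed from "manage-bde -protectors -get" output. This is the one
# protector worth escrowing: it survives a dead TPM, a dead motherboard, or
# the disk being moved to another chassis, i.e. the "hardware fails" case.
function Get-RecoveryPasswordId([string]$Volume) {
    $text = (manage-bde -protectors -get $Volume) -join "`n"
    $m = [regex]::Match($text, 'Numerical Password:\s*ID:\s*(\{[^}]+\})')
    if (-not $m.Success) { throw "No recovery password protector on $Volume" }
    return $m.Groups[1].Value
}

# Escrow one protector to the computer object in AD. With the GPO enabled this
# happens automatically when the protector is created; the explicit call is
# for volumes that were encrypted before the GPO existed.
function Backup-RecoveryPasswordToAD([string]$Volume) {
    $id = Get-RecoveryPasswordId $Volume
    manage-bde -protectors -adbackup $Volume -id $id
}

# --- 1. OS volume (laptop or server). The TPM releases the key at boot, so
# users type no extra password; the recovery password is only for recovery.
manage-bde -protectors -add C: -TPM
manage-bde -protectors -add C: -RecoveryPassword
Backup-RecoveryPasswordToAD C:
# Drop -SkipHardwareTest to let BitLocker prove the TPM can release the key
# on one reboot before it starts encrypting.
manage-bde -on C: -SkipHardwareTest

# --- 2. Shared data volume on the server. Auto-unlock stores D:'s key on the
# now-protected C: volume, so D: comes back after a reboot without anyone
# unlocking it. BitLocker refuses auto-unlock while the OS volume is
# unencrypted, which is why step 1 comes first. Once mounted, the share is
# plaintext to every account that can reach it over SMB: this is protection
# of the disk at rest, nothing more.
manage-bde -protectors -add D: -RecoveryPassword
Backup-RecoveryPasswordToAD D:
manage-bde -on D:
manage-bde -autounlock -enable D:

# --- 3. Read the escrowed passwords back from the DC. Test this before
# trusting the scheme for recovery; run on the DC or a box with RSAT.
function Get-EscrowedRecoveryPasswords([string]$ComputerName) {
    Import-Module ActiveDirectory
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $dn -SearchScope OneLevel `
        -Properties whenCreated, 'msFVE-RecoveryPassword' |
        Select-Object whenCreated, Name, 'msFVE-RecoveryPassword'
}

# --- 4. Recovery: disk pulled from a dead laptop and attached to another
# Windows machine that has BitLocker. It shows up locked (here as E:);
# unlock it with the escrowed 48-digit password (placeholder value) and
# copy the data off.
# manage-bde -unlock E: -RecoveryPassword 111111-222222-333333-444444-555555-666666-777777-888888

# --- 5. Audit: Windows 7 computer objects with no escrowed key yet.
function Get-ComputersWithoutEscrow {
    Import-Module ActiveDirectory
    Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*"' -Properties OperatingSystem |
        Where-Object {
            -not (Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                    -SearchBase $_.DistinguishedName -SearchScope OneLevel)
        } | Select-Object Name, OperatingSystem
}
```

The two things to check after running this are that Get-EscrowedRecoveryPasswords actually returns a password for each volume (if it is empty, the escrow GPO is not applying and a lost TPM means lost data) and that the Backup-RecoveryPasswordToAD call was made before -on, since a volume whose only protector is an unescrowed recovery password is exactly the unrecoverable case the question worries about. The same commands work on the upcoming 2012 RDS server, where the Enable-BitLocker / Enable-BitLockerAutoUnlock cmdlets are an alternative.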
LVL 1

Author Comment

by:SundanceRyan
ID: 39764902
Thanks for the input dkotte and DaveHowe.

Dkotte, you are incorrect about Win7 Pro and BitLocker; it's one of the differences between 7 Pro and Ultimate.  BitLocker is only available on Ultimate (and Enterprise) versions of Windows 7.

DaveHowe:  That's a good idea.  I think documentation is going to be key with whatever we do.  Do you notice a significant performance loss with full disk encryption with truecrypt?  I only used it to encrypt a volume on my computer.
LVL 33

Expert Comment

by:Dave Howe
ID: 39764958
I have noticed almost none. In all cases, the bottleneck is the disk drive spindle speed, not the truecrypt (YMMV of course; I use a single layer of AES encryption, if you double or triple that, there would be significant overhead from the crypto moving large files, but again, a modern laptop should be at least dual core and not really need to care so much)
LVL 23

Expert Comment

by:Dirk Kotte
ID: 39764960
Sorry, mistook Pro and Enterprise.
LVL 54

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 39765532
Hi.

"we may go with a Synology NAS with hardware encryption for the 3rd party data that needs to be encrypted" - what would that mean, who would unlock that NAS? Please tell us the exact model number you are looking at.
LVL 33

Expert Comment

by:Dave Howe
ID: 39765568
That's actually a good question - last time I looked at Synology, they were using eCryptFS (a software solution similar to TrueCrypt) and had no hardware solution at all....
LVL 1

Author Comment

by:SundanceRyan
ID: 39765968
LVL 54

Expert Comment

by:McKnife
ID: 39766069
Your device auto-mounts the encrypted container. That is never secure and can be circumvented - if, yes if, the attacker knows what he is doing.
So you should tell us how important it is for you, to get the best out of it.
LVL 1

Author Comment

by:SundanceRyan
ID: 39766851
I'm looking for a method to encrypt shared data that is also easy and as seamless as possible for the end users.  I understand auto mounting isn't as secure, but I also don't want to be getting tons of calls because users can't access their data.
LVL 54

Expert Comment

by:McKnife
ID: 39766861
I had not tried to talk you out of it, yet. We just need to know if you have to fulfill some requirement or if it's just good will. For good will, the NAS encryption can be seen as sufficient.
LVL 1

Author Closing Comment

by:SundanceRyan
ID: 39767001
Thanks for all the input - I divided points among all who contributed.
LVL 33

Expert Comment

by:Dave Howe
ID: 39767383
yeah. Even EFS will meet a customer requirement of "the data must be encrypted" without actually having to provide any protection for the data :)