Solved

Looking for an encryption solution

Posted on 2014-01-07
432 Views
Last Modified: 2016-11-23
Greetings,
We have a client who has a Server 2008 R2 box acting as DC and Exchange server as well as a 2003 Terminal Server which we will be replacing soon with a 2012 RDS server.  There are approximately 20 workstations, and about 5 of them are laptops.  All have been replaced within the last year and are Windows 7 Pro machines - all Dell hardware.

The customer has approached us with security concerns.  They want to, in their words, "encrypt all the workstations".  They originally wanted to encrypt the server as well but after talking to them, we learned they really only need one share/volume encrypted on the server (it is a requirement for some data from a 3rd party they work with).  Personally, I think all of this is way overkill with the exception of the laptops and the share/volume on the server - I understand the need for security there.  

I have used TrueCrypt and Bitlocker briefly in the past, but I'm not sure either of these options would really work for us.  Bitlocker is an option for the laptops but would require upgrading to Ultimate, and I haven't heard many good things about TrueCrypt.  I did set up a Bitlocker-encrypted partition on the server and shared it out, but if the server is rebooted it needs to be "unlocked" from the server which I don't think would work too well for them.  Does anyone have any suggestions?  A solution which could be AD-integrated would be ideal.  The best solution would be seamless, as users don't want to have to remember an additional password and we are concerned about data recovery should a system fail or other circumstances.  We also don't want noticeable performance degradation.

In summary, we are looking for a solution or solutions which will allow a share on the server to be encrypted to store sensitive information, as well as a solution for the workstations (specifically the laptops - not convinced the desktops need it, feel free to convince me otherwise) which will provide data security in case a machine is lost or stolen BUT will allow for data recovery should hardware fail.  Suggestions are much appreciated.
Question by:SundanceRyan
15 Comments
 
LVL 34

Accepted Solution

by: Dan Craciun (earned 167 total points)
Have you asked your clients what are they trying to achieve? Protection against what?
Is the server in danger of being stolen? Cause in that case an alarm system would be a better choice.
And if they worry about being compromised remotely, encryption won't help, as it's completely transparent to the OS. In other words, once you're in Windows and you mounted the encrypted partition, it's as if the hdd is not encrypted.
If they worry about hardware being confiscated by the authorities, in most countries they'll be legally forced to give up the encryption key anyway.

Plus, recovery from an encrypted and failing hdd is not likely. But that is not a problem, since you have backups anyway. Which backups are independent of the encryption scheme used.

So yes, for laptops it might be a good idea to encrypt the data. Another good idea is to not keep data on the laptops, and instead use a VPN/RDP solution to remote into TS or a local station.

PS: I've been using TrueCrypt for years (I use it to encrypt portable hdds, which are easy to lose), with no issues whatsoever (apart from forgotten passwords).

HTH,
Dan
 
LVL 1

Author Comment

by:SundanceRyan
Dan,
Thank you for the response.  You hit on exactly what we've been trying to explain to them.

I did some more planning and research tonight and we may go with a Synology NAS with hardware encryption for the 3rd party data that needs to be encrypted.  The laptops will use TrueCrypt or Bitlocker and use full-disk encryption.

I'll leave this topic open for a few days in case anyone else has input.
 
LVL 23

Expert Comment

by:Dirk Kotte
Windows 7 Pro enables BitLocker also!
So BitLocker is the simplest way to secure the mobile devices.
At the server we use SafeGuard from Sophos (originally Utimaco).
Works AD-integrated and has a workstation option also.
 
LVL 33

Assisted Solution

by: Dave Howe (earned 167 total points)
TrueCrypt is currently being more formally evaluated, but nobody has managed to poke any holes in it yet (it's one of those open source things that seems too good to be true :)

Downside of Truecrypt is recoverability, but you can work around that easily enough by pre-installing each laptop with a known, common key, making a recovery disk iso (which you then store securely on the server with an offsite backup) then changing the password to a unique one per laptop.

TC on laptops is a very good idea, and given the low number of them, a more formal enterprise class key/unlock management solution is an unnecessary expense (plus of course, any closed-source American ones should be presumed compromised now :)
 
LVL 1

Author Comment

by:SundanceRyan
Thanks for the input dkotte and DaveHowe.

Dkotte, you are incorrect about Win7 Pro and Bitlocker; it's one of the differences between 7 Pro and Ultimate.  Bitlocker is only available on Ultimate (and Enterprise) versions of Windows 7.

DaveHowe:  That's a good idea.  I think documentation is going to be key with whatever we do.  Do you notice a significant performance loss with full disk encryption with truecrypt?  I only used it to encrypt a volume on my computer.
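The thread leaves two practical points hanging: which Windows 7 editions actually ship BitLocker, and how to satisfy the original requirement that a lost laptop is protected while a failed one can still be recovered without users remembering another password. The script below is an added example written for this page, not something posted by anyone in the thread. It uses the built-in `manage-bde.exe` tool and the WMI `Win32_OperatingSystem.OperatingSystemSKU` value (1 = Ultimate, 4 = Enterprise, 48 = Professional) to refuse to run on Pro, then protects the OS drive with a TPM protector for transparent unlock plus a numerical recovery password that is escrowed to Active Directory. It assumes (these are assumptions, not facts from the thread) that the laptop is domain-joined, has a TPM, runs the script elevated, and that the group policy which stores BitLocker recovery information in AD DS is already applied.

```powershell
# Added example, not from the thread. Enable BitLocker on a Windows 7 laptop's OS drive
# with (a) a TPM protector so users unlock transparently and (b) a recovery password
# escrowed in Active Directory so admins can recover data if the hardware fails.
# Assumed: domain-joined machine with a TPM, elevated shell, and the GPO
# "Store BitLocker recovery information in AD DS" in effect.

param([string]$Drive = $env:SystemDrive)   # e.g. "C:"

# OperatingSystemSKU for Windows 7: 1 = Ultimate, 4 = Enterprise, 48 = Professional.
# Only Ultimate and Enterprise include BitLocker.
$os  = Get-WmiObject -Class Win32_OperatingSystem
$sku = [int]$os.OperatingSystemSKU
if (@(1, 4) -notcontains $sku) {
    Write-Warning ("{0} (SKU {1}) does not include BitLocker; Ultimate or Enterprise is required." -f $os.Caption, $sku)
    return
}

# Read the drive's current state from 'manage-bde -status'.
$status = & manage-bde.exe -status $Drive
if ($LASTEXITCODE -ne 0) { throw "manage-bde -status failed for $Drive" }
$convLine   = $status | Where-Object { $_ -match 'Conversion Status:' } | Select-Object -First 1
$conversion = if ($convLine) { ($convLine -replace '.*Conversion Status:\s*', '').Trim() } else { 'Unknown' }
Write-Host "$Drive conversion status: $conversion"

if ($conversion -ne 'Fully Decrypted') {
    Write-Host "BitLocker is already enabled or in progress on $Drive; nothing to do."
    return
}

# 1. TPM protector: the drive unlocks at boot without a user password (the "seamless"
#    requirement), while a drive pulled from the laptop stays unreadable.
& manage-bde.exe -protectors -add $Drive -TPM
if ($LASTEXITCODE -ne 0) { throw "Could not add TPM protector; is a TPM present and initialised?" }

# 2. Numerical recovery password. manage-bde prints the protector ID as a GUID in braces;
#    capture it so the next step can reference exactly this protector.
$addOut = & manage-bde.exe -protectors -add $Drive -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "Could not add recovery password protector" }
$protectorId = ($addOut | Select-String -Pattern '\{[0-9A-Fa-f\-]{36}\}' | Select-Object -First 1).Matches[0].Value

# 3. Escrow the recovery password in AD DS (stored under the computer account), which
#    covers the data-recovery concern without anyone writing the password down.
& manage-bde.exe -protectors -adbackup $Drive -id $protectorId
if ($LASTEXITCODE -ne 0) { throw "AD backup of protector $protectorId failed; check the BitLocker GPO and AD schema" }

# 4. Start encryption. -SkipHardwareTest avoids the extra reboot for the TPM self-test.
& manage-bde.exe -on $Drive -SkipHardwareTest
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed for $Drive" }

Write-Host "BitLocker enabled on $Drive; recovery password $protectorId backed up to AD."
```

Run it once per laptop from an elevated prompt (`.\Enable-LaptopBitLocker.ps1 -Drive C:`, a hypothetical file name). The order matters: the recovery password is escrowed before `-on` so there is never a window where the drive is encrypting with no recoverable key. Verifying the escrow afterwards (the recovery password object appears as a child of the computer account in Active Directory Users and Computers once the BitLocker Recovery tab is installed) is the step that actually answers the "what if the hardware fails" question.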
 
LVL 33

Expert Comment

by:Dave Howe
I have noticed almost none. In all cases, the bottleneck is the disk drive spindle speed, not the truecrypt (YMMV of course; I use a single layer of AES encryption, if you double or triple that, there would be significant overhead from the crypto moving large files, but again, a modern laptop should be at least dual core and not really need to care so much)
 
LVL 23

Expert Comment

by:Dirk Kotte
Sorry, mistook Pro and Enterprise.
 
LVL 53

Assisted Solution

by: McKnife (earned 166 total points)
Hi.

> we may go with a Synology NAS with hardware encryption for the 3rd party data that needs to be encrypted

What would that mean, who would unlock that NAS? Please tell us the exact model number you are looking at.
 
LVL 33

Expert Comment

by:Dave Howe
That's actually a good question - last time I looked at Synology, they were using eCryptfs (a software solution similar to TrueCrypt) and had no hardware solution at all....
 
LVL 1

Author Comment

by:SundanceRyan
 
LVL 53

Expert Comment

by:McKnife
Your device auto-mounts the encrypted container. That is never secure and can be circumvented - if, yes if, the attacker knows what he is doing.
So you should tell us how important it is for you to get the best out of it.
 
LVL 1

Author Comment

by:SundanceRyan
I'm looking for a method to encrypt shared data that is also easy and as seamless as possible for the end users.  I understand auto mounting isn't as secure, but I also don't want to be getting tons of calls because users can't access their data.
 
LVL 53

Expert Comment

by:McKnife
I had not tried to talk you out of it, yet. We just need to know if you have to fulfill some requirement or if it's just good will. For good will, the NAS encryption can be seen as sufficient.
 
LVL 1

Author Closing Comment

by:SundanceRyan
Thanks for all the input - I divided points among all who contributed.
 
LVL 33

Expert Comment

by:Dave Howe
yeah. Even EFS will meet a customer requirement of "the data must be encrypted" without actually having to provide any protection for the data :)