  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 386
  • Last Modified:

Encrypting specific shares on Server 2008 file server?

Does anyone have a rundown or some good favorites saved on configuring data encryption on a Windows file server share that's accessed by entire departments?
Asked by Ben Hart
1 Solution
 
McKnife commented:
Hi.

If I may ask: why would you want to configure certain shares and not the entire partition?
Secondly: are you familiar with bitlocker and EFS and know the difference of both?
3rd: do you know what you are protected against and what not if you use each of those?
 
Ben Hart (Author) commented:
1st: Because some data is going to be deemed sensitive, and per our parent company, in the near future sensitive data must be encrypted.
2nd: BitLocker encrypts an OS drive/volume only. EFS does whatever you tell it to, yes?
3rd: I assumed both protected against theft, but BitLocker is not protecting anything when the machine is powered up and the user enters the passcode, correct?
 
McKnife commented:
1. Hmm, the question is not answered. I asked because I would recommend encrypting the whole partition. That would be a lot easier unless you need EFS features, which leads us to 2.
2. Correct on BitLocker. EFS is meant to encrypt things per user, not per machine like BitLocker. Is that needed? Do you need different access levels at the shares?
3. EFS does not protect against theft if a recovery agent comes along. See http://technet.microsoft.com/en-us/library/cc512680.aspx
"By default, the data recovery agent is defined to be the administrator account. On stand-alone workstations and workgroup machines, the administrator account is the local administrator; on domain-joined machines, the administrator account is the first domain controller's administrator account."
So if someone gets the credentials of a recovery agent along with your machine, he can undo EFS's protection.
But the real reason I asked number three is that many people don't get the difference between protection at rest (server shut down) and protection of data in transit. While on the network, the files are open (not decrypted, but unlocked) to local server users, and while being transferred through the network, they are not encrypted.
 
Ben Hart (Author) commented:
Maybe further explaining what we're looking for might help? Like I said earlier, our parent company wants us to designate critical data as important enough to be encrypted. That will be worked out with the department heads; however, I do not know the best way of going about doing this, whether a 3rd-party appliance or software, or using EFS/BitLocker. The data shares will most likely be accessed by folks from multiple departments, so being able to designate access based on group membership will be advantageous. But, quite obviously, I'd like to implement something with the least amount of admin overhead, and being able to recover/decrypt these files with a specific recovery agent or specified domain account is required.

Another part of this project will be looking towards encrypting the entire drives of mobile users, but that's for another thread.
 
McKnife commented:
"The data shares will most likely be accessed by folks from multiple departments so being able to designate access based on group membership will be advantageous." - this can be done using NTFS permissions alone.
I recommend using BitLocker. The key could be provided by a TPM chip if your server has one (enterprise-level servers often do; some need to upgrade their hardware with one to use it). Or, without a TPM, you would need to enter that key manually at server start ("no...", I can hear you say ;), or use a script that reads it from a network share on a physically secured computer.
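Added example (not from the thread or either poster): the whole-volume BitLocker setup McKnife recommends, as typed in an elevated prompt on a Server 2008 R2 file server with a TPM. C: as the OS volume, D: as the volume holding the department shares, and the escrow share path are assumptions.

```powershell
# Added example, not from the thread. Assumes Server 2008 R2 (manage-bde.exe);
# on Server 2008 (non-R2) run "cscript manage-bde.wsf" in its place.
# Assumed layout: C: = OS volume, D: = volume with the department shares.

# 0. Install the BitLocker feature (a reboot is required afterwards).
Import-Module ServerManager
Add-WindowsFeature BitLocker

# 1. OS volume. The TPM releases the volume key at boot, so nobody has to
#    type a key after a restart. The numerical recovery password is the
#    fallback the thread asks for; record it somewhere other than this
#    server, because it undoes the protection just like an EFS recovery agent.
manage-bde -protectors -add C: -tpm
manage-bde -on C: -recoverypassword
# Escrow the protector list (including the 48-digit recovery password);
# the UNC path below is an assumed share on a physically secured host.
manage-bde -protectors -get C: > \\secure-admin-host\bitlocker-escrow\fs01-C.txt

# 2. Data volume with the shares. Data volumes cannot use the TPM directly;
#    instead the auto-unlock key is kept on the (now encrypted) OS volume,
#    so D: only unlocks after the TPM has released the OS volume.
manage-bde -on D: -recoverypassword
manage-bde -autounlock -enable D:
manage-bde -protectors -get D: > \\secure-admin-host\bitlocker-escrow\fs01-D.txt

# 3. Check progress; both volumes should end at "Protection On".
#    Note what this buys: the disks are unreadable if the server is stolen
#    powered off. Once booted, files on the shares are served in the clear
#    to anyone NTFS permissions allow, and SMB traffic is not encrypted.
manage-bde -status
```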
 
Ben Hart (Author) commented:
NTFS perms have nothing to do with encryption though, unless I'm not getting what you mean entirely. I know what NTFS security is, and that's not what we're looking to do here; we are looking specifically at encryption. I just meant to say that these encrypted folders (shares) will not be accessed by the entire company. Now, if who is accessing what has no bearing on encryption, then we can ignore that part; I only mention it because I noticed that with EFS you can specify individual users but not groups.

Now, in addition to this, before the end of this year we *should* be getting a NetApp at that site, so the data would be migrated off the individual Windows servers and onto the filer. I realize that will change the entire way the encryption is obtained and administered. I just want to give you the full picture.
 
McKnife commented:
The end of the year is quite close, so drop BitLocker and let's look at what you can do on your NetApp. I guess it will feature some kind of built-in encryption, but you should name the model you are going to buy and then I could do a short investigation.
 
Ben Hart (Author) commented:
FAS2552 is what we've got specced and quoted.

However, I will still need to focus on BitLocker for Windows laptops, which probably means I need to generate a new question thread.
 
McKnife commented:
Yes, generate a new thread; I'll be with you. We have our whole domain BitLockered.
As for the NetApp, I'll look at the model soon.
 
Ben Hart (Author) commented:
Awesome, much obliged.
 
Ben Hart (Author) commented:
I've requested that this question be deleted for the following reason:

After conversing with McKnife, it seems my original question is null.
 
McKnife commented:
Hm, I would have kept this one open. It was about the server side of the concept. Should I object in order to cancel the closure?
 
David Johnson, CD, MVP (Owner) commented:
McKnife gave valuable information.