Solved

Encrypting specific shares on Server 2008 file server?

Posted on 2014-09-24
376 Views
Last Modified: 2014-09-25
Does anyone have a rundown or some good favorites saved on configuring data encryption on a Windows file server share that's accessed by entire departments?
Question by:Ben Hart
13 Comments
 
LVL 55

Expert Comment

by:McKnife
ID: 40341947
Hi.

If I may ask: why would you want to configure certain shares and not the entire partition?
Secondly: are you familiar with bitlocker and EFS and know the difference of both?
3rd: do you know what you are protected against and what not if you use each of those?
 
LVL 14

Author Comment

by:Ben Hart
ID: 40341958
1st: Because some data is going to be deemed sensitive, and per our parent company in the near future sensitive data must be encrypted.
2nd: Bitlocker encrypts an OS drive/volume only.  EFS does whatever you tell it to yes?
3rd: I assumed both protected against theft.. but BitLocker is not protecting anything when the machine is powered up and the user enters the passcode, correct?
 
LVL 55

Expert Comment

by:McKnife
ID: 40341998
1. Hmm, the question is not answered. I asked because I would recommend encrypting the whole partition. That would be a lot easier unless you need EFS features, which leads us to 2.
2. Correct on BitLocker. EFS is meant to encrypt things per user and not, like BitLocker, per machine. Is that needed? Do you need different access levels at the shares?
3. EFS does not protect against theft if a recovery agent comes along. See http://technet.microsoft.com/en-us/library/cc512680.aspx
By default, the data recovery agent is defined to be the administrator account. On stand-alone workstations and workgroup machines, the administrator account is the local administrator; on domain-joined machines, the administrator account is the first domain controller’s administrator account.
So if someone gets the credentials of a recovery agent along with your machine, he can undo EFS' protection.
But why I really asked number three is because many people don't get the difference between protection at rest (server shut down) and protection of data in transit. While on the network, the files are open (not decrypted but unlocked) to local server users and while being transferred through the network, they are not encrypted.
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342019
Maybe further explaining what we're looking for might help? Like I said earlier, our parent company wants us to designate critical data as important enough to be encrypted. That will be worked out with the department heads. However, I do not know the best way of going about doing this, whether a 3rd-party appliance or software, or using EFS/BL. The data shares will most likely be accessed by folks from multiple departments, so being able to designate access based on group membership will be advantageous. But, quite obviously, I'd like to implement something with the least amount of admin overhead, and being able to recover/decrypt these files with a specific recovery agent or specified domain account is required.

Another part of this project will be looking towards encrypting the entire drives of mobile users.. but that's for another thread.
 
LVL 55

Expert Comment

by:McKnife
ID: 40342081
"The data shares will most likely be access by folks from multiple departments so being able to designate access based on group membership will be advantageous." - this can be done using NTFS permissions alone.
I recommend using BitLocker. The key could be provided by a TPM chip if your server features one (enterprise-level servers often do; some need to upgrade their hardware with one to use it). Or, without a TPM, you would need to enter that key manually at server start ("no...", I can hear you say ;) or use a script that reads it from a network share on a physically secured computer.
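As an added worked example (not code from the thread, and not a Microsoft script), here is the server-side setup McKnife sketches, as one PowerShell script: BitLocker on the data volume with a recovery password escrowed in AD DS (the "specified domain account" recovery path asked for above), auto-unlock from the TPM-protected OS volume when the server has a usable TPM, an external key file on a physically secured server when it does not, and group-based access through NTFS and share permissions. It assumes Windows Server 2008 R2 or later (manage-bde.exe; Server 2008 RTM ships the same tool as manage-bde.wsf run through cscript), an elevated prompt on the file server, a domain already configured to store BitLocker recovery information, and C: already BitLocker-protected. The CORP domain, the Finance-RW and Finance-RO groups, the D:\Finance path and the \\KEYSRV01 key server are made-up names.

```powershell
# Added example, not code from the thread. Data-volume BitLocker with manage-bde.exe plus
# group-based NTFS and share permissions. Assumptions (illustrative): Server 2008 R2 or
# later (Server 2008 RTM: "cscript manage-bde.wsf"), elevated prompt on the file server,
# AD DS configured to store BitLocker recovery information, C: already BitLocker-protected
# so D: can auto-unlock from it; domain, groups, paths and key server are made up.
param(
    [string]$DataVolume = 'D:',
    [string]$SharePath  = 'D:\Finance',
    [string]$ShareName  = 'Finance$',
    [string[]]$ReadWriteGroups = @('CORP\Finance-RW'),
    [string[]]$ReadOnlyGroups  = @('CORP\Finance-RO'),
    [string]$KeyServerShare    = '\\KEYSRV01\BitLockerKeys$'   # physically secured host, no-TPM path
)
$ErrorActionPreference = 'Stop'

function Test-TpmUsable {
    # Win32_Tpm is absent when the server has no TPM or it is disabled in firmware.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) { return $false }
    return [bool]($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated)
}

function Get-NumericalPasswordProtectorId {
    param([string]$Volume)
    # Parse "manage-bde -protectors -get": the ID line that follows "Numerical Password:".
    $seen = $false
    foreach ($line in (& manage-bde.exe -protectors -get $Volume)) {
        if ($line -match 'Numerical Password:') { $seen = $true; continue }
        if ($seen -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') { return $Matches[1] }
    }
    throw "No numerical password protector on $Volume"
}

function Protect-DataVolume {
    param([string]$Volume)
    # Turn BitLocker on with a 48-digit recovery password. Capture the output instead of
    # echoing the password into the console log.
    $onOutput = & manage-bde.exe -on $Volume -RecoveryPassword
    if ($LASTEXITCODE -ne 0) { throw ($onOutput -join "`n") }
    # Escrow the password on the computer object in AD DS: the "specified domain account"
    # recovery path from the question, readable by whoever is delegated rights to it.
    $id = Get-NumericalPasswordProtectorId -Volume $Volume
    & manage-bde.exe -protectors -adbackup $Volume -id $id | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Failure mode: do not carry on silently, or the only copy of the password is gone.
        Write-Warning "AD backup failed for $Volume; record this recovery password now:"
        $onOutput | Where-Object { $_ -match '^\s*\d{6}-\d{6}' }
    }
}

function Enable-Unlock {
    param([string]$Volume, [string]$KeyShare)
    if (Test-TpmUsable) {
        # The key comes via the TPM-protected OS volume: D: unlocks by itself at boot.
        & manage-bde.exe -autounlock -enable $Volume | Out-Null
        if ($LASTEXITCODE -eq 0) { return }
        Write-Warning 'Auto-unlock refused (is C: BitLocker-protected?); using a key file instead.'
    }
    # No TPM: write an external key (.bek) to the secured server. A startup task then runs
    # "manage-bde -unlock D: -RecoveryKey <path to that .bek>" before the share is exposed.
    & manage-bde.exe -protectors -add $Volume -RecoveryKey $KeyShare | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not write the external key for $Volume to $KeyShare" }
}

function Set-GroupPermissions {
    param([string]$Path, [string[]]$RW, [string[]]$RO)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting Users/Everyone from D:\
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $grant = @{ 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl' }
    foreach ($g in $RW) { $grant[$g] = 'Modify' }
    foreach ($g in $RO) { $grant[$g] = 'ReadAndExecute' }
    foreach ($identity in $grant.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $grant[$identity], $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Publish-Share {
    param([string]$Name, [string]$Path, [string[]]$RW, [string[]]$RO)
    # Share permissions mirror NTFS; the effective right is the stricter of the two.
    $grants = @()
    foreach ($g in $RW) { $grants += "/GRANT:$g,CHANGE" }
    foreach ($g in $RO) { $grants += "/GRANT:$g,READ" }
    & net.exe share "$Name=$Path" @grants | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net share failed for $Name" }
}

Protect-DataVolume   -Volume $DataVolume
Enable-Unlock        -Volume $DataVolume -KeyShare $KeyServerShare
Set-GroupPermissions -Path $SharePath -RW $ReadWriteGroups -RO $ReadOnlyGroups
Publish-Share        -Name $ShareName -Path $SharePath -RW $ReadWriteGroups -RO $ReadOnlyGroups
& manage-bde.exe -status $DataVolume   # conversion runs in the background; watch "Percentage Encrypted"
```

Run it once per data volume; encryption continues in the background and `manage-bde -status` reports progress. The recovery password that `manage-bde -on` prints is captured rather than echoed, and only shown if the AD backup fails, because on a volume whose only protector is that password, losing it means losing the data. Note what this does and does not buy you, per McKnife's point 3: the volume is protected when the server is off or the disks are pulled; once it is unlocked, anyone the NTFS and share ACLs admit reads the files in the clear, and SMB carries them across the network unencrypted.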
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342265
NTFS perms have nothing to do with encryption though, unless I'm not getting what you mean entirely. I know what NTFS security is and that's not what we're looking to do here; we are looking specifically at encryption. I just meant to say that these encrypted folders (shares) will not be accessed by the entire company. Now if who is accessing what has no bearing on encryption then we can ignore that part; I only mention it because I noticed that with EFS you can specify individual users but not groups.

Now in addition to this, before the end of this year we *should* be getting a NetApp in that site, so the data would be migrated off the individual Windows servers and onto the filer. I realize that will change the entire way the encryption is obtained and administered. I just want to give you the full picture.
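As an added example, not code from the thread: the check behind McKnife's recovery-agent point (comment 40341998) and Ben's observation above that EFS takes individual users, not groups. The script lists every EFS-encrypted file under a folder and, for each, the user certificates and the recovery certificates that can decrypt it (from `cipher /c`), and wraps `cipher /adduser` for granting one more person access by certificate thumbprint. It assumes it is run locally on the file server with the cipher.exe of Windows Vista/Server 2008 or later, that the "Users who can decrypt:" and "Recovery Certificates:" headings match cipher.exe's English output, and a made-up D:\Finance path; the function names are mine.

```powershell
# Added example, not code from the thread. Lists who can decrypt each EFS file under a
# folder (per-user certificates plus data recovery agents) and grants one more user.
# Assumptions (illustrative): run locally on the file server, Windows Vista/Server 2008
# or later cipher.exe, English output headings, made-up path D:\Finance.
param([string]$Root = 'D:\Finance')

function Get-EfsFile {
    param([string]$Path)
    # EFS sets the Encrypted attribute on every file it protects; PS 2.0 has no -File switch.
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }
}

function Get-EfsDecryptors {
    param([string]$File)
    # "cipher /c <file>" prints a "Users who can decrypt:" section and a
    # "Recovery Certificates:" section; collect the principal lines, drop thumbprint lines.
    $info = New-Object PSObject -Property @{ File = $File; Users = @(); RecoveryAgents = @() }
    $section = $null
    foreach ($line in (& cipher.exe /c $File)) {
        if ($line -match '^\s*Users who can decrypt:') { $section = 'Users'; continue }
        if ($line -match '^\s*Recovery Certificates:') { $section = 'RecoveryAgents'; continue }
        if ($line -match '^\s*Key Information:')       { $section = $null; continue }
        if ($section -and $line -notmatch 'thumbprint' -and $line -match '^\s+(\S.*?)\s*$') {
            $info.$section += $Matches[1]
        }
    }
    return $info
}

function Add-EfsUser {
    param([string]$File, [string]$CertThumbprint)
    # EFS grants access per user certificate; there is no group form of this command, so
    # every person who needs the file must be added one by one, file by file.
    & cipher.exe /adduser "/certhash:$CertThumbprint" $File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher /adduser failed for $File" }
}

$report = Get-EfsFile -Path $Root | ForEach-Object { Get-EfsDecryptors -File $_.FullName }
$report |
    Select-Object File,
        @{ n = 'Users';          e = { $_.Users -join '; ' } },
        @{ n = 'RecoveryAgents'; e = { $_.RecoveryAgents -join '; ' } } |
    Format-Table -AutoSize
# Reading the report: an empty Users column means only a recovery agent can still open the
# file (typical after someone leaves); an empty RecoveryAgents column means nobody but the
# listed users can ever recover it. To grant one more person, by their EFS certificate:
# Add-EfsUser -File 'D:\Finance\budget.xlsx' -CertThumbprint '<recipient certificate thumbprint>'
```

The RecoveryAgents column is the practical answer to "what are you protected against": any account holding one of those recovery certificates' private keys (by default the domain's first administrator account, per the TechNet text McKnife quotes) decrypts every file on the list, so the theft scenario EFS covers is a disk walking off without those credentials.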
 
LVL 55

Accepted Solution

by: McKnife (earned 500 total points)
ID: 40342353
The end of the year is quite close, so drop BitLocker and let's look at what you can do on your NetApp. I guess it will feature some kind of built-in encryption, but you should name the model you are going to buy and then I could do a short investigation.
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342375
FAS2552 is what we've got specced and quoted.

However, I will still need to focus on BitLocker for Windows laptops, which probably means I need to generate a new question thread.
 
LVL 55

Expert Comment

by:McKnife
ID: 40342383
Yes, generate a new thread, I'll be with you, we have our whole domain bitlocked.
As for the netapp, I'll look at the model soon.
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342412
Awesome, much obliged.
 
LVL 14

Author Comment

by:Ben Hart
ID: 40343727
I've requested that this question be deleted for the following reason:

After conversing with McKnife it seems my original question is null.
 
LVL 55

Expert Comment

by:McKnife
ID: 40342464
Hm, I would have kept this one open. It was about the server side of the concept. Should I object in order to cancel the closure?
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40343019
McKnife gave valuable information