Solved

Encrypting specific shares on Server 2008 file server?

Posted on 2014-09-24
Last Modified: 2014-09-25
Does anyone have a run down or some good favorites saved on configuring data encryption on a Windows file server share that's accessed by entire departments?
Question by:Ben Hart
13 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 40341947
Hi.

If I may ask: why would you want to configure certain shares and not the entire partition?
Secondly: are you familiar with BitLocker and EFS, and do you know the difference between the two?
3rd: do you know what you are protected against and what not if you use each of those?
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 40341958
1st: Because some data is going to be deemed sensitive, and per our parent company in the near future sensitive data must be encrypted.
2nd: Bitlocker encrypts an OS drive/volume only.  EFS does whatever you tell it to, yes?
3rd: I assumed both protected against theft.. but Bitlocker is not protecting anything when the machine is powered up and the user enters the passcode, correct?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40341998
1 Hmm, the question is not answered. I asked because I would recommend to encrypt the whole partition. That would be a lot easier unless you need EFS-features, which leads us to 2
2 correct on Bitlocker. EFS is meant to encrypt things per-user and not like bitlocker, per machine. Is that needed? Do you need different access level at the shares?
3 EFS does not protect against theft if a recovery agent comes along. See http://technet.microsoft.com/en-us/library/cc512680.aspx
By default, the data recovery agent is defined to be the administrator account. On stand-alone workstations and workgroup machines, the administrator account is the local administrator; on domain-joined machines, the administrator account is the first domain controller’s administrator account.
So if someone gets the credentials of a recovery agent along with your machine, he can undo EFS' protection.
But why I really asked number three is because many people don't get the difference between protection at rest (server shut down) and protection of data in transit. While on the network, the files are open (not decrypted but unlocked) to local server users and while being transferred through the network, they are not encrypted.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342019
Maybe further explaining what we're looking for might help?  Like I said earlier, our parent company wants us to designate critical data as important enough to be encrypted.  That will be worked out with the departments head.. however I do not know the best way of going about doing this.  Whether 3rd party appliance or software or using EFS/BL.  The data shares will most likely be accessed by folks from multiple departments so being able to designate access based on group membership will be advantageous. But, quite obviously, I'd like to implement something with the least amount of admin overhead, and being able to recover/decrypt these files with a specific recovery agent or specified domain account is required.

Another part of this project will be looking towards encrypting the entire drives of mobile users.. but that's for another thread.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40342081
"The data shares will most likely be accessed by folks from multiple departments so being able to designate access based on group membership will be advantageous." - this can be done using NTFS permissions alone.
I recommend to use bitlocker. The key could be provided by a TPM chip if your server features one (enterprise level servers often do, some need to upgrade their hardware with one to use it). Or, without TPM, you would need to enter that key manually at server start ("no...", I can hear you say ;), or using a script that reads it from a network share of a physically secured computer.
0
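
An added example, not part of any post in this thread: a PowerShell audit that reports, for one share, whether its volume is BitLocker-protected (and with which key protectors, such as the TPM mentioned above) and how many files carry the EFS attribute. It assumes an elevated session on the file server; the share name `Finance` is hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the file server.
# 'Finance' is a hypothetical share name used only for illustration.
param([string]$ShareName = 'Finance')

# Key protector type codes returned by Win32_EncryptableVolume.GetKeyProtectorType
$protectorNames = @{
    1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password'
    4 = 'TPM and PIN'; 5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key'
}

# Resolve the share to its local folder and drive letter.
$share = Get-WmiObject -Class Win32_Share -Filter "Name='$ShareName'"
if (-not $share) { throw "Share '$ShareName' not found on this server." }
$drive = [System.IO.Path]::GetPathRoot($share.Path).TrimEnd('\')   # e.g. 'D:'

# BitLocker: whole-volume protection. The namespace is missing when the
# BitLocker feature is not installed, so a failed query counts as "not protected".
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$drive'" `
    -ErrorAction SilentlyContinue
$bitlockerOn = $false
$protectors  = @()
if ($vol) {
    $bitlockerOn = ($vol.ProtectionStatus -eq 1)      # 0 = off, 1 = on, 2 = unknown
    foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {  # 0 = all types
        if (-not $id) { continue }                    # volume has no protectors
        $type = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        if ($protectorNames.ContainsKey($type)) { $protectors += $protectorNames[$type] }
        else { $protectors += "Type $type" }
    }
}

# EFS: per-file protection, visible as the Encrypted file attribute.
$files = @(Get-ChildItem -Path $share.Path -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer })
$efsFiles = @($files | Where-Object {
    $_.Attributes -band [System.IO.FileAttributes]::Encrypted })

# One summary object per share.
New-Object PSObject -Property @{
    Share = $ShareName; LocalPath = $share.Path; Volume = $drive
    BitLockerProtected = $bitlockerOn
    KeyProtectors = ($protectors -join ', ')
    TotalFiles = $files.Count; EfsEncryptedFiles = $efsFiles.Count
}
```

Both values describe data at rest only; as noted in the thread, neither mechanism encrypts files while they cross the network.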
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342265
NTFS perms have nothing to do with encryption though, unless I'm not getting what you mean entirely.  I know what NTFS security is and that's not what we're looking to do here, we are looking specifically at encryption.  I just meant to say that these encrypted folders (shares) will not be accessed by the entire company.  Now if who is accessing what has no bearing on encryption then we can ignore that part, I only mention that because I noticed that with EFS you can specify individual users but not groups.

Now in addition to this.. before the end of this year we *should* be getting a Netapp in that site.. so the data would be migrated off the individual windows servers and onto the filer.  I realize that will change the entire way the encryption is obtained and administered.  I just want to give you the full picture.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40342353
The end of the year is quite close, so drop Bitlocker and let's look at what you can do on your Netapp. I guess it will feature some kind of built-in encryption, but you should name the model you are going to buy and then I could do a short investigation.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342375
FAS2552 is what we've got specced and quoted.

However, I will still need to focus on Bitlocker for Windows laptops, which probably means I need to generate a new question thread.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40342383
Yes, generate a new thread, I'll be with you, we have our whole domain bitlocked.
As for the netapp, I'll look at the model soon.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342412
Awesome, much obliged.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 40343727
I've requested that this question be deleted for the following reason:

After conversing with McKnife it seems my original question is null.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40342464
Hm, I would have kept this one open. It was about the server side of the concept. Should I object in order to cancel the closure?
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40343019
McKnife gave valuable information
0
