Solved

Encrypting specific shares on Server 2008 file server?

Posted on 2014-09-24
364 Views
Last Modified: 2014-09-25
Does anyone have a rundown or some good favorites saved on configuring data encryption on a Windows file server share that's accessed by entire departments?
13 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 40341947
Hi.

If I may ask: why would you want to configure certain shares and not the entire partition?
Secondly: are you familiar with bitlocker and EFS and know the difference of both?
3rd: do you know what you are protected against and what not if you use each of those?
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 40341958
1st: Because some data is going to be deemed sensitive, and per our parent company in the near future sensitive data must be encrypted.
2nd: BitLocker encrypts an OS drive/volume only. EFS does whatever you tell it to, yes?
3rd: I assumed both protected against theft.. but BitLocker is not protecting anything when the machine is powered up and the user enters the passcode, correct?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40341998
1. Hmm, the question is not answered. I asked because I would recommend encrypting the whole partition. That would be a lot easier unless you need EFS features, which leads us to 2.
2. Correct on BitLocker. EFS is meant to encrypt things per user, not, like BitLocker, per machine. Is that needed? Do you need different access levels at the shares?
3. EFS does not protect against theft if a recovery agent comes along. See http://technet.microsoft.com/en-us/library/cc512680.aspx
By default, the data recovery agent is defined to be the administrator account. On stand-alone workstations and workgroup machines, the administrator account is the local administrator; on domain-joined machines, the administrator account is the first domain controller’s administrator account.
So if someone gets the credentials of a recovery agent along with your machine, he can undo EFS' protection.
But why I really asked number three is because many people don't get the difference between protection at rest (server shut down) and protection of data in transit. While on the network, the files are open (not decrypted but unlocked) to local server users and while being transferred through the network, they are not encrypted.
0
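The point above about recovery agents is easy to verify on the server itself: `cipher.exe /c` lists every certificate that can decrypt a given EFS file, recovery agents included. The following PowerShell script is an added example, not code from the thread or from either participant; it assumes it runs on the file server (PowerShell 2.0 or later, as on Server 2008 R2) and the share path `D:\Shares\Finance` is hypothetical.

```powershell
# Added example (not from the thread): list which accounts can decrypt the EFS
# files under a folder, including any data recovery agents, using cipher.exe /c.
# Assumptions: run on the file server, PowerShell 2.0+; the path below is hypothetical.

function Get-EfsDecryptors {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Enumerate files only (PowerShell 2.0 has no -File switch on Get-ChildItem).
    Get-ChildItem -LiteralPath $Path -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            # The Encrypted attribute bit tells us whether EFS is applied at all.
            $isEncrypted = ($file.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
            if (-not $isEncrypted) { return }

            # cipher /c prints "Users who can decrypt:" and "Recovery Certificates:"
            # sections followed by "Key Information:"; keep only the sections that
            # name principals.
            $lines = & cipher.exe /c $file.FullName 2>&1
            $capture = $false
            $who = foreach ($line in $lines) {
                if ($line -match 'Users who can decrypt') { $capture = $true }
                if ($line -match 'Key Information')       { $capture = $false }
                if ($capture) { $line.Trim() }
            }
            New-Object PSObject -Property @{
                File       = $file.FullName
                Principals = ($who -join ' | ')
            }
        }
}

# Usage (hypothetical share folder):
Get-EfsDecryptors -Path 'D:\Shares\Finance' | Format-List
```

If the recovery agent shown is the built-in domain Administrator certificate, that is the default the quoted TechNet text describes; changing it is a Group Policy setting, not a per-file one. Note also that the script only tells you who can open the files on the server: it says nothing about the share traffic, which is the in-transit gap the comment above points out.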
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342019
Maybe further explaining what we're looking for might help? Like I said earlier, our parent company wants us to designate critical data as important enough to be encrypted. That will be worked out with the department heads.. however I do not know the best way of going about doing this. Whether a 3rd-party appliance or software, or using EFS/BL. The data shares will most likely be accessed by folks from multiple departments, so being able to designate access based on group membership will be advantageous. But, quite obviously, I'd like to implement something with the least amount of admin overhead, and being able to recover/decrypt these files with a specific recovery agent or specified domain account is required.

Another part of this project will be looking towards encrypting the entire drives of mobile users.. but that's for another thread.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40342081
"The data shares will most likely be accessed by folks from multiple departments so being able to designate access based on group membership will be advantageous." - this can be done using NTFS permissions alone.
I recommend using BitLocker. The key could be provided by a TPM chip if your server features one (enterprise-level servers often do; some need to upgrade their hardware with one to use it). Or, without TPM, you would need to enter that key manually at server start ("no...", I can hear you say ;), or use a script that reads it from a network share of a physically secured computer.
0
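The two halves of the advice above (BitLocker for encryption at rest, NTFS for group-based access) fit together in one script. The PowerShell below is an added example and not code from the thread or from either participant; it assumes Server 2008 R2 with the BitLocker feature installed (so `manage-bde.exe` is present), an elevated session, an OS volume already protected by the TPM, and hypothetical names for the drive letter, folder and AD group. Where the OS volume is TPM-protected, the built-in auto-unlock keeps the data volume from needing a key typed at start-up, which is the manual-entry step the comment warns about.

```powershell
# Added example (not from the thread): check TPM readiness, enable BitLocker on a
# data volume, and restrict the share folder to an AD group via NTFS permissions.
# Assumptions: Server 2008 R2 with BitLocker feature installed (manage-bde.exe),
# run elevated, OS volume already TPM-protected; drive, folder and group names
# below are hypothetical.

function Test-TpmReady {
    # Win32_Tpm lives in its own WMI namespace; each method returns an object whose
    # same-named property carries the boolean.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
    if ($tpm -eq $null) { return $false }   # no TPM device present
    return ($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated -and $tpm.IsOwned().IsOwned)
}

function Enable-DataVolumeBitLocker {
    param([string]$Drive = 'D:')
    # Recovery password protector: manage-bde prints the 48-digit password; store
    # it with the documented recovery procedure before relying on the volume.
    & manage-bde.exe -on $Drive -RecoveryPassword
    # Auto-unlock ties the data volume key to the TPM-protected OS volume, so no one
    # types a key at boot. Once unlocked, the data is readable by anyone the OS
    # grants access to, which is what the NTFS permissions below control.
    & manage-bde.exe -autounlock -enable $Drive
    & manage-bde.exe -status $Drive
}

function Set-ShareFolderAcl {
    param([string]$Folder = 'D:\Shares\Finance', [string]$Group = 'CORP\Finance-RW')
    if (-not (Test-Path -LiteralPath $Folder)) {
        New-Item -ItemType Directory -Path $Folder | Out-Null
    }
    # Break inheritance, then grant Modify to the department group and Full Control
    # to Administrators; (OI)(CI) make the entries flow to files and subfolders.
    & icacls.exe $Folder /inheritance:r /grant "${Group}:(OI)(CI)M" /grant 'BUILTIN\Administrators:(OI)(CI)F'
}

if (Test-TpmReady) {
    Enable-DataVolumeBitLocker -Drive 'D:'
} else {
    Write-Warning 'TPM not enabled/activated/owned: BitLocker would need a startup key or manual unlock instead.'
}
Set-ShareFolderAcl
```

The `Test-TpmReady` branch is the decision point the comment describes: with a ready TPM the volume unlocks unattended, without one you are back to a startup key on USB or a key typed at the console. Group membership in `CORP\Finance-RW` then decides who can read the share; BitLocker plays no part in that, which matches the remark that NTFS alone handles per-department access.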
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342265
NTFS perms have nothing to do with encryption though, unless I'm not getting what you mean entirely.  I know what NTFS security is and that's not what we're looking to do here, we are looking specifically at encryption.  I just meant to say that these encrypted folders (shares) will not be accessed by the entire company.  Now if who is accessing what has no bearing on encryption then we can ignore that part, I only mention that because I noticed that with EFS you can specify individual users but not groups.

Now in addition to this.. before the end of this year we *should* be getting a NetApp in that site.. so the data would be migrated off the individual Windows servers and onto the filer. I realize that will change the entire way the encryption is obtained and administered. I just want to give you the full picture.
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 40342353
The end of the year is quite close, so drop BitLocker and let's look at what you can do on your NetApp. I guess it will feature some kind of built-in encryption, but you should name the model you are going to buy and then I could do a short investigation.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342375
FAS2552 is what we've got specced and quoted.

However, I will still need to focus on BitLocker for Windows laptops, which probably means I need to generate a new question thread.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40342383
Yes, generate a new thread, I'll be with you; we have our whole domain BitLockered.
As for the NetApp, I'll look at the model soon.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342412
Awesome, much obliged.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 40343727
I've requested that this question be deleted for the following reason:

After conversing with McKnife it seems my original question is null.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40342464
Hm, I would have kept this one open. It was about the server side of the concept. Should I object in order to cancel the closure?
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40343019
McKnife gave valuable information
0
