Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Encrypting specific shares on Server 2008 file server?

Posted on 2014-09-24
13
Medium Priority
?
382 Views
Last Modified: 2014-09-25
Does anyone have a run down or some good favorities saved on configuring data encryption on a windows file server share that's accessed by entire departments?
0
Comment
Question by:Ben Hart
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
13 Comments
 
LVL 56

Expert Comment

by:McKnife
ID: 40341947
Hi.

If I may ask: why would you want to configure certain shares and not the entire partition?
Secondly: are you familiar with bitlocker and EFS and know the difference of both?
3rd: do you know what you are protected against and what not if you use each of those?
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 40341958
1st: Because some data is going to be deemed sensitive, and per our parent company in the near future sensitive data must be encrypted.
2nd: Bitlocker encrypts an OS drive/volume only.  EFS does whatever you tell it to yes?
3rd: I assumed both protected against theft.. but Bitlocker is not protecting anything when the machine is powered up and the users enters the passcode correct?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40341998
1 Hmm, the question is not answered. I asked because I would recommend to encrypt the whole partition. That would be a lot easier unless you need EFS-features, which leads us to 2
2 correct on Bitlocker. EFS is meant to encrypt things per-user and not like bitlocker, per machine. Is that needed? Do you need different access level at the shares?
3 EFS does not protect against theft if a recovery agent comes along. See http://technet.microsoft.com/en-us/library/cc512680.aspx
By default, the data recovery agent is defined to be the administrator account. On stand-alone workstations and workgroup machines, the administrator account is the local administrator; on domain-joined machines, the administrator account is the first domain controller’s administrator account.
So if someone gets the credentials of a recovery agent along with your machine, he can undo EFS' protection.
But why I really asked number three is because many people don't get the difference between protection at rest (server shut down) and protection of data in transit. While on the network, the files are open (not decrypted but unlocked) to local server users and while being transferred through the network, they are not encrypted.
0
Fill in the form and get your FREE NFR key NOW!

Veeam® is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

 
LVL 14

Author Comment

by:Ben Hart
ID: 40342019
maybe further explaining what we're looking for might help?  Like i said earlier, our parent company wants us to designate critical data as important enough to be encrypted.  That will be worked out with the departments head.. however I do not know the best way of going about doing this.  Whether 3rd party appliance or software or using EFS/BL.  The data shares will most likely be access by folks from multiple departments so being able to designate access based on group membership will be advantageous. but, quite obviously, I'd like to implement something with the least amount of admin overhead, and being able to recover/decrypt these files with a specific recovery agent or specified domain account is required.

Another part of this project will be looking towards encrypting the entire drives of mobile users.. but that's for another thread.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40342081
"The data shares will most likely be access by folks from multiple departments so being able to designate access based on group membership will be advantageous." - this can be done using NTFS permissions alone.
I recommend to use bitlocker. The key could be provided by a TPM chip if your server features one (enterprise level servers often do, some need to upgrade their hardware with one to use it). Or, without TPM, you would need to enter that key manually at server start ("no...", I can hear you say ;), or using a script that reads it from a network share of a physically secured computer.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342265
NTFS perms have nothing to do with encryption though, unless I'm not getting what you mean entirely.  I know what NTFS security is and that's not what we're looking to do here, we are looking specifically at encryption.  I just meant to say that these encrypted folders (shares) will not be accessed by the entire company.  Now if who is accessing what has no bearing on encryption then we can ignore that part, I only mention that because I noticed that with EFS you can specify individual users but not groups.

Now in addition to this.. before the end of this year we *should* be getting a Netapp in that site.. so the data would be migrated off the individual windows servers and onto the filer.  I realize that will change the entire way the encryption is obtained and administered.  I just want to give you the full picture.
0
 
LVL 56

Accepted Solution

by:
McKnife earned 2000 total points
ID: 40342353
The end of the year is quite close, so drop Bitlocker and let's look at what you can do on your Netapp. I guess it will feature some kind of built-in encryption, but you should name the model you are going to buy and then I could do a shot investigation.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342375
FAS2552 is what we've got specced and quoted.

however I will still need to focus on Bitlocker for windows laptops.  which probably means I need to generate a new question thread.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40342383
Yes, generate a new thread, I'll be with you, we have our whole domain bitlocked.
As for the netapp, I'll look at the model soon.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342412
Awesome, much obliged.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 40343727
I've requested that this question be deleted for the following reason:

After conversing with McKnife it seem my original question is null.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40342464
Hm, I would have kept this one open. It was about the server side of the concept. Should I object in order to cancel the closure?
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 40343019
McKnife gave valuable information
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question