Encryption of folder and data

Dear Experts,

I am requested to encrypt a folder on our file server, and have started looking into different methods. My concern is, if files are copied from the encrypted folder onto external storage devices, is the encryption no longer protecting the file?
btan (Exec Consultant) commented:
If you are referring to EFS on Windows, do note that it is just another local file-system Microsoft product. When you connect via a network share, the server will generate a profile and, depending on your settings, obtain a certificate. If you are going to mandate a smart card for EFS, it does not work as desired.
E.g. with the group policy below, activating encryption for a file residing on a network share generates an error message such as "This operation requires an interactive window station".
> Computer configuration / Windows settings / Security settings / Public Key Policies EFS: "Require a smart card for EFS = ENABLED"
In short, when you encrypt on a server, the EFS-protected file is first decrypted, then sent in clear plaintext over the network, and then re-encrypted on the destination server. One way around this is to connect to the server using WebDAV; then the file is encrypted locally and will use your smart card. Otherwise consider using 7-Zip or WinZip to password-protect the file, so that it is independent and remains encrypted until the password unlocks it and it is extracted....
McKnife commented:
Hi yballan.

Tell us, why would you need to do this?
I am experienced with encryption matters and I see no valid reason for using folder encryption if the contents are accessed only via the network. You should use NTFS permissions together with full disk encryption at the server.
btan (Exec Consultant) commented:
Use case is key, as shared by McKnife as well. E.g.:
When encrypting removable media, it is important to keep in mind that the encrypted files will only be accessible on computers that have certificates for users who are listed as having access to the file (or the recovery agent key). This means that if you are working on an encrypted file at work, and you bring it home to finish up on your home computer, you will only be able to access this file if your home computer has your user certificate.

Similarly, you should take great care when you enable EFS on a SharePoint site. Any user who has access to a SharePoint site can encrypt any file on that site. However, once that file is encrypted, only users listed as having access to that file (or the recovery agent) will be able to access it.

It is also important not to encrypt files when you are logged on as the local Administrator unless you have changed the default recovery agent account. The effectiveness of EFS recovery is compromised if a file's creator is both the user and the recovery agent account.

Furthermore, there are limitations as well:
Once an EFS folder is created, any files created in the folder will always be encrypted by the creator of the file. This is not always what you intend. If you have a publicly available folder that has encryption on it, you need to carefully manage who has access to that folder using NTFS file permissions, share permissions, or other methods of preventing unauthorized access.

Another problem is that anyone who has access to your system drive can break EFS encryption. This shouldn't be a big problem on a well-secured server, but it's still a concern. The solution is to enable BitLocker on your server.
David Johnson, CD, MVP (Owner) commented:
"I am requested to encrypt a folder on our file server, and have started looking into different methods. My concern is, if files are copied from encrypted folder onto external storage devices, is the encryption no longer protecting the file?" Correct, especially if copied to a non-NTFS volume.

What you want here is ADRMS (a role you can add to Windows Server)
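As an added example that is not code from the thread, from Microsoft, or from any of the posters, the PowerShell below puts the two points made so far into a check an administrator can run: it audits which files under the shared folder actually carry the EFS Encrypted attribute (btan's note that files in an EFS folder are encrypted per creator), and it guards a copy so that EFS-protected files are not written onto a non-NTFS volume, where the protection is lost as David Johnson says; after each copy it verifies that the attribute survived. The paths D:\Shares\ClientData and E:\ClientData are assumptions, and the destination is assumed to be a local drive letter (a USB stick) because DriveInfo is used to read the volume format.

```powershell
# Added example, not from the original thread. Assumed paths: D:\Shares\ClientData
# is the EFS-encrypted folder on the file server, E:\ is a removable drive.
# Requires Windows and NTFS on the source; run as an account that can read the files.

function Get-EfsState {
    # Lists every file under $Path with a boolean for the EFS Encrypted attribute.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            FullName  = $_.FullName
            Encrypted = [bool]($_.Attributes -band [IO.FileAttributes]::Encrypted)
        }
    }
}

function Get-VolumeFormat {
    # Returns the file system name ('NTFS', 'FAT32', 'exFAT', ...) of the drive
    # that holds $Path. Assumes a local drive letter, not a UNC path.
    param([Parameter(Mandatory)][string]$Path)
    $root = [IO.Path]::GetPathRoot([IO.Path]::GetFullPath($Path))
    (New-Object IO.DriveInfo($root)).DriveFormat
}

function Copy-EfsGuarded {
    # Copies files from $Source to $Destination, refusing EFS-encrypted files when
    # the destination volume is not NTFS, and checking afterwards that the copy
    # kept the Encrypted attribute (on NTFS the copy stays EFS-protected and is
    # readable only by holders of the listed certificates or the recovery agent).
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    $format  = Get-VolumeFormat -Path $Destination
    $srcRoot = (Get-Item -LiteralPath $Source).FullName.TrimEnd('\')
    foreach ($f in Get-EfsState -Path $Source) {
        if ($f.Encrypted -and $format -ne 'NTFS') {
            Write-Warning "Skipping $($f.FullName): destination volume is $format, EFS protection would be lost"
            continue
        }
        $target = Join-Path $Destination $f.FullName.Substring($srcRoot.Length).TrimStart('\')
        New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
        Copy-Item -LiteralPath $f.FullName -Destination $target
        $stillEncrypted = [bool]((Get-Item -LiteralPath $target).Attributes -band [IO.FileAttributes]::Encrypted)
        if ($f.Encrypted -and -not $stillEncrypted) {
            Write-Warning "$target was written WITHOUT the Encrypted attribute; treat it as plaintext"
        }
    }
}

# Audit first (anything not encrypted was created outside the EFS policy), then
# copy with the guard in place.
Get-EfsState -Path 'D:\Shares\ClientData' | Where-Object { -not $_.Encrypted } |
    ForEach-Object { Write-Warning "Not EFS-encrypted: $($_.FullName)" }
Copy-EfsGuarded -Source 'D:\Shares\ClientData' -Destination 'E:\ClientData'
```

To see which user certificates (and which recovery agent) can open a given file before the stick leaves the building, `cipher.exe /c <file>` lists them. Note that this guard only covers copies to a file system; it does nothing for a file sent as an e-mail attachment, which is the case the thread addresses with AD RMS or a password-protected archive.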
yballan (Author) commented:
Dear btan,
Thank you for your quick response, after reading your reply, I am starting to believe that I do not have enough knowledge about the encryption, and will be reading on these materials to understand better.
Dear McKnife,
Thank you for your quick response. Here is what is happening. One of our clients requested that their information be encrypted, so we wanted to put an encrypted folder on the file server for multiple workers to access. We also need to make sure that if someone copies these files onto external storage, or e-mails them as attachments, they cannot be deciphered.
To solve exactly that, we once used Aladdin (now SafeNet) HASP encryption tokens like this:
1. Buy them and insert the token into the server
2. Install the software on the server
3. Encrypt the files in question

Now whenever they leave the server, they are useless because the dongle is missing.

yballan (Author) commented:
Thank you Experts, for valuable information.  I will bring up all possible solutions suggested by you to my supervisor to go forward.
btan (Exec Consultant) commented:
Not to bog you down with material, but this can help as a starter; there is a security section if you really want to jump straight into it: https://msdn.microsoft.com/en-us/library/ms995356.aspx

I see it as using Windows itself, which has native support for encryption (subject to OS type):
Disk encryption - BitLocker (has TPM and USB key file)
File/folder encryption - EFS
Removable medium encryption - BitLocker To Go or EFS (NTFS-formatted drive)
Second-factor authentication - smart card or token (default smart card cryptographic service provider, CSP), Biometric Framework (BioAPI)
Network encryption (point to point) - VPN/IPsec
Online drive encryption - OneDrive (SSL channel), Azure cloud (multi-factor auth), Azure virtual network (VPN/IPsec)..

Regardless, for external storage media one thing to note going forward is the Fast IDentity Online (FIDO) Alliance support, whose objective is to transition away from passwords to a stronger form of identity. This also includes the FIDO U2F Security Key, which serves as a Fast Identity Online Universal Second Factor (FIDO U2F) authenticator - supposed to be a FIDO Ready™ U2F-compliant physical USB second-factor device that offers a simpler, stronger alternative to today's six-digit one-time passcodes (OTP)...

There are too many areas to cover; for your case it is probably enough to ensure that, at a minimum, data is encrypted everywhere it is stored, in transit and in use (if possible). An encrypted thumb drive with authentication is one worthy investment beyond EFS alone... IronKey is one candidate worth mentioning...
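For the "Removable medium encryption - BitLocker To Go" item in the list above, the following PowerShell is an added example, not code from the thread or from Microsoft. It enables BitLocker on a removable drive with a password protector and adds a recovery password, so the encryption belongs to the volume and no longer depends on the file system or on EFS certificates. It assumes the drive is mounted as E:, that the BitLocker cmdlets are available (Windows 8 / Server 2012 and later), and an elevated session.

```powershell
# Added example, not from the original thread. Assumes the removable drive is E:,
# the BitLocker PowerShell module is present, and the session is elevated.

function Protect-RemovableDrive {
    # Encrypts the whole volume, so the protection travels with the stick rather
    # than with individual NTFS files, and works on FAT32/exFAT sticks too.
    param(
        [Parameter(Mandatory)][string]$MountPoint,          # e.g. 'E:'
        [Parameter(Mandatory)][securestring]$Password
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is already $($vol.VolumeStatus); leaving it alone"
        return $vol
    }
    # The password unlocks the drive on any Windows machine that can read XTS-AES
    # (Windows 10 and later; use -EncryptionMethod Aes256 if Windows 7 must read it).
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -PasswordProtector -Password $Password | Out-Null
    # The recovery password is the break-glass key; store it away from the drive.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint
}

$pw  = Read-Host -Prompt 'Drive password' -AsSecureString
$vol = Protect-RemovableDrive -MountPoint 'E:' -Password $pw
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
# Show the recovery password once so it can be escrowed; never leave it on the stick.
($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
```

Volume encryption covers the stick itself, not a file that is later copied off an unlocked stick or sent as an attachment; for those cases the thread's other suggestions (AD RMS, a password-protected archive, or a hardware-token scheme) still apply.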