NA NA (United States of America) asked:
Bitlocker on a domain

Hello all.
Not sure if I remember correctly, but BitLocker can be enabled domain-wide so that files and folders are only accessible within the network. Once someone tries to open them outside the network, the user won't be able to decrypt them.
Can that be done? Or has my memory failed me? Or did I misunderstand? Lol
dipersp (United States of America):
There are a lot of variables here. Basically, to answer your question, no - enabling BitLocker does NOT prevent opening the files from outside of your network/domain.

If you have a hard drive that's locked, it can be removed and plugged into any Windows 7 Pro or better machine and be read if you have the encryption key. If your users do not have that and you use group policy to lock those kinds of settings out, then that should cover you.
ASKER CERTIFIED SOLUTION
McKnife (Germany):
If you have any more questions, feel free to ask. I find this a very interesting topic which is still emerging, since it cannot be done on Windows 7/2008 R2 domains but needs Windows 8 or higher in connection with a 2012 domain.
NA NA (asker):
Will absolutely do.
Many thanks for sharing the info.
NA NA (asker):
McKnife,
I was reading the article just now.
Does that mean it will only encrypt the jump drives, and not the shared data on the shared server?
What I needed and wanted to do was secure my shared folders,
so that if these shared folders were sent out of the network for whatever reason, they are useless.
For example:

\\shares\password.txt will only open if you are on the network.
If you email that file or move it to a jump drive (data leakage), it is inaccessible.
McKnife:
The policy you need should be: everything that leaves the company should be encrypted. My article was about removable storage (thumb drives, smartphone storage, external hard drives). It was not meant as protection against attaching unencrypted data to mails.

You have to understand: whenever data is readable, it can be duplicated into an unencrypted copy.
So whatever you try to do, as soon as it is accessible, it can be copied. So either you offer them neither unencrypted room to copy to nor ways to mail unencrypted, or you have almost lost that battle.

Data leakage is only fightable in highly secured environments where it is also made impossible to use a smartphone to film the screen while scrolling through the pages.
--
What you are trying to have is only possible with a piece of software that relies on a hardware component that is only available at your company. There is software like (the former Aladdin) Sentinel HASP that works with dongles. The data will only be readable on machines that have the dongle plugged in. That solution would work in a terminal server environment where users work on the server and the dongle is plugged into the server. No dongle, no data. Whenever data is shared via mail or whatever, some decryption admin needs to give his consent... that means a lot of effort.

So think twice about whether you really want what you describe.
NA NA (asker):
Totally understand that, but with encryption on the go, the user doesn't have the encryption and decryption key. The user opens a file, his computer decrypts that file, he views it; once it is saved, it is encrypted with no option to decrypt (just like BitLocker).
If this file is opened on a machine that doesn't have the decryption key, the file can't be decrypted.

And yes, I am fine with that; only sensitive data will be dealt with in this form, data that doesn't need to be emailed or shared out of the network.
McKnife:
Look, imagine someone has a document that is "secured" and he wants to read it on premises. Works - now he copies the contents of the file and pastes them into a mail - you cannot prevent that.
I guess you are aware of that. There is no technical data leakage prevention technique that at the same time allows "normal IT life" like internet access, mail and thumb drive usage. It's just not possible, so I discourage you from going for it.
NA NA (asker):
McKnife,
what you mentioned is only doable with txt files, not videos, for example.
Not 5 TB of video footage, for example.
I know he can leak video by using his smartphone camera, but not 5 TB of video :)
100% DLP is impossible, but the higher the percentage, the better.
I understand your idea and totally agree with it.
McKnife:
OK, let's say we had to do it ;-)
-> Disable all USB storage access as well as DVD burners, eSATA, FireWire and so on.
-> Have your internet access go through a remotely controlled system with no upload function; same for your mail system.
-> Alternatively, offer a mail system that works only when encryption is used, and block all portable programs using something like AppLocker.
-> Use BitLocker for data at rest.
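The host-side items in the list above (removable storage, AppLocker, BitLocker at rest) can be checked from one script. The following is an added example, not code from the thread or from any of its participants: it audits a single Windows machine and, with -Enforce, writes the same registry values that the "Removable Storage Access" Group Policy settings write. It assumes Windows 8 / Server 2012 or later (so the BitLocker and AppLocker PowerShell modules exist), an elevated prompt, and that in a real domain these values come from GPO rather than from this script (the Policies keys are overwritten at the next policy refresh, which is exactly why the audit half is useful: it shows whether the GPO actually landed). The remotely controlled browsing/mail system from the list is an architecture choice and is not scripted here.

```powershell
# Added example (not from the Experts Exchange thread): audit, and optionally
# enforce, host-side data-leakage controls on one Windows machine.
# Assumptions: Windows 8/2012+, run elevated, BitLocker/AppLocker modules present.
[CmdletBinding()]
param(
    [switch]$Enforce   # without this switch the script only reports
)

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device setup class GUIDs that the "Removable Storage Access" policies key on.
# Caveat: eSATA and FireWire disks usually enumerate as fixed disks, so they are
# NOT covered by the RemovableDisk class; those need device installation
# restrictions (a different policy), which this script does not handle.
$classes = @{
    'RemovableDisk' = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # USB sticks, USB/external HDDs
    'CdDvd'         = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'   # optical drives, incl. burners
    'Wpd'           = '{6AC27878-A6FA-4155-BA85-F98F491D4F33}'   # phones/cameras over MTP/PTP
}

function Get-RemovableStoragePolicy {
    # Returns a hashtable: class name -> $true if Deny_All=1 is set for that class.
    $result = @{}
    foreach ($name in $classes.Keys) {
        $key = Join-Path $policyRoot $classes[$name]
        $denyAll = 0
        if (Test-Path $key) {
            $denyAll = (Get-ItemProperty -Path $key -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
        }
        $result[$name] = ($denyAll -eq 1)
    }
    return $result
}

function Set-RemovableStorageDeny {
    # Local equivalent of "Deny all access" for each class above (test box only;
    # in a domain, set this through Group Policy instead).
    foreach ($guid in $classes.Values) {
        $key = Join-Path $policyRoot $guid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Deny_All -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-UsbStorDisabled {
    # Belt and braces: Start=4 disables the USB mass-storage driver outright,
    # so a stick is never mounted even if the policy key is missing.
    $start = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start).Start
    return ($start -eq 4)
}

function Get-OsVolumeProtected {
    # "BitLocker for data at rest": protection must be On AND the volume fully
    # encrypted; a paused or still-encrypting volume does not count.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    return ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
}

function Get-AppLockerExeStatus {
    # Reads the effective AppLocker policy as XML and reports whether the Exe
    # collection is enforced and how many rules it has. Portable programs are
    # only blocked if EnforcementMode is 'Enabled' (not 'AuditOnly').
    [xml]$xml = Get-AppLockerPolicy -Effective -Xml
    $col = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    if ($null -eq $col) { return [PSCustomObject]@{ Enforced = $false; RuleCount = 0 } }
    $rules = @($col.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    return [PSCustomObject]@{ Enforced = ($col.EnforcementMode -eq 'Enabled'); RuleCount = $rules.Count }
}

if ($Enforce) {
    Set-RemovableStorageDeny
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4
}

$storage  = Get-RemovableStoragePolicy
$applock  = Get-AppLockerExeStatus
[PSCustomObject]@{
    RemovableDiskDenied = $storage.RemovableDisk
    CdDvdDenied         = $storage.CdDvd
    WpdDenied           = $storage.Wpd
    UsbStorDisabled     = Get-UsbStorDisabled
    OsVolumeBitLocker   = Get-OsVolumeProtected
    AppLockerExeEnforced = $applock.Enforced
    AppLockerExeRules   = $applock.RuleCount
} | Format-List
```

Run it as `.\Audit-LeakControls.ps1` to report, or `.\Audit-LeakControls.ps1 -Enforce` on a lab machine to apply the storage denials locally. A `$false` in any of the first four fields means a user can still copy to removable media on that host regardless of what the file server does, which is the point McKnife makes above: BitLocker protects the disk at rest, and only the other controls limit where a readable copy can go.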