Solved

File share encryption for multiple users?

Posted on 2016-09-14
80 Views
Last Modified: 2016-09-16
How are people encrypting File shares with sensitive data?

We were a smaller company and our HR and finance department was just 1 person for the longest time. We run Windows 2008-2012r2 servers on an AD domain. As we are growing, our HR and finance dept is getting larger; there are several files that HR accesses over file shares, and our security department has now required they be encrypted because of HITRUST and HIPAA certifications we will be carrying. All the solutions I am finding are ways to encrypt the files for one specific person, and 2012 for the file server. We're looking at BitLocker drive encryption, but it looks like it needs a TPM module, which our server doesn't have, and it will encrypt the whole drives, which slows things down, and we only need those few files encrypted. So how are people doing this? If it's possible.
Question by:Crossroads305
8 Comments
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 41798190
Did you look at the built-in EFS?
By the way, what attack scenario do you see?
 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 125 total points
ID: 41798201
BitLocker is our go-to solution. We buy TPM modules for all client deployments.
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 41798292
He'd need to find out if his server mainboard has a TPM header, so a TPM could be bought for it. Without one, it is not advisable to use BitLocker on a server if the attack scenario is about physical access. The server will likely need to be startable hands-free, so no TPM, no BitLocker.
 
LVL 1

Author Comment

by:Crossroads305
ID: 41798396
So basically the attack plan is: if someone gets access to the internal network and/or recovers a hard drive that was to be destroyed, they should not be able to recover the sensitive data. However, multiple people access the file through many different ways: remotely, laptops, RDS, VDIs, etc. Also, we must stop them from copying it off the network share as well.

EFS, from what I read, uses certificates and is supposed to be seamless, which from a user standpoint is easy, but from a tech standpoint I don't know if it's much of a solution. TPM looks like it's easy, but BitLocker encrypts the entirety of the disk, and I'm told we can't have any slowdowns, and with TPM slowdowns will occur.

As for the built-in encryption, in our testing it doesn't let the other people open the file; it just says access denied, even though they're added to the encrypted users and explicitly added in NTFS permissions.
 
LVL 54

Accepted Solution

by:McKnife
McKnife earned 250 total points
ID: 41798718
You need to inform yourself about both EFS and BitLocker to have a base to discuss on.
BL on servers without a TPM is not recommendable, so please do as advised: check if your server mainboard can be equipped with a TPM. What you need to find out is whether it has a TPM header.
If not, drop the BitLocker thought and focus on EFS.

About your scenario: if someone gets network access... now what should that mean? Any member of your company has network access, and still they are already kept from seeing some data by NTFS permissions. No encryption is needed for that. Encryption is against theft, against physical drive access, not network access.

"stop them from copying it off the network share as well." - encryption does not stop someone from copying data he can read. You did not yet understand it. Please read some basics about encryption, like Wikipedia on BitLocker maybe, or TechNet articles about BitLocker and EFS.

BL and performance: not worth mentioning. The performance loss is marginal.
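The two checks the accepted answer asks for (does the server have a usable TPM, and which certificates can actually decrypt an EFS file) can be run from one script. The following is an added example written for this thread, not code posted by any participant; the file path and the account name are placeholders you replace. It also covers the "access denied" symptom from the author's earlier comment: a user who is in the NTFS ACL but whose EFS certificate is not attached to the file cannot open it, and `cipher /adduser` is the built-in way to attach it.

```powershell
# Added example (not from the thread). Run elevated on the file server.
# Placeholders: replace with a real file on the share and a real domain account.
$SharedFile = 'D:\Shares\HR\payroll.xlsx'   # placeholder path
$GrantTo    = 'CONTOSO\hr.analyst'          # placeholder domain\user

# 1. TPM status. Get-Tpm comes with the TrustedPlatformModule module
#    (Windows 8 / Server 2012 and later); on older builds it does not exist.
#    Without a present and ready TPM, BitLocker needs a key or password at
#    every boot, which is what the answer above warns about for servers.
Write-Host '== TPM status =='
try {
    $tpm = Get-Tpm -ErrorAction Stop
    'TpmPresent={0}  TpmReady={1}' -f $tpm.TpmPresent, $tpm.TpmReady
} catch {
    "Get-Tpm unavailable or no TPM detected: $($_.Exception.Message)"
}

# 2. Which certificates can decrypt this EFS file right now?
#    NTFS permissions do not appear here; EFS access is decided by this list.
Write-Host "== EFS certificates on $SharedFile =="
cipher.exe /c $SharedFile

# 3. Add another user's EFS certificate to the file. /user looks the
#    certificate up for that account, so the account must already have an
#    EFS certificate (e.g. after encrypting a file once, or from your CA).
Write-Host "== Granting EFS access to $GrantTo =="
cipher.exe /adduser "/user:$GrantTo" $SharedFile

# 4. Verify both layers side by side: the EFS list and the NTFS ACL.
#    A user must appear in both to open the file over the share.
cipher.exe /c $SharedFile
(Get-Acl -Path $SharedFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run step 2 on a file that a second user cannot open: if their name is missing from the `cipher /c` output even though `Get-Acl` lists them, the problem is the EFS certificate list, not NTFS permissions, and step 3 is the fix. If `cipher /adduser` reports that no certificate was found for the account, that user has never been issued an EFS certificate, which has to be done before the file can be shared with them.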
 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 125 total points
ID: 41798796
You can't prevent someone from copying data off the share. Full stop. That's the *point* of a share.

You can prevent them (within reason) from opening or copying that data. Windows RMS or Azure Information Protection is what you seek. For LoB app data, it basically requires Windows 10 1607 and Server 2016 in most cases.
 
LVL 24

Assisted Solution

by:NVIT
NVIT earned 125 total points
ID: 41798814
As an alternative to EFS and BitLocker: maybe TrueCrypt... VeraCrypt... CipherShed?
 
LVL 1

Author Comment

by:Crossroads305
ID: 41801647
Thanks for all the help. We came up with several options. I know the general basics of encryption, and I didn't think it could do all of that, but I'm just repeating what I'm being told is needed under the HITRUST encryption security policy we need to follow.
