Solved

File share encryption for multiple users?

Posted on 2016-09-14
8
112 Views
Last Modified: 2016-09-16
How are people encrypting File shares with sensitive data?

We were a smaller company and our HR and finance department was just 1 person for the longest time. We run Windows 2008-2012r2 servers on an AD domain. As we are growing our HR and finance dept is getting larger, there are several files that HR accesses over file shares, our security department has now required they be encrypted because of hitrust and Hipaa certifications we will be carrying. All the solutions I am finding are ways to encrypt the files for one specific person, and 2012 for the file server, we're looking at Bitlocker drive encryption but it looks like it needs a TPM module which our server doesn't have and it will encrypt the whole drives which slows things down and we only need those few files encrypted. So how are people doing this? if it's possible.
0
Comment
Question by:Crossroads305
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 41798190
Did you look at the built-in EFS?
By the way, what attack scenario do you see?
0
 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 125 total points
ID: 41798201
BitLocker is our go-to solution. We buy tom modules for all client deployments.
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 41798292
He'd need to find out if his server mainboard has a TPM header, so a TPM could be bought for it. Without, it is not advisable to use TPMs on a server if the attack scenario is about physical access. The server will likely need to be startable hands-free, so no TPM, no bitlocker.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 1

Author Comment

by:Crossroads305
ID: 41798396
So basically the attack, plan is if someone gets access to the internal network and/or recovering a hard drive that was to be destroyed not being able to recover the sensative data. however multiple people access the file through many different ways remotely, laptops, rds, VDIs, etc. Also we must also stop them from copying it off the network share as well.

EFS from what I read uses certificates and is supposed to be seamless, which from a user standpoint is easy, but from a tech standpoint I don't know if it's much of a solution. TPM looks like its easy but bitlocker encrypts the entirety of the disk and I'm told we can't have any slowdowns and with TPM slow downs will occur.

as for the built in Encryption in our testings it doesn't let the other people open the file just says access denied, even though they're added to the encrypted users and explicitly added in NTFS permissions.
0
 
LVL 55

Accepted Solution

by:
McKnife earned 250 total points
ID: 41798718
You need to inform yourself about both, EFS and bitlocker to have a base to discuss on.
BL on servers without a TPM is not recommendable - so please do as advised, check if your server mainboard can be equipped with a TPM. What you need to find out is whether it has a TPM header.
If not, drop the bitlocker thought and focus on EFS.

About your scenario: if someone gets network access... now what should that mean? Any member of your company has network access and still, they are already kept from seeing some data by NTFS permissions. No encryption needed for that. Encryption is against theft, against physical drive access - not network access.

"stop them from copying it off the network share as well." - encryption does not stop someone from copying data he can read. You did not yet understand it. please read some basics about encryption like wikipedia on bitlocker maybe or technet articles about bitlocker and EFS.

BL and performance: not worth mentioning. The performance loss is marginal.
"
0
 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 125 total points
ID: 41798796
You can't prevent someone from cooking data off the share. Full stop. That's the *point* of a share.

You can prevent them (within reason) from opening or or copying that data.) Windows RMS or Azure Information Protection is what you seek. For LoB app data, it basically requires windows 10 1607 and server 2016 in most cases.
0
 
LVL 24

Assisted Solution

by:NVIT
NVIT earned 125 total points
ID: 41798814
As an alternative to EFS, Bitlocker: Maybe TrueCrypt... VeraCrypt... CipherShed?
0
 
LVL 1

Author Comment

by:Crossroads305
ID: 41801647
Thanks for all the Help. We came up with several options. I know general basics of encryption and I didn't think it could do all of that but I'm just repeating what I'm being told is needed under the hitrust encryption security policy we need to follow.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
Ransomware is a growing menace to anyone using a computer or mobile device. Here are answers to some common questions about this vicious new form of malware.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question