Solved

File share encryption for multiple users?

Posted on 2016-09-14
Last Modified: 2016-09-16
How are people encrypting File shares with sensitive data?

We were a smaller company and our HR and finance department was just one person for the longest time. We run Windows 2008-2012 R2 servers on an AD domain. As we are growing, our HR and finance dept is getting larger; there are several files that HR accesses over file shares, and our security department has now required they be encrypted because of the HITRUST and HIPAA certifications we will be carrying. All the solutions I am finding are ways to encrypt the files for one specific person, and 2012 for the file server. We're looking at BitLocker drive encryption, but it looks like it needs a TPM module, which our server doesn't have, and it will encrypt the whole drives, which slows things down, and we only need those few files encrypted. So how are people doing this? If it's possible.
Question by:Crossroads305
8 Comments
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 41798190
Did you look at the built-in EFS?
By the way, what attack scenario do you see?
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 125 total points
ID: 41798201
BitLocker is our go-to solution. We buy TPM modules for all client deployments.
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 41798292
He'd need to find out if his server mainboard has a TPM header, so a TPM could be bought for it. Without one, it is not advisable to use TPMs on a server if the attack scenario is about physical access. The server will likely need to be startable hands-free, so no TPM, no BitLocker.
 
LVL 1

Author Comment

by:Crossroads305
ID: 41798396
So basically the attack plan is: if someone gets access to the internal network and/or recovers a hard drive that was to be destroyed, they should not be able to recover the sensitive data. However, multiple people access the file in many different ways: remotely, laptops, RDS, VDIs, etc. Also, we must stop them from copying it off the network share as well.

EFS, from what I read, uses certificates and is supposed to be seamless, which from a user standpoint is easy, but from a tech standpoint I don't know if it's much of a solution. TPM looks like it's easy, but BitLocker encrypts the entirety of the disk, and I'm told we can't have any slowdowns, and with TPM slowdowns will occur.

As for the built-in encryption, in our testing it doesn't let the other people open the file; it just says access denied, even though they're added to the encrypted users and explicitly added in NTFS permissions.
 
LVL 53

Accepted Solution

by:McKnife
McKnife earned 250 total points
ID: 41798718
You need to inform yourself about both EFS and BitLocker to have a base to discuss on.
BL on servers without a TPM is not recommendable, so please do as advised: check if your server mainboard can be equipped with a TPM. What you need to find out is whether it has a TPM header.
If not, drop the BitLocker thought and focus on EFS.

About your scenario: if someone gets network access... now what should that mean? Any member of your company has network access, and still they are already kept from seeing some data by NTFS permissions. No encryption is needed for that. Encryption is against theft, against physical drive access, not network access.

"stop them from copying it off the network share as well." - encryption does not stop someone from copying data he can read. You did not yet understand it. Please read some basics about encryption, like Wikipedia on BitLocker maybe, or TechNet articles about BitLocker and EFS.

BL and performance: not worth mentioning. The performance loss is marginal.
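An added example, not from any poster in this thread, covering the two practical points raised above: checking whether the server actually has a TPM before planning BitLocker, and granting additional AD users access to an EFS-encrypted file, which is the step the questioner's "access denied" result suggests was missing (NTFS permissions alone do not add a user's certificate to an EFS file). The file path and account names are placeholders, and it assumes the users' EFS certificates are published in Active Directory so that `cipher /adduser /user:` can look them up.

```powershell
# Added example (not from the thread). Run as an administrator on the file server.
param(
    # Placeholder path to one of the HR files that must be protected.
    [string]$Path = 'D:\Shares\HR\payroll.xlsx',
    # Placeholder AD accounts that must be able to open the file.
    [string[]]$Users = @('CONTOSO\hr.lead', 'CONTOSO\finance.lead')
)

# 1. BitLocker question: is there a usable TPM on this box at all?
#    Get-Tpm comes with the TrustedPlatformModule module (Server 2012 and later).
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm -and $tpm.TpmPresent) {
    Write-Output ("TPM present. Ready={0} Enabled={1}" -f $tpm.TpmReady, $tpm.TpmEnabled)
} else {
    Write-Output "No TPM detected: a TPM-based BitLocker protector is not an option here."
}

# 2. EFS: encrypt only the file in question (not the whole volume).
#    At this point only the calling user's EFS certificate is on the file.
cipher.exe /e $Path | Out-Null

# 3. Add each extra user's EFS certificate to the file. Without this, other users get
#    "access denied" even when their NTFS permissions allow reading.
foreach ($u in $Users) {
    cipher.exe /adduser /user:$u $Path
}

# 4. Show which certificates can now decrypt the file, so the change can be verified.
cipher.exe /c $Path
```

If a user's certificate is not found in AD, have them encrypt any file once so Windows issues one, or use `/certfile:` with an exported public certificate instead of `/user:`.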
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 125 total points
ID: 41798796
You can't prevent someone from copying data off the share. Full stop. That's the *point* of a share.

You can prevent them (within reason) from opening or copying that data. Windows RMS or Azure Information Protection is what you seek. For LoB app data, it basically requires Windows 10 1607 and Server 2016 in most cases.
 
LVL 23

Assisted Solution

by:NVIT
NVIT earned 125 total points
ID: 41798814
As an alternative to EFS or BitLocker: maybe TrueCrypt... VeraCrypt... CipherShed?
 
LVL 1

Author Comment

by:Crossroads305
ID: 41801647
Thanks for all the help. We came up with several options. I know the general basics of encryption, and I didn't think it could do all of that, but I'm just repeating what I'm being told is needed under the HITRUST encryption security policy we need to follow.