Solved

File share encryption for multiple users?

Posted on 2016-09-14
Medium Priority
153 Views
Last Modified: 2016-09-16
How are people encrypting File shares with sensitive data?

We were a smaller company and our HR and finance department was just 1 person for the longest time. We run Windows 2008-2012r2 servers on an AD domain. As we are growing, our HR and finance dept is getting larger; there are several files that HR accesses over file shares, and our security department has now required they be encrypted because of the HITRUST and HIPAA certifications we will be carrying. All the solutions I am finding are ways to encrypt the files for one specific person, and 2012 for the file server. We're looking at BitLocker drive encryption, but it looks like it needs a TPM module, which our server doesn't have, and it will encrypt the whole drives, which slows things down, and we only need those few files encrypted. So how are people doing this, if it's possible?
Question by:Crossroads305
8 Comments
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 1000 total points
ID: 41798190
Did you look at the built-in EFS?
By the way, what attack scenario do you see?
0
 
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 500 total points
ID: 41798201
BitLocker is our go-to solution. We buy TPM modules for all client deployments.
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 1000 total points
ID: 41798292
He'd need to find out if his server mainboard has a TPM header, so a TPM could be bought for it. Without one, it is not advisable to use BitLocker on a server if the attack scenario is about physical access. The server will likely need to be startable hands-free, so no TPM, no BitLocker.
0

 
LVL 1

Author Comment

by:Crossroads305
ID: 41798396
So basically the attack plan is: if someone gets access to the internal network and/or recovers a hard drive that was to be destroyed, they should not be able to recover the sensitive data. However, multiple people access the file in many different ways: remotely, laptops, RDS, VDIs, etc. Also, we must stop them from copying it off the network share as well.

EFS, from what I read, uses certificates and is supposed to be seamless, which from a user standpoint is easy, but from a tech standpoint I don't know if it's much of a solution. TPM looks like it's easy, but BitLocker encrypts the entirety of the disk, and I'm told we can't have any slowdowns, and with TPM slowdowns will occur.

As for the built-in encryption, in our testing it doesn't let the other people open the file; it just says access denied, even though they're added to the encrypted users and explicitly added in NTFS permissions.
0
 
LVL 56

Accepted Solution

by:McKnife
McKnife earned 1000 total points
ID: 41798718
You need to inform yourself about both EFS and BitLocker to have a base to discuss on.
BL on servers without a TPM is not recommendable, so please do as advised: check if your server mainboard can be equipped with a TPM. What you need to find out is whether it has a TPM header.
If not, drop the BitLocker thought and focus on EFS.

About your scenario: if someone gets network access... now what should that mean? Any member of your company has network access and still, they are already kept from seeing some data by NTFS permissions. No encryption needed for that. Encryption is against theft, against physical drive access, not network access.

"stop them from copying it off the network share as well." - encryption does not stop someone from copying data he can read. You did not yet understand it. Please read some basics about encryption, like Wikipedia on BitLocker maybe, or TechNet articles about BitLocker and EFS.

BL and performance: not worth mentioning. The performance loss is marginal.
0
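The accepted answer and the asker's "access denied" report both turn on how EFS shares a file between several users. The following PowerShell script is an added illustration by the editor, not code from any poster in this thread: it checks whether a usable TPM exists (the precondition discussed above for BitLocker), then encrypts one file with EFS and adds a second user's certificate to it with cipher.exe. The file path and the account name are placeholders, not values from the thread.

```powershell
# Added example (editor's, not from any poster): TPM check plus EFS sharing of one file.
# $Path and $AdditionalUsers are placeholders; replace with real values before use.
param(
    [string]$Path = 'D:\Shares\HR\payroll.xlsx',          # placeholder path
    [string[]]$AdditionalUsers = @('CONTOSO\hr.second')   # placeholder domain account
)

function Test-TpmAvailable {
    # Get-Tpm comes with the TrustedPlatformModule module (Server 2012 / Windows 8 and later).
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        return [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    } catch {
        # Module missing or no TPM device found: treat as unavailable.
        return $false
    }
}

function Test-EfsEncrypted([string]$File) {
    # The Encrypted attribute is set on files protected by EFS.
    $attrs = (Get-Item -LiteralPath $File).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Get-EfsUsers([string]$File) {
    # cipher /c lists the certificates (users and recovery agents) that can decrypt the file.
    return & cipher.exe /c $File
}

function Add-EfsUser([string]$File, [string]$User) {
    # cipher /adduser /user:<name> looks the user's EFS certificate up in the local
    # certificate stores or Active Directory and adds it to the file. If no EFS
    # certificate can be found for that user, the command fails and the user would
    # still see "access denied" even with full NTFS permissions.
    & cipher.exe /adduser /user:$User $File
    if ($LASTEXITCODE -ne 0) {
        throw "cipher /adduser failed for $User (exit code $LASTEXITCODE)"
    }
}

if (Test-TpmAvailable) {
    Write-Host 'TPM present and ready: a BitLocker TPM protector is an option on this host.'
} else {
    Write-Host 'No usable TPM: BitLocker would need a password or startup-key protector; using EFS for the file.'
}

if (-not (Test-EfsEncrypted -File $Path)) {
    # Equivalent to "cipher /e" for a single file; encrypts under the current user's EFS certificate.
    [System.IO.File]::Encrypt($Path)
}

foreach ($user in $AdditionalUsers) {
    Add-EfsUser -File $Path -User $user
}

# Show who can now decrypt the file.
Get-EfsUsers -File $Path
```

Run it as the user who owns the encrypted file, on the file server itself. Two things commonly explain the "access denied" seen above when EFS is used over a share: the other user's EFS certificate must be reachable by the machine running cipher (published to Active Directory or imported into the local stores), and for EFS to work across SMB the file server's computer account must be trusted for delegation so the user's profile and keys can be loaded on the server.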
 
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 500 total points
ID: 41798796
You can't prevent someone from copying data off the share. Full stop. That's the *point* of a share.

You can prevent them (within reason) from opening or copying that data. Windows RMS or Azure Information Protection is what you seek. For LoB app data, it basically requires Windows 10 1607 and Server 2016 in most cases.
0
 
LVL 25

Assisted Solution

by:NVIT
NVIT earned 500 total points
ID: 41798814
As an alternative to EFS and BitLocker: maybe TrueCrypt... VeraCrypt... CipherShed?
0
 
LVL 1

Author Comment

by:Crossroads305
ID: 41801647
Thanks for all the help. We came up with several options. I know the general basics of encryption and I didn't think it could do all of that, but I'm just repeating what I'm being told is needed under the HITRUST encryption security policy we need to follow.
0