File share encryption for multiple users?

How are people encrypting File shares with sensitive data?

We were a smaller company and our HR and finance department was just 1 person for the longest time. We run Windows 2008-2012 R2 servers on an AD domain. As we are growing, our HR and finance department is getting larger; there are several files that HR accesses over file shares, and our security department has now required they be encrypted because of the HITRUST and HIPAA certifications we will be carrying. All the solutions I am finding are ways to encrypt the files for one specific person, and 2012 for the file server. We're looking at BitLocker drive encryption, but it looks like it needs a TPM module, which our server doesn't have, and it will encrypt the whole drives, which slows things down, and we only need those few files encrypted. So how are people doing this, if it's possible?

Did you look at the built-in EFS?
By the way, what attack scenario do you see?
Cliff GaliherCommented:
BitLocker is our go-to solution. We buy TPM modules for all client deployments.
He'd need to find out if his server mainboard has a TPM header, so a TPM could be bought for it. Without, it is not advisable to use TPMs on a server if the attack scenario is about physical access. The server will likely need to be startable hands-free, so no TPM, no bitlocker.

Crossroads305Author Commented:
So basically the attack plan is: if someone gets access to the internal network and/or recovers a hard drive that was to be destroyed, they should not be able to recover the sensitive data. However, multiple people access the files through many different ways remotely: laptops, RDS, VDIs, etc. Also, we must stop them from copying it off the network share as well.

EFS, from what I read, uses certificates and is supposed to be seamless, which from a user standpoint is easy, but from a tech standpoint I don't know if it's much of a solution. TPM looks like it's easy, but BitLocker encrypts the entirety of the disk, and I'm told we can't have any slowdowns and with TPM slowdowns will occur.

As for the built-in encryption, in our testing it doesn't let the other people open the file; it just says access denied, even though they're added to the encrypted users and explicitly added in NTFS permissions.
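The "access denied" result described above is what EFS returns when a user's certificate has not been added to that particular file, regardless of the NTFS ACL. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes a placeholder file path and account name, that the person running it can already decrypt the file, and that the colleague's EFS certificate is published in Active Directory (which is where `cipher /adduser /user:` looks it up).

```powershell
# Added example, not from the thread. Shares one EFS-encrypted file with a second
# domain user so both can open it. Placeholders: $Path and $UserSam. Assumes the
# caller can decrypt the file and the colleague's EFS certificate is published in AD.
param(
    [string]$Path    = 'D:\HR\payroll.xlsx',   # placeholder path
    [string]$UserSam = 'jdoe'                  # placeholder sAMAccountName
)

# 1. NTFS permissions and EFS are separate layers: confirm the Encrypted attribute is set.
$attrs = (Get-Item -LiteralPath $Path).Attributes
if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) {
    throw "$Path is not EFS-encrypted. Encrypt it first with: cipher /e `"$Path`""
}

# 2. List who can currently decrypt it (the certificates in the file's DDF).
cipher /c $Path

# 3. Add the colleague's certificate to the file. Without this step the user gets
#    'Access denied' even when the ACL grants Read, because the file encryption key
#    is only wrapped for the certificates already listed in step 2.
cipher /adduser /user:$UserSam $Path
if ($LASTEXITCODE -ne 0) {
    throw "cipher /adduser failed; check that $UserSam has an EFS certificate published in AD"
}

# 4. Verify the new DDF entry, then confirm the ACL still grants the user at least Read.
cipher /c $Path
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.IdentityReference.Value -match "\\$UserSam$" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Two caveats worth knowing before relying on this: EFS sharing is per file, not per folder, so a file newly created in an encrypted folder is readable only by its creator until someone with access adds the other users again; and a user only has an EFS certificate after they have encrypted something themselves or received one through certificate auto-enrollment, so `cipher /adduser /user:` fails for an account that has never used EFS.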
You need to inform yourself about both EFS and BitLocker to have a base to discuss on.
BitLocker on servers without a TPM is not recommended, so please do as advised: check if your server mainboard can be equipped with a TPM. What you need to find out is whether it has a TPM header.
If not, drop the BitLocker thought and focus on EFS.

About your scenario: if someone gets network access... now what should that mean? Any member of your company has network access and still, they are already kept from seeing some data by NTFS permissions. No encryption needed for that. Encryption is against theft, against physical drive access - not network access.

"stop them from copying it off the network share as well." - encryption does not stop someone from copying data he can read. You did not yet understand it. Please read some basics about encryption, like Wikipedia on BitLocker maybe, or TechNet articles about BitLocker and EFS.

BL and performance: not worth mentioning. The performance loss is marginal.
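The advice in this reply and in the earlier one about the TPM header comes down to one question: does the server actually have a usable TPM, and if BitLocker is ever turned on, what would unlock the volume at boot? The following PowerShell is an added example, not code from the thread or from Microsoft. It uses the WMI `Win32_Tpm` class rather than the newer `Get-Tpm` cmdlet so that it also works on the 2008 R2 servers mentioned in the question, and assumes it is run from an elevated prompt.

```powershell
# Added example, not from the thread. Reports whether this server has a usable TPM and,
# if BitLocker is already enabled, which protectors unlock each volume.
# Uses WMI so it runs on Server 2008 R2 through 2012 R2. Run elevated.

function Get-TpmSummary {
    # Win32_Tpm lives in its own namespace; absence of the class means no TPM driver/device.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{
            Present = $false; Enabled = $false; Activated = $false; Owned = $false; SpecVersion = $null
        }
    }
    # Each WMI method returns an object whose property of the same name carries the boolean.
    [pscustomobject]@{
        Present     = $true
        Enabled     = $tpm.IsEnabled().IsEnabled
        Activated   = $tpm.IsActivated().IsActivated
        Owned       = $tpm.IsOwned().IsOwned
        SpecVersion = $tpm.SpecVersion
    }
}

$summary = Get-TpmSummary
$summary | Format-List

if (-not $summary.Present) {
    Write-Warning 'No TPM detected. BitLocker here would need a USB startup key or a password typed at every boot,'
    Write-Warning 'which is why an unattended server should not use it without one; check the board for a TPM header.'
}
elseif (-not ($summary.Enabled -and $summary.Activated)) {
    Write-Warning 'TPM is present but not enabled/activated in firmware; enable it there before provisioning BitLocker.'
}

# Current BitLocker state, if the feature is installed: shows protection status and
# the key protector types (TPM, TPM+PIN, startup key, recovery password) per volume.
manage-bde -status
```

The point of the `Present`/`Enabled`/`Activated` split is that a TPM soldered to the board but disabled in the firmware looks, from Windows, almost the same as no TPM at all; checking both states before buying a module avoids a needless purchase.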

Cliff GaliherCommented:
You can't prevent someone from copying data off the share. Full stop. That's the *point* of a share.

You can prevent them (within reason) from opening or copying that data. Windows RMS or Azure Information Protection is what you seek. For LoB app data, it basically requires Windows 10 1607 and Server 2016 in most cases.
NVITEnd-user supportCommented:
As an alternative to EFS, Bitlocker: Maybe TrueCrypt... VeraCrypt... CipherShed?
Crossroads305Author Commented:
Thanks for all the help. We came up with several options. I know the general basics of encryption and I didn't think it could do all of that, but I'm just repeating what I'm being told is needed under the HITRUST encryption security policy we need to follow.