Whole hard drive encryption software that causes files that are copied over network to be unreadable

I'm working on a project for a company that needs to ensure that the documents and files stored on the hard drives of its executives are completely unreadable if any of the IT employees copy these files from the executives' hard drives to their own computers.

While only a few employees have domain admin access and would be able to do this in the first place, we need to ensure that if this is ever done, the files that are copied will be highly encrypted and won't be able to be read, since this has already been done by former domain admins.

What kind of whole hard drive encryption software will do this?

Is this something that Symantec PGP whole hard drive encryption will do once the entire Windows 10 OS and hard drive of a computer is encrypted?
IT Guy (Network Engineer) asked:

Lee W, MVP (Technology and Business Process Advisor) commented:
You know, you would get better answers initially and have to ask fewer questions if you just explained what your end goal was in the first place.

You don't necessarily want full disk encryption as your previous question states, you want an encrypting file system.  

Whole hard drive encryption prevents access to the data UNLESS you have credentials to get into the machine, at which point the admin rights can be used to override file permissions.

The Encrypting File System: see "How EFS Works", https://technet.microsoft.com/en-us/library/cc700811.aspx

Depending on how this is implemented, the admins can be limited in their ability to access the data... HOWEVER, if not careful, the admins CAN corrupt the user's keys (with local user accounts) or potentially just change the passwords (with domain accounts) to gain access.  The best you get from this is the ability to know the data was potentially accessed without authorization... but frankly, I can still see ways around this that don't rely on increased computing power hacking the encryption keys.  For example, clone the domain on and then change the information...

Management would probably be better off vetting the admins they hire better and/or not treating them poorly so they want to do things like this.
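The point above about EFS and recovery agents is easy to check on a real machine. The following is an added example, not code from the original thread: it turns EFS on for a folder and then lists, per file, which certificates can open it, including any Data Recovery Agent (DRA) certificate that an administrator may hold. It assumes Windows 10/11, an NTFS volume, that it runs as the folder's owner, that the path in `$Folder` is illustrative, and that the output of `cipher.exe /c` contains the "Users who can decrypt:", "Recovery Certificates:" and "Certificate thumbprint:" lines in the form that cipher prints today.

```powershell
# Added example (not from the original thread): enable EFS on a folder and
# report which certificates, owner and recovery agents, can decrypt each file.
# Assumptions: Windows 10/11, NTFS, run as the folder's owner; $Folder is an
# illustrative path; the cipher /c output headings are assumed as named below.

param([string]$Folder = "$env:USERPROFILE\Documents\ExecFiles")

function Test-EfsEncrypted([string]$Path) {
    # The Encrypted attribute is only set for EFS-protected files on NTFS.
    return [bool]((Get-Item -LiteralPath $Path).Attributes -band [IO.FileAttributes]::Encrypted)
}

function Get-EfsAccess([string]$Path) {
    # Parse "cipher /c" output into the thumbprints that can open the file.
    $section = $null
    $result  = @{ Decryptors = @(); RecoveryAgents = @() }
    foreach ($line in (& cipher.exe /c "$Path" 2>&1)) {
        switch -Regex ($line) {
            'Users who can decrypt:'  { $section = 'Decryptors';     continue }
            'Recovery Certificates:'  { $section = 'RecoveryAgents'; continue }
            'Key Information:'        { $section = $null;            continue }
            'Certificate thumbprint:' {
                if ($section) { $result[$section] += ($line -replace '.*thumbprint:\s*', '').Trim() }
            }
        }
    }
    return $result
}

# 1. Encrypt the folder and its contents; new files created there inherit EFS.
if (-not (Test-Path -LiteralPath $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
& cipher.exe /e /s:"$Folder" | Out-Null

# 2. Report per file. A non-empty RecoveryAgents column means someone other than
#    the owner (by default the first domain admin's DRA certificate) can decrypt it.
Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
    $access = Get-EfsAccess $_.FullName
    [pscustomobject]@{
        File           = $_.FullName
        Encrypted      = Test-EfsEncrypted $_.FullName
        Decryptors     = ($access.Decryptors -join ', ')
        RecoveryAgents = ($access.RecoveryAgents -join ', ')
    }
} | Format-Table -AutoSize
```

Run it once after enabling EFS and keep the report: if the RecoveryAgents column is not empty, the listed certificate holder can read the file without the owner's password, which is exactly the administrator-access path the answer warns about. The DRA is set by Group Policy (Public Key Policies, Encrypting File System), not by this script.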

David Johnson, CD, MVP (Retired) commented:
"What kind of whole hard drive encryption software will do this?
Is this something that Symantec PGP whole hard drive encryption will do once the entire Windows 10 OS and hard drive of a computer is encrypted?"

No, since the files are unencrypted when the drive is unlocked. This only prevents someone cloning the drive and accessing the files, not when the user is logged in; they can then copy/email/ftp these files at will. What you need is some sort of digital rights management like ADRMS (part of Windows Server since 2012):
  1. Persistent usage policies, which remain with the information, no matter where it is moved, sent or forwarded.
  2. An additional layer of privacy to protect sensitive information —such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands.
  3. Prevent an authorized recipient of restricted content from forwarding, copying, modifying, printing, faxing, or pasting the content for unauthorized use
  4. Prevent restricted content from being copied by using the Print Screen feature in Microsoft Windows
  5. Support file expiration so that content in documents can no longer be viewed after a specified period of time
  6. Enforce corporate policies that govern the use and dissemination of content within the company
Eirman (Chief Operations Manager) commented:
I'm a great fan of jetico's bestcrypt and have used it for years.
It has some advanced features which I don't fully understand

This one may do at least some of what you need ....
Jetico Central Manager, included as a component in BestCrypt Volume Encryption – Enterprise Edition, enables a single person (Administrator) from a central administration computer to always monitor usage of encrypted data on remote workstations across an enterprise network. It also includes a database for gathering and storing information from client computers, such as log information about deployment and updates of BestCrypt Volume Encryption client modules or rescue information to recover encrypted data in case of emergency.

IT Guy (Network Engineer, author) commented:
OK what are some good Encrypting File System programs?

Can these Encrypting File System programs be used along with a whole drive encryption software such as Symantec PGP or with Windows Bitlocker?
btan (Exec Consultant) commented:
Disk encryption cannot stop the domain admin, as earlier discussed. You need another layer of protection, such as file and folder encryption which the admin has no access to. Note that EFS would have a data recovery agent, and you should avoid the administrator if it is deemed not secure by the policy. By default the DRA is the local administrator for a standalone machine and the first domain admin for a domain machine. You can still consider EFS.

Otherwise, since you mentioned Symantec PGP, you can consider another product from Symantec for file/folder encryption, but do note:
The Windows 10 Anniversary Update provides a feature that enables you to disable legacy drivers. To avoid accidentally disabling the Symantec File Share Encryption feature, Symantec recommends that you retain legacy drivers in the active state.
and does not currently support the Windows 10 Fall Creators Update (version 1709).

Another (maybe easier) option is to password-protect the file using ZIP, e.g. with 7z, or check out AxCrypt.

Do remember your protection against data loss is regular backups. Please backup all your important files – secured as well as files without security.
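The "password protect with 7z" suggestion above has one setting that matters in this scenario, so here is an added example (not from the original thread) of doing it from PowerShell and checking the result. It assumes 7-Zip is installed with `7z.exe` on the PATH and that `$Source` and `$Archive` are illustrative paths; the 7z format encrypts with AES-256.

```powershell
# Added example (not from the original thread): password-protect a folder as a
# 7z archive with encrypted headers, then verify that the listing is hidden
# without the passphrase and that the archive round-trips with it.
# Assumptions: 7z.exe on PATH; $Source and $Archive are illustrative paths.

param(
    [string]$Source  = "$env:USERPROFILE\Documents\ExecFiles",
    [string]$Archive = "$env:USERPROFILE\Documents\ExecFiles.7z"
)

# Prompt rather than hard-code the passphrase. Caveat: 7z only accepts the
# passphrase as a command-line argument, so it is visible in the process list
# while 7z runs; an admin who can read that (or log keystrokes) obtains it.
$secure = Read-Host -Prompt 'Archive passphrase' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# -mhe=on encrypts the archive headers as well. Without it anyone who can open
# the archive can read every file name inside it, password or not.
& 7z.exe a -t7z -mx=5 -mhe=on "-p$plain" "$Archive" "$Source\*" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7z failed with exit code $LASTEXITCODE" }

# With encrypted headers, even listing must fail under a wrong passphrase.
& 7z.exe l "$Archive" '-pnot-the-passphrase' *> $null
$headersHidden = ($LASTEXITCODE -ne 0)

# The integrity test with the real passphrase must succeed.
& 7z.exe t "$Archive" "-p$plain" *> $null
$roundTrip = ($LASTEXITCODE -eq 0)

Remove-Variable plain, secure
[pscustomobject]@{ Archive = $Archive; HeadersHidden = $headersHidden; RoundTrip = $roundTrip }
```

Prefer the 7z container over classic .zip here: ZIP's legacy ZipCrypto scheme is weak, and .zip cannot hide file names. None of this helps once the plaintext is open on the executive's desk while an admin is logged on to the same machine, which is the limitation the thread keeps returning to.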
If someone is admin on a machine, he can record keystrokes (including all text and all encryption and user passwords).

Do you seriously believe that you can do anything against that? No, you can't. Wait: You can: Let those executives be the only admins on their machine. Seriously, that is the only way.
btan (Exec Consultant) commented:
Who guards the guards? Insider threat is not an easy problem to solve. I have seen file and folder encryption using 2FA, using a smartcard and not just a password. Machine login is also by smartcard. That would not be easy for an admin to "come in" to do any task without user and owner approval.

However, the super admin has been the concern. There are no good means, but I think another optimal way is to detect anomalous activities through user activity monitoring: an agent which resides in the machine, watches over it and cannot be removed by an admin given they are aware of the installation password. All admins are also enforced to have 2FA, and all login/logoff is tracked by a central SOC. Look into centralising server administration using the likes of privileged identity management. I am in that environment. Not the most effective, but it is a big deterrent to an admin trying to attempt the illicit action without notice.

User vigilance is another area to build on: being alert to onsite administration, and regular random audits of critical systems and client machines.
David Johnson, CD, MVP (Retired) commented:
If you use EFS you can copy a file from an EFS encrypted folder to a FAT32 USB drive and now the file is not encrypted. If you lose the EFS PKI key then any file encrypted using that key is for all intents and purposes lost. The alternative is to back up the EFS key into a PFX file and then save it into a non-encrypted folder. You may back this up in several places, but you risk the key escaping into the wild.
The harder you make it for the user to encrypt/decrypt the file, which is why I recommend using ADRMS, as it is pretty much transparent to the user, and no matter where the RMS files are copied to or emailed, the RMS rules still apply to the file.
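The key-backup step mentioned above is the one people skip until a profile is rebuilt. The following is an added example, not code from the original thread, that exports the current user's EFS certificate and private key to a password-protected PFX and verifies the file before it is moved to offline media. It assumes Windows with the PKI module (`Export-PfxCertificate`) and that `$OutFile` is an illustrative path; `1.3.6.1.4.1.311.10.3.4` is the EFS enhanced-key-usage OID. `cipher.exe /x` does the same thing interactively.

```powershell
# Added example (not from the original thread): back up the user's EFS key to a
# PFX and verify it. Assumptions: PKI module available; $OutFile is an
# illustrative path on removable media; EFS EKU OID 1.3.6.1.4.1.311.10.3.4.

param([string]$OutFile = 'E:\efs-backup.pfx')

$efsOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertificate {
    # EFS certificates live in the user's personal store and carry the EFS EKU.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) } |
        Sort-Object NotAfter -Descending
}

$cert = Get-EfsCertificate | Select-Object -First 1
if (-not $cert) { throw 'No EFS certificate with a private key found for this user.' }

# Refuse to write the backup into an EFS-encrypted folder: if the key is lost,
# the backup would be unreadable for the same reason.
$dir = Split-Path -Parent $OutFile
if ((Get-Item -LiteralPath $dir).Attributes -band [IO.FileAttributes]::Encrypted) {
    throw "$dir is EFS-encrypted; choose a plain destination, ideally offline media."
}

$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $pw | Out-Null

# Verify the PFX loads with that password and carries the expected private key.
$check = [Security.Cryptography.X509Certificates.X509Certificate2]::new($OutFile, $pw)
if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
    Remove-Item -LiteralPath $OutFile -Force
    throw 'Exported PFX did not contain the expected EFS key; removed it.'
}

[pscustomobject]@{ Thumbprint = $cert.Thumbprint; Expires = $cert.NotAfter; Backup = $OutFile }
```

Keep exactly one copy, on media that is not attached to the managed machine, and record the thumbprint somewhere the executive can find it: an admin who obtains this PFX and its password has the same access as the DRA.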
btan (Exec Consultant) commented:
Just another note for EFS limitation.
Note that if you copy a file encrypted with EFS to an external system, it will no longer be encrypted. EFS is not designed to protect data while in transfer between systems, files that are transferred are decrypted prior to transfer and move over the network in plain text. If the destination folder is configured to be encrypted with EFS, the file will then be encrypted locally. It is possible to ensure EFS files stay encrypted when transferring over a network if they are copied to a web folder using WebDAV.
The channel needs to be secured, and the data has to be encrypted separately.
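Both limitations described in this thread, the FAT32 copy that loses encryption and the network copy that travels in plaintext, come down to moving an EFS file somewhere EFS cannot follow. As an added example that is not part of the original thread, here is a copy wrapper that fails closed in both cases. It assumes Windows PowerShell 5.1 or later; `Copy-EfsFile` and `Test-EfsCapableDestination` are hypothetical names, not built-in cmdlets, and the sample paths are illustrative.

```powershell
# Added example (not from the original thread): copy an EFS file only when the
# destination can keep it encrypted. Refuses non-NTFS volumes (FAT32 sticks)
# and UNC paths, where the data crosses the network in the clear over SMB.
# Assumptions: Windows PowerShell 5.1+; function names and paths are illustrative.

function Test-EfsEncrypted([string]$Path) {
    return [bool]((Get-Item -LiteralPath $Path).Attributes -band [IO.FileAttributes]::Encrypted)
}

function Test-EfsCapableDestination([string]$Path) {
    # Any \\server\share target is treated as unsafe: EFS decrypts before the
    # bytes go on the wire unless the transfer is a raw EFS stream over WebDAV.
    if ($Path -match '^\\\\') { return $false }
    $root = [IO.Path]::GetPathRoot([IO.Path]::GetFullPath($Path))
    try   { return ([IO.DriveInfo]::new($root).DriveFormat -eq 'NTFS') }
    catch { return $false }   # unknown drive type: fail closed
}

function Copy-EfsFile([string]$Source, [string]$Destination) {
    $wasEncrypted = Test-EfsEncrypted $Source
    if ($wasEncrypted -and -not (Test-EfsCapableDestination $Destination)) {
        throw "Refusing to copy '$Source' to '$Destination': it would land or travel unencrypted."
    }
    Copy-Item -LiteralPath $Source -Destination $Destination -ErrorAction Stop
    # Confirm the Encrypted attribute survived; on NTFS a copy of an EFS file stays EFS.
    if ($wasEncrypted -and -not (Test-EfsEncrypted $Destination)) {
        Remove-Item -LiteralPath $Destination -Force
        throw "Copy of '$Source' lost its EFS protection; removed the plaintext copy."
    }
    return Get-Item -LiteralPath $Destination
}

# Usage (illustrative paths). The first copy stays on NTFS and keeps EFS;
# the second targets a FAT32 stick and is expected to throw before copying.
Copy-EfsFile 'C:\Users\exec\Documents\ExecFiles\board.docx' 'C:\Users\exec\Documents\Archive\board.docx'
Copy-EfsFile 'C:\Users\exec\Documents\ExecFiles\board.docx' 'E:\board.docx'
```

Explorer handles the FAT32 case by prompting to copy the file decrypted; this wrapper never takes that path. It does nothing against the admin who is already logged on locally and reads the decrypted file in place, which is the case the other replies say encryption cannot solve.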
You will have noticed, that the author did not give any feedback yet. Writing too much, often does not even help until the author proves, that he is able to follow. This problem is old, any security admin knows it and whatever encryption is not the solution.
There are too many ways to get the contents of the machine if you have or had admin access at some point. Tightening things up means no longer administering it. No longer administering it means the VIPs he's talking about will need to administer it themselves.

I work with all the stuff you mention, EFS, BL, 2FA whole disk encryption, ADRMS - that does not help here.

Happy new year everyone and Mr. K., congratulations on reaching 5,000 questions. A little more feedback in the next year(s) would be greatly appreciated.
IT Guy (Network Engineer, author) commented:
I just got back from vacation to a place where I had no internet access.

I'm currently back to a very busy day at work and am reviewing these answers and will post feedback as I have the time.