data encryption on circuits and on a file server

I have 2 domain controllers / file servers installed at 2 different buildings. The domain controllers replicate data through a circuit so that the changes on one server are replicated to the other server.

This allows both to be identical for DR purposes etc.

Users have shared areas on these servers and home directories.
We use Comcast Metro Ethernet between the 2 buildings.

I had an auditor question me about data encryption and I need someone to help me understand.

The servers are Windows 2012 R2.

I was told that the data on the servers needed to be encrypted and the data also needs to be encrypted when it replicates over the circuit to the other server.
They explained it to me this way: data that is moving or standing still must be encrypted.

The data is inside my network, secured by a firewall.

The circuits are private. I was told by the auditors that the service provider could get access to the data as it moves through the circuit.

Is the auditor right?

What could be done to fix this problem?

Dr. Klahn, Principal Software Engineer, commented:
I would say half right.  Data moving over media that you don't control can be intercepted by the media provider.

Now, all this goes out the window if your auditors are from outside the organization and you must comply in order to get that contract or meet government specs.  But if the auditors are hired guns looking over your operation ...

I don't think your auditors understand how much of a drag on operations it is to maintain encryption on server data.  The intent is good, but they don't have to maintain the systems.

Every time anyone who has access to the servers leaves the organization, all the encryption must be undone, then redone with new keys.  In addition to that, the encryption must be undone, then redone periodically (at least every six months) just on general principles.  This will require cloning each server at least once so that you don't have company-wide Encryption Downtime Days.

But you'll have to buy more servers anyway, because instead of serving data the servers will instead be spending most of their time encrypting and decrypting data as it goes to and from disk.

As Admiral Grace Hopper said, data has a value.  Some data is valuable, some is not, some is valuable forever, some only for three minutes.  You should have your management put a value on the data on those servers, decide how long it is valuable, and then have them decide what is an acceptable risk level.  Then you can act accordingly to their decision, tell them how much it will cost to implement security at that level, and no matter whether they go ahead with it or not the consequences are on their heads, not yours.

Data at rest can be encrypted with BitLocker.
Replication data between domain controllers will use the SMB protocol and we can enforce encryption on that protocol as well.

Please Google BitLocker and SMB 3.0 encryption.
Chris, Senior Technical Architect, commented:
The auditors are technically correct for the data in transit but are stating an extreme situation. If the private circuit is point to point then it's quite challenging to sniff the data on there, i.e. dig up the cables or break into the exchanges that route these.
If you have firewalls or routers that you control on each end then the easiest thing to do is to set up a VPN connection between them. That way the traffic is encrypted in transit.

With regard to data encrypted at rest, I would push them for actual requirements; I would only expect to do this with client data in transit as it moved between network segments. If they are physical servers then, making sure they have TPM chips, you could encrypt them; if they are SAN attached then encrypted disks at the array level would protect from physical removal/theft.
btan, Exec Consultant, commented:
Indeed, as the expert mentioned, the auditor is looking for data at rest and in transit (over the wire) to be encrypted. In fact, for over the wire, some may say end-to-end encryption: data is encrypted before it gets onto the wire and the wire is further secured, so even if the wire does get intercepted, the data leaked remains encrypted.

SMB 3 is good. But make sure SMB v1 is disabled so that it cannot be downgraded; see "5. Encryption Details".
The Secure Negotiate capability described in section 3 does prevent a “man in the middle” from downgrading a connection from SMB 3 to SMB 2 (which would use unencrypted access); however it does not prevent downgrades to SMB 1 which would also result in unencrypted access.

For this reason, in order to guarantee that SMB 3 capable clients will always use encryption to access encrypted shares, the SMB 1 server must be disabled.

If the -RejectUnencryptedAccess setting is left at its default setting of $true then there is no concern, because only encryption capable SMB 3 clients will be allowed to access the shares (SMB1 clients will also be rejected).

With SMB Encryption, the encryption key is derived from the existing session key, so you don’t need PKI or certificates. These keys are not shared on the wire. Clients don’t need to do anything, other than support SMB 3.0. The default configuration is to configure encryption per share, but there is an option to enable encryption for the entire server, configured via PowerShell. You simply need to use Set-SmbServerConfiguration -EncryptData $true.

See section 7 in
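The two controls the answers above point at (BitLocker for data at rest, SMB 3 encryption with SMB 1 disabled for data in transit) can be audited and applied from one PowerShell session on each Windows Server 2012 R2 file server. The script below is an added example written for this page; it is not code from any of the posters or from Microsoft. It assumes, as the answers do, that the replicated data and the user shares travel over SMB, and the share names are placeholders. Traffic that does not use SMB (Chris's point about a VPN between the two sites) is not covered by these settings.

```powershell
# Added example, not from the page. Run in an elevated PowerShell session on
# each file server. Share names below are placeholders for this example.

# --- 1. Audit the current SMB server settings before changing anything ---
$before = Get-SmbServerConfiguration
$before | Select-Object EnableSMB1Protocol, EncryptData, RejectUnencryptedAccess |
    Format-List

# --- 2. Enforce encryption server-wide and close the SMB 1 downgrade path ---
# RejectUnencryptedAccess $true (the default) makes clients that cannot
# encrypt fail instead of silently falling back to cleartext; disabling the
# SMB 1 server removes the downgrade the quoted Microsoft text warns about.
Set-SmbServerConfiguration -EncryptData $true `
                           -RejectUnencryptedAccess $true `
                           -EnableSMB1Protocol $false `
                           -Force

# --- 3. Per-share alternative: flag only the sensitive shares ---
# Use this instead of step 2 if server-wide encryption is too broad.
$sensitiveShares = @('HomeDirs', 'Shared')   # placeholder share names
foreach ($name in $sensitiveShares) {
    if (Get-SmbShare -Name $name -ErrorAction SilentlyContinue) {
        Set-SmbShare -Name $name -EncryptData $true -Force
    }
}

# --- 4. Verify: every non-administrative share and its encryption flag ---
Get-SmbShare | Where-Object { -not $_.Special } |
    Select-Object Name, Path, EncryptData | Format-Table -AutoSize

# --- 5. Data at rest: report BitLocker state for each fixed volume ---
# Requires the BitLocker feature (Install-WindowsFeature BitLocker) and,
# for unattended reboots of a server, a TPM to hold the volume key.
Import-Module BitLocker -ErrorAction Stop
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod |
    Format-Table -AutoSize
```

Step 1 and step 4 are the evidence an auditor asks for: a server with EnableSMB1Protocol False, EncryptData True and RejectUnencryptedAccess True will refuse any client that cannot negotiate an encrypted SMB 3 session, so a tap on the carrier's circuit sees only ciphertext for that traffic. Step 5 shows ProtectionStatus per volume; a volume that is encrypted but reports protection off (for example while a suspended protector is in place) still needs attention before it counts as encrypted at rest.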
