Security Basics mailing list archives
Re: Protecting sensitive files on a Windows file server
From: RandyW <randyw () techsource com>
Date: Wed, 21 Jun 2006 23:39:00 -0400
I don't want to sound like a crank here, but why would you not be able to protect these files using standard NTFS/GPO/File permissions on the files? I've got some servers with highly sensitive files on them and we've designed the permissions such that only those "need to know" are even aware that they are there, much less can actually gain access to them.
This breaks down however, if Management won't agree to this kind of forced limitation, or where the definition of "need to know" is the "everyone" group...
If someone has access to the file in order to try cracking the passwords, then there isn't much you can do to stop them, as that may require significant filesystem access as it is.
Encrypted backups help there, in case of lost media, but when it comes to windows, that nut is hard to crack. Commerical encryption may be the choice, but then again, you have to give the keys out to those that "need" to gain access to these files. If those systems are compromised, so is your Crypto.
Am I wrong here?? RandyW paul.johnson8 () gmail com wrote:
We already have a RSA infrastructure in place (used to authenticate our VPN). Are their any RSA authentication solutions which works at folders/file level. The cost to build a seperate server is prohibited at the moment. There is a RSA Windows Agent avaliable but it only works to authenticate Windows OS logons and not at the folder/file level. On 21/06/06, Tyler, Grayling <ggtyler () foodlion com> wrote:The most secure is going to be the two factor from RSA but it is also the most cumbersome to work with for the end users. Depends on just how sensitive the files are. All communication regarding everyday IT support needs such as IT problems / incidents should be directed to the ITCRC team at x2848 instead of contacting the various associates directly within the IT department. By logging all problems / incidents with the ITCRC team, this will provide us more visibility into the various types of calls we are receiving, trending of these calls, numbers of calls, etc. The ITCRC team will bring more attention to your issues and allow prompt resolution to your calls. -----Original Message----- From: paul.johnson8 () gmail com [mailto:paul.johnson8 () gmail com] Sent: Monday, June 19, 2006 7:39 PM To: security basics Subject: Protecting sensitive files on a Windows file server We are looking for a secure way to store very sensitive files on our Windows servers. The data is shared. We will turn on full auditing, create hidden shares and a security group. Which type of protection would be most suitable: Office 2003 encryption Windows EFS Winzip 9.x encrypted archives RSA SecurID Windows Agent (2 factor authentication) PGP Desktop Pro Our concern with the Windows/Office encryption types is that it could be cracked - ie. someone could get hold of the file and run some kind of password recovery on the file and access the data. Any ideas on how to approach this would be much appreciated.************************************************************************** This electronic message may contain confidential or privileged informationand is intended for the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited.If you have received this electronic transmission in error, please notifythe sender immediately by using the e-mail address or by telephone (704-633-8250).**************************************************************************
--------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 20)
- Message not available
- Re: Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 21)
- RE: Protecting sensitive files on a Windows file server Roger A. Grimes (Jun 21)
- Re: Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 21)
- Message not available
- Re: Protecting sensitive files on a Windows file server Gaddis, Jeremy L. (Jun 21)
- Re: Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 22)
- Re: Protecting sensitive files on a Windows file server Gaddis, Jeremy L. (Jun 22)
- Re: Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 23)
- Re: Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 22)
- <Possible follow-ups>
- Re: Protecting sensitive files on a Windows file server simonis (Jun 21)
- Re: Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 21)
- Re: Protecting sensitive files on a Windows file server RandyW (Jun 22)
- RE: Protecting sensitive files on a Windows file server Tyler, Grayling (Jun 22)
- RE: Protecting sensitive files on a Windows file server Roger A. Grimes (Jun 22)
- RE: Protecting sensitive files on a Windows file server David Gillett (Jun 23)
- RE: Protecting sensitive files on a Windows file server Roger A. Grimes (Jun 22)
- RE: Protecting sensitive files on a Windows file server Tyler, Grayling (Jun 22)
- RE: Protecting sensitive files on a Windows file server Tyler, Grayling (Jun 22)
- RE: Protecting sensitive files on a Windows file server Roger A. Grimes (Jun 22)
- RE: Protecting sensitive files on a Windows file server Beauford, Jason (Jun 23)