Security Basics mailing list archives
Re: Protecting sensitive files on a Windows file server
From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Thu, 22 Jun 2006 01:42:37 -0400
paul.johnson8 () gmail com wrote:
Encrypting the files looks like the way to go, since this should protect the information if the employee for some reason takes the files out of the Active Directory environment (i.e., copies to a USB drive, CD-ROM, etc.).
Actually, that's not quite right. The files will be encrypted on your file server but since the employee will have a key that is able to decrypt the files, he/she can then do whatever he wants with the file (e.g. copy to USB drive, burn to CD, etc.). If a user copies an encrypted file from the encrypted folder to a non-encrypted folder, the file will be saved unencrypted.
I forgot to mention in my previous e-mail not to forget about encrypting the communication between the client's workstation and the file server using, for example, IPSec communications.
The question here is what extra layer of security should we use to protect the files (containing salary/bank/private info).
Depends how far you want to go with it... Group Policies can disable USB drives, you can remove CD-R/RW drives, disable all attachments on your mail server, etc. Very strict company policies that are backed up/enforced will be necessary as well.
Our users are spread out in different countries but will all be accessing the shared folder on 1 specific server. The users are not considered technical, they are bean counters (finance dept) after all....
EFS can be a PITA for some of these people, I've noticed. This is because while you can grant file permissions on a folder using security groups, you can't do the same with encrypted files. If you want 15 users to be able to access 50 different files in an encrypted folder, you must explicitly grant access to *each* file for *each* user. It gets boring quick. =)
I'll assume you're already using encrypted links between sites.
-j
--
Jeremy L. Gaddis, GCWN, MCP
http://www.linuxwiz.net/
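The per-file, per-user EFS grant described in the message above can be scripted with the built-in `cipher.exe /adduser` switch. This is an added example, not part of the original post; the folder path, the certificate directory and the one-`.cer`-per-user layout are assumptions.

```powershell
# Added example: add every listed user to every EFS-encrypted file in a folder.
# Assumptions (not from the original post):
#   $Folder  - hypothetical path of the encrypted share on the file server
#   $CertDir - hypothetical directory holding one exported EFS certificate
#              (<user>.cer, public key only) per user who needs access
param(
    [string]$Folder  = 'D:\Finance\Payroll',
    [string]$CertDir = 'D:\EfsCerts',
    [switch]$DryRun   # list the grants without changing anything
)

$certs = Get-ChildItem -Path $CertDir -Filter *.cer -File

# Only files that carry the Encrypted attribute can have EFS users added.
$files = Get-ChildItem -Path $Folder -File -Recurse |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

$failures = @()
foreach ($file in $files) {
    foreach ($cert in $certs) {
        if ($DryRun) {
            "would add $($cert.BaseName) to $($file.FullName)"
            continue
        }
        # The account running this must already be able to decrypt the file.
        & cipher.exe /adduser "/certfile:$($cert.FullName)" $file.FullName | Out-Null
        # Assumption: a non-zero exit code is treated as a failed grant.
        if ($LASTEXITCODE -ne 0) {
            $failures += [pscustomobject]@{
                File = $file.FullName
                User = $cert.BaseName
            }
        }
    }
}

# 15 users and 50 files means 750 individual grants.
'{0} files x {1} users = {2} grants, {3} failed' -f `
    $files.Count, $certs.Count, ($files.Count * $certs.Count), $failures.Count
$failures | Format-Table -AutoSize
```

Files created in the folder afterwards are encrypted only for the user who created them, so the script has to be rerun whenever files or users are added.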