Security Basics mailing list archives

Re: Protecting sensitive files on a Windows file server


From: "paul.johnson8 () gmail com" <paul.johnson8 () gmail com>
Date: Wed, 21 Jun 2006 09:53:54 +1000

PGP Netshare looks like a good solution.

We discovered with Office 2003 that, when using the default Office 97/2000
compatible encryption type to protect the files, it is possible to
recover the passwords/data using software such as Elcomsoft Password
Recovery (which can also break EFS) and online password/data recovery
services, no matter how long or complex the password, in under 5
minutes.

By changing the encryption type (using the Crypto API), we could
mitigate this, but the files are still prone to brute force.  My
concern is that there are numerous solutions available to recover or
decrypt Office documents; we need to look at a more robust/proven
encryption technology.

The data we are looking to protect here is salary/personal information
(bank account #s, addresses, etc.).

How are others protecting this information in their place of work?

Interesting to see that Winzip creates unencrypted recoverable temp
files.  I will need to look into this further.

Thanks for the input.

On 21/06/06, Roger A. Grimes <roger () banneretcs com> wrote:
There are many great commercial solutions, like PGP Desktop, but EFS is
free and works well if you handle key archival seriously.

EFS works well, but it is not as eloquent as many of the other solutions
(don't forget TrueCrypt for a free solution). For example, EFS only
encrypts data while it's stored on the hard drive, but the data is
decrypted (using EFS alone) when copied across the network or down to
other media. PGP Desktop, with NetShare, allows the files and keys to be
managed more easily and to remain encrypted wherever they end up (i.e.
USB key, CD-ROM, etc.), and with a single encryption key.

Office 2003 encryption isn't good encryption; easy to bypass.
Winzip leaves unencrypted recoverable temp files.

Just my one-half cent. I haven't tried the RSA solution.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************



-----Original Message-----
From: paul.johnson8 () gmail com [mailto:paul.johnson8 () gmail com]
Sent: Monday, June 19, 2006 7:39 PM
To: security basics
Subject: Protecting sensitive files on a Windows file server

We are looking for a secure way to store very sensitive files on our
Windows servers.  The data is shared. We will turn on full auditing,
create hidden shares and a security group.

Which type of protection would be most suitable:

Office 2003 encryption
Windows EFS
Winzip 9.x encrypted archives
RSA SecurID Windows Agent (2 factor authentication)
PGP Desktop Pro

Our concern with the Windows/Office encryption types is that they could be
cracked, i.e. someone could get hold of the file, run some kind of
password recovery on the file and access the data.

Any ideas on how to approach this would be much appreciated.
