Security Basics mailing list archives

Re: Protecting sensitive files on a Windows file server


From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Tue, 20 Jun 2006 23:09:05 -0400

paul.johnson8 () gmail com wrote:
> We are looking for a secure way to store very sensitive files on our
> Windows servers.  The data is shared. We will turn on full auditing,
> create hidden shares and a security group.

Don't stick with "just one" method. Just like you have layers of firewalls, IDS, etc., do the same thing here, depending on *how* sensitive these files are.

Assuming a standard Windows domain-based environment, obviously I'd suggest the use of EFS (properly secured, of course). This can be a pain in the ass for sharing of files, however, depending on how "technical" your users are or whether you can teach them they have to explicitly allow users access on an individual basis.

If EFS isn't sufficient to your needs, put another layer on top of it. TrueCrypt, PGP, etc. come to mind here.


> Our concern with the Windows/Office encryption types is that it could
> be cracked - i.e. someone could get hold of the file and run some kind
> of password recovery on the file and access the data.

Indeed it can. I didn't realize just how easy it was until a few weeks ago. It took all of five minutes to download an applet, enter credit card details, and download the "plain text" file. This was a document created with Microsoft Office Word 2003, by the way, and "secured" by standard password protection.

-j

--
Jeremy L. Gaddis, GCWN, MCP
http://www.linuxwiz.net/
