Security Basics mailing list archives

RE: Protecting sensitive files on a Windows file server


From: "Tyler, Grayling" <ggtyler () foodlion com>
Date: Wed, 21 Jun 2006 14:52:29 -0400

Note: while there is indeed an RSA w/token based authentication product,
they also have a file encryption piece.

Unless you're driven by some mandate (SOX, PCI, HIPAA etc) to encrypt,
then lock down the access and monitor for changes to the configuration
and to the files.

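Worked example of the "lock down the access and monitor for changes" approach, added by the editor; this is not code from Tyler's message or from anyone in the thread. It assumes a hypothetical folder D:\Shares\Finance, a hypothetical AD group CONTOSO\Finance-RW, and an elevated PowerShell session on the file server. It replaces the folder's inherited NTFS ACL with an explicit one, adds a SACL so writes, deletes and permission changes are audited, turns on the matching audit policy, and records a baseline so later ACL drift can be detected.

```powershell
# Added example (not from the thread). Hypothetical folder and group names.
$Path  = 'D:\Shares\Finance'
$Group = 'CONTOSO\Finance-RW'

# Read the DACL and SACL together; -Audit is required for Set-Acl to write the SACL back.
$acl = Get-Acl -Path $Path -Audit

# Stop inheriting from the parent and drop the inherited entries ($false = do not copy them).
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($ace)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# Explicit DACL: the data-owner group gets Modify, nothing more; no "Users" or "Everyone" entry.
# Administrators and SYSTEM keep FullControl, which is exactly the residual risk the thread
# points out: ACLs do not protect the data from the server's own admins.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', $inherit, $prop, 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $prop, 'Allow')))

# SACL: audit successful and failed writes, deletes, and permission/ownership changes by anyone.
$auditRights = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $auditRights, $inherit, $prop, 'Success, Failure')))

Set-Acl -Path $Path -AclObject $acl

# A SACL only produces events if the "File System" object-access subcategory is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Record the resulting descriptor as a baseline (store it somewhere the admins of this
# box cannot silently rewrite, e.g. a central config-management or SIEM system).
$baselineSddl = (Get-Acl -Path $Path -Audit).Sddl

function Test-AclDrift {
    # Returns $true if the live ACL/SACL no longer matches the recorded baseline.
    param([string]$Folder, [string]$Baseline)
    return ((Get-Acl -Path $Folder -Audit).Sddl -ne $Baseline)
}

# Pull the last permission-change events (4670) and object-access events (4663) for review.
$changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -MaxEvents 50 -ErrorAction SilentlyContinue
$access  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 -ErrorAction SilentlyContinue

if (Test-AclDrift -Folder $Path -Baseline $baselineSddl) {
    Write-Warning "ACL on $Path differs from baseline; review 4670 events below."
}
$changes | Select-Object TimeCreated, Id, Message | Format-List
$access  | Select-Object TimeCreated, Id, Message | Format-List
```

Run Test-AclDrift on a schedule (or ship the 4670/4663 events to a central log collector) so that a permission change made by a local administrator is seen by someone other than that administrator. The SDDL baseline comparison catches changes to the DACL, SACL and owner in one check, which is the "monitor for changes to the configuration" half of the advice; the 4663 events are the "changes to the files" half.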

-----Original Message-----
From: simonis () myself com [mailto:simonis () myself com] 
Sent: Wednesday, June 21, 2006 9:46 AM
To: security-basics () securityfocus com
Subject: Re: Protecting sensitive files on a Windows file server

I suppose the best answer to this question lies in what threat you are
trying to mitigate.  By restricting access to the share properly, you go
a long way to protect sensitive data from the remainder of the user
community.  If you want to protect from the administrator of the
fileserver, a wise goal, or have a technical adversary who you think may
intercept on the wire, then encryption is a good solution.

I wouldn't think about EFS.  I'm not aware of how it handles encrypting
for multiple users, if it does at all.  Winzip, using AES, isn't bad,
but you run the risk of the shared secret being commonly reused from
archive to archive and/or being written down.  
Two factor login with RSA is just a stronger access control, which
speaks to a different problem.  Admins still need to have broad access,
regardless of how they authenticate.  
Have you looked at PGP NetShare?  It is new, so you might not have seen
it, but it seems to be exactly what you'd need.  
-Ds



