Security Basics mailing list archives

Re: Protecting sensitive files on a Windows file server


From: "paul.johnson8 () gmail com" <paul.johnson8 () gmail com>
Date: Thu, 22 Jun 2006 14:02:44 +1000

I agree with you here regarding layers of security.

At the moment the shared folders are secured using security groups in
our Active Directory.  This is standard security for all shared
folders in the organization.  Since this information will contain
salary and bank info, it needs to be secured even more which is why we
are looking into another layer of security.

Encrypting the files looks like the way to go, since this should
protect the information if the employee for some reason takes the
files out of the Active Directory environment (i.e. copies to a USB
drive, CD-ROM etc.).

The question here is what extra layer of security should we use to
protect the files (containing salary/bank/private info).

Our users are spread out in different countries but will all be
accessing the shared folder on 1 specific server.  The users are not
considered technical, they are bean counters (finance dept) after
all....

On 21/06/06, Gaddis, Jeremy L. <jeremy () linuxwiz net> wrote:
paul.johnson8 () gmail com wrote:
> We are looking for a secure way to store very sensitive files on our
> Windows servers.  The data is shared. We will turn on full auditing,
> create hidden shares and a security group.

Don't stick with "just one" method.  Just like you have layers of
firewalls, IDS, etc., do the same thing here, depending on *how*
sensitive these files are.

Assuming a standard Windows domain-based environment, obviously I'd
suggest the use of EFS (properly secured, of course).  This can be a
pain in the ass for sharing of files, however, depending on how
"technical" your users are or whether you can teach them they have to
explicitly allow users access on an individual basis.

If EFS isn't sufficient to your needs, put another layer on top of it.
TrueCrypt, PGP, etc. come to mind here.


> Our concern with the Windows/Office encryption types is that it could
> be cracked - ie. someone could get hold of the file and run some kind
> of password recovery on the file and access the data.

Indeed it can.  I didn't realize just how easy it was until a few weeks
ago.  It took all of five minutes to download an applet, enter credit
card details, and download the "plain text" file.  This was a document
created with Microsoft Office Word 2003, by the way, and "secured" by
standard password protection.

-j

--
Jeremy L. Gaddis, GCWN, MCP
http://www.linuxwiz.net/
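The thread describes three controls on the shared folder: an NTFS ACL restricted to an Active Directory security group, full auditing, and EFS on top. The script below is an added example for checking that a folder actually matches that layered setup; it is not code from either poster. The folder path and group name are assumed placeholders, and it only reports, it changes nothing.

```powershell
# Added example: verify the layered controls discussed in the thread on one folder.
# Assumptions (placeholders, not from the thread): the share lives at D:\Shares\Finance
# and the only business group that should have access is CORP\Finance-Payroll.
param(
    [string]$Path = 'D:\Shares\Finance',
    [string]$ApprovedGroup = 'CORP\Finance-Payroll'
)

$findings = @()

# Layer 1: NTFS ACL. Only the approved AD group plus SYSTEM and Administrators
# should appear; anything else (Everyone, Authenticated Users, individual users)
# is a policy deviation.
$acl = Get-Acl -Path $Path -Audit
$allowed = @($ApprovedGroup, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
foreach ($ace in $acl.Access) {
    if ($ace.IdentityReference.Value -notin $allowed) {
        $findings += "Unexpected ACE: $($ace.IdentityReference) -> $($ace.FileSystemRights) ($($ace.AccessControlType))"
    }
}
# Inherited ACEs from the parent can silently widen access, so the folder should
# have inheritance disabled (protected DACL).
if (-not $acl.AreAccessRulesProtected) {
    $findings += "Inheritance enabled on $Path; parent ACEs may grant access beyond $ApprovedGroup"
}

# Layer 2: auditing. 'Full auditing' means a SACL exists so that access attempts
# land in the Security event log; an empty SACL means nothing is being recorded.
if (-not $acl.Audit -or $acl.Audit.Count -eq 0) {
    $findings += "No audit rules (SACL) on $Path"
}

# Layer 3: EFS. Every file should carry the Encrypted attribute, so a copy taken
# off the domain (USB, CD-ROM) stays unreadable without the user's EFS key.
$clear = Get-ChildItem -Path $Path -Recurse -File |
    Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0 }
foreach ($f in $clear) {
    $findings += "Not EFS-encrypted: $($f.FullName)"
}

if ($findings.Count -eq 0) {
    "OK: ACL, auditing and EFS state of $Path match policy"
} else {
    $findings
}
```

Run it from an elevated prompt on the file server (reading the SACL with -Audit needs the SeSecurityPrivilege). Because EFS is per-user, a file reported as encrypted is only useful to the people whose certificates are listed on it, which is exactly the sharing overhead Jeremy mentions; the check above tells you whether the layer is present, not whether the right users can open the file.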
