Security Basics mailing list archives

Re: Protecting sensitive files on a Windows file server

From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Thu, 22 Jun 2006 01:42:37 -0400

paul.johnson8 () gmail com wrote:

Encrypting the files looks like the way to go, since this should
protect the information if the employee for some reason takes the
files out of the active directory environment (ie. copies to a usb
drive, cdrom etc..).

Actually, that's not quite right. The files will be encrypted on yourfile server but since the employee will have a key that is able todecrypt the files, he/she can then do whatever he wants with the file(e.g. copy to USB drive, burn to CD, etc.). If a user copies anencrypted file from the encrypted folder to a non-encrypted folder, thefile will be saved unencrypted.

I forgot to mention in my previous e-mail not to forget about encryptingthe communication between the client's workstation and the file serverusing, for example, IPSec communications.

The question here is what extra layer of security should we use to
protect the files (containing salary/bank/private info).

Depends how far you want to go with it... Group Policies can disable USBdrives, you can remove CD-R/RW drives, disable all attachments on yourmail server, etc. Very strict company policies that are backedup/enforced will be necessary as well.

Our users are spread out in different countries but will all be
accessing the shared folder on 1 specific server.  The users are not
considered technical, they are bean counters (finance dept) after
all....

EFS can be a PITA for some of these people, I've noticed. This isbecause while you can grant file permissions on a folder using securitygroups, you can't do the same with encrypted files. If you want 15users to be able to access 50 different files in an encrypted folder,you must explicitly grant access to *each* file for *each* user. Itgets boring quick. =)


I'll assume you're already using encrypted links between sites.

-j

--
Jeremy L. Gaddis, GCWN, MCP
http://www.linuxwiz.net/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Current thread:

Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 20)
- Message not available
  - Re: Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 21)
    - RE: Protecting sensitive files on a Windows file server Roger A. Grimes (Jun 21)
- Re: Protecting sensitive files on a Windows file server Gaddis, Jeremy L. (Jun 21)
  - Re: Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 22)
    - Re: Protecting sensitive files on a Windows file server Gaddis, Jeremy L. (Jun 22)
    - Re: Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 23)
- <Possible follow-ups>
- Re: Protecting sensitive files on a Windows file server simonis (Jun 21)
- Re: Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 21)
  - Re: Protecting sensitive files on a Windows file server RandyW (Jun 22)
- RE: Protecting sensitive files on a Windows file server Tyler, Grayling (Jun 22)
  - RE: Protecting sensitive files on a Windows file server Roger A. Grimes (Jun 22)
    - RE: Protecting sensitive files on a Windows file server David Gillett (Jun 23)
- RE: Protecting sensitive files on a Windows file server Tyler, Grayling (Jun 22)
- RE: Protecting sensitive files on a Windows file server Tyler, Grayling (Jun 22)
  - RE: Protecting sensitive files on a Windows file server Roger A. Grimes (Jun 22)

(Thread continues...)