Security Basics mailing list archives

RE: Protecting sensitive files on a Windows file server


From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Fri, 23 Jun 2006 09:18:06 -0400

RandyW wrote:
I don't want to sound like a crank here, but why would you not be
able to protect these files using standard NTFS/GPO/File permissions
on the files?  I've got some servers with highly sensitive files on
them and we've designed the permissions such that only those "need to
know" are even aware that they are there, much less can actually gain
access to them.     

This breaks down however, if Management won't agree to this kind of
forced limitation, or where the definition of "need to know" is the
"everyone" group...  

If someone has access to the file in order to try cracking the
passwords, then there isn't much you can do to stop them, as that may
require significant filesystem access as it is.  

Encrypted backups help there, in case of lost media, but when it
comes to Windows, that nut is hard to crack.  Commercial encryption
may be the choice, but then again, you have to give the keys out to
those that "need" to gain access to these files.  If those systems
are compromised, so is your Crypto.

Am I wrong here??

RandyW


This makes sense to me. 

Another idea is a separate network altogether where only the people that
need access to the files have access to the files, in addition to ACLs.

How about a small network on a completely different subnet.  Install a
second NIC in the appropriate workstations and connect that to the
second switch for that network.  Then, only the server that houses your
files and the workstations are plugged in there.

It's a more expensive solution, but if you control physical access to
the switch and to the PCs with access, then you're good.  Putting the
switch in a locked closet or server room is trivial.  And if you see
someone at a desk they shouldn't be, then you know there's a problem.
Of course you won't ALWAYS see that person, but at least you know access
can only be gained from those specific workstations and end users aren't
hacking away during work hours from their desk.

Comments, Opinions?

JMB
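A check that goes with RandyW's point about "need to know" collapsing into the "everyone" group: the script below walks a sensitive folder tree and reports every Allow ACE granted to a broad principal. It is an added example, not code from anyone in this thread; the share root `D:\Sensitive` and the list of broad principals are assumptions to adjust for your environment.

```powershell
# Added example (not from the thread): audit NTFS ACLs under a sensitive share
# and report entries that grant access to broad principals, which defeats the
# "need to know" design described above. The root path is an assumption.
param(
    [string]$Root = 'D:\Sensitive'   # assumed share root; change as needed
)

# Principals that make "need to know" meaningless when they hold an Allow ACE
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-BroadAccessEntries {
    param([string]$Path)

    # The root itself plus every child folder and file beneath it
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName
        } catch {
            Write-Warning "Cannot read ACL: $($item.FullName)"
            continue
        }
        foreach ($ace in $acl.Access) {
            # Only Allow entries for broad principals are findings;
            # Deny entries for those principals are not a problem.
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Findings sorted by path; an empty result means no broad grants were found
Get-BroadAccessEntries -Path $Root |
    Sort-Object Path, Principal |
    Format-Table -AutoSize
```

The Inherited column shows whether a finding comes from a parent folder, which tells you where the ACL actually needs to be fixed.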
