Security Basics mailing list archives
RE: Protecting sensitive files on a Windows file server
From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Fri, 23 Jun 2006 09:18:06 -0400
RandyW wrote:
I don't want to sound like a crank here, but why would you not be able to protect these files using standard NTFS/GPO/File permissions on the files? I've got some servers with highly sensitive files on them and we've designed the permissions such that only those "need to know" are even aware that they are there, much less can actually gain access to them. This breaks down however, if Management won't agree to this kind of forced limitation, or where the definition of "need to know" is the "everyone" group... If someone has access to the file in order to try cracking the passwords, then there isn't much you can do to stop them, as that may require significant filesystem access as it is. Encrypted backups help there, in case of lost media, but when it comes to Windows, that nut is hard to crack. Commercial encryption may be the choice, but then again, you have to give the keys out to those that "need" to gain access to these files. If those systems are compromised, so is your Crypto. Am I wrong here??
RandyW
This makes sense to me. Another idea is a separate network altogether where only the people that need access to the files have access to the files, in addition to ACLs. How about a small network on a completely different subnet. Install a second NIC in the appropriate workstations and connect that to the second switch for that network. Then, only the server that houses your files and the workstations are plugged in there. It's a more expensive solution, but if you control physical access to the switch and to the PCs with access, then you're good. Putting the switch in a locked closet or server room is trivial. And if you see someone at a desk they shouldn't be, then you know there's a problem. Of course you won't ALWAYS see that person, but at least you know, access can only be gained from those specific workstations and end users aren't hacking away during work hours from their desk. Comments, Opinions?
JMB
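RandyW's point in the thread is that NTFS permissions stop protecting a share once "need to know" is effectively the Everyone group. As an added example (not part of either post), the PowerShell below lists allow-ACEs granted to broad groups under a folder; the function name `Find-BroadAce` and the demo folder and file are assumptions made for illustration.

```powershell
# Added example: flag allow-ACEs granted to broad groups under a sensitive folder.
# Well-known SIDs are matched instead of names so the check works on localized systems.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

function Find-BroadAce {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    # Audit the root itself, then everything below it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # identity that cannot be mapped to a SID
            # Domain Users is <domain SID>-513, so match on the relative ID.
            $label = $BroadSids[$sid]
            if (-not $label -and $sid -match '^S-1-5-21-.+-513$') { $label = 'Domain Users' }
            if ($label) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $label
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Constructed demo: a temp folder holding one file that Everyone is allowed to read.
$root = Join-Path $env:TEMP 'acl-audit-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
$file = Join-Path $root 'payroll.txt'
Set-Content -LiteralPath $file -Value 'constructed sample'
$acl      = Get-Acl -LiteralPath $file
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule     = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $file -AclObject $acl
Find-BroadAce -Path $root | Format-Table -AutoSize
```

The `Inherited` column shows whether a finding has to be fixed on the file itself or on a parent folder whose ACE flows down to it.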