People in our company asked to encrypt some of the shared folders published on a local Windows 2003 File Server. The requirements are:

  • Encrypt the files, so only a user or group of users can open them
  • Avoid password protected files. The encryption process should be transparent to the users
  • Though files are encrypted, the backup software (BackupExec) must be able to copy and access binary for verification
  • Cannot install tools/software on users' PCs, they want this to work automatically

As we have very little experience managing servers, we'll be grateful for any help or suggestion offered.

  • Why won't Windows EFS work for this? – Dave M Feb 19 '10 at 13:33
  • Any reason why standard NTFS permissioning is not adequate for them? – Maximus Minimus Feb 19 '10 at 14:10
  • mh, they want to limit even the administrator: if he's logged into the file server, he can access all the files in the shared folders (locals in the server). It's private data and only a group can view it. –  Feb 19 '10 at 14:39
  • Dave M, we're looking at it but our inexperience is limiting us. Have you used/implemented it? Any advice will be more than welcome! –  Feb 19 '10 at 14:41

2 Answers

Take away the administrator's permission to the folder. He can then not see the directory without taking ownership and resetting the permissions (which can then be recorded in auditing). Backup operators group has access to everything, make sure this password is set to something hard to remember and not recorded (again audit password resets + change of membership of this group). Enable encryption on the files to protect backups from other users.

At the end of the day the administrator with some effort can see any file on the system, even using certificates, because he can go onto the user's PC and grab them or install keyloggers, restore from backups to somewhere else, reset permissions, etc. And shared passwords don't often stay very secret. What usually happens when you go to so much effort to hide files from them is that the user forgets their password and gets locked out of their data forever. Plus users don't know enough about IT to know when an admin could have circumvented their precautions.

At the end of the day you have to trust your admins with data confidentiality as you do with other employees and company assets/money. Any really vital data can always be stored on CD/DVD/flash and physically secured.

JamesRyan
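
The auditing suggested in the answer above can be reviewed with a short script; this is an added example, not part of the original answer. It assumes the Security log has been exported to a five-column CSV (a constructed format), and the share path, service account name and sample rows are all constructed. Event IDs 560, 628 and 636 are the Windows Server 2003 Security log IDs for object open, password set and local group member added.

```python
import csv
import io

# Windows Server 2003 Security log event IDs relevant to the advice above.
OBJECT_OPEN = "560"       # object access; lists the access rights requested
PASSWORD_SET = "628"      # an account's password was set by another account
LOCAL_GROUP_ADD = "636"   # member added to a security-enabled local group

# Assumptions for this example: the protected share and the watched accounts.
PROTECTED_ROOT = r"D:\Shares\Private"
WATCHED_GROUP = "Backup Operators"
WATCHED_ACCOUNTS = {"svc_backup"}

# Constructed sample export, columns: time, event_id, actor, target, detail
SAMPLE = r"""2010-02-19 09:02:11,560,alice,D:\Shares\Private\payroll.xls,ReadData
2010-02-19 22:14:03,560,administrator,D:\Shares\Private,WRITE_OWNER WRITE_DAC
2010-02-19 22:15:40,636,administrator,Backup Operators,member=administrator
2010-02-19 22:17:05,628,administrator,svc_backup,
2010-02-20 08:30:00,560,administrator,D:\Shares\Public\readme.txt,WRITE_OWNER
2010-02-20 08:31:00,636,administrator,Print Operators,member=bob
"""

def in_protected_tree(path):
    # Compare with a trailing separator so D:\Shares\PrivateOther does not match.
    root = PROTECTED_ROOT.lower() + "\\"
    return (path.lower() + "\\").startswith(root)

def find_alerts(export_text):
    """Return (time, actor, reason) for each event the answer says to audit."""
    alerts = []
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        time, event_id, actor, target, detail = row
        rights = set(detail.split())
        if (event_id == OBJECT_OPEN and in_protected_tree(target)
                and rights & {"WRITE_OWNER", "WRITE_DAC"}):
            alerts.append((time, actor, "ownership or ACL change on protected folder"))
        elif event_id == LOCAL_GROUP_ADD and target.lower() == WATCHED_GROUP.lower():
            alerts.append((time, actor, "member added to Backup Operators"))
        elif event_id == PASSWORD_SET and target.lower() in WATCHED_ACCOUNTS:
            alerts.append((time, actor, "password reset on backup account"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE):
        print(*alert, sep=" | ")
```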

You can try PGP Netshare or SecurStar Sharecrypt.

As far as meeting your requirements, to my knowledge both solutions should allow:

  • Files will be encrypted on the shared folder
  • Individual files won't need password-protection. However, you may require access to decrypt the entire shared folder
  • Backup software will likely only back up the encrypted data. This can be an advantage, so even if a backup tape is lost nobody can access your data
  • You'd need to install the software on the end users' PCs once. Then they shouldn't require local admin rights.

Yoav Aner