Re: Protecting sensitive files on a Windows file server

paul.johnson8@xxxxxxxxx wrote:
Encrypting the files looks like the way to go, since this should
protect the information if the employee for some reason takes the
files out of the active directory environment (ie. copies to a usb
drive, cdrom etc..).

Actually, that's not quite right. The files will be encrypted on your file server but since the employee will have a key that is able to decrypt the files, he/she can then do whatever he wants with the file (e.g. copy to USB drive, burn to CD, etc.). If a user copies an encrypted file from the encrypted folder to a non-encrypted folder, the file will be saved unencrypted.

I forgot to mention in my previous e-mail not to forget about encrypting the communication between the client's workstation and the file server using, for example, IPSec communications.

The question here is what extra layer of security should we use to
protect the files (containing salary/bank/private info).

Depends how far you want to go with it... Group Policies can disable USB drives, you can remove CD-R/RW drives, disable all attachments on your mail server, etc. Very strict company policies that are backed up/enforced will be necessary as well.

Our users are spread out in different countries but will all be
accessing the shared folder on 1 specific server. The users are not
considered technical, they are bean counters (finance dept) after
all....

EFS can be a PITA for some of these people, I've noticed. This is because while you can grant file permissions on a folder using security groups, you can't do the same with encrypted files. If you want 15 users to be able to access 50 different files in an encrypted folder, you must explicitly grant access to *each* file for *each* user. It gets boring quick. =)

I'll assume you're already using encrypted links between sites.

-j

--
Jeremy L. Gaddis, GCWN, MCP
http://www.linuxwiz.net/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Relevant Pages

  • RE: sharing files from my removable HD to xbox360
    ... i just deicided to check my xbox and its reading the folder now. ... Added my entire USB drive to the monitored folders list. ... I'll let the developer who owns Media Sharing know about the problem you're ... reason for me to have all my songs on both drives so i dont want to have to ...
    (microsoft.public.windowsmedia.player)
  • Re: chkdsk/f
    ... I keep my original documents and spreadsheet files on my harddrive and BACKUP on USB drives. ... Also some utility pgms designed for the hardrive may or may not do what they are supposed to do on removable drives. ... > corrupted, not just a file, but the entire folder. ... > run chkdsk to recover the files, ...
    (microsoft.public.windowsxp.general)
  • Re: How to password protect a bunch of Word document files at once?
    ... If you have plenty of space on the USB drive you may be OK. ... you would be well advised to create a folder on the ... > Do I assume this will work on USB Flash drives where all the documents ... >> Dim myFile, Password, PathToUse As String ...
    (microsoft.public.word.newusers)
  • Re: NOT displaying/showing drive letters of USB/removable media partitions in WinExplorer ?
    ... USB drives and 1 for a Memory Stick there are always 5 drive letters ... I don't want to see all these drive letters. ... Then create there on folder for each slot of the reader. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: help please on passwords, encryption etc
    ... I'm confused about the difference between making a folder private ... >> and encrypting it. ... > they are just marked "private". ... Use MMC and and snapin called "certificates" and export the ...
    (microsoft.public.windowsxp.security_admin)