Data encryption in Windows Server 2003

[Charles]

I have a requirement to encrypt all the user data on our fileserver.
The user data, however, needs to be accessible by multiple users. What
I want to do is for any user to be able to save a file and for this
file to be saved in an encrypted format, however I want all users to
be able to open this file as well. From what I gather, by using EFS,
this can't be done unless I am willing to go into every file and make
it readable by all the users. I don't seem to be able to say, on a
directory basis, encrypt all files within the directory, but make all
files readable by all users.

Am I doing something wrong? If I can't use EFS to do this, is there
any other product that I could use?

Thanks

 

[RF]

I have a requirement to encrypt all the user data on our fileserver.
The user data, however, needs to be accessible by multiple users. What
I want to do is for any user to be able to save a file and for this
file to be saved in an encrypted format, however I want all users to
be able to open this file as well. From what I gather, by using EFS,
this can't be done unless I am willing to go into every file and make
it readable by all the users. I don't seem to be able to say, on a
directory basis, encrypt all files within the directory, but make all
files readable by all users.

Am I doing something wrong? If I can't use EFS to do this, is there
any other product that I could use?

Thanks

It's been a while since I was in this biz but I'll
have a go anyway.

First, it seems that you trying to hide this
folder from some users and give access
to other users? This would seem to me to have the
same effect as encryption.

Can you not put the users of this folder into a
group and then give that
group the necessary access rights to that folder?
These rights could be Write
- to add files - or Read to just read the files,
etc. You may not need encryption then.
Users outside the group would have no access to
the folder.

You may need to clarify the situation a bit better.

 

[Charles]

It's been a while since I was in this biz but I'll
have a go anyway.

First, it seems that you trying to hide this
folder from some users and give access
to other users?  This would seem to me to have the
same effect as encryption.

Can you not put the users of this folder into a
group and then give that
group the necessary access rights to that folder?
These rights could be Write
- to add files -  or Read to just read the files,
etc. You may not need encryption then.
Users outside the group would have no access to
the folder.

You may need to clarify the situation a bit better.

Thanks for the reply.

We have a requirement from a client to have any data that we hold of
their's to be encrypted in order to address the risk of theft etc. So,
if our fileserver was stolen, albeit unlikely, no-one else could read
the client data.

We are not trying to hide the data from other users in our own
business. In fact, I need multiple users to be able to access the
data.

I will have a look at the group option on the fileserver. I'm not too
hot on Windows Server 2003, but learning rapidly!

Thanks

 

[RF]

Thanks for the reply.

We have a requirement from a client to have any data that we hold of
their's to be encrypted in order to address the risk of theft etc. So,
if our fileserver was stolen, albeit unlikely, no-one else could read
the client data.

We are not trying to hide the data from other users in our own
business. In fact, I need multiple users to be able to access the
data.

I will have a look at the group option on the fileserver. I'm not too
hot on Windows Server 2003, but learning rapidly!

Thanks

My understanding is about 5 years old now and it
is that only the person who encrypts a file can
read it. It has to be decrypted by the same person
before others can read it.
If all users have the same name it seems to me to
make possible what you want but that could create
other problems.

Your help file should have a section on encrypting
applicable to your server.

 

[Charles]

My understanding is about 5 years old now and it
is that only the person who encrypts a file can
read it. It has to be decrypted by the same person
before others can read it.
If all users have the same name it seems to me to
make possible what you want but that could create
other problems.

Your help file should have a section on encrypting
applicable to your server.

There is a way within Windows EFS to allow multiple users access to
specific files. This has to be done on a file by file basis as far as
I understand but can't be done on a folder basis so that new files
added are automatically accessible to multiple users. I guess that
somewhere along the line I'm missing a point about encryption, however
I will keep digging.

Many thanks for you input.

 

[Anteaus]

I think it first needs to be clarified as to what purpose the encryption will
serve. If all users have access, clearly it does not hide sensitive data from
ordinary users.

If the concern is that of the fileserver or its disks being stolen, you can
install Truecrypt, and have this mount an encrypted volume as a server
diveletter. You can then share this volume (or subfolders of it) on the LAN.
This will appear transparently as an ordinary share to users, who will not
see the encryption.

If the server is powered-down and rebooted, it will then be necessary
to-re-supply the password or key at the server console to re-open the share.
No key, no access- and unlike ordinary passwords, very difficult to bypass.

This would in principle meet the requirement of 'data being encrypted' on
the server, though whether it would meet specific confidentiality
requrements... you would have to evaluate.

http://www.truecrypt.org

 

[Charles]

I think it first needs to be clarified as to what purpose the encryption will
serve. If all users have access, clearly it does not hide sensitive data from
ordinary  users.

If the concern is that of the fileserver or its disks being stolen, you can
install Truecrypt, and have this mount an encrypted volume as a server
diveletter. You can then share this volume (or subfolders of it) on the LAN.
This will appear transparently as an ordinary share to users, who will not
see the encryption.

If the server is powered-down and rebooted, it will then be necessary
to-re-supply the password or key at the server console to re-open the share.
No key, no access- and unlike ordinary passwords, very difficult to bypass.

This would in principle meet the requirement of 'data being encrypted' on
the server, though whether it would meet specific confidentiality
requrements... you would have to evaluate.

http://www.truecrypt.org

Thanks for this. I will try out Truecrypt. It certainly looks to be
able to do what we need.