RE: Encrypting a 2008 R2 Clustered File Server

2012-01-10 Thread Ken Schaefer
To clarify one point: you can access RMS encrypted documents offline if you've 
already been issued a license key. But you can't open anything you haven't 
previously


RE: Encrypting a 2008 R2 Clustered File Server

2012-01-10 Thread Ken Schaefer
I think you need to define what you are trying to protect against.

BitLocker will protect disks at rest - it's whole disk encryption. It doesn't 
encrypt individual files.

EFS is per file encryption - but it's also an attribute of the NTFS file 
system. EFS is thus not portable across any medium which doesn't support that 
NTFS file attribute (e.g. FAT file system, SMB network). Additionally, EFS 
works by using a certificate in the user's profile - so if you want to use 
per-user EFS encryption on a file server, you need to have (a) roaming profiles 
that store the EFS certs and (b) Kerberos delegation from the file server to 
the server hosting the roaming profiles, so that the server can authN as the 
user and load their profile and cert.
As the cert is stored in the user's profile, it can be used offline.
Giving multiple people access to a file is a bit of a pain - individual 
decryption keys need to be inserted into each file. Hence you pretty much need 
a PKI for anything larger than the most trivial of environments.

AD-RMS is based on license keys issued by an RMS server. So issuance is 
centrally controlled - no need to store things in user profiles per se. However 
you need to be able to contact the RMS server to obtain a license key (decrypt) 
or encrypt a document. So, it doesn't really work offline. Additionally, it's 
reliant on the application to implement the functionality to control access. 
So, no ability to RMS encrypt an Access file, Visio file, Photoshop file etc. 
Excel, Word, PowerPoint and Outlook are the only supported Office applications.

There are plenty of third party products as well. Most work on the same 
principles of either EFS or AD-RMS: either a central license store, or a 
distributed key store.

Cheers
Ken
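The two EFS properties Ken describes above (it is an NTFS attribute, and each extra reader's key has to be inserted into every file) can be checked on the server itself. The following PowerShell is an added example, not from the thread and not Microsoft's own tooling: it inventories which files under a share root carry the NTFS Encrypted attribute and who can decrypt them, and wraps the per-file recipient insertion. It assumes it runs locally on the file server as an administrator under PowerShell 2.0 or later (the 2008 R2 default); the share path, the certificate thumbprint and the parsing of cipher.exe's "Users who can decrypt:" block are assumptions.

```powershell
<#
  Added example (not from the thread): inventory EFS state under a share root
  and wrap the per-file key insertion that EFS sharing requires.
  Assumptions: run on the file server as admin, PowerShell 2.0+, hypothetical
  share path and thumbprint, cipher.exe output parsed heuristically.
#>

function Get-EfsInventory {
    param([Parameter(Mandatory = $true)][string]$Root)

    # EFS is the NTFS FILE_ATTRIBUTE_ENCRYPTED bit, so an attribute test is
    # enough to separate encrypted from plaintext files.
    $encAttr = [System.IO.FileAttributes]::Encrypted

    # PSIsContainer is used instead of -File so this runs on PowerShell 2.0.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            $isEncrypted = (($file.Attributes -band $encAttr) -eq $encAttr)
            $recipients = @()
            if ($isEncrypted) {
                # cipher.exe /c prints a "Users who can decrypt:" block for the
                # file: one principal per line, each followed by a thumbprint
                # line. Assumption: the block ends at the next blank line.
                $inBlock = $false
                foreach ($line in (& cipher.exe /c "$($file.FullName)" 2>$null)) {
                    if ($line -match 'Users who can decrypt') { $inBlock = $true; continue }
                    if (-not $inBlock) { continue }
                    if ($line.Trim() -eq '') { break }
                    if ($line -notmatch 'thumbprint') { $recipients += $line.Trim() }
                }
            }
            New-Object PSObject -Property @{
                Path       = $file.FullName
                Encrypted  = $isEncrypted
                Recipients = $recipients
            }
        }
}

function Add-EfsRecipient {
    # Embeds another user's EFS public key into one encrypted file with
    # "cipher /adduser /certhash:<thumbprint>". It has to be repeated for every
    # file, which is why EFS sharing does not scale without a PKI behind it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$CertHash   # SHA-1 thumbprint, no spaces
    )
    if ($PSCmdlet.ShouldProcess($Path, "cipher /adduser /certhash:$CertHash")) {
        & cipher.exe /adduser "/certhash:$CertHash" "$Path"
    }
}

# Usage (hypothetical share root and thumbprint).
$inventory = Get-EfsInventory -Root 'D:\Shares\Accounting'

# Files that are still plaintext on a share that is supposed to be encrypted.
$inventory | Where-Object { -not $_.Encrypted } | Select-Object -ExpandProperty Path

# Encrypted files only one principal can open: every other user of the share
# needs their certificate added file by file (-WhatIf shows the work first).
$inventory | Where-Object { $_.Encrypted -and $_.Recipients.Count -le 1 } |
    ForEach-Object {
        Add-EfsRecipient -Path $_.Path -CertHash '0123456789ABCDEF0123456789ABCDEF01234567' -WhatIf
    }
```

The first query is the check for the "transparent to the end user" goal in the original question: anything that lands on the share without the Encrypted attribute (for example a file copied in from a FAT-formatted stick, where the attribute cannot exist) shows up as plaintext. The second query shows why Ken says a PKI is needed: the recipient list lives inside each file, not in a central policy.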

RE: Encrypting a 2008 R2 Clustered File Server

2012-01-10 Thread Brian Desmond
AD RMS is independent of BitLocker/TPM/EFS though and does some really slick 
stuff.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132


RE: Encrypting a 2008 R2 Clustered File Server

2012-01-10 Thread Cameron Cooper
Michael,

Thanks for the warning on not using it. With my first research we couldn't use 
BitLocker on the cluster servers since they don't have TPM chips installed. 
Found the following article to use BitLocker without TPM: 
http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/

Regards,

Cameron

_
Cameron Cooper | IT Manager | Aurico
Direct: 847.890.4021 | Cell: 224.688.2854 | Fax: 847.255.1896
ccoo...@aurico.com | www.aurico.com
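Whether a node can use BitLocker without a TPM comes down to two things that can be checked from PowerShell: whether Windows sees a TPM at all, and whether the Group Policy setting that permits BitLocker without a compatible TPM has been applied. The script below is an added example, not from the thread or the linked article. The registry value names are the real FVE policy values written by that setting; the volume letter is an assumption, and status is read with manage-bde because the Get-BitLockerVolume cmdlet did not exist on 2008 R2.

```powershell
<#
  Added example (not from the thread): check TPM presence, the no-TPM
  BitLocker policy, and volume status on a 2008 R2 node.
  Assumptions: run as admin on the node; 'C:' is the OS volume.
#>

function Test-TpmPresent {
    # Win32_Tpm lives in the security namespace; no instance means Windows
    # sees no TPM (or the TPM driver is not loaded).
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    return ($tpm -ne $null)
}

function Test-BitLockerNoTpmPolicy {
    # "Require additional authentication at startup" writes UseAdvancedStartup=1
    # under the FVE policy key; its "Allow BitLocker without a compatible TPM"
    # checkbox writes EnableBDEWithNoTPM=1. Both must be set for the no-TPM path.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return (($p.UseAdvancedStartup -eq 1) -and ($p.EnableBDEWithNoTPM -eq 1))
}

function Get-BitLockerStatusText {
    param([string]$Volume = 'C:')   # assumption: OS volume letter
    # manage-bde ships with 2008 R2 and reports protection status, protectors
    # and encryption percentage for the volume.
    & manage-bde.exe -status $Volume
}

# Usage: a node with no TPM and without the policy cannot turn BitLocker on
# for its OS volume, which is the situation described above.
$hasTpm = Test-TpmPresent
$policy = Test-BitLockerNoTpmPolicy
"TPM present: $hasTpm; no-TPM policy in effect: $policy"
if (-not $hasTpm -and -not $policy) {
    'No TPM and no policy: apply the GPO (then gpupdate /force) before enabling BitLocker.'
}
Get-BitLockerStatusText -Volume 'C:'
```

This checks the node's own OS volume only; it says nothing about the clustered data disks, which is where the shares in the original question live, so their protection needs to be verified separately.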


RE: Encrypting a 2008 R2 Clustered File Server

2012-01-10 Thread Michael B. Smith
NO! Don't use EFS! Use BitLocker.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Cameron Cooper [mailto:ccoo...@aurico.com]
Sent: Tuesday, January 10, 2012 1:49 PM
To: NT System Admin Issues
Subject: Encrypting a 2008 R2 Clustered File Server

All,

We're in the process of migrating all of our company servers from server 2003 
to server 2008 R2.  We've installed and configured two Server 2008 R2 
Enterprise cluster servers with a failover cluster role and are connected to a 
MD3000 storage.

Here's what we're looking to do... we're going to create network shares that 
are dependent on dept. and user access (i.e. someone from our research 
dept. doesn't need to see/have access to the accounting dept. share) and encrypt 
the entire file server.  We also want the encrypt/decrypt to be transparent to 
the end user.

First question: Has anyone used EFS with AD RMS with network shares? Has this 
worked and how easy was it to set up?

Second question: Is there a recommended encryption solution that someone has 
implemented?

Regards,

Cameron

_
Cameron Cooper | IT Manager | Aurico
Direct: 847.890.4021 | Cell: 224.688.2854 | Fax: 847.255.1896
ccoo...@aurico.com | 
www.aurico.com




---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin