
I've been asked to create some file store for our directors that will contain sensitive information. They have asked that it not be possible for other admins to read the data.

I immediately thought of EFS, but I seem to recall this can only be done on a per-user basis.

We are currently running Server 2003, however we are likely to migrate to Server 2008 (possibly R2) in the near future.

Has anyone else been tasked with a similar request, and if so, how did you deal with it?

Bryan

3 Answers


It is possible to give multiple users access to an EFS-encrypted file, so long as you are using Windows XP or above on the clients and Server 2003 or above on the server. You cannot do it for a group; you will need to add each individual user.

The main point to be aware of is that the user(s) you want to give access to the EFS-encrypted file must have a valid EFS certificate stored in Active Directory. You can then add multiple users to the access rights of the EFS-encrypted file:

EFS image

Sam Cogan
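The same step from the command line, as an added example that is not part of Sam's answer. It assumes Windows Server 2008 or later on the file server, where cipher.exe gained /ADDUSER and /C (on Server 2003 the equivalent is the file's Properties > Advanced > Details > Add dialog). The share path, the CONTOSO domain and the director accounts are assumptions; each user's EFS certificate is read from the userCertificate attribute in AD, which is exactly the prerequisite the answer calls out.

```powershell
# Added example, not from the original answer. Assumes Windows Server 2008+ on the file
# server (cipher.exe /ADDUSER and /C exist from Vista/2008 onward). Domain, path and
# user names are hypothetical.

$File      = 'D:\DirectorsStore\board-minutes.docx'
$Directors = 'alice', 'bob'               # sAMAccountNames: one entry per user, EFS has no group sharing
$EfsEku    = '1.3.6.1.4.1.311.10.3.4'      # Enhanced Key Usage OID "Encrypting File System"

# Look up a user's EFS certificate as published in AD (userCertificate attribute).
# Without one, cipher /adduser has no public key to wrap the file encryption key for.
function Get-EfsCertThumbprint {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.Add('userCertificate') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { throw "No AD user named $SamAccountName" }

    foreach ($der in $result.Properties['usercertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
        $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        if ($ekus -contains $EfsEku -and $cert.NotAfter -gt (Get-Date)) { return $cert.Thumbprint }
    }
    throw "$SamAccountName has no valid EFS certificate published in AD"
}

# 1. Encrypt the file (/a = operate on the file itself). The account running this becomes
#    the first key holder; the parent folder should be encrypted too so edits stay encrypted.
cipher.exe /e /a $File | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cipher /e failed on $File" }

# 2. Add each director by certificate thumbprint. /certfile:<path to .cer> is the
#    alternative when the certificate is not in AD.
foreach ($u in $Directors) {
    $hash = (Get-EfsCertThumbprint -SamAccountName $u) -replace '\s', ''
    cipher.exe /adduser /certhash:$hash $File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher /adduser failed for $u" }
}

# 3. Check: lists "Users who can decrypt" and "Recovery Certificates" for the file.
cipher.exe /c $File
```

The check in step 3 is the one worth repeating whenever the director group changes: it shows every certificate that can unwrap the file key, including the recovery agents, which is where an unexpected admin would show up.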

Has anyone else been tasked with a similar request, and if so, how did you deal with it?

If they don't want the sysadmins to have access, it doesn't truly matter if you use EFS or NTFS permissions - the short answer is that if you want the data to be backed up, admins need access. It's impossible to have access to what you can't read - so if they're that concerned about what you can get to... it might be time for a chat about what they're actually afraid of.

Or... they're not going to understand anyway, so you can dazzle them with a new acronym, EFS will take care of that, and Sam's answer is the fix. ;)

Kara Marfia
  • EFS is one of the technologies I've been trying to steer clear of, so it was only a matter of time before it was requested :) I'm pretty sure the fact that the data will be encrypted will suffice. They have been asking for a USB disk stored in a locked container for storing their sensitive data on. I did manage to explain why this was a bad idea, and they are no longer pursuing that idea at least. Thanks. – Bryan Jul 05 '09 at 15:48
  • admins do not need permissions to read the file to back up a server. – Jim B Jul 05 '09 at 16:22
  • @Kara: I disagree re: "if you want the data to be backed up". EFS has a backup API that decouples decryption from backup and allows properly-written backup software to read the ciphertext directly for backup purposes. You absolutely can use EFS to exclude "admins" (really, anyone w/o the right credentials) access to files. If you've followed best-practices and exported the recovery agent keys and removed them from the domain, only those with the right keys to decrypt the file are going to be able to decrypt it. If an "admin" changes passwords to gain access it'll leave an audit trail. – Evan Anderson Jul 05 '09 at 20:35
  • If you're using corporate-managed PKI, you've got an override certificate (at least with MS CA) - so you HAVE access, whether or not you choose to use it. Keeping all admins out of your data is cutting off your nose to spite your face. – Kara Marfia Jul 05 '09 at 22:13
  • Have you actually used EFS? I was not arguing the point re: it being a good idea not to have "admins" w/ access to data. You absolutely can take the recovery agent private key offline and secure it physically. It's considered best practice to do so. To argue the point, though: I am glad it can be shown that EFS prevents my access to data for one of my Customers (a court). I could be put in jail for accessing sealed cases, for example. With EFS, there's no way for me to access that data w/o leaving an audit trail. The data is backed-up in its encrypted state and is still fully recoverable. – Evan Anderson Jul 06 '09 at 02:34
  • I'm guessing that there are quite a number of applications where network administrators should have access to backup / restore data files that they, otherwise, shouldn't have access to the contents of. Just because you haven't worked in such an environment, that doesn't mean that they don't exist. Working in environments where access to confidential data could make me a suspect in a breach, I'd rather have EFS sitting between me and that data such that any number of experts could testify to my inability to access that data w/o leaving an audit trail. – Evan Anderson Jul 06 '09 at 02:36
  • You're talking about an audit trail. The question (and my comments) were about access. It's a shame that the distinction confused you, leading to all this hostility. – Kara Marfia Jul 06 '09 at 11:57
  • @Kara: There's no hostility at all! We have a difference of opinion re: this feature. I see many valid applications for it, and consider it a "good thing" that there is a mechanism to allow backup / restore of data w/o providing access to the data, and you don't. Regardless, the feature is what it is, and your original comment "if you want the data to be backed up, admins need access" is untrue in the context of how EFS works. In the end, that untruth is the "grain of sand" that's causing the irritation for me. I don't particularly love Microsoft's software, but I love misinformation much less. – Evan Anderson Jul 06 '09 at 14:46
  • I'm not just talking about an audit trail, though. In the context of backups, a mechanism that only audits access won't "cut the mustard" for the kind of data I'm talking about. When that data is "at rest" on backups, it still needs to be inaccessible to "admins". Just auditing the access in the operating system, as you're suggesting, doesn't audit the access when I make an illicit copy of that tape, sneak it out of the data center, and mount it up at home. I'd rather have EFS than being searched at the door every day. (Yes, yes-- I know I should stop trying to "sell" you on the feature.) – Evan Anderson Jul 06 '09 at 14:49
  • I probably should've done a better job of separating the two thoughts, and you're right - if you have backup & PKI handled by different admins/groups - you HAVE effectively kept them both out of your data. I suppose it seems churlish to me to be that mistrustful of admins... but that's not the issue. ;) I agree EFS has great applications, and I should TRULY not post first thing in the AM after a holiday (owwww) weekend! (thanks for being patient) – Kara Marfia Jul 06 '09 at 15:18
  • *smile* No worries. It makes for great conversation, and keeps me from doing the work I'm supposed to be doing this morning. Keep up the good work w/ Server Fault-- I'm really enjoying it. (Bonus points for making me look up a word in the dictionary, too...) I actually *like* my Customers being distrustful of me. Anything that keeps me from being a suspect in a potential breach and limits my potential liability makes me happy. I know where you're coming from, though. – Evan Anderson Jul 06 '09 at 16:00
  • Yes, I remember my naive expectation that once I became in-house sysadmin, I wouldn't have to contend with mistrustful customers. Hah! I'll be the first to say I'm one of the less knowledgeable folks here, so I'm happy to do what I can to make it a fun and useful place, so I can keep learning from you guys! (sorry for making a mess on your question, Bryan!) ;) – Kara Marfia Jul 06 '09 at 17:16
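The two claims argued over in the comments above, that EFS ciphertext can be backed up by an account holding no decryption key and that the recovery agent's private key should live off the domain, can both be checked on the file server. The following is an added example, not code from anyone in the thread; it assumes Server 2008 or later (robocopy gained /EFSRAW and cipher.exe gained /C with Vista/2008), and the paths and log file are assumptions.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008+ (robocopy /EFSRAW and
# cipher /C appeared with Vista/2008); source and destination must both be NTFS.
# Paths are hypothetical.

$Source = 'D:\DirectorsStore'
$Dest   = 'E:\Backup\DirectorsStore'
$DraEku = '1.3.6.1.4.1.311.10.3.4.1'   # Enhanced Key Usage OID "File Recovery" (EFS recovery agent)

# 1. Who can open a given file? cipher /c prints the users whose certificates wrap the
#    file encryption key and, separately, the recovery agent certificates that also wrap it.
cipher.exe /c (Join-Path $Source 'board-minutes.docx')

# 2. Backup without a key. /EFSRAW drives the raw-EFS backup API (OpenEncryptedFileRaw /
#    ReadEncryptedFileRaw): the bytes are copied as ciphertext, so the copying account needs
#    read access to the file, or the backup privilege which overrides the ACL, but no EFS
#    certificate. Run this as the backup account, not as a director.
robocopy.exe $Source $Dest /E /EFSRAW /COPY:DATS /R:1 /W:1 /NP /LOG+:C:\Logs\efsraw.log
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures, exit code $LASTEXITCODE" }

# 3. Prove the copy is still unreadable to this account: a normal open of an encrypted file
#    fails with "Access is denied" unless the caller holds one of the wrapping keys.
function Test-CanDecrypt([string]$Path) {
    try { [System.IO.File]::OpenRead($Path).Close(); $true } catch { $false }
}
Test-CanDecrypt (Join-Path $Dest 'board-minutes.docx')   # expected: $false for the backup account

# 4. The recovery agent key. "cipher /r:<name>" writes <name>.cer (publish this through Group
#    Policy, Public Key Policies > Encrypting File System) and <name>.pfx (the private key,
#    which belongs offline). Confirm no recovery agent private key is present on this server.
$leakedDra = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $DraEku)
    }
if ($leakedDra) {
    $leakedDra | Format-Table Subject, Thumbprint, NotAfter -AutoSize
    Write-Warning 'An EFS recovery agent private key is on this machine; export it and remove it here.'
} else {
    'No EFS recovery agent private key on this machine.'
}
```

Step 3 is the part to show the directors: the backup account holds the files, can copy them anywhere, and still gets access denied when it tries to read one. Step 4 is the part to repeat after every key rollover, because a .pfx left on the server is what turns "backup without access" back into "backup with access".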

This is a great excuse to start making sure that your environment is secure by default. EFS won't help you unless the recovery agent is only your personal account. That may be an acceptable risk to the business, but they should be made aware of it.

If this is not a portable system (a removable hard drive or laptop), regular ACLs will suffice. A deny ACL for the other admins will ensure that they cannot read it, and if you employ ABE the other admins can't even see the file. Don't forget to set up domain and server isolation as well.

Backup operators can also be granted access to back up the file without being granted access to restore it. This privilege will override the permissions of the file, so admins do not have to have access to back up the file, and it ensures that they will not be able to read the file should they decide to try to restore it to a different system. (This means that, yes, the backup team and the restore team will be two separate people.)

Note that if I am an admin in your domain with physical access to the server, you can throw all this out the window. Physical access to the server will let me bypass everything possible. If this is that important, then sticking it on a USB key in a locked drawer is actually not that bad an idea.

I agree with Kara that a frank discussion of what they are afraid of is in order, if they are that paranoid about it. I suspect that once you set up domain and server isolation and show them that even someone with the right permissions can only get to the file from a director's workstation, that should be sufficient to impress them that it's secure.

For references, see:

Best Practices for Delegating Active Directory Administration

Best practices for security

Jim B
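Jim's NTFS-only approach, as an added example that is not his code: break inheritance on the folder, grant the directors, deny the other admins, and audit the operations an administrator would use to get round the deny. The caveat a practitioner will want stated plainly: members of Administrators hold the take-ownership, backup and restore privileges, so a deny ACE raises the cost of reading the data and leaves a trail rather than making it impossible; the audit entries are what make the control worth having. The CONTOSO domain, the group names and the path are assumptions. auditpol.exe and net share /grant need Server 2008 or later; on Server 2003 the audit setting is "Audit object access" in Group Policy and Access-based Enumeration comes from the separate abecmd.exe download.

```powershell
# Added example, not from the original answer. Domain, group names and path are hypothetical.
# Run as the account that will own the folder (Jim's "only your personal account"), which must
# not be a member of the group being denied.

$Path        = 'D:\DirectorsStore'
$Directors   = 'CONTOSO\Directors'
$OtherAdmins = 'CONTOSO\ServerAdmins'   # the admins to keep out

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# 1. DACL: drop inherited ACEs (which normally include BUILTIN\Administrators:F), then grant and
#    deny explicitly. SYSTEM keeps full control so backup, AV and EFS keep working. Deny ACEs are
#    evaluated before allows, so a director who is also in the denied group loses access.
icacls.exe $Path /inheritance:r
icacls.exe $Path /grant:r "${Directors}:(OI)(CI)(M)" 'NT AUTHORITY\SYSTEM:(OI)(CI)(F)'
icacls.exe $Path /deny   "${OtherAdmins}:(OI)(CI)(F)"

# 2. SACL: record the two ways an administrator gets past a deny (taking ownership, rewriting the
#    DACL) and any failed read. Needs "Manage auditing and security log" (SeSecurityPrivilege).
$acl     = Get-Acl -Path $Path -Audit
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'TakeOwnership, ChangePermissions', $inherit, $none, 'Success, Failure')))
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData', $inherit, $none, 'Failure')))
Set-Acl -Path $Path -AclObject $acl

# 3. Turn the SACL into Security log events (Server 2008+).
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 4. Share it. Access-based Enumeration then hides the folder from anyone without read access:
#    Server 2003 SP1, after installing the ABE download:  abecmd.exe /enable DirectorsStore
#    Server 2008: Share and Storage Management > share properties > Advanced > Enable access-based enumeration
net.exe share DirectorsStore=$Path /grant:"$Directors,CHANGE" /grant:"NT AUTHORITY\SYSTEM,FULL"

# 5. Backup/restore split from the answer: "Back up files and directories" and "Restore files and
#    directories" are separate user rights (Group Policy > Security Settings > Local Policies >
#    User Rights Assignment). Assign them to two different groups instead of using Backup Operators,
#    which holds both.

# 6. Check the result, then repeat the read test under a denied admin's account (runas).
icacls.exe $Path
function Test-CanRead([string]$Folder) {
    try { [System.IO.Directory]::GetFiles($Folder) | Out-Null; $true } catch { $false }
}
Test-CanRead $Path   # $true for the owner/directors, $false for a member of $OtherAdmins
```

When a denied admin does take ownership to get in, the SACL in step 2 produces a Security log entry naming the account and the folder; pairing that with log forwarding to a box the same admins cannot clear is what turns "they cannot read it" into a claim you can actually defend.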