-4

We want to keep our HR files on a share that only 3 people in HR can access. I'd prefer to do this on a share on our file server on a Windows box.

  1. We need the files to be encrypted so that someone ont he file server can't view them.
  2. Determining who can access the share needs to be controlled solely by me. So not even a root admin can change who has access.

Is there a way to do this? Or should I get a DropBox account for the 3 of them?

thanks - dave

David Thielen
  • 293
  • 2
  • 12

1 Answers1

2

We need the files to be encrypted so that someone ont he file server can't view them.

You have apparently confused what encryption is. Encryption does not prevent someone on the file server from viewing them. Encryption prevents someone from taking the files and opening them elsewhere.

What you're speaking of is access control.

Determining who can access the share needs to be controlled solely by me. So not even a root admin can change who has access.

And now you've apparently confused what access control means. There are certain things that cannot be done (without inglorious hacks), and one of them is preventing file access to the topmost administrative account.

Is there a way to do this? Or should I get a DropBox account for the 3 of them?

Solving any of this with DropBox is akin to not trusting a safety deposit box at your bank, so you put title deeds in a Fisher Price safe. Enjoy that. (Also, you've transferred access to your files to a different service that has their own root account that can get to your stuff... it's just a root account that you in essence don't see, so if it's out of sight I suppose that gives you a certain peace of mind?)

Here's what you do:

  1. Get your EFS encryption keys made and protected.
  2. EFS encrypt the file (it's as easy as a right click).
  3. Divvy up access to the file using standard security groups, and add users to the group.
  4. Don't give access to the Administrator account to people that you don't want to have access to that file.

Alternatively you can simply encrypt the whole drive with BitLocker. Alternatively you can implement some pretty crazy expensive security software that can implement more specialized privileged account management within a Windows environment, but be prepared for some beaucoup bucks to be hemorrhaged straight out of your wallet.

Wesley
  • 32,320
  • 9
  • 80
  • 116
  • Thank you for the specifics. Our fundamental problem is the HR files, by law, cannot be accessible to the domain admins. They do need to be shared by 3 people. How do we solve that requirement? – David Thielen Sep 09 '16 at 12:49
  • 2
    `Our fundamental problem is the HR files, by law, cannot be accessible to the domain admins.` Extraordinary claims require extraordinary evidence. I'm pretty confident that this is not actually what the law says, as if it was, every company under the jurisdiction of that law would be out of compliance. – HopelessN00b Sep 09 '16 at 14:24
  • @DavidThielen I would carefully consider that law and seek some guidance within your jurisdiction. It would seem that a strict interpretation of that law within your jurisdiction would push many businesses either out of existence or into extremely expensive security management packages. See: CyberArks's privileged access management tools, as one example. (No, I'm not affiliated with them.) – Wesley Sep 09 '16 at 17:20
  • The problem with the law is saying it's stupid, ineffective, or incredibly expensive does not provide a defense if breaking it. What a lot of companies do is keep these files on a single computer and that does provide the required security. I'm trying to find a way to do the same on a shared drive. – David Thielen Sep 10 '16 at 14:05