
I've been asked to create some file store for our directors that will contain sensitive information. They have asked that it not be possible for other admins to read the data.

I immediately thought of EFS, but I seem to recall this can only be done on a per-user basis.

We are currently running Server 2003, however we are likely to migrate to Server 2008 (possibly R2) in the near future.

Has anyone else been tasked with a similar request, and if so, how did you deal with it?

3 Answers


It is possible to give multiple users access to an EFS-encrypted file, so long as you are using Windows XP or above on clients and Server 2003 or above on the server. You cannot do it for a group; you will need to add each individual user.

The main point to be aware of with this is that the user(s) you want to give access to the EFS encrypted file must have a valid EFS certificate stored in Active Directory. You can then add multiple users to the access rights to the EFS encrypted file:

EFS image

Sam Cogan
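The same thing the screenshot does, from the command line, as an added example that is not part of Sam's answer. It assumes Windows Vista / Server 2008 or later, where cipher.exe has the /adduser and /c switches (on Server 2003 the users are added through the file's Advanced Attributes dialog instead); the path and the CONTOSO account names are placeholders.

```powershell
# Added example, not from the original answer. Grants additional users access to an
# EFS-encrypted file and then lists who can decrypt it.
# Assumption: Vista / Server 2008+ cipher.exe (/adduser, /c). Names and paths are placeholders.

$File  = 'D:\DirectorsStore\board-minutes.docx'
$Users = @('CONTOSO\jdirector', 'CONTOSO\mdirector')   # each must have an EFS certificate published in AD

# 1. Encrypt the file as the owning account; that account becomes the first key holder.
cipher.exe /e "$File"

# 2. Add each director individually (EFS has no notion of a group). With /user:, cipher
#    looks the account's EFS certificate up in Active Directory; if none is published
#    the command fails instead of silently granting nothing.
foreach ($u in $Users) {
    cipher.exe /adduser /user:$u "$File"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not add $u - is an EFS certificate published for that account in AD?"
    }
}

# 3. Check the result: /c lists the users who can decrypt the file and the recovery
#    certificates that apply. Any recovery agent listed there can also read the file,
#    which is the caveat the other answers raise.
cipher.exe /c "$File"
```

Run the check in step 3 after every change; the list of recovery certificates is what tells you whether the domain's data recovery agent (and therefore whoever holds that key) can still open the directors' files.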

Has anyone else been tasked with a similar request, and if so, how did you deal with it?

If they don't want the sysadmins to have access, it doesn't truly matter if you use EFS or NTFS permissions - the short answer is that if you want the data to be backed up, admins need access. It's impossible to have access to what you can't read - so if they're that concerned about what you can get to... it might be time for a chat about what they're actually afraid of.

Or... they're not going to understand anyway, so you can dazzle them with a new acronym, EFS will take care of that, and Sam's answer is the fix. ;)

Kara Marfia

This is a great excuse to start making sure that your environment is secure by default. EFS won't help you unless the recovery agent is only your personal account. That may be an acceptable risk to the business, but they should be made aware of it. If this is not a portable system (a removable hard drive or laptop), regular ACLs will suffice. A deny ACL for the other admins will ensure that they cannot read it, and if you employ ABE, other admins can't even see the file. Don't forget to also set up domain and server isolation as well.

Backup operators can also be granted access to back up the file without being granted access to restore the file. This privilege will override the permissions of the file, so admins do not have to have access to back up the file, and ensure that they will not be able to read the file should they decide to try to restore it to a different system. (This means that, yes, the backup team and the restore team will be two separate people.)

Note that if I am an admin in your domain, with physical access to the server, you can throw all this out the window. Physical access to the server will let me bypass everything possible. If this is that important, then sticking it on a USB key in a locked drawer is actually not that bad an idea.

I agree with Kara that a frank discussion of what they are afraid of is in order, if they are that paranoid about it. I suspect that once you set up domain and server isolation and show them that even if someone has the right permissions, they can only get to the file from a director's workstation, that should be sufficient to impress them that it's secure.

For references, see:

Best Practices for Delegating Active Directory Administration

Best practices for security

Jim B
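The deny-ACL part of Jim's answer, written out as an added example that is not part of the original post. It assumes icacls.exe (Vista / Server 2008 and later; on Server 2003 the same ACL is set with cacls.exe or the Security tab), and the folder, group and account names are placeholders.

```powershell
# Added example, not from the original answer. Locks a folder down so only the directors
# group and one nominated custodian account can read it, explicitly denies the general
# admins group, and prints the resulting ACL for checking.
# Assumption: icacls.exe is available (Server 2008+). All names below are placeholders.

$Folder      = 'D:\DirectorsStore'
$Directors   = 'CONTOSO\Directors'           # may read and write
$Custodian   = 'CONTOSO\svc-directorsadmin'  # the one admin account that keeps Full Control
$OtherAdmins = 'CONTOSO\Server Admins'       # the admins being kept out

New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# 1. Stop inheriting the volume's ACL, which normally grants BUILTIN\Administrators
#    Full Control, and discard the inherited entries rather than copying them.
icacls.exe $Folder /inheritance:r

# 2. Explicit allows. (OI)(CI) makes each entry apply to files and subfolders created later.
icacls.exe $Folder /grant "${Directors}:(OI)(CI)M" "${Custodian}:(OI)(CI)F"

# 3. Explicit deny for the other admins. Deny entries are evaluated before allows, so this
#    wins even where an admin is also a member of a group that was granted access.
icacls.exe $Folder /deny "${OtherAdmins}:(OI)(CI)F"

# 4. SYSTEM still needs access for backup jobs and for EFS if that is layered on top.
icacls.exe $Folder /grant "NT AUTHORITY\SYSTEM:(OI)(CI)F"

# 5. Check: the deny entry should be listed first, and Administrators should be absent.
icacls.exe $Folder
```

Two points from the answer carry over. Access-based enumeration is a share-level setting, not an NTFS one, so it is enabled on the share separately (the Server 2003 ABE download ships an abecmd.exe for that; on 2008 it is in Share and Storage Management). And a member of Administrators still holds the take-ownership privilege, so this ACL keeps honest admins out rather than determined ones; enable object-access auditing on the folder so that an ownership change or ACL rewrite leaves an event in the security log.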