EFS and ftp server

cnfuzzdcnfuzzd Member Posts: 208
So, we have an interesting request from a client.

They have several users who are not members of the domain but do FTP data out of one of the servers, modify it, and then ftp it back to the server. They would like to encrypt the hard drives on the internal machines. Can we use EFS to encrypt the data on the server, but still make it accessible to the remote FTP users?


Thanks again, you guys are awesome


John
__________________________________________

Work In Progress: BSCI, Sharepoint

Comments

  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    In a nutshell, no. EFS relys on PKI certificates and FTP doesn't support them.

    Maybe if you can explain what they are trying to accomplish with the encryption we can suggest some alternatives. (are they trying to protect themselves from the contractors? or just the data they submit? etc).
  • cnfuzzdcnfuzzd Member Posts: 208
    Thats what I thought, one up on the boss.

    The client receives files throughout the day, which are stored on two servers. These files are then ftp's to the remote workers, who modify the data, and send them back. The client does not want to move away from ftp. They do want to prevent unauthorized access to the data stored on the servers if the servers were ever stolen or compromised. My initial response was they are going to have to completely alter the process.

    What do you think?


    John
    __________________________________________

    Work In Progress: BSCI, Sharepoint
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    dynamik wrote:
    Same problem though, how do they get the files there?
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    You can just have an encrypted "file" that stores all the files they're transferring. You mount it just like a drive. They can share the key via a phone call or something.
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    If I've read this correctly the aim here is to secure the overall data on the server against misuse if the server is taken rather than use encryption to secure it between users (which I presume is done with file permissions anyway) and the scenario proposed does not require encryption of the data in transit so the fact it is FTP has no bearing on how it is stored on the file server encryption or no (beyond the fact that the FTP service account on the server would have to be allowed access to the encrypted files either as the direct owner or as an added one - ditto for whatever account they used to log into FTP if you are using per-user authentication). The FTP protocol and the filesystem never meet, it's purely down to how the FTP server interacts with the OS.
    It works similary for Truecrypt though you bypass authentication altogether excepting the initial key needed to mount the encrypted volume globally after the server boots.

    Now if you did want on-demand individual encryption per-user then every problem mentioned above does apply and VPN'ing in with Domain accounts and using SMB to copy the files over would be the best option imho.

    Still I'd be a lot more worried about the fact the data is being sent via nice old plain text FTP than a server actually being stolen. It sounds like you already know this but your client is putting the cart before the horse priority wise.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
Sign In or Register to comment.