Encryption with network servers
You can encrypt data stored on a network file server; however, doing so affects which users and which host environments can be supported. Ensure you fully understand the process before deploying to a live server.
Using encryption with a server provides no audit report of access beyond what the host operating system already provides.
There are two encryption methods that might provide the required security:
Granular Encryption
You can run ESET Endpoint Encryption on the connected client machines and use it to create encrypted containers in which sensitive data is stored. Because the encryption is performed on the client and the server only stores the encrypted container, this method also works with non-Windows file servers and Network Attached Storage (NAS) devices. The container types that can be used for this purpose are:
•Encrypted Archives
•Individually Encrypted Files
•Encrypted Virtual Disks
•Text encryption
You cannot use folder encryption over a network; see Error when you attempt to encrypt a network folder with ESET Endpoint Encryption (5.1.x).
Full Disk Encryption
Before considering Full Disk Encryption (FDE) as a solution for securing a network server, you must understand how FDE works and which attack vector it defends against.
For ease of maintenance, use FDE in a server environment only where necessary. FDE prevents files from being accessed or copied from the machine only while it is powered off, or has been restarted and nobody has yet authenticated at the bootloader. It protects data at rest, not data on a running server.
Once you authenticate with your credentials at the ESET Endpoint Encryption bootloader, an FDE system serves files and shares exactly as it did before encryption.
FDE adds no access control beyond what the operating system itself provides. It does not prevent an attacker who exploits the running operating system from retrieving data from the server across the network.
If that network-borne attack is the vector being defended against, an encrypted container stored on the server, such as a virtual disk that clients open with ESET Endpoint Encryption, is the more suitable solution. The advantage of this scenario is that only the necessary, sensitive data is encrypted, and the server holds only the encrypted container while decryption happens on the client. However, remember that only the first person to mount a virtual disk from the network gets read/write access; subsequent users get read-only access until all users have unmounted the drive.
If FDE is required, then the following caveats should be noted when implementing the encryption:
•Before deploying to a live server, ensure you fully test the encryption process and backup/disaster recovery procedures on an identical server setup (both hardware and software).
•Verify the solution works correctly with the same disk controllers and drives used for storage on a test server. This is especially important if the machine uses RAID storage.
•On a heavily loaded server, the encryption adds a noticeable performance overhead.
•If admins use Remote Desktop or similar remote connection software, note that after a reboot the machine stops at the ESET Endpoint Encryption bootloader and does not reach the Windows login, and so does not accept remote connections, until someone physically present at the server authenticates there. Any option that lets the server boot straight to the Windows login without that step shifts the protection to the Windows login alone.
An additional feature that could be used is Maintenance Mode.
Some remote hardware keyboard (IP-KVM) devices allow logging in through the bootloader, because they are available from the moment the machine's BIOS loads.
•If the encrypted machine is managed by an ESET Endpoint Encryption Server, that server must not be hosted on the same machine. You need access to the ESET Endpoint Encryption Server to recover the FDE logins should they be forgotten, and it would be unreachable on a server that cannot get past its own bootloader.
•You can only use FDE on Windows machines. You cannot use FDE on NAS devices or Linux-based servers.
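The caveats above ask you to prove, before touching the live server, that the test server really matches it (disk controllers, RAID, firmware) and to know whether remote admins and a co-hosted ESET Endpoint Encryption Server will be a problem. The PowerShell below is an added example written for this article, not ESET's code or any ESET tool: it records those facts on each machine and diffs the two records. It assumes Windows Server 2012 or later (for Get-PhysicalDisk, Get-Disk and $env:firmware_type), an elevated session, and that an ESET Endpoint Encryption Server installation registers a Windows service whose display name contains "Endpoint Encryption" and "Server" (an assumption; adjust the pattern to what services.msc shows in your environment).

```powershell
# Added example (not ESET's code). Snapshot the platform and storage facts
# that the FDE caveats depend on, so a test server and the live server can be
# compared before FDE is enabled on the live one.

function Get-FdeProfile {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Controllers and drivers: a RAID controller that works on the test server
    # proves nothing about a different model or driver on the live server.
    $controllers = @(Get-CimInstance -ClassName Win32_SCSIController |
        Select-Object Name, Manufacturer, DriverName)

    # Physical drives as the OS sees them. BusType 'RAID' means the drive is
    # presented by a hardware RAID controller rather than attached directly.
    $physical = @(Get-PhysicalDisk |
        Select-Object FriendlyName, MediaType, BusType, FirmwareVersion,
            @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB) } })

    # Disks including the system/boot disk, which is where the bootloader goes.
    $disks = @(Get-Disk |
        Select-Object Number, PartitionStyle, BusType, IsBoot, IsSystem,
            @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB) } })

    # fDenyTSConnections = 0 means Remote Desktop is enabled: admins relying on
    # it will need someone at the console after every reboot.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)

    # ASSUMPTION: the ESET Endpoint Encryption Server shows up as a service
    # whose display name matches this pattern. Adjust to your environment.
    $eesServices = @(Get-Service |
        Where-Object { $_.DisplayName -like '*Endpoint Encryption*Server*' } |
        Select-Object -ExpandProperty DisplayName)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSCaption     = $os.Caption
        OSVersion     = $os.Version
        Manufacturer  = $cs.Manufacturer
        Model         = $cs.Model
        FirmwareType  = $env:firmware_type          # 'UEFI' or 'Legacy'
        RemoteDesktop = $rdpEnabled
        HasRaid       = ($physical.BusType -contains 'RAID') -or
                        ((@($controllers.Name) -match 'RAID').Count -gt 0)
        EESServerHere = $eesServices
        Controllers   = $controllers
        PhysicalDisks = $physical
        Disks         = $disks
    }
}

function Export-FdeProfile {
    param([Parameter(Mandatory)][string]$Path)
    Get-FdeProfile | ConvertTo-Json -Depth 5 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-FdeProfile {
    param(
        [Parameter(Mandatory)][string]$TestPath,
        [Parameter(Mandatory)][string]$LivePath
    )
    $test = Get-Content -Raw -Path $TestPath | ConvertFrom-Json
    $live = Get-Content -Raw -Path $LivePath | ConvertFrom-Json

    # Scalar facts that must match for the test server to be representative.
    foreach ($key in 'OSVersion', 'Manufacturer', 'Model', 'FirmwareType', 'HasRaid') {
        if ("$($test.$key)" -ne "$($live.$key)") {
            "MISMATCH $key : test='$($test.$key)' live='$($live.$key)'"
        }
    }
    # Collections: render each entry to one string and diff the two sets.
    foreach ($key in 'Controllers', 'PhysicalDisks', 'Disks') {
        $t = @($test.$key | ForEach-Object {
            ($_.PSObject.Properties | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ';' })
        $l = @($live.$key | ForEach-Object {
            ($_.PSObject.Properties | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ';' })
        Compare-Object -ReferenceObject $t -DifferenceObject $l | ForEach-Object {
            $side = if ($_.SideIndicator -eq '<=') { 'test only' } else { 'live only' }
            "DIFF $key ($side): $($_.InputObject)"
        }
    }
    if (@($live.EESServerHere).Count -gt 0) {
        "WARNING: an ESET Endpoint Encryption Server appears to be installed on the live server: $($live.EESServerHere -join ', ')"
    }
    if ($live.RemoteDesktop) {
        "NOTE: Remote Desktop is enabled on the live server; plan console or IP-KVM access for reboots."
    }
}

# Usage: run elevated on each server, copy the files to one place, then compare.
#   Export-FdeProfile -Path C:\temp\fde-test.json
#   Export-FdeProfile -Path C:\temp\fde-live.json
#   Compare-FdeProfile -TestPath .\fde-test.json -LivePath .\fde-live.json
```

Any MISMATCH or DIFF line means the test server did not exercise the same controller, drive or firmware path that the live server will, and the test in the first caveat should be repeated on matching hardware before FDE is deployed.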