Title: Message
this is not what firewalls are for
=> someone needs to manage the FW as well... - who's this going to be? Typically the same admins that you want to protect the data from...  And since the server is in a domain, they can still do everything they need on the server via GPOs...
 
So usually, this is a call for encrypting data - and it sounds like you want to share the data between multiple users (which is typically the issue). Even though EFS in 2003 allows sharing encrypted files between users, it's rather clumsy to do so, as you need to configure this for every single file... (i.e. it can't be configured at the folder level). Also, depending on how you set up EFS, the Domain or Enterprise Admins have a hold of the master key.
 
There are various other tools out there, which do this very nicely (incl. sharing an encryption key in the department, with each configured user having his own PIN to be able to leverage the key) - I've worked with Utimaco's SafeGuard products in this area and would recommend you to have a look at them (www.utimaco.com)
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, 1 June 2004 12:02
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Domain Data in Forest

A personal firewall may also fit requirements. I have used Checkpoint secureClient to fulfill a similar requirement.
-----Original Message-----
From: Rutherford, Robert
Sent: 01 June 2004 10:52
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Domain Data in Forest

You need a separate forest then really.
 
or
 
You could DMZ the box off behind a firewall with an appropriate rulebase.
 
BR,
 
Rob
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 01 June 2004 10:45
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Protecting Domain Data in Forest


I have a very strange dilemma here...

One of our domains has a server with sensitive data.  The IT director of this domain has decided that some of the information contained on this server cannot be seen by anyone from the other domains ( even including the Enterprise Admins in our forest ).  This server must also remain connected to its domain and available for non-protected data, SMS hotfixes...  Is this even possible to do?

My boss has also stated that he does not want a separate forest and domain for this server because of the extra upkeep.  Although, an extra password to encrypt data for the users would be allowable.  Are there any products that could get this done?  Has anyone else run into this problem?


Thanks,

Jonathan





This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer. Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person.
The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains.
It is the recipient's responsibility to scan this e-mail and any attachments for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality control and other purposes.

The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB.
