Kurt,

Yeah, I tested BitLocker on a laptop with a USB stick years ago. Encrypting a server in a remote datacenter with a USB stick doesn't give me a warm fuzzy feeling. It's an option though. I have tested a Chrome GPO to force the default download directory to the encrypted folder and that seems to fit the bill.

Eric

On Tue, Sep 6, 2016 at 2:51 PM, Kurt Buff <[email protected]> wrote:
> https://4sysops.com/archives/configure-and-enabling-bitlocker-on-windows-server/
>
> Don't necessarily need TPM - a USB stick should do
>
> Kurt
>
> On Tue, Sep 6, 2016 at 11:44 AM, Eric Wittersheim <[email protected]> wrote:
> > Kevin,
> >
> > We don't have a TPM on that server to use BitLocker.
> >
> > Eric
> >
> > On Tue, Sep 6, 2016 at 12:40 PM, Kevin Lundy <[email protected]> wrote:
> >>
> >> BitLocker and encrypt the entire volume(s)?
> >>
> >> On Tue, Sep 6, 2016 at 12:18 PM, Eric Wittersheim <[email protected]> wrote:
> >>>
> >>> I have a project that is in a highly secured environment and is governed
> >>> by our PCI policies. The project will allow a user to log into a locked
> >>> down Hyper-V VM that is running Windows 2012 R2 server and open IE 11 to
> >>> download WAV files from a second Apache server on the local subnet. The
> >>> download directory has been redirected to a folder that is encrypted using
> >>> EFS so all files are encrypted as well. Once the project time frame is
> >>> complete the downloads are deleted with evidence provided that the files are
> >>> removed. We can't securely erase the hard drives because multiple projects
> >>> will be running at the same time. So it has been determined that a deleted
> >>> file that was encrypted meets the security team requirements.
> >>>
> >>> My main concern is the actual download process of the file. I
> >>> believe the file might be going to a temp folder in the user's profile folder
> >>> unencrypted before being copied over by the OS to the EFS encrypted folder.
> >>> Thus leaving those unencrypted bits on the hard drive. At this point I
> >>> don't know of any way of getting around this problem.
> >>>
> >>> 1. Has anyone successfully used EFS on the user's iNetCache (or IE temp
> >>> directory)?
> >>> 2. Does anyone have any ideas on how to do this differently?
> >>>
> >>> Thank you in advance for any pointers,
> >>>
> >>> Eric

