Current version of Bitlocker is better but I kind of see your point on remote datacenter.
Jon Harris

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Eric Wittersheim
Sent: Tuesday, September 6, 2016 4:35 PM
To: [email protected]
Subject: Re: [NTSysADM] EFS and Temporary files

Kurt,

Yeah, I tested Bitlocker on a laptop with a USB stick years ago. Encrypting a server in a remote datacenter with a USB stick doesn't give me a warm fuzzy feeling. It's an option though. I have tested a Chrome GPO to force the default download directory to the encrypted folder and that seems to fit the bill.

Eric

On Tue, Sep 6, 2016 at 2:51 PM, Kurt Buff <[email protected]> wrote:

https://4sysops.com/archives/configure-and-enabling-bitlocker-on-windows-server/

Don't necessarily need TPM - a USB stick should do

Kurt

On Tue, Sep 6, 2016 at 11:44 AM, Eric Wittersheim <[email protected]> wrote:
> Kevin,
>
> We don't have a TPM on that server to use Bitlocker.
>
> Eric
>
> On Tue, Sep 6, 2016 at 12:40 PM, Kevin Lundy <[email protected]> wrote:
>>
>> Bitlocker and encrypt the entire volume(s)?
>>
>> On Tue, Sep 6, 2016 at 12:18 PM, Eric Wittersheim
>> <[email protected]> wrote:
>>>
>>> I have a project that is in a highly secured environment and is governed
>>> by our PCI policies. The project will allow a user to log into a locked
>>> down Hyper-V VM that is running Windows 2012 R2 server and open IE 11 to
>>> download WAV files from a second Apache server on the local subnet. The
>>> download directory has been redirected to a folder that is encrypted using
>>> EFS so all files are encrypted as well. Once the project time frame is
>>> complete the downloads are deleted with evidence provided that the files are
>>> removed. We can't securely erase the hard drives because multiple projects
>>> will be running at the same time. So it has been determined that a deleted
>>> file that was encrypted meets the security team requirements.
>>>
>>> My main concern is the actual download process of the file. I
>>> believe the file might be going to a temp folder in the user's profile folder
>>> unencrypted before being copied over by the OS to the EFS encrypted folder.
>>> Thus leaving those unencrypted bits on the hard drive. At this point I
>>> don't know of any way of getting around this problem.
>>>
>>> 1. Has anyone successfully used EFS on the user's iNetCache (or IE temp
>>> directory)?
>>> 2. Does anyone have any ideas on how to do this differently?
>>>
>>>
>>> Thank you in advance for any pointers,
>>>
>>> Eric
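
Added example, not part of the thread or written by any of its participants: a PowerShell check, run as the downloading user on the VM, that reports whether the folders a browser download can pass through carry the EFS attribute and how many files in them do not. The `D:\ProjectDownloads` path is a hypothetical stand-in for the redirected download folder.

```powershell
# Added example (not from the thread). Run in the session of the user who downloads the files.
param(
    # Hypothetical path: replace with the EFS-encrypted download folder.
    [string]$DownloadDir = 'D:\ProjectDownloads'
)

# Folders a download may touch: the final destination, the user's TEMP,
# and the IE cache (INetCache) under the user's profile.
$candidates = @(
    $DownloadDir,
    $env:TEMP,
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache')
)

function Test-EfsAttribute {
    # True when NTFS marks the file or folder as EFS-encrypted.
    param([System.IO.FileSystemInfo]$Item)
    return [bool]($Item.Attributes -band [System.IO.FileAttributes]::Encrypted)
}

foreach ($dir in $candidates) {
    if (-not (Test-Path -LiteralPath $dir)) {
        [pscustomobject]@{ Folder = $dir; Present = $false
                           FolderEncrypted = $null; PlaintextFiles = $null }
        continue
    }

    $folder = Get-Item -LiteralPath $dir -Force

    # Files currently stored without the Encrypted attribute. -Force includes
    # hidden and system entries, which cache folders use heavily.
    $plain = Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-EfsAttribute $_) }

    [pscustomobject]@{
        Folder          = $dir
        Present         = $true
        FolderEncrypted = Test-EfsAttribute $folder
        PlaintextFiles  = @($plain).Count
    }
}
# Limitation: this reports the current state only. It cannot show whether a file
# was written in plaintext earlier and then deleted or moved.
```

Running it while a test download is in progress shows which of the three folders actually receives the partial file.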

