Ah - a remote location introduces real complications. Very understandable.

Kurt

On Tue, Sep 6, 2016 at 1:35 PM, Eric Wittersheim <[email protected]> wrote:
> Kurt,
>
> Yeah, I tested Bitlocker on a laptop with a USB stick years ago. Encrypting
> a server in a remote datacenter with a USB stick doesn't give me a warm
> fuzzy feeling. It's an option though. I have tested a Chrome GPO to force
> the default download directory to the encrypted folder and that seems to fit
> the bill.
>
> Eric
>
> On Tue, Sep 6, 2016 at 2:51 PM, Kurt Buff <[email protected]> wrote:
>>
>> https://4sysops.com/archives/configure-and-enabling-bitlocker-on-windows-server/
>>
>> Don't necessarily need TPM - a USB stick should do
>>
>> Kurt
>>
>> On Tue, Sep 6, 2016 at 11:44 AM, Eric Wittersheim <[email protected]> wrote:
>>> Kevin,
>>>
>>> We don't have a TPM on that server to use Bitlocker.
>>>
>>> Eric
>>>
>>> On Tue, Sep 6, 2016 at 12:40 PM, Kevin Lundy <[email protected]> wrote:
>>>>
>>>> Bitlocker and encrypt the entire volume(s)?
>>>>
>>>> On Tue, Sep 6, 2016 at 12:18 PM, Eric Wittersheim <[email protected]> wrote:
>>>>>
>>>>> I have a project that is in a highly secured environment and is governed
>>>>> by our PCI policies. The project will allow a user to log into a locked
>>>>> down Hyper-V VM that is running Windows 2012 R2 server and open IE 11 to
>>>>> download WAV files from a second Apache server on the local subnet. The
>>>>> download directory has been redirected to a folder that is encrypted using
>>>>> EFS so all files are encrypted as well. Once the project time frame is
>>>>> complete the downloads are deleted with evidence provided that the files are
>>>>> removed. We can't securely erase the hard drives because multiple projects
>>>>> will be running at the same time. So it has been determined that a deleted
>>>>> file that was encrypted meets the security team requirements.
>>>>>
>>>>> My main concern is the actual download process of the file. I
>>>>> believe the file might be going to a temp folder in the user's profile
>>>>> folder unencrypted before being copied over by the OS to the EFS encrypted
>>>>> folder, thus leaving those unencrypted bits on the hard drive. At this point
>>>>> I don't know of any way of getting around this problem.
>>>>>
>>>>> 1. Has anyone successfully used EFS on the user's iNetCache (or IE temp
>>>>> directory)?
>>>>> 2. Does anyone have any ideas on how to do this differently?
>>>>>
>>>>>
>>>>> Thank you in advance for any pointers,
>>>>>
>>>>> Eric
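The staging-folder problem Eric raises (a browser writes the download to the user's cache or %TEMP% in plaintext, then moves it into the EFS folder) is addressed by marking the staging folders themselves as EFS-encrypted, so every file created in them is born encrypted rather than encrypted after the fact. The script below is an added example, not something posted in the thread: it encrypts the landing folder, the IE/WinINet cache (INetCache on 2012 R2) and %TEMP% for the current user, probes each folder to confirm that new files inherit the Encrypted attribute, and sets the Chrome download-directory policy Eric mentions via the registry keys that the GPO writes. The folder name D:\Secure\Downloads is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012 R2 and that it
# runs AS THE DOWNLOADING USER: EFS keys are per-user, so encrypting the cache
# under another account would not protect that user's downloads.
$downloadDir = 'D:\Secure\Downloads'                          # hypothetical EFS landing folder
$cacheDir    = [Environment]::GetFolderPath('InternetCache')  # ...\AppData\Local\Microsoft\Windows\INetCache
$tempDir     = [IO.Path]::GetTempPath()                       # %TEMP%, the other usual staging location

function Test-EfsEncrypted {
    # True when the file or directory carries the NTFS Encrypted attribute.
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    return [bool]($item.Attributes -band [IO.FileAttributes]::Encrypted)
}

function Enable-EfsOnDirectory {
    # cipher.exe /E marks the directory so files created in it are encrypted on
    # creation; /S:<dir> also applies the change to everything already below it.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    & cipher.exe /E "/S:$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed for $Path (exit $LASTEXITCODE)" }
}

function Test-NewFilesEncrypted {
    # Create a throwaway file in the folder and check that it was born encrypted;
    # this is the check that matters for a browser's staging write.
    param([Parameter(Mandatory)][string]$Path)
    $probe = Join-Path $Path ("efs-probe-{0}.tmp" -f [guid]::NewGuid())
    Set-Content -LiteralPath $probe -Value 'probe'
    try   { return (Test-EfsEncrypted -Path $probe) }
    finally { Remove-Item -LiteralPath $probe -Force }
}

foreach ($d in $downloadDir, $cacheDir, $tempDir) {
    Enable-EfsOnDirectory -Path $d
    '{0,-65} new files encrypted: {1}' -f $d, (Test-NewFilesEncrypted -Path $d)
}

# Registry equivalent of the Chrome GPO from the thread: force downloads into the
# encrypted folder and remove the "Save as" prompt so the user cannot pick another.
$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $chromePolicy -Force | Out-Null
New-ItemProperty -Path $chromePolicy -Name 'DownloadDirectory' `
    -Value $downloadDir -PropertyType String -Force | Out-Null
New-ItemProperty -Path $chromePolicy -Name 'PromptForDownloadLocation' `
    -Value 0 -PropertyType DWord -Force | Out-Null
```

The probe step is the part worth keeping in the runbook: it is the evidence that the staging write never hits disk in plaintext, which is the gap EFS on the final folder alone does not close. Two caveats remain that the script cannot fix. EFS only covers files; the pagefile and any application that stages through a folder outside these three (a different browser profile, a %SYSTEMROOT%\Temp writer) are outside its scope, so the browser's actual staging path should be confirmed with Process Monitor before relying on this. And because the EFS keys live with the user's profile, the "deleted encrypted file" argument only holds as long as that user's EFS certificate and any configured recovery agent are handled as carefully as the data was.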

