Professional Windows Server 2003 Security: A Technical Reference [Electronic resources]


Roberta Bragg


Remote Storage


In many organizations, policy states that no data files can be stored on local systems. To store encrypted files on file servers, the servers must be configured and care must be taken to protect the data during transport. There are two ways to remotely store EFS-encrypted files on a Windows Server 2003 server: SMB file shares and WebDAV folders. WebDAV (Web-based Distributed Authoring and Versioning) is part of the HTTP 1.1 standard. It provides the ability to store files in a web folder using the HTTP PUT command. A new redirector implements WebDAV in Windows XP and Windows Server 2003. Files can be shared in this manner on the local intranet and across the Internet, and firewalls that allow HTTP access to internal web servers will pose no barrier to this process. Both SMB and WebDAV storage of EFS-encrypted files present their own challenges and issues. Three main issues stand out.

First, if SMB file shares are used, files are decrypted before being transported across the network and then are re-encrypted on the file server. To protect the files during transport, they must be encrypted by some alternative method, sent across the network, and then decrypted. IPSec can provide this function. WebDAV storage works differently. When an encrypted file is stored to a WebDAV-enabled folder, the file crosses the network encrypted and is saved in the remote folder still encrypted. When retrieved, it is not decrypted until it reaches the local machine. If the file is created on the remote server, a temporary file is used on the local host, and the file is encrypted and then transported to the remote server.

Second are the issues related to preparing the server for storing encrypted files. When SMB is used, the computer and user account must be trusted for delegation in Active Directory. When computers are trusted for delegation, they can act as if they were the user, obtaining the authority to use the user's privileges and gaining access to the resources that the user is authorized to use. This may not be an acceptable risk. WebDAV storage does not require the remote server to be trusted for delegation because files are not encrypted or decrypted on the server. However, WebDAV does require IIS to be installed, which requires additional security awareness and policy to ensure that this does not open new risks.

Third, WebDAV folders are Internet-accessible via HTTP wherever HTTP access is provided. Unlike SMB, which can be safely blocked at the firewall because there is no legitimate usage necessary for external users, WebDAV access cannot be blocked where web servers must be accessed. However, you can control access by ensuring sound permission sets and by restricting access to internal WebDAV folders where possible to local users only. That is, if port 80 HTTP access must be available from the Internet to internal web servers, the access should be explicitly contained to those servers. WebDAV folders for EFS files should be located on servers that are not Internet-accessible.

SMB Shares


Before SMB shares can be used for storing encrypted files, they must be prepared. The computer must be trusted for delegation in the Active Directory, and the user's keys must be present on the file server. The easiest and most preferred way to do the latter is to use roaming profiles. However, if a roaming profile is not available, the server can create a new local profile for the user. Because the local host creates an EFS key, the new local profile on the server would contain a different set of keys than the profile on the client. Therefore, attempting to store EFS-encrypted files on a remote file server without using roaming profiles is not a good idea because two different sets of keys must now be managed. To trust the computer for delegation, follow these steps:


1. Open Active Directory Users and Computers.

2. Expand the Computers container, or the OU where the computer account resides, right-click the computer account in the detail pane, and then select Properties.

3. Select the Delegation page.

4. Click to select Trust this computer for delegation to any service (Kerberos only), as shown in Chapter 10, "Securing Active Directory."

Figure 6-23. You must trust the computer for delegation before you can store encrypted files there.

5. Click OK.


NOTE: Caching Key Handles for Performance

By default, a Windows Server 2003 computer that is trusted for delegation and used for storage of EFS-encrypted files will cache up to 15 user key handles. (Handles are pointers to the location of the keys; caching handles improves performance.) This number can be changed (the valid range is 5 to 30) by modifying the DWORD value UserCacheSize located under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS.
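The steps above set the delegation flag through the GUI, and the note describes the key-handle cache. The following PowerShell script is an added example, not code from the book, that lets an administrator audit both settings from a defender's side: it reads whether a named file server's computer account is trusted for delegation, lists every computer account in the domain that carries that flag (each of them can act on behalf of any user who authenticates to it, which is the risk the text warns about), and checks that the UserCacheSize value on the local server falls inside the documented 5 to 30 range. It assumes a domain-joined host with the .NET System.DirectoryServices classes available; the server name FILESERVER01 is a placeholder.

```powershell
# Added example (not from the book): audit a file server intended to hold
# EFS-encrypted files over SMB. Assumes a domain-joined host; FILESERVER01
# is a placeholder name.

# userAccountControl bit set by "Trust this computer for delegation to any
# service (Kerberos only)" (TRUSTED_FOR_DELEGATION, unconstrained delegation).
$TrustedForDelegation = 0x80000

function Get-DomainSearchRoot {
    $rootDse = [ADSI]"LDAP://RootDSE"
    return [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
}

function Get-ComputerDelegationStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher((Get-DomainSearchRoot))
    # Computer accounts have a trailing '$' in sAMAccountName.
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.Add("userAccountControl")
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")

    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer account '$ComputerName' not found in Active Directory." }

    $uac = [int]$result.Properties["useraccountcontrol"][0]
    [pscustomobject]@{
        ComputerName         = $ComputerName
        DistinguishedName    = $result.Properties["distinguishedname"][0]
        TrustedForDelegation = (($uac -band $TrustedForDelegation) -ne 0)
    }
}

function Get-AllDelegationTrustedComputers {
    # Every computer account with the flag set. Review this list periodically:
    # each entry can impersonate users to other services, so it should contain
    # only hosts that genuinely need it (such as the EFS file server).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher((Get-DomainSearchRoot))
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=$TrustedForDelegation))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    $searcher.FindAll() | ForEach-Object { $_.Properties["samaccountname"][0] }
}

function Get-EfsUserCacheSize {
    # Run locally on the file server. Key and value name are from the note above.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS"
    $item = Get-ItemProperty -Path $key -Name UserCacheSize -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows uses the default of 15 key handles.
        return [pscustomobject]@{ UserCacheSize = 15; Source = "default (value absent)"; InRange = $true }
    }
    $size = [int]$item.UserCacheSize
    [pscustomobject]@{
        UserCacheSize = $size
        Source        = "registry"
        InRange       = ($size -ge 5 -and $size -le 30)   # documented range is 5..30
    }
}

# Example invocation (placeholder server name):
Get-ComputerDelegationStatus -ComputerName "FILESERVER01"
Get-AllDelegationTrustedComputers
Get-EfsUserCacheSize
```

The first two functions need only read access to Active Directory and can run from an administrator's workstation; the third reads the local registry and is meant to run on the file server itself. An InRange value of False means the cache size was set outside the supported range and should be corrected with Set-ItemProperty on the same key.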

WebDAV


WebDAV can be set up easily but does require configuration. Files and folders will not appear as encrypted to any user locally logged on to the server. It's important not to locally encrypt files on the server and not to administer the files locally. Use WebDAV to do so. You can, however, use NTBACKUP to back up the encrypted files. WebDAV must be enabled on the IIS computer and then configured using web permissions. Use NTFS file permissions to further enhance security. For more information on configuring WebDAV, refer to Chapter 5, "Controlling Access to Data."

