logo

File Server Security with FSRM, EFS and BitLocker

Organizations today store data in many places, including both the corporate file servers and users’ personal devices. To ensure both security and regulatory compliance, IT administrators need to tightly control access to data stored on file servers, and also protect data on portable devices to minimize the risk of data loss or exposure if the devices are lost or stolen.

Windows Server 2016 offers several features that help you protect data:

  • File Server Resource Manager (FSRM)
  • Encrypting File System (EFS)
  • BitLocker
Download free guide:

File Server Resource Manager (FSRM)

File servers hold most of the data that your users and applications use. FSRM is a set of tools that help you understand, control and manage the quantity and type of data stored on your servers. FSRM offers:

  • Quota management. You can create, obtain and manage information about quotas to set storage limits on volumes or folders.
  • File screening management. You can prevent specific file types from being stored on a volume or folder, or be notified when users store these types of files.
  • Storage report management. You can schedule and configure reports on the components and aspects of FSRM, including:
    • Quota usage
    • File screening activity
    • Files that might negatively affect capacity management, such as large files, duplicate files or unused files
    • Files listed and filtered according to owner, file group or a specific file property
  • Classification management. You can identify, categorize and manage files using a wide array of properties.
  • File management tasks. You can delete old files or move files to a specific location based on a file property, such as filename or file type.
Read related content:

Encrypting File System (EFS)

If unauthorized users have physical access to a device (for example, if they have stolen a user’s laptop or smartphone), they can bypass file security to access the data. If you use EFS to protect data, unauthorized users cannot view a file’s content even if they have full access to the device.

Specifically, when an authorized user opens an encrypted file, EFS decrypts the file in the background and provides an unencrypted copy to the application. Authorized users can view or modify the file, and EFS saves changes transparently as encrypted data. If unauthorized users try to do the same, they receive an “Access denied” error.

EFS provides the following important capabilities:

  • EFS works at the file level, and you can have encrypted and unencrypted files on the same volume.
  • EFS operates in the background and is transparent to users and applications.
  • Only authorized users can access encrypted files.
  • You can use data recovery agents to recover data that was encrypted by any user.
  • You can use EFS to encrypt files locally or across the network.
  • In File Explorer, by default, EFS shows encrypted files and folders in a different color than unencrypted files.
  • EFS can encrypt data at rest only; it does not encrypt data while it is being transmitted over the network.

BitLocker

BitLocker complements EFS by providing an additional layer of protection for data stored on Windows devices. BitLocker protects devices that are lost or stolen against data theft or exposure, and it offers secure data disposal when you decommission a device.

BitLocker has the following features:

  • BitLocker can encrypt an entire volume (whether it contains the Windows operating system or is a data volume) or only the used parts of a volume.
  • BitLocker can use a Trusted Platform Module (TPM) to protect the integrity of the Windows startup process. BitLocker verifies that the required boot files have not been tampered with or modified.
  • BitLocker can require additional authentication, such as a PIN or a USB startup key.
  • You can configure network unlock at startup for BitLocker. With network unlock, the BitLocker-protected device starts automatically when it is connected to a trusted company network; otherwise, you need to provide a startup PIN.
  • If a TPM fails or the password is lost, BitLocker provides a recovery mechanism, a 48-digit recovery key or a recovery agent to access the volume data.
  • BitLocker protects the whole volume from offline attacks.
  • You can combine BitLocker with EFS. BitLocker encrypts at the volume level, whereas EFS encrypts data at the file level.
  • BitLocker overhead is minimal; for most installations, the performance impact is not noticeable.
Jeff Melnick
Jeff is a former Director of Global Solutions Engineering at Netwrix. He is a long-time Netwrix blogger, speaker, and presenter. In the Netwrix blog, Jeff shares lifehacks, tips and tricks that can dramatically improve your system administration experience.
More great reading
Featured tags
Active Directory CISSP Cyber attack Data classification Data governance Data security GDPR Insider threat IT compliance IT security Office 365 Risk assessment SharePoint Windows Server
...