Endpoint Encryption

Could anyone pl explain in detail on the differences between Windows File Share vs PGP Net Share?

As of now, i inderstood the below and pl clarify me the same.

1. In case of local Windows file\folder share, if the user A shares the file\folder and provide the read access to user B, then user B can only read file content. Where as with PGP Netshare, if user A encrypts the file with user B's public key, then user B will decrypt with his/her private key to read and modify the content?

 So where is the option to make only read access to user B? what is the primary difference between Admin and Group Admin (I read the guide, but could not get the primary difference)? what is the difference netween admin and user (i understood that admin can make user also as Admin so that user can become group admin, but both user, admin and group admin can make the changes to the file, can remove the file or can read the file)?

2. In case of File Server file\folder share, fileserver admin (FA) will have the admin credentials to the file share and if FA provides the read\write or read or full control access to user A, then user A can encrypt that file\folder with user B's public key and user B can decrypt with his\her private key.

So what is primary difference between file server access and pgp netshare access?

Thanks!

They are 2 separate things essentially.

PGP Netshare is all about encrypting the file or folder.  If a user browses a share that is only encrypted, if they dont have PGP Desktop installed, they will have full access to the files (they will be completely incomprehensible, but will still have access)

You need to implement both solutions together for it to work the way it should.  Prevent user access to the folders/files AND encrypt.

Encryption of files is really to prevent admins from looking at highly sensitive data (like HR and Payroll etc.) that's the real power of netshare.  You dont want to be encrypting files unless you absolutely have to, because Windows file permissions will be sufficient, providing that if those files were stolen your company wasn't going to suffer as a result of it.

so, as per my understanding, below is the conclusion.

1. Both the windows share and pgp netshare are completely different in user access levels (like read only or read\write or full control)?

So PGP netshare can be done to the users only with read\write and full control access levels, where as Windows share can be done with all three access levels

2. If the folder which is already Windows Shared with the users A, B and C with different access levels, still any one of these users lets say A can go and encrypt the folder with B alone, so that only B can decrypt but C can't access the folder aswell.

Pl confirm the same.

Windows file permissions will always take priority.  If a user has no access to a folder but is a netshare user  for that folder, they wont have access.

No Weevil. Thats the wrong understanding of yours. If a folder is windows shared to user B by A, and if A encrypts the folder to only C, then C alone can decrypt the folder where as B can't open the folder itself even though he was given the windows shared access. I am sure, i tested this scenario.

Yes that is true but it doesn't work the other way round.

Be mindful that in group policy, the most restrictive policy applies.

So if group policy allows access to a folder, but PGP Netshare denies, it will deny

But if group policy denies access to a folder, but PGP Netshare allows, it will deny.

Both will need to have it on allow to allow the user access to the file, and for the file to editable.

So it will always look at Windows share permissions first, then the PGP ones.

So if group policy allows access to a folder, but PGP Netshare denies, it will deny  --- Absolutely perfect

But if group policy denies access to a folder, but PGP Netshare allows, it will deny  ---- Correct (But i dont know why is this behaviour. In my view, providing the access either Read\Write or Full Control in FileServer share to user A is required only for the user A to encrypt the same share with some one. and later the part, whether B is having the windows share access to the same folder in file server is NOT important, as if the folder is encrypted with B's key, then B should be able to decrypt).

There should be a table with [encrypted (yes\No) along with all the roles - admin, group admin and user in columns] and [read only, read\write and full control access to the users in file server share along with whether can encrypt or not] etc for the users like us to get a clear understanding of this or else it is taking lot of time to explore all these options.

I just want to clarify that NetShare encrypts individual files in a NetShare protected folder, rather than the folder itself. If someone who is not an authorized Netshare user of the protected folder places a file in the protected folder, it will not be encrypted.  It is correct that Netshare has no involvement in who can access a folder and its files, or what level of access they have.

That is true, 99 times out of 100 they will be the same, as in the group policy permissions will tally with netshare.  But remember that netshare permissions are only applicable to people with PGP Desktop installed.

You should have a look at some of the CLI commands, you can output a lot of the user privilages via that.

http://www.symantec.com/business/support/index?page=content&id=DOC4648

I got the clarity on the Windows File Share and PGP Net Share. I am yet to prepare the below table for few other share areas.

Bottom line: All the access controls are still maintained by ACL only. Net share isonly for encryption and decryption. And if the users want to decrypt the files\folders, then those files\folders should have been encrypted with them and atleast they should have read access to those files\folders. 

Attachment(s)

Windows File Share Vs PGP Net Share.xls   30 KB 1 version