We are now trying to get the building blocks correctly set, which includes the use of EFS (Encrypting File System) or its equivalent to protect network transmissions. I am looking for some guidelines for interpreting what Kerberos-based EFS can give us and the expectations that we should have for its limitations.
Then, assuming we want (for example) an RSA-based solution, how do I get into the price/performance evaluation of such third-party solutions that we will need to plug into Windows 2000 Advanced Server, Active Directory and so on? Funny as it might seem, I do not want to be submitting the result of this initial work as a SearchWindowsManageability.com blooper later down the road! Any advice would be very welcome.
You can read some excellent papers on EFS on Microsoft's Web site. The first one to read is Encrypting File System for Windows 2000; you should also refer to this white paper on Windows 2000 Public Key Infrastructure and this one on PKI enhancements in XP Pro and .NET. While EFS does not require you to establish a PKI, these white papers detail many facets of its use, including how to improve management of EFS. I recently wrote an article and did a webcast on the issue of recovery and how it will be improved in Windows .NET Server. Many important Windows 2000 issues are reviewed as well.
If you are considering an RSA-based solution, your best bet is to contact both RSA and Microsoft. Microsoft has a new team that specializes in security services.