Solved

Certificate Authority "CA"

Posted on 2014-10-05
Last Modified: 2015-02-14
I want to be able to do the following. I have never set up a "CA" and would like info as to the best way of doing it.
I have set up the CA role on a VM server just to practice, and I have set up templates, etc.

I want to be able to do the following.

I have (2) VLANs on the network, one for the staff users and one for the tech users.
Both VLANs can talk to each other if they need to.
The tech users are 12 workstations that are used to program cell phones.
Our in-house programmers will be creating programs for the tech users to be able to use on their workstations.
He is concerned with one of the tech users being able to download the program, take it off site and use it.

Here is what I would like to do.
When the programmer creates a program, I would like to be able to encrypt it with a certificate; at the same time the tech user will have to be able to go into the shared folder and drag it to their desktop.

In short, I want to be able to encrypt a file, folder or program and allow the tech user to use it while still protecting it in the event that it is taken off site.

What would be the best way to accomplish this?
Question by:noad
15 Comments
 
LVL 37

Accepted Solution

by:
Bing CISM / CISSP earned 500 total points
ID: 40362121
> In short, I want to be able to encrypt a file, folder or program

Better clarify what you mean by the word 'encrypt' before suggesting a just-for-you solution.

Can you please tell us the purpose of encrypting a file, folder or program? To prevent other people from extracting your code/data or running the program, or some other specific purpose?
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40362140
Either run the program through RemoteApp / Remote Desktop (RemoteApp preferred), or implement ADRMS (Active Directory Rights Management Services). Your idea is way too cumbersome, as the program will have to be in 2 parts (check for a valid key and then decrypt the main program) and then execute the main program. Once the main program is decrypted it is open to being emailed or sneakernetted out.
 
LVL 1

Author Comment

by:noad
ID: 40362145
bbao...

I want the tech users to be able to open the file while at the office on their computer, but not to be able to put the file on a USB drive and open it at home or on some other computer.
 
LVL 1

Author Comment

by:noad
ID: 40362146
David,

I see what you mean.
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40362166
Crazy glue fixes the sneaker-net problem permanently. With Group Policy you can disable USB drives completely or disallow writing to removable media. Stopping the user from emailing it home is another issue, or say uploading it to Mozy/OneDrive is another item. With ADRMS, if the user only has Read/Execute permissions while physically connected to the domain, the file cannot be copied AT ALL (if so configured).
 
LVL 1

Author Comment

by:noad
ID: 40362249
David,

You make a good case...
I think I will use it.

I still have a problem where if I encrypt a file with user "TDoe" I want user "KDoe" to be able to open it.
I tried exporting the private key from TDoe and importing it into KDoe, but KDoe still can't open TDoe's file.
Why?
What am I doing wrong?
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40363050
You have to encrypt it with the public key of EVERY USER that you want to be able to access the file, and with your private key; each of these users must have a copy of your public key.
 
LVL 1

Author Comment

by:noad
ID: 40363528
David...

I set up the AD CA.
I created a dummy user (jdoe).
I went into the templates, duplicated the Users template, and renamed it "MVP User".
I logged on with jdoe and requested a certificate.
So far everything is correct.
From the admin account I created a text file and encrypted it; when I try to add the user jdoe I can't (see snapshots).

[screenshot: user request cert]
[screenshot: unable to add user]
Am I just doing something wrong? If so, what is it?

Thanks
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40364953
mvpjoe needs an EFS Basic certificate.
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40364957
 
LVL 1

Author Comment

by:noad
ID: 40365730
David,

I understand what you are asking me to do, but if I may ask, the Users template says that they can encrypt...
Is it just that, only encrypt???
I will add the EFS Basic template to the jdoe user.
Will let you know how it goes.
 
LVL 1

Author Comment

by:noad
ID: 40365760
David,

I added the Basic EFS cert to jdoe: I created a duplicate (MVP Basic EFS), went into the jdoe account, and requested the cert...
The problem that I'm having is that when I'm in the admin account from which I encrypted the file, I can't seem to be able to add jdoe....

[screenshot: unable to add JDoe]
See how Find User is grayed out....

From the user jdoe I can view all his certs.

[screenshot: user JDoe]
Any idea what could be preventing me from adding the user jdoe to the encrypted file from the administrative account?

Thanks
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40608999
You need to add their public key to your keystore: view the certificate, then import it. You will only get the public part of the key.
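As an added illustration (not from the thread, and not the asker's or David's own commands), the two comments above about sharing an EFS file with another user come down to three steps that can be scripted: jdoe exports only the public part of his EFS certificate, the user who encrypted the file imports that certificate and adds jdoe with cipher.exe, and cipher.exe /c confirms both certificates are now on the file. The paths, the file name and the assumption that jdoe enrolled from an EFS-capable template are mine.

```powershell
# Added example, not from the thread. Assumes jdoe already holds a certificate with the
# "Encrypting File System" EKU (OID 1.3.6.1.4.1.311.10.3.4) in his personal store, and
# that C:\share\secret.txt was EFS-encrypted by the user running step 2. Paths are made up.

# --- Step 1 (run as jdoe): export only the PUBLIC part of his EFS certificate ---
$efsEku   = '1.3.6.1.4.1.311.10.3.4'
$jdoeCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsEku) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $jdoeCert) {
    throw 'jdoe has no EFS certificate; enrol from the Basic EFS template first.'
}
# A .cer file carries the public certificate only; the private key never leaves jdoe's profile.
Export-Certificate -Cert $jdoeCert -FilePath 'C:\share\jdoe-efs.cer' | Out-Null

# --- Step 2 (run as the user who encrypted the file): import the cert, then add jdoe ---
$file = 'C:\share\secret.txt'
# "AddressBook" is the store the MMC shows as "Other People"; once the cert is here,
# the "Find User" button in the Advanced Attributes dialog is no longer greyed out.
Import-Certificate -FilePath 'C:\share\jdoe-efs.cer' `
    -CertStoreLocation Cert:\CurrentUser\AddressBook | Out-Null
# /adduser wraps the file's encryption key for the additional certificate;
# /certfile points straight at the exported public certificate.
cipher.exe /adduser /certfile:C:\share\jdoe-efs.cer $file

# --- Step 3: verify that both users' certificates are listed on the file ---
cipher.exe /c $file
```

Step 3 should list the file owner's and jdoe's certificate thumbprints under "Users who can decrypt"; if jdoe's is missing, the certificate exported in step 1 did not carry the EFS EKU.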
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 40609135
It seems I just clarified your requirements and didn't follow up by giving the solution. The points and grade should go to David, please.
 
LVL 1

Author Comment

by:noad
ID: 40609604
David,

BBAO is correct; in my hurry I clicked on the wrong name. I did mean to click on your name.
I'm sorry.

How can I fix it????