Solved

Certificate Authority "CA"

Posted on 2014-10-05
15
82 Views
Last Modified: 2015-02-14
I want to be able to do the following, I have never setup a "CA" and would like info as to the best way of doing it.
I have setup just to practice on a VM Srv the CA role, and I have setup templates ect...

I want to be able to do the following.

I have (2) VLans on the network, one for the staff users and one for the tech users.
Both VLans can talk to each other if thy need .
The tech users are 12 workstations that are used to program cell phones.
Our in house programers will be creating programs for the tech users to be able to use on there workstations.
He is concern with one of the tech users being able to download the program and take it off site and using it.

Here is what I would like to do.
when the programer creates a program I like to be able to encrypt it with certificate, at the same time the tech user will have to be able to go into the share folder and drag it to there desktop.


In short, I want to be able to encrypt a file, folder or program and allow the tech user to use it when still protecting it in the even that it is taken off site.

What would be the best way to accomplish this?
0
Comment
Question by:noad
  • 7
  • 6
  • 2
15 Comments
 
LVL 37

Accepted Solution

by:
Bing CISM / CISSP earned 500 total points
ID: 40362121
> In short, I want to be able to encrypt a file, folder or program

better clarify what you mean by the word 'encrypt' before suggesting a just-for-you solution.

can you please tell us the purpose of encrypting a file, folder or program? to prevent other people from extracting your code/data or running the program or some other specific purpose?
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40362140
Either running the program through remote app / remote desktop , (remote app preferred) or for you to implement ADRMS (Active directory Rights Management Services).  Your idea is way too cumbersome as the program will have to be in 2 parts (check for a valid key and then decrypt the main program) and then execute the main program.. once the main program is decrypted it is open to being emailed or sneakernetter out..
0
 
LVL 1

Author Comment

by:noad
ID: 40362145
bboa...

i want the teh users to be able to open the file while at the office on there computer, but not to be to able to put the file  on a USB drive and open at home or on some other computer.
0
 
LVL 1

Author Comment

by:noad
ID: 40362146
david,

i see what you mean
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40362166
Crazy glue fixes the sneaker-net problem permanently.  With Group policy you can disable USB drives completely, disallow writing to removable media..  Stopping the user from emailing it home is another issue.. or say uploading it to mozy/onedrive is another item.. ADRMS if the user only has READ/Execute permittions  while physically connected to the domain the file cannot be copied AT ALL (if so configured)
0
 
LVL 1

Author Comment

by:noad
ID: 40362249
David,

you make a good case...
I think I will include use it.

I still have a problem where if I encrypt a file with user "TDoe" I want user "KDoe" to be able to open it.
I tried exporting the private key from TDoe and importing it into KDoe, but KDoe still can't open TDoe file.
Why?
What I'm i doing worng?
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40363050
you have to encrypt it with EVERY USERS public key and your private key that you want to be able to access the file, each of these users must have a copy of your public key.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 1

Author Comment

by:noad
ID: 40363528
David...

I setup the ADCA
I created a dummy user (jdoe)
I went into the templates, duplicated the users template, renamed it "MVP User".
I logged on with jode and requested a certificate.
So far everything is correct.
From the admin account I created a text file and encrypted it, when I try to add the user jdoe I can't (see snap shoots)

user reguest cert
unable to add user
I'm I just doing something wrong? if so what is it?

Thanks
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40364953
mvpjoe needs an efs basic certificate
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40364957
0
 
LVL 1

Author Comment

by:noad
ID: 40365730
David,

I understand what you are asking me to do, but if I may ask. the users temple says that they can encrypt...
Is it just that, only encrypt???
I will add the efs basic temp to the jdoe user.
Will let  you know how it goes.
0
 
LVL 1

Author Comment

by:noad
ID: 40365760
David,

I added the basic efs cert to jdoe, I create a duplicate (MVP Basic EFS) went into jode account , requested the cert...
the problem that I'm having is when I'm in the admin account from which I encrypted the file I can't seem to be able to add jdoe....

unable to add JDoe
see how find user is grayed out....

from the user jdoe can view all his cert.

user JDoe
any idea what could be preventing me from adding the user jdoe to the encrypted file from the administrative account?

Thanks
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40608999
you need to add their public key to your keystore, view certificate then import it.. you will only get the public part of the key.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 40609135
it seems i just clarified your requirements and didn't follow up giving the solution. the points and grade should go to David please.
0
 
LVL 1

Author Comment

by:noad
ID: 40609604
David,

BBAO is correct, I inmy hurry I clicked on the wrong name, I did mean to click on your name.
I'm sorry.

How can I fix it????
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Know what services you can and cannot, should and should not combine on your server.
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now