Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 92
  • Last Modified:

Certificate Authority "CA"

I want to be able to do the following, I have never setup a "CA" and would like info as to the best way of doing it.
I have setup just to practice on a VM Srv the CA role, and I have setup templates ect...

I want to be able to do the following.

I have (2) VLans on the network, one for the staff users and one for the tech users.
Both VLans can talk to each other if thy need .
The tech users are 12 workstations that are used to program cell phones.
Our in house programers will be creating programs for the tech users to be able to use on there workstations.
He is concern with one of the tech users being able to download the program and take it off site and using it.

Here is what I would like to do.
when the programer creates a program I like to be able to encrypt it with certificate, at the same time the tech user will have to be able to go into the share folder and drag it to there desktop.


In short, I want to be able to encrypt a file, folder or program and allow the tech user to use it when still protecting it in the even that it is taken off site.

What would be the best way to accomplish this?
0
noad
Asked:
noad
  • 7
  • 6
  • 2
1 Solution
 
bbaoIT ConsultantCommented:
> In short, I want to be able to encrypt a file, folder or program

better clarify what you mean by the word 'encrypt' before suggesting a just-for-you solution.

can you please tell us the purpose of encrypting a file, folder or program? to prevent other people from extracting your code/data or running the program or some other specific purpose?
0
 
David Johnson, CD, MVPOwnerCommented:
Either running the program through remote app / remote desktop , (remote app preferred) or for you to implement ADRMS (Active directory Rights Management Services).  Your idea is way too cumbersome as the program will have to be in 2 parts (check for a valid key and then decrypt the main program) and then execute the main program.. once the main program is decrypted it is open to being emailed or sneakernetter out..
0
 
noadAuthor Commented:
bboa...

i want the teh users to be able to open the file while at the office on there computer, but not to be to able to put the file  on a USB drive and open at home or on some other computer.
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
noadAuthor Commented:
david,

i see what you mean
0
 
David Johnson, CD, MVPOwnerCommented:
Crazy glue fixes the sneaker-net problem permanently.  With Group policy you can disable USB drives completely, disallow writing to removable media..  Stopping the user from emailing it home is another issue.. or say uploading it to mozy/onedrive is another item.. ADRMS if the user only has READ/Execute permittions  while physically connected to the domain the file cannot be copied AT ALL (if so configured)
0
 
noadAuthor Commented:
David,

you make a good case...
I think I will include use it.

I still have a problem where if I encrypt a file with user "TDoe" I want user "KDoe" to be able to open it.
I tried exporting the private key from TDoe and importing it into KDoe, but KDoe still can't open TDoe file.
Why?
What I'm i doing worng?
0
 
David Johnson, CD, MVPOwnerCommented:
you have to encrypt it with EVERY USERS public key and your private key that you want to be able to access the file, each of these users must have a copy of your public key.
0
 
noadAuthor Commented:
David...

I setup the ADCA
I created a dummy user (jdoe)
I went into the templates, duplicated the users template, renamed it "MVP User".
I logged on with jode and requested a certificate.
So far everything is correct.
From the admin account I created a text file and encrypted it, when I try to add the user jdoe I can't (see snap shoots)

user reguest cert
unable to add user
I'm I just doing something wrong? if so what is it?

Thanks
0
 
David Johnson, CD, MVPOwnerCommented:
mvpjoe needs an efs basic certificate
0
 
noadAuthor Commented:
David,

I understand what you are asking me to do, but if I may ask. the users temple says that they can encrypt...
Is it just that, only encrypt???
I will add the efs basic temp to the jdoe user.
Will let  you know how it goes.
0
 
noadAuthor Commented:
David,

I added the basic efs cert to jdoe, I create a duplicate (MVP Basic EFS) went into jode account , requested the cert...
the problem that I'm having is when I'm in the admin account from which I encrypted the file I can't seem to be able to add jdoe....

unable to add JDoe
see how find user is grayed out....

from the user jdoe can view all his cert.

user JDoe
any idea what could be preventing me from adding the user jdoe to the encrypted file from the administrative account?

Thanks
0
 
David Johnson, CD, MVPOwnerCommented:
you need to add their public key to your keystore, view certificate then import it.. you will only get the public part of the key.
0
 
bbaoIT ConsultantCommented:
it seems i just clarified your requirements and didn't follow up giving the solution. the points and grade should go to David please.
0
 
noadAuthor Commented:
David,

BBAO is correct, I inmy hurry I clicked on the wrong name, I did mean to click on your name.
I'm sorry.

How can I fix it????
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 7
  • 6
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now