Solved

Certificate Authority "CA"

Posted on 2014-10-05
15
85 Views
Last Modified: 2015-02-14
I want to be able to do the following, I have never setup a "CA" and would like info as to the best way of doing it.
I have setup just to practice on a VM Srv the CA role, and I have setup templates ect...

I want to be able to do the following.

I have (2) VLans on the network, one for the staff users and one for the tech users.
Both VLans can talk to each other if thy need .
The tech users are 12 workstations that are used to program cell phones.
Our in house programers will be creating programs for the tech users to be able to use on there workstations.
He is concern with one of the tech users being able to download the program and take it off site and using it.

Here is what I would like to do.
when the programer creates a program I like to be able to encrypt it with certificate, at the same time the tech user will have to be able to go into the share folder and drag it to there desktop.


In short, I want to be able to encrypt a file, folder or program and allow the tech user to use it when still protecting it in the even that it is taken off site.

What would be the best way to accomplish this?
0
Comment
Question by:noad
  • 7
  • 6
  • 2
15 Comments
 
LVL 37

Accepted Solution

by:
bbao earned 500 total points
ID: 40362121
> In short, I want to be able to encrypt a file, folder or program

better clarify what you mean by the word 'encrypt' before suggesting a just-for-you solution.

can you please tell us the purpose of encrypting a file, folder or program? to prevent other people from extracting your code/data or running the program or some other specific purpose?
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40362140
Either running the program through remote app / remote desktop , (remote app preferred) or for you to implement ADRMS (Active directory Rights Management Services).  Your idea is way too cumbersome as the program will have to be in 2 parts (check for a valid key and then decrypt the main program) and then execute the main program.. once the main program is decrypted it is open to being emailed or sneakernetter out..
0
 
LVL 1

Author Comment

by:noad
ID: 40362145
bboa...

i want the teh users to be able to open the file while at the office on there computer, but not to be to able to put the file  on a USB drive and open at home or on some other computer.
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 1

Author Comment

by:noad
ID: 40362146
david,

i see what you mean
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40362166
Crazy glue fixes the sneaker-net problem permanently.  With Group policy you can disable USB drives completely, disallow writing to removable media..  Stopping the user from emailing it home is another issue.. or say uploading it to mozy/onedrive is another item.. ADRMS if the user only has READ/Execute permittions  while physically connected to the domain the file cannot be copied AT ALL (if so configured)
0
 
LVL 1

Author Comment

by:noad
ID: 40362249
David,

you make a good case...
I think I will include use it.

I still have a problem where if I encrypt a file with user "TDoe" I want user "KDoe" to be able to open it.
I tried exporting the private key from TDoe and importing it into KDoe, but KDoe still can't open TDoe file.
Why?
What I'm i doing worng?
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40363050
you have to encrypt it with EVERY USERS public key and your private key that you want to be able to access the file, each of these users must have a copy of your public key.
0
 
LVL 1

Author Comment

by:noad
ID: 40363528
David...

I setup the ADCA
I created a dummy user (jdoe)
I went into the templates, duplicated the users template, renamed it "MVP User".
I logged on with jode and requested a certificate.
So far everything is correct.
From the admin account I created a text file and encrypted it, when I try to add the user jdoe I can't (see snap shoots)

user reguest cert
unable to add user
I'm I just doing something wrong? if so what is it?

Thanks
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40364953
mvpjoe needs an efs basic certificate
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40364957
0
 
LVL 1

Author Comment

by:noad
ID: 40365730
David,

I understand what you are asking me to do, but if I may ask. the users temple says that they can encrypt...
Is it just that, only encrypt???
I will add the efs basic temp to the jdoe user.
Will let  you know how it goes.
0
 
LVL 1

Author Comment

by:noad
ID: 40365760
David,

I added the basic efs cert to jdoe, I create a duplicate (MVP Basic EFS) went into jode account , requested the cert...
the problem that I'm having is when I'm in the admin account from which I encrypted the file I can't seem to be able to add jdoe....

unable to add JDoe
see how find user is grayed out....

from the user jdoe can view all his cert.

user JDoe
any idea what could be preventing me from adding the user jdoe to the encrypted file from the administrative account?

Thanks
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40608999
you need to add their public key to your keystore, view certificate then import it.. you will only get the public part of the key.
0
 
LVL 37

Expert Comment

by:bbao
ID: 40609135
it seems i just clarified your requirements and didn't follow up giving the solution. the points and grade should go to David please.
0
 
LVL 1

Author Comment

by:noad
ID: 40609604
David,

BBAO is correct, I inmy hurry I clicked on the wrong name, I did mean to click on your name.
I'm sorry.

How can I fix it????
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question