加密 AD 域上的共享文件
我可以加密 Windows 服务器上的共享文件并仅允许经过身份验证的域用户访问这些文件吗?
场景如下:
我有一家软件开发公司,我想保护我的源代码不被我的程序员复制。
一个问题是一些程序员使用自己的笔记本电脑来开发公司的软件。
在这种情况下,不可能阻止开发人员复制其笔记本电脑的源代码。
针对这种情况,我想到了以下解决方案,但不知道是否可以实现。
这个想法是对源代码进行加密,只有当开发人员登录到 AD 域时才可以访问(解密)它们,即如果他们没有登录到 AD 域,则加密的源代码将毫无用处。
这个可以实施吗? 应该使用什么技术?
Can I encrypt shared files on windows server and allow only authenticated domain users have access to these files?
The scenario as follows:
I have a software development company, and I would like to protect my source code from being copied by my programmers.
One problem is that some programmers use their own laptops to developing the company's software.
In this scenario it's impossible to prevent developers from copying the source code for their laptops.
In this case I thought about the following solution, but i don't know if it's possible to implement.
The idea is to encrypt the source code and they are accessible (decrypted) only when developers are logged into the AD domain, ie if they are not logged into the AD domain, the source code would be encrypted be useless.
Can be implemented this ?
What technology should be used?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这取决于您如何理解“仅允许经过身份验证的域用户访问这些文件”:来自“允许 Active Directory 中的选定用户访问 EFS 文件”或“来自文件共享的加密网络流量”。你的问题还有更多其他的解释方式。大多数情况都是可能的,特别是当您有 Active Directory 集成 PKI 时。我不知道你对这个领域有哪些了解。例如,您知道 EFS 工作原理的主要原理吗? (例如,请参阅 http://go.microsoft.com/fwlink/?LinkID=85746 和 http://technet.microsoft.com/en-us /library/bb457116.aspx)。
因此,如果您写一个简短的问题,答案可能会更长,并且无法提供您需要的信息。
此外,stackoverflow.com 是一个仅用于软件开发的网站。可能是 https://serverfault.com/ 或 https://superuser。 com/ 更适合您的问题。
最好的问候
UDPATED:服务器上的 EFS 确实不是最好的解决方案,因为服务器上的数据恢复存在问题。如果用户忘记携带笔记本电脑,或者您想要恢复备份数据,或者出现其他非标准情况,您可能需要在公司中实施新的特殊流程,以便在服务器上使用 EFS。如果您不这样做,您可能会在服务器上收到任何人都无法读取的加密数据。由于这个问题,大多数大公司拒绝在服务器上使用 EFS。在笔记本电脑上使用本地 EFS 或硬盘加密,但在服务器上仅使用设计良好的 NTFS 权限系统。
在我看来,您无需任何 EFS 也可以解决所有权限问题。例如,您可以在服务器上创建一个具有创建者所有者更改权限的目录。然后你公司的每个程序员都可以在共享上创建一个子目录,并将他的项目源复制到子目录中。他/她获得对此目录的更改权限,但其他人没有。如果你在根共享目录中为你的账户添加了域管理员的权限,那么域管理员或者你对你的程序员的数据也将拥有相应的权限。
如果某些人在一个项目上工作,您可以为该项目创建一个目录,在Active Directory 中创建相应的组,将属于该项目的人员作为该组的成员,并为该组在NTFS 中更改权限。只有该组中的人员才能访问该目录。
抱歉,如果我写的是众所周知的事情(我不知道你的知识)。我只想给您提供一些示例,这些示例表明您在问题中描述的所有问题都可以解决不涉及加密,而只需在文件系统中授予权限即可解决。您应该选择这种方式吗?
It' depend on how you understand "allow only authenticated domain users have access to these file": from "permit selected user from Active Directory access EFS file" or "encrypted network traffic, from a file share". There are much more other interpretation ways of your question. Most scenarios are possible especially is you have Active Directory integrated PKI. I don't know which knowledge in the area you have. Do you know for example the main principles how EFS work? (see for example, http://go.microsoft.com/fwlink/?LinkID=85746 and http://technet.microsoft.com/en-us/library/bb457116.aspx).
So if you write a short question an answer could be much longer and can give not the information which you need.
Moreover stackoverflow.com is a site for software development only. Probably https://serverfault.com/ or https://superuser.com/ are better suitable for your question.
Best regards
UDPATED: EFS on the server is really not the best solution because of problem with data recovery on the server. If a user forget your laptop or if you want restore the backup data or in case of other not standard situations you can be required to implement new special processes in your company in case of usage EFS on the server. If you don't do this you can receive encrypted data on the server which nobody can read. Because of this problem the most of large companies deny EFS on servers. One use local EFS or hard disk encryption on laptops, but use only a good designed NTFS permission system on the server.
It seems to me that you can solve all your permission problem problems also without any EFS. For example, you can create on the server a directory with change permission for Creator Owner. Then every programmers of your company can create a subdirectory on the share and copy his project source in the subdirectory. He/she receive change permission to this directory, but nobody else. If you add to the root share directory a permission for Domain Administrators of for your account, then Domain Administrators or you will also have corresponding permission to the data of your programmers.
If some persons work on one project you can create a directory for the project, create a corresponding Group in the Active Directory, place persons who belongs to the project as a members of the group, and grand change permission in NTFS for this group. Only persons from the group will be able access the directory.
Sorry if I write a well known things (I don't know your knowledge). I want only gives you some examples, which shows, that all problems which you described in your question can be solved not with respect of encryption, but just with granting permission in the file system. Should you probably choose this way?