Can I encrypt shared files on Windows Server and allow only authenticated domain users to have access to these files?

The scenario as follows:

I have a software development company, and I would like to protect my source code from being copied by my programmers.

One problem is that some programmers use their own laptops to develop the company's software.

In this scenario it's impossible to prevent developers from copying the source code to their laptops.

In this case I thought about the following solution, but I don't know if it's possible to implement.

The idea is to encrypt the source code so that it is accessible (decrypted) only when developers are logged into the AD domain, i.e. if they are not logged into the AD domain, the source code would be encrypted and useless.

Can this be implemented? What technology should be used?

A: 

It depends on how you understand "allow only authenticated domain users have access to these file": from "permit selected users from Active Directory to access EFS files" to "encrypted network traffic from a file share". There are many other ways to interpret your question. Most scenarios are possible, especially if you have an Active Directory integrated PKI. I don't know how much knowledge you have in this area. Do you know, for example, the main principles of how EFS works? (See, for example, http://go.microsoft.com/fwlink/?LinkID=85746 and http://technet.microsoft.com/en-us/library/bb457116.aspx).

So if you write a short question, an answer could be much longer and may not give the information you need.

Moreover, stackoverflow.com is a site for software development only. Probably http://serverfault.com/ or http://superuser.com/ are better suited to your question.

Best regards

UPDATED: EFS on the server is really not the best solution because of the problem with data recovery on the server. If a user forgets their laptop, or if you want to restore the backup data, or in other non-standard situations, you may be required to implement new special processes in your company if you use EFS on the server. If you don't do this, you can end up with encrypted data on the server which nobody can read. Because of this problem, most large companies deny EFS on servers. One uses local EFS or hard disk encryption on laptops, but only a well-designed NTFS permission system on the server.

It seems to me that you can also solve all your permission problems without any EFS. For example, you can create a directory on the server with change permission for Creator Owner. Then every programmer of your company can create a subdirectory on the share and copy his project source into the subdirectory. He/she receives change permission to this directory, but nobody else does. If you add to the root share directory a permission for Domain Administrators or for your account, then Domain Administrators or you will also have the corresponding permission to the data of your programmers.

If several persons work on one project, you can create a directory for the project, create a corresponding group in Active Directory, place the persons who belong to the project as members of the group, and grant change permission in NTFS to this group. Only persons from the group will be able to access the directory.

Sorry if I am writing well-known things (I don't know your level of knowledge). I only want to give you some examples which show that all the problems you described in your question can be solved not with encryption, but just by granting permissions in the file system. Should you perhaps choose this way?

Oleg
Thanks for your attention, Oleg. I wrote the scenario in the question above. Can you help me?
Jonathan
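
The NTFS permission layout described in the answer, sketched in PowerShell as an added example that is not part of the original answer. The share path, domain name, project folder and group name are assumptions, as are letting Domain Users create folders in the root and mapping "change" to the NTFS Modify right.

```powershell
# Assumed names (not from the original post); adjust to your environment.
$Root         = 'D:\Shares\Source'          # hypothetical share root
$Domain       = 'CONTOSO'                   # hypothetical NetBIOS domain name
$ProjectDir   = Join-Path $Root 'ProjectA'  # hypothetical shared project folder
$ProjectGroup = "$Domain\ProjectA-Devs"     # hypothetical AD group, must already exist

# Helper: build an Allow ACE from identity, rights and inheritance settings.
function New-Rule($Identity, $Rights, $Inherit, $Propagate) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

# --- Share root: one private subdirectory per developer ---
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
# Administrators keep access to everything below the root.
$acl.AddAccessRule((New-Rule "$Domain\Domain Admins" 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
# Developers may list the root and create a folder in it (this folder only, not inherited).
$acl.AddAccessRule((New-Rule "$Domain\Domain Users" 'ReadAndExecute,CreateDirectories' 'None' 'None'))
# Whoever creates a subfolder gets Modify ("change") on it and on its contents.
$acl.AddAccessRule((New-Rule 'CREATOR OWNER' 'Modify' 'ContainerInherit,ObjectInherit' 'InheritOnly'))
Set-Acl -Path $Root -AclObject $acl

# --- Shared project folder: only the project's AD group, plus administrators ---
New-Item -ItemType Directory -Path $ProjectDir -Force | Out-Null
$acl = Get-Acl -Path $ProjectDir
$acl.SetAccessRuleProtection($true, $false)   # do not inherit the root's ACEs
$acl.AddAccessRule((New-Rule "$Domain\Domain Admins" 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
$acl.AddAccessRule((New-Rule $ProjectGroup 'Modify' 'ContainerInherit,ObjectInherit' 'None'))
Set-Acl -Path $ProjectDir -AclObject $acl

# Review the resulting ACLs before putting the share into use.
foreach ($path in $Root, $ProjectDir) {
    Write-Output "ACL for $path"
    (Get-Acl -Path $path).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
}
```

Any explicit ACEs already present on an existing folder are kept by this script, so the final listing is the place to confirm that only the intended identities appear.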