I've had success with Sysinternals Process Explorer. With this, you can search to find what process(es) have a file open, and you can use it to close the handle(s) if you want. Of course, it is safer to close the whole process. Exercise caution and judgement.
To find a specific file, use the menu option Find->Find Handle or DLL...
Type in part of the path to the file. The list of processes will appear below.
If you prefer the command line, the Sysinternals suite includes a command-line tool, Handle, that lists open handles.
Examples
c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "e:\"
(finds all files opened from drive e:\)
c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "file-or-path-in-question"
We use OpenVPN for our "home" and "field" workers. There are clients available for Windows, Linux and Mac OS X (called Tunnelblick). We run our access server off a Fedora box, but according to the OpenVPN website, there are also access servers available as virtual appliances or for VHD. However, this will require either a server connected directly to the Internet, or some port forwarding from your firewall to the access server. From your description above, it sounds like port forwarding is the way to go for you.
We use this with self-signed certificates (i.e. certificates we create ourselves for each user) and it works like a charm. Our access server is configured to run on port 443, which makes it easier for the "field" workers to connect from hotels (which often have strong restrictions on which ports are allowed).
With Windows clients, the OpenVPN client can be configured to start up before the Windows login prompt comes up, which means that at the point of logon, you already have a connection to your LAN, and authentication against AD is simple: The user gets a choice which domain he wants to log on to (local domain or AD domain). Alternatively, if the client is NOT configured to start up automatically, users can still log on with their domain credentials, if the computer is registered, because Windows will cache their credentials for a certain time. However, if no connection is made before the cache expires, your homeworker can get a bit stuck, particularly if he doesn't have credentials for any local accounts on the machine.
Best Answer
Yep, it's perfectly possible. x509 is x509.
OpenVPN 2.1 (beta, but perfectly stable) supports CryptoAPI. We use it on a daily basis.
To use your existing PKI just give the OpenVPN server a copy of the CA. You can specify which clients can log in, if you don't want everyone on the CA to have access, by using CCD. Then place the following in your client configs:
You can copy/paste the <cert_thumb> from the certificate details in the Windows personal cert store.
Auto Enroll is a pain and it's been a while since I struggled with it. But it does work, eventually.
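An added example, not part of the original answer: a sketch of the setup described above, with the server trusting the existing CA and admitting only clients listed under CCD, and a Windows client taking its certificate from the personal store through CryptoAPI. File names, the address pool, the host name vpn.example.com, the CN "alice" and the port are assumptions; <cert_thumb> is the answer's own placeholder.

```conf
# --- server.conf (file names and addresses are assumptions) ---
port 443
proto tcp
dev tun
ca   existing-ca.crt      # copy of the existing PKI's CA certificate
cert server.crt           # server certificate issued by that CA
key  server.key
dh   dh.pem
server 10.8.0.0 255.255.255.0
client-config-dir ccd     # per-client files, named after the certificate CN
ccd-exclusive             # reject any client that has no file under ccd/

# --- ccd/alice (hypothetical CN "alice") ---
# An empty file is enough to admit this client; per-client
# directives may be added here.

# --- client.ovpn (Windows client) ---
client
dev tun
proto tcp
remote vpn.example.com 443
ca existing-ca.crt
# Replaces the usual cert/key pair: the certificate and private key
# stay in the Windows certificate store and are selected by thumbprint.
cryptoapicert "THUMB:<cert_thumb>"
# Assumes the server certificate carries the TLS server usage extension.
remote-cert-tls server
```

Without ccd-exclusive, every certificate issued by the CA is accepted, so the CCD directory only restricts access when that directive is present.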