restricting copying

Bill Brehm

Hi. We keep our data files on a server and have workstations to access the
data. I would like to arrange security so that staff can access the files
with the applications they need to work on the data. But I would like to
prevent the staff from copying the files to a USB drive or burning files to
a CDROM or DVDROM or any other methods that they could use to bring the data
out of the company.

Are there any settings in XP or programs I can install to help prevent
removal of data that doesn't need to be accessed by them as part of their
work?

The main application, btw, is Solidworks (CAD).

Thanks...
 
Shenan Stanley

Bill said:
Hi. We keep our data files on a server and have workstations to
access the data. I would like to arrange security so that staff can
access the files with the applications they need to work on the
data. But I would like to prevent the staff from copying the files
to a USB drive or burning files to a CDROM or DVDROM or any other
methods that they could use to bring the data out of the company.

Are there any settings in XP or programs I can install to help
prevent removal of data that doesn't need to be accessed by them as
part of their work?

The main application, btw, is Solidworks (CAD).

They can OPEN and WORK WITH these files - as well as save them back in their
original location?
Do the machines they utilize have access to the Internet?

If they can open and save these files someplace other than where they were
originally opened from - from within the application they use to manipulate
them - I don't know of any way to keep them from copying them someplace - by
Internet email, internet upload, USB key, CD burning, DVD burning, network
file transfer to another computer they have more control over, etc. You'd
have to have control over everything that computer they use and the server -
full and complete control. Even then - I think it might be a bit
unrealistic.
 
Steven L Umbach

If a user is running the application locally on their workstation it is next
to impossible to prevent some form of copying that could include printing
data, photographing the monitor, emailing the data, etc.

To minimize the chance of actually taking data files outside the network
you could consider using Terminal Services to run the application making
sure that clients cannot redirect their hard drives, copy to clipboard,
access the internet, or be able to save files to any computer that they have
physical access to that has access to USB, cdrom/dvd, internet, etc. Other
options include having all their workstations in a computer safe that only
allows the cables out to their keyboard/mouse/monitor, or otherwise making
sure they don't have access to their computers innards and plugging all
USB/firewire/etc ports with epoxy or such and making sure computer does not
have writeable cdrom/dvd drives or have internet access.

Also implementing user access according to principle of least privilege will
help prevent data that the user does not need access to from being stolen.
That can be done by managing user group membership so that user is not a
member of privileged groups unless there is no other option and that users
do not have permissions to shares/folders that he does not need access to in
order to do his job and making sure that computers that contain any
sensitive data are physically secured to some degree.

Steve

http://technet.microsoft.com/en-us/library/bb456992.aspx --- Principle of
least user privilege
http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml ---
basics of share and NTFS permissions
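
Added example, not part of any post in this thread: a Python check of the Terminal Services redirection restrictions Steve describes (drives, clipboard, and the related printer and port channels). It assumes the policy values were exported from the terminal server with `reg query`; the sample output below is constructed, and internet access and physical ports are outside what it checks.

```python
import re

# Policy values under
# HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services.
# 1 means the policy blocks that redirection channel. 0 or a missing
# value means policy does not block it, so the per-connection settings
# decide and the channel has to be reviewed by hand.
CHANNELS = {
    "fDisableCdm": "client drive redirection",
    "fDisableClip": "clipboard redirection",
    "fDisableCpm": "client printer redirection",
    "fDisableCcm": "COM port redirection",
    "fDisableLPT": "LPT port redirection",
}

# One value line of `reg query` output: name, type, hex data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Return {lower-cased value name: int} for every REG_DWORD line."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = int(m.group(2), 16)
    return values

def unblocked_channels(text):
    """List (value name, channel, reason) for channels policy does not block."""
    values = parse_reg_query(text)
    findings = []
    for name, label in CHANNELS.items():
        state = values.get(name.lower())  # registry names are case-insensitive
        if state != 1:
            reason = "not set by policy" if state is None else "set to %d" % state
            findings.append((name, label, reason))
    return findings

# Constructed sample of `reg query` output, for illustration only.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    fDisableCdm    REG_DWORD    0x1
    fDisableClip    REG_DWORD    0x0
    fDisableCpm    REG_DWORD    0x1
    MaxIdleTime    REG_DWORD    0xdbba0
"""

if __name__ == "__main__":
    for name, label, reason in unblocked_channels(SAMPLE):
        print("REVIEW: %-13s %s (%s)" % (name, label, reason))
```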
 
