SHARES !!!

Andy

Hi, I am really hoping that someone can help me in my
quest !! We have set up an archive server so that all of
our old data is available to view online as it were.
Permissions are for read only to stop users from just
taking what they want rather than going through the
process of bringing data live again. The problem is that
even though there is only a read permission, Windows 2000
Server does not stop people from cutting and copying
files !!! Obviously this is a massive problem for us. Any
suggestions would be greatly appreciated. Am I missing
something or is there a third party bit of software that
will close this loophole?

regards

Andy Boorman
 
Michael Bednarek

> Hi, I am really hoping that someone can help me in my
> quest !! We have set up an archive server so that all of
> our old data is available to view online as it were.
> Permissions are for read only to stop users from just
> taking what they want rather than going through the
> process of bringing data live again. The problem is that
> even though there is only a read permission, Windows 2000
> Server does not stop people from cutting and copying
> files !!! Obviously this is a massive problem for us. Any
> suggestions would be greatly appreciated. Am I missing
> something or is there a third party bit of software that
> will close this loophole?

This is rather complicated.

1. Create a new group, say Archive Readers; make all the individuals
whom you want to have List Only Access members of that group. (This is
to prevent Administrators being denied - see step 6.)

2. Right click the "root" directory of your Archive; select Security.

3. Remove all groups, except Domain Admins, SYSTEM and such, from the
security tab of that directory.

3. Add the group from step 1 (Archive Readers) to the Security Groups.

4. Tick Allow: List Folder / Read Data in the Advanced dialogue; apply
to "This folder and subfolders".

5. Add the group from step 1 (Archive Readers) to the Security Groups
again.

6. Edit that group's setting and tick Deny: List Folder / Read Data;
apply to "Files only".

I think this will work. Note that Deny will override Allow in case an
individual is a member of several groups, so Domain Admins and such
should not be members of the Archive Readers group.

Let us know how you go.
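
The effect of steps 1 to 6, and of the Deny-over-Allow note, can be checked with a small model of the access check. This is an added illustration in Python, not part of the original post and not Windows code; the ACE table, the function names and the reduction of Domain Admins' rights to a single read bit are assumptions made for the example.

```python
# Simplified model of the NTFS access check for the scheme in the post above.
# Constructed illustration: it ignores ownership, privileges and share permissions.
FILE_READ_DATA = 0x0001  # the same bit means "List Folder" on a directory

# (type, group, mask, applies_to) as the ACEs would sit after steps 1-6.
# Deny entries come first, as in the canonical order Windows writes.
ARCHIVE_DACL = [
    ("deny",  "Archive Readers", FILE_READ_DATA, "files"),    # step 6: Files only
    ("allow", "Archive Readers", FILE_READ_DATA, "folders"),  # step 4: folders
    ("allow", "Domain Admins",   FILE_READ_DATA, "both"),     # left in place (step 3)
]

def access_check(groups, kind, desired, dacl=ARCHIVE_DACL):
    """Walk the ACEs in order: a deny on a still-wanted bit fails the request,
    and the request succeeds once every wanted bit has been allowed."""
    remaining = desired
    for ace_type, group, mask, applies_to in dacl:
        if group not in groups or applies_to not in (kind + "s", "both"):
            continue  # ACE is for another group or another object type
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False  # no ACE granted the remaining bits

def can_list(groups):
    """Browse the archive's folder tree."""
    return access_check(groups, "folder", FILE_READ_DATA)

def can_open(groups):
    """Open a file in the archive."""
    return access_check(groups, "file", FILE_READ_DATA)

def can_copy(groups):
    # A copy is a read on the archive plus a write somewhere the user already
    # controls, so the archive's ACL only ever sees the read.
    return can_open(groups)

if __name__ == "__main__":
    for who in ({"Archive Readers"}, {"Domain Admins"},
                {"Archive Readers", "Domain Admins"}):
        print(sorted(who), can_list(who), can_open(who), can_copy(who))
```

An account in both groups loses file access, which is the reason for keeping Domain Admins out of Archive Readers, and `can_copy` never differs from `can_open`, which is the point made in the reply that follows.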
 
Paul Adare

microsoft.public.win2000.security news group, Michael Bednarek <mb at
mbednarek dot com> said:
> This is rather complicated.

Actually, it is impossible with just NTFS permissions. If someone is
able to read a file, they are able to copy it. Period.

Andy, you might want to have a look at the new Rights Management
Service. Details on the Microsoft web site.
 
Michael Bednarek

> microsoft.public.win2000.security news group, Michael Bednarek <mb at
>
> Actually, it is impossible with just NTFS permissions. If someone is
> able to read a file, they are able to copy it. Period.

That's a truism (of which the OP obviously needs reminding).

However, if List Files Access to the OP's Archive would be sufficient,
my approach works. It allows files to be listed, but not read.

I only did some rudimentary testing on this scheme and would be
interested to know how feasible it is in real life.
 
Paul Adare

microsoft.public.win2000.security news group, Michael Bednarek <mb at
mbednarek dot com> said:
> That's a truism (of which the OP obviously needs reminding).
>
> However, if List Files Access to the OP's Archive would be sufficient,
> my approach works. It allows files to be listed, but not read.

Andy said:

=============
Hi I am really hoping that someone can help me in my
quest !! we have set up an archive server so that all of
our old data is available to view on-line as it were.
=============

Not really sure how you can make the leap from "all of our old data is
available" to "we don't need them to see the contents of the files, just
the file names themselves".

> I only did some rudimentary testing on this scheme and would be
> interested to know how feasible it is in real life.

If all you need to see is the file names, then I don't really see the
point of your scheme. An easier method would be to make the files
totally unavailable, run a dir /s > filelist.txt and then simply make
filelist.txt available.
 
Michael Bednarek

> microsoft.public.win2000.security news group, Michael Bednarek <mb at
>
> Andy said:
>
> =============
> Hi I am really hoping that someone can help me in my
> quest !! we have set up an archive server so that all of
> our old data is available to view on-line as it were.
> =============
>
> Not really sure how you can make the leap from "all of our old data is
> available" to "we don't need them to see the contents of the files, just
> the file names themselves".

I made that leap out of necessity. As you pointed out, and as should
be obvious to anyone, if a file can be read, it can be copied. So I
thought the next best thing is to let them list file names.

> If all you need to see is the file names, then I don't really see the
> point of your scheme. An easier method would be to make the files
> totally unavailable, run a dir /s > filelist.txt and then simply make
> filelist.txt available.

That's exactly how I do it here, too. However, in my experience some
users are more comfortable to use Explorer to look at a real
directory/file structure than opening and perusing a .txt file.

Some feedback from the OP would be helpful. I feel that you and I have
now spent more time on his problems than he ever did.
 
Andy

Thanks Michael

put it all in place and bingo !!! no copying or cutting
but unfortunately cannot open the files to read either !!!
damn was so close...............any ideas ???

regards

Andy
 
Guest

Thank you gentlemen, was worth a go and I appreciate your
feedback. My technical guru also said that just using NTFS
permissions it would not be possible..........is it just
me or does this seem to be a bit slack ???

Will check out the rights management stuff but if anyone
knows of some third party add on that can resolve my
issue I would be eternally grateful

cheers
 
Michael Bednarek

> Thanks Michael
>
> put it all in place and bingo !!! no copying or cutting
> but unfortunately cannot open the files to read either !!!
> damn was so close...............any ideas ???

As was said before: if a file can be read, the client can save it.

This is probably a bit drastic: With Macintoshes as workstations and
Netware as a NOS, you could protect _executables_ (set file attribute
Execute Only) from being copied, but that's about it.
 
Guest

Our users require the ability to open files that are
archived as often these old engineering drawings need to
be referred to but I do not want to keep all of our old
data on the file server just for the sake of viewing them.
I may change permissions to our file server so no user can
create a root folder, but can create subfolders. That way
if files are cut, copied from the archive they cannot be
pasted into the file server unless the folder cut from has
been recreated on the file server, confusing I know but
just trying to keep everyone happy with minimal risk of
duplicating files or overwriting.

regards
 
Guest

I use terminal services so if they copy the file, they can only copy it to a safe location.
I also set the files to read only so they cannot modify them.
Basically they just run the terminal services client from the workstation which cannot save to the local drive.
It works great for all the old drawings and documents that are sensitive information but need to be referred to.

Hope this helps,
Admin Guy

----- Michael Bednarek wrote: -----

> > Thanks Michael
> > but unfortunately cannot open the files to read either !!!
> > damn was so close...............any ideas ???
>
> As was said before: if a file can be read, the client can save it.
>
> This is probably a bit drastic: With Macintoshes as workstations and
> Netware as a NOS, you could protect _executables_ (set file attribute
> Execute Only) from being copied, but that's about it.
 
