
new permissions question

Discussion in 'Windows Home Server' started by Kim K, Apr 28, 2009.

  1. Kim K

    Kim K Guest

    Good morning, I know that I can grant special permissions to disallow
    delete, rename etc, but am faced with a new issue.

    The office owners want me to lock the data all down, basically, I have
    several folders on the server that I can grant special permissions to - but
    can I prevent it from being copied to another location such as a USB or a CD?
    I personally think that I cannot disallow the CD burning, unless I
    disconnect the power to the CD rom, and as far as the USB, they use them, and
    I can not disable USB in BIOS if they are using them. Any other ideas?

    Thanks!
     
  2. "Kim K" <KimK@discussions.microsoft.com> wrote in message
    news:E3122BDE-57C4-4C76-B98B-F52170E516F1@microsoft.com...
    > Good morning, I know that I can grant special permissions to disallow
    > delete, rename etc, but am faced with a new issue.
    >
    > The office owners want me to lock the data all down, basically, I have
    > several folders on the server that I can grant special permissions to - but
    > can I prevent it from being copied to another location such as a USB or a CD?
    > I personally think that I cannot disallow the CD burning, unless I
    > disconnect the power to the CD rom, and as far as the USB, they use them, and
    > I can not disable USB in BIOS if they are using them. Any other ideas?
    >
    > Thanks!


    If your users can read a file then they can copy it. You can't have one
    without the other.
     
  3. Frankster

    Frankster Guest

    > The office owners want me to lock the data all down

    What you are facing is "physical security". Probably the 1st defense is
    physical security. This is because, when you have physical access to a
    machine you can circumvent virtually all file-based security measures. This
    is why you will find Servers in "Server Rooms" and/or "Data Centers" and not
    under a user's desk, in enterprise installations.

    I think you're gonna have to explain to the "owners" the "physical security"
    threat. And that for items where you can't have total physical security
    (i.e. workstations - and even servers sometimes) you're gonna need a written
    "Security Policy". A Security Policy with potential termination as a
    consequence of ignoring or circumventing the "rules".

    Just my opinion.

    -Frank
     
  4. Kim K

    Kim K Guest

    Thank you for both responses. I wanted to confirm my thinking was correct,
    and that I was not overlooking something I could do.

    I have long told them that they need a good user agreement and
    confidentiality policy, but they say that does no good as the data can still
    be taken from the office. They asked me last week how big banks, and health
    orgs do it and I said with a good policy!

    At this point in time I think I can only tell them that

    1. I will disable the power on each individual workstation's CD ROM drive,
    however that will prohibit me in the future to load something unless I can use
    another way to install (say from the server).
    and to
    2. Either I take away rights on the server folders - or I disable the USB
    in the BIOS. However that does not prohibit them from attaching to email any
    documents and sending to themselves outside the office.

    They basically wanted me last week to make them a "read only" computer and
    my response was to take away the network on the workstation and use it as a
    stand alone, but that takes all functionality away from the business.

    At least I swayed them to leave right click alone, they wanted that disabled
    and the mouse reconfigured to either mock left click or disable right click
    then to run MMC on the individual workstation, and hide the mouse program in
    control panel............

    See what I am up against?
     
  5. Hello Kim,

    I personally think the main issue should not be about who copies/downloads
    documents but should be who can have read access to them.

    This is impossible. Even if you disable power on the CD ROM drive (the best way
    might be to use GPO to disable the CD ROM drive), users can still use USB to copy
    data (unless you want to disable this via GPO as well), then they can email
    files to themselves using their non-corporate email etc...
    The dilemma is that you want to make users as productive as possible, but at
    the same time take away resources that might make them productive; it has to
    be either or.

    Anyway, my suggestion is for you to look into SharePoint where you can track
    who accesses what document and why etc. You mentioned banks and
    healthcare etc, well they enforced security by making sure that only people
    who need certain documents have access to them; the fewer people have access
    to sensitive docs the easier to identify who did what if it comes to that
    case. You can have employees sign confidentiality agreements etc... that is
    what most corporates do anyways.

    Lastly, if you want to invest more in security, then you can use encryption
    and any copied doc becomes useless, but users can still print it... etc.

    Isaac
     
  6. Kim K

    Kim K Guest

    Hi again Isaac,

    Thanks for the post, yes I have been going over this with the business for
    several days, and my train of thought was exactly yours, in regards to
    disabling CD ROM - then USB (and of course all printers and other devices to be
    productive with it) and limit email size but that does not allow for non
    corp email accounts like yahoo or hotmail. You are 100% correct.

    When I asked about who needs access to shared drives, the way it is set up
    currently is the way they want it, however they want the employees to be able
    to open and read a document, perhaps edit it, but not copy it or email it,
    which can be copied to a flash or saved as, to their desktop. So again as I
    see it, either they have access to read and copy or none at all.

    I will look into SharePoint however I am not familiar with it, so I will have
    to read up on it, but will it limit access or just track?
     
  7. Hello Kim,

    I haven't looked in detail at what SharePoint can and can't do. I forgot
    to mention Adobe in my last post. Adobe might be the closest for you
    to achieve what you intend on doing. Adobe can prevent everything you
    mention, no download, no print etc. But you will have to convert all documents
    to Adobe etc.

    Isaac
     
  8. Kim K

    Kim K Guest

    Adobe professional?
     
  9. Kim,

    Yes, Adobe Professional.. The document owner can basically prevent anyone
    from saving, printing, etc

    --
    Isaac Oben [MCTIP:EA, MCSE]
     
  10. "Isaac Oben [MCITP,MCSE]" <isaac.oben@nospam.gmail.com> wrote in message
    news:uOE3CKOyJHA.1092@TK2MSFTNGP06.phx.gbl...
    > Kim,
    >
    > Yes, Adobe Professional.. The document owner can basically prevent anyone
    > from saving, printing, etc


    . . . but he cannot prevent people from printing screen shots and he
    probably cannot prevent them from copying the file at a disk level.
     
  11. DaveMills

    DaveMills Guest

    On Wed, 29 Apr 2009 18:06:01 +0200, "Pegasus [MVP]" <news@microsoft.com> wrote:

    >
    >"Isaac Oben [MCITP,MCSE]" <isaac.oben@nospam.gmail.com> wrote in message
    >news:uOE3CKOyJHA.1092@TK2MSFTNGP06.phx.gbl...
    >> Kim,
    >>
    >> Yes, Adobe Professional.. The document owner can basically prevent anyone
    >> from saving, printing, etc

    >
    >. . . but he cannot prevent people from printing screen shots and he
    >probably cannot prevent them from copying the file at a disk level.
    >

    Nor from taking the copy home and opening it with 3rd party tools that advertise
    their ability to read PDF files that are password protected etc.


    --
    Dave Mills
    There are 10 types of people, those that understand binary and those that don't.
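
Added example, not part of the original thread: the replies come back to the point that whoever can read a file can copy it, so the control that remains is reviewing who holds read access on each shared folder. The script below parses `icacls`-style output for a known set of folders, lists the principals whose allow entries include read rights, and flags broad groups. The folder paths, the `OFFICE\` names, the sample output and the list of broad groups are constructed assumptions; group membership is not expanded and deny entries are only skipped, not subtracted.

```python
import re

# icacls rights (simple and specific) that include reading file data.
READ_RIGHTS = {"F", "M", "RX", "R", "RD", "GR", "GA"}
# Inheritance markers, printed in the same parenthesised form as rights.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Groups that in a small office mean "nearly everybody" (assumed list).
BROAD_PRINCIPALS = {"everyone", "builtin\\users",
                    "nt authority\\authenticated users"}

# One ACE as icacls prints it: PRINCIPAL:(flag)(flag)(rights)
ACE_RE = re.compile(r"^(?P<principal>[^:()]+):(?P<groups>(?:\([^)]*\))+)$")


def parse_icacls(text, paths):
    """Return {path: [(principal, rights_set, is_deny), ...]}.

    `paths` are the folders that were queried. Passing them in avoids
    guessing where a path containing spaces ends and the first ACE begins.
    """
    acls = {p: [] for p in paths}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Successfully processed"):
            continue
        if not raw[0].isspace():
            # A new object starts here; continuation lines are indented.
            current = None
            for p in sorted(paths, key=len, reverse=True):
                if line.startswith(p + " "):
                    current, line = p, line[len(p):]
                    break
        m = ACE_RE.match(line.strip())
        if current is None or m is None:
            continue  # unknown path or a line that is not an ACE
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        rights = set()
        for g in groups:
            if g in INHERIT_FLAGS or g == "DENY":
                continue
            rights.update(r.strip() for r in g.split(","))
        acls[current].append(
            (m.group("principal").strip(), rights, "DENY" in groups))
    return acls


def review(text, paths):
    """Per folder: who can read (and therefore copy), and which are broad."""
    report = {}
    for path, acl in parse_icacls(text, paths).items():
        readers = sorted(p for p, rights, deny in acl
                         if not deny and rights & READ_RIGHTS)
        broad = [p for p in readers if p.lower() in BROAD_PRINCIPALS]
        report[path] = {"readers": readers, "broad": broad}
    return report


# Constructed sample in the style of `icacls <folder>` output.
SAMPLE_PATHS = [r"D:\shares\Client Files", r"D:\shares\Payroll"]
SAMPLE_ICACLS = r"""D:\shares\Client Files BUILTIN\Administrators:(OI)(CI)(F)
                       OFFICE\Partners:(OI)(CI)(M)
                       BUILTIN\Users:(OI)(CI)(RX)
                       Everyone:(R)
                       OFFICE\Temp1:(DENY)(R)

D:\shares\Payroll BUILTIN\Administrators:(OI)(CI)(F)
                  OFFICE\Bookkeeper:(OI)(CI)(M)
                  OFFICE\Reception:(OI)(CI)(W)

Successfully processed 2 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, info in review(SAMPLE_ICACLS, SAMPLE_PATHS).items():
        print(path)
        print("  can read/copy:", ", ".join(info["readers"]))
        if info["broad"]:
            print("  review broad grants:", ", ".join(info["broad"]))
```
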
     
