Re: Deny access to copy files



Hi,

Even if you have special COPY permission in NTFS, any user with READ
access will open the file and just use Save As to save it anywhere, or
just write a small code, possible in any programming language, to read
file and write a new file. So COPY thing is useless, MS is intelligent
enough.

Regards,

On Fri, Jun 20, 2008 at 12:39 AM, Michael P. Carter
<mcarter@xxxxxxxxxxxxxxx> wrote:

Also, the NTFS permission READ will allow anyone with that permission to
also copy (the EXECUTE part allows them to launch the appropriate
program to open the file), so the Windows permissions don't meet your
security needs (it's something that we've been harassing Microsoft about
for more than a decade - separate permissions for READ and COPY)).

Michael P. Carter
Network Manager
mcarter@xxxxxxxxxxxxxxx
562-498-6888

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Atif Azim
Sent: Wednesday, June 18, 2008 11:44 PM
To: GSO GSO
Cc: James Finnican; Kevin Ortloff; Ahmed Khalid;
focus-ms@xxxxxxxxxxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: Deny access to copy files

Indeed a technical control is not the only thing you should be looking
forward to in such a scenario.First, you need to set your policies
straight and results for non-compliance leading to consequences for
leaking intellectual property. When looking forward to technical
controls, checkout McAfee Data loss Prevention (DLP).It addresses
issues related to source code leakage as well. Go to

http://www.mcafee.com/us/enterprise/products/data_loss_prevention/data_l
oss_prevention.html

and also see the flash demo at

http://www.mcafee.com/us/local_content/demos/dlp_technical_demo/dlp_flas
h_demo.html

Regards,
Atif Azim






On Wed, Jun 18, 2008 at 1:16 AM, GSO GSO <gso.gsecur@xxxxxxxxx> wrote:
DeviceLock is a great program. Besides the very granular permission
levels, I have also like the fact I can create temporary access codes.
So if an individual needs access to a USB device for an hour or even
a month, I can give it to them.

B

http://GovernmentSecurity.org

On Tue, Jun 17, 2008 at 2:43 PM, James Finnican <jfinnica@xxxxxxxx>
wrote:
DeviceLock and, disable access to the internet with exception to
accepted resources, Wiki's subscribed sites. You can do this from IE
directly or, configure it at the firewall if it allows.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Kevin Ortloff
Sent: Friday, June 13, 2008 9:31 AM
To: Ahmed Khalid; focus-ms@xxxxxxxxxxxxxxxxx
Cc: security-basics@xxxxxxxxxxxxxxxxxxxxxxx
Subject: RE: Deny access to copy files

If you don't mind spending a 2-3 thousand, there is a good product
called ' DeviceLock '. This is a global policy enforcer that will
restrict activates on USB, External Storage, etc, etc.. You can be very
specific too like only a certain kind of thumb drive can be used by a
particular individual ( this allows you to control who has the ability
to even use an approved drive ). Or, maybe you only want read, but no
write. You can do that too.

Anyway, hope that helps. I'm sure there are other apps that can do
this. I liked DeviceLock when I did my evals.



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Ahmed Khalid
Sent: Sunday, June 01, 2008 11:20 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Cc: security-basics@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Deny access to copy files

I am working for a software house, they are developing a software
product and their requirement is to restrict programmers to take the
code out of office premises due to company policy. I am trying to
configure a windows based machine which denies access to copy files to
external storage devices connected to USB. There is an NTFS permission
"Read + Execute" I guess this could do the work but is there any other
way to do it?

They also don't need programmers to take the code with them in their
email.
I can restrict SMTP and POP ports but when it comes to web based
emails I am clueless, How can I restrict web based emails like hotmail,
gmail, yahoo there are so many of these and if I somehow manage to block
all web based email sites someone can write a script to send emails, if
not a script HTTP tunneling would bypass any checks and bounds defined
by my proxy/gateway machine. How can I block such thing?

Any help would be highly appreciated.

Regards,
Ahmed Khalid




This email, its contents and attachments contain information from j2
Global Communications, Inc. and/or its affiliates which may be
privileged, confidential or otherwise protected from disclosure. The
information is intended to be for the addressee(s) only. If you are not
an addressee, any disclosure, copy, distribution, or use of the contents
of this message is prohibited. If you have received this email in error
please notify the sender by reply e-mail and delete the original message
and any copies. j2 Global Communications. 6922 Hollywood Blvd.,
Hollywood, CA 90028.




--
Security/Hacking Paper Contest Win $100
http://GovernmentSecurity.org




--
("There are only 10 kinds of people in this world: those who know
binary and those who don't.")

Shreyas Zare
Co-Founder, Technitium
eMail: shreyas@xxxxxxxxxxxxxx

..::< The Technitium Team >::..
Visit us at www.technitium.com
Contact us at theteam@xxxxxxxxxxxxxx

Technitium Personal Computers
We believe in quality.
Visit http://pc.technitium.com for details.



Relevant Pages

  • Re: cloning /reseal process clonges the user priviliege
    ... nothing suspecious as far as NTFS permission settings. ... file BEFORE the cloning and AFTER the cloning. ... setting has been reset back to "do not show hidden files and folders" ...
    (microsoft.public.windowsxp.embedded)
  • Re: Corrupt mp3s problem
    ... If the normal user starts the mp3 player, it runs with their UID and does not have permission to alter other users files. ... Most Windows users, if not forced to do otherwise by their sysadmin, log on as an administrator, because some fairly common programs can't run in a restricted user account. ... I've got legitimate access to a program to recover any and all passwords on any NTFS file system I use & it only takes a minute or two to run. ...
    (rec.audio.pro)
  • Re: Corrupt mp3s problem
    ... Only if they have permission to do so. ... Even XP Home, while it has some of the security GUI removed, still has ... The FAT file system is intrinsically insecure, & NTFS isn't much better. ... I have an NTFS password scrub disk as well. ...
    (rec.audio.pro)
  • Re: always being prompted for username/password??!!??
    ... My guess is that you're lacking either NTFS read permission on the ... folder or file that you are trying to access has the apropriate NTFS ... I have a win2k3 server box and winxp box on a network - very ...
    (microsoft.public.inetserver.iis.security)
  • RE: NTFS Security
    ... I understand that you want to generate a NTFS ... permission report for each user on the data drive. ... Online Partner Support ...
    (microsoft.public.windows.server.sbs)