Re: Disabling "Save to FTP" on OFFICE 2000?

From: Ken B (none_at_microsoft.com)
Date: 02/08/05 

Date: Tue, 8 Feb 2005 14:35:53 -0500

If the computers are meant to be "secure" computers (containing confidential
info), you might consider taking them off the network, disabling the nic,
and making them standalone computers that are totally stand alone. Between
disabling the nic and usb ports, you won't have to worry about the "secure"
machines losing data. Oh yea, take out the floppy drive and cd rw if it has
one ;).

The only sucky downside to making a machine 'secure' in this manner is that
you've now dedicated a machine to being virtually (paradoxically) unusable
for normal work tasks--email, sharing files, etc.

::plink plink::

Ken

"Javier J" <no.mail@please.no> wrote in message
news:O0A8srfDFHA.208@TK2MSFTNGP12.phx.gbl...
> Hi!!
>
> I know that with users being local admins, this would be of no use. And
> re-reading my post, I see that I haven't made myself too clear. Sorry for
> that.
>
> The computers I want to secure will be placed in a separate OU, and the
> users that will use them will _NOT_ be local admins. That's why I'm
> investing time and effort researchin group policy, etc.
>
> We want to make sure (or at least, as sure as it's reasonably possible)
> that the users won't be able to take the info off the computers "no matter
> what". There is already a solution in place for the "local device"
> problem: We're using "Secuware Security Framework" for local security.
> Among other things, the software enables the domain admin to set all the
> external devices on a computer as "encrypted", so all info to/from them is
> encrypted. That takes care of the "portable USB Drive" problem.
>
> The issue is, we don't want the files from moving about, even within the
> internal network. The reference to the number of local admins present is
> to show that there is quite a number of people who might be able to save
> the files to a CD/Pen Drive, or similarly make use of them. And when users
> are Local Admins, the possibility of rogue FTP Servers exist, and has to
> be taken into account.
>
> The problem with "banning" VMWARE is that, first of all, the client has
> 1500+ employess in 6 (IIRC) buildings, and fairly old buildings at that,
> so it's not easy to see who "uses" VMWARE. Remember, it only takes a few
> minutes to do this. Of course, those who have rogue FTP servers will be
> disciplined... when caught. Equally those who use VMWARE and shouldn't be
> doing so.... But this is all after the fact, and we'd like to stop the
> information from leaking in the first place ;)
>
> Hope this makes the situation clearar. Thanks for the time and your
> opinions, and I look forward to any further input you care to offer.
>
> Paul Adare wrote:
>> In article <#uW94WcDFHA.3120@TK2MSFTNGP12.phx.gbl>, in the
>> microsoft.public.win2000.security news group, Javier J
>> <no.mail@please.no> says...
>>
>>
>>>Don't worry. Somebody sent me this link:
>>>http://homepages.wmich.edu/~mchugha/w2kfirewall.htm
>>>that shows the way...
>>
>>
>> Given the fact that the majority of the users are local admins, the above
>> will accomplish exactly nothing. Admin users can simply turn this off.
>> I don't understand the specific concern about saving to FTP locations in
>> the first place. As others have pointed out, you can block access to
>> external FTP sites easily with any half decent firewall. Who cares if
>> they save to internally located FTP sites? Where's the risk? They could
>> just as easily save to a USB/Firewire device and walk out with the files.
>> Where's the additional risk involved in saving to an internal FTP site?
>> Again, as others have pointed out, this seems to be a problem that
>> doesn't really have a good technical solution. This should be covered by
>> written and _enforced_ security and acceptable use policies. Any user
>> caught with VMWare on their systems will be disciplined. Any user caught
>> running an unauthorized FTP server will likewise be disciplined...
>>

Relevant Pages

  • Re: Disabling "Save to FTP" on OFFICE 2000?
    ... If the computers are meant to be "secure" computers (containing confidential ... > I know that with users being local admins, this would be of no use. ... those who have rogue FTP servers will be ...
    (microsoft.public.office.misc)
  • Re: Disabling "Save to FTP" on OFFICE 2000?
    ... If the computers are meant to be "secure" computers (containing confidential ... > I know that with users being local admins, this would be of no use. ... those who have rogue FTP servers will be ...
    (microsoft.public.win2000.group_policy)
  • Why Easy To Use Software Is Putting You At Risk
    ... Anyone who has been working with computers for a long time will have noticed ... because DNS does not configure properly or security permissions are relaxed ... Is It Also Secure ... guarantee that no one really knows for sure, not even Microsoft developers. ...
    (Security-Basics)
  • Re: Add another domain user group to local administrators of all computers in an OU with removing ot
    ... If you have a group "mylocaladmins", which is added to restricted groups, with user1, user2 and user3 you can add or remove accounts to this group without effecting the other users in the group, they will still be local admins. ... But if you have so different needs with separating computers, you have to do a good planning before, what you will achive in for which users/groups. ... Select add on the Members of this group and then add the members ...
    (microsoft.public.windows.server.active_directory)
  • Re: Hlp - DB security mystery
    ... One of the other computers has as well, ... I triple checked the mdw and the Users group has NO ... to secure, including creating a brand new mdw. ... The database in on a network share to which only my group and I have access. ...
    (microsoft.public.access.security)