Announcement

Collapse
No announcement yet.

File Security Settings

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • File Security Settings

    Not sure this is the right location for this post but here goes!
    We are running Windows Server 2003 with workstations on mix of win xp and win98. I want to protect certain files from being copied (as in backed up or copied to removable media fro security reasons) by users. However I still need users to be able to access the files in order to update / amend them.
    The files are mainly excel and xpress (accounts package) files. Any suggestions gratefully received.

    Mitch

  • #2
    Re: File Security Settings

    Only by hardware restrictions, I think. If a user can get to a USB drive on his PC, he can Save As... to that drive when the document is open in Excel or whatever. So no amount of software security on the server will suffice. therefore, you need to disable all optical writable drives and all USB ports, as well as removing all floppy drives (or disabling them), and not letting any other machine connect to your LAN.

    I'm discounting using GPO to prohibit Save As... to the local PC simply because you have W98 stations. Using GPO you could restrict access to the local machine so that nobody can save locally, but that isn't going to work in your environment.

    A worker at a security company here in the UK has told me approximately what they do: remove all floppy and CD drives from workstations, lock all the PC cases witha padlock, ban laptops coming in and out of the building, don't have wireless LAN, etc. etc. you can go as far as you like depending on the paranoia level.

    There is another post in these Petri forums that talks about disabling USB ports too - not sure how conclusive that is.

    I'm just saying that I don't think NTFS permissions are going to let you achieve your objective - it's got to be hardware lockdown.

    Also, what's stopping someone printing a file out and walking offsite with it? This is a difficult one to get 100% secure.
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

    Comment


    • #3
      Re: File Security Settings

      Thank you Paul very much for a very comprehensive answer.
      Does this mean that if we upgrade everyone to XP then by using GPO we can stop the users saving to local machine? Sorry for my ignorance I have just started using GPOs but where would I set these restrictions?

      Comment


      • #4
        Re: File Security Settings

        Yes, if you have Win2000 up computers on your domain, you can restrict allsorts of things on the local machine. You can highly manage and restrict what users do, even down to running only 1 application with no "Start" button! (that's called a Kiosk, by the way).

        If you read up on Common Scenarios which you can download you will be able to seriously restrict your end users computers

        BUT:

        Warning !!! Using the Common Scenarios group policy objects must be thoroughly tested out first. They need modifying to suit your environment and they are very powerful. Incorrect use of them can mess up the client PC totally. So, install a virtual PC to play with on the domain first, and do not rollout a Common Scenario GPO until you are convinced it will do what you want.

        I can't give you GPO instructions here to teach you all about GPO, so if you don't know much about Group Policy then do please read up on it a lot first, before you even download Common Scenarios as you do need to be pretty reasonable at editing GPOs and understanding them before you play with Common Scenarios.

        Happy hunting!
        Best wishes,
        PaulH.
        MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

        Comment


        • #5
          Re: File Security Settings

          Thanks again Paul!

          Comment

          Working...
          X