Solved

Make Files Uncopyable

Posted on 2001-08-29
22
6,520 Views
Last Modified: 2013-12-28
We have some very sensitive files which we want to make available for viewing to users that have directory permissions, but I want to only allow them to look at the files, not to be able to copy them off to a disk.  I've tried making the files and the directories read-only, plus I tried the special permissions and selected read-only, but I can still copy the files.  Any ideas?
0
Comment
Question by:zschwed
22 Comments
 
LVL 6

Expert Comment

by:xSinbad
ID: 6439227
I don't suppose you are on a Novell network?
0
 
LVL 3

Accepted Solution

by:
Roscoe earned 100 total points
ID: 6439419
As xSinbad has suggested, short answer is no. DEC & IBM (mainframes) and NetWare systems have much tighter security than NT and UNIX.

The real problem here is the application being used to open the file. Off the top of my head, I would suggest use of a third-party viewer program accessible by the users of this group only, with a custom mapping to the directory where the data is stored. Tricky part would be how to prevent cut and paste....

Only method I can think of is embedding the viewer into an app launched via a browser, and the files rendered into HTML or variants thereof - the page permissions (as part of the page layout) can therefore be REALLY tightened down, even to the point of preventing printing....

Regards...
0
 
LVL 1

Expert Comment

by:rootnash
ID: 6439696
Setting the director(y/ies) or file(s) to READ-ONLY only prevents writing/appending/changing/creating files/directories. Just like a CD-ROM, you can view/copy files but cannot create/save (new) files.

About your problem, just like the others say, it isn't (currently) available in Windows technologies.... A third-party viewer program is a good suggestion!
0
 
LVL 10

Expert Comment

by:Longbow
ID: 6439797
Hi,

Select the permissions Read and Execute.

Longbow
0
 
LVL 10

Expert Comment

by:Longbow
ID: 6439804
First select "Special Permissions"
I have done this on a directory, not on a file.

Longbow
0
 
LVL 28

Expert Comment

by:vinnyd79
ID: 6440347
I recently had a need to do the same thing. I wrote a program for the boss to encrypt files into a directory on the network. I set permissions on the directory for the users who needed to access the files. I then created a viewer program that decrypted the files and does not allow cut, copy, paste, print, or save. I also created a program I called key.exe that hides a registry key. The viewer checks for this key, and if it does not exist the program will not start. I also hardcoded a check for IP address in the viewer as well.
0
 
LVL 3

Expert Comment

by:Roscoe
ID: 6440543
I like that one, vinnyd79... obviously great minds think alike <grin> (- please don't continue the rest of that Shakespeare quote)... my only quibble would be to have the ability to toggle the IP address checking - does no good if the network uses DHCP
0
 
LVL 28

Expert Comment

by:vinnyd79
ID: 6440595
Roscoe, I use DHCP also and it works fine. I am actually checking to make sure the machine is on a certain subnet by checking the first 3 bytes of the IP (192.5.3.). I am not checking the fourth, so as long as they are on the certain subnet it will work. Even if I checked the entire IP address it would still work for me, as the PCs always get the same IP address from the DHCP server unless I renew the lease.
0
 
LVL 3

Expert Comment

by:Roscoe
ID: 6440682
That's cool... I'm used to having to allow for clients' short lease environments due to laptops, plus logins from different sites... but if the environment is stable, sure, no problem!!
0
 

Author Comment

by:zschwed
ID: 6442233
Aside from having a custom app written (no bucks available), I've already tried the other suggestions, except for Roscoe's.

I'm intrigued with embedding the viewer in a browser.  Specifically, these are TIF images of documents.  We view them with the Kodak Image Viewer that comes with Win98.  How would this viewer be embedded into IE?  If this is possible, how do you then enforce the "no copy" restriction?
0
 
LVL 3

Expert Comment

by:Roscoe
ID: 6443186
Hmm, the lack of bucks may be an issue.... here are my thoughts:

There are a number of plugins available that allow you to view TIF(F) files - do a search on google using the string "tif viewer browser plugin" - some of them are free or nearly so.

The problem is controlling what someone can do with the files once they're pulled down to the desktop. Your standard browser allows anyone to print and/or save the file to wherever he/she has rights. I know that there are ways of constructing a custom version of IE that is "stripped out" of all capabilities (which may make you run into dollars issue again)... but someone who is knowledgeable can (unless blocked by a policy, I guess) even get around that by doing a print screen...

Based on the constraints you've outlined, I can't see any way of doing this without SOME sort of development dollars....

Anyone else have a suggestion?
0

 
LVL 10

Expert Comment

by:HDWILKINS
ID: 6443820
Native NT (as you know) does not support this function.  From the server's point of view, there isn't any difference between having an application read the data, or printing or copying the data.  It's all a read function.

Regarding some of the other suggestions, my feeling is that if you can see it on the screen, you can copy it, one way or another (at least I know I could).

Why don't you remove the floppy drives from the workstations?  Prohibit non-corporate e-mail and restrict the sending of attachments.  Sounds like a restrictive environment to me but that's about the only way you can secure your data - even then, someone could bring in a zip drive.

How serious are you about this?  Can you be more specific about what the files contain?  Are they documents or tables or what?  I guess I could write a program that would encrypt the data into a database and unencrypt it to the screen (not hard to do) but then any screen capture program could capture the image and print it.

But, at least they couldn't copy the raw data or if they did, it would be unreadable.

HW
0
 
LVL 10

Expert Comment

by:Longbow
ID: 6443923
zschwed,

I have tried my above answer again.

From the DIRECTORY
Set permissions Read and Execute in Special File Access

It works !
0
 

Author Comment

by:zschwed
ID: 6446361
Thanks for the great replies!

Longbow:  This was one of the options I tried before I posted the question.  I also tried it with READ only in Special File Access.  In both cases, I logged on as a non-admin person, was able to see and copy the files, as long as I copied them to another directory that had write permissions.

Roscoe/HDWILKINS:  These are loan documents that will be used in-house in lieu of the "live" paper documents that are stored offsite in a fire proof vault.  I have the permissions to read the docs well locked down, but if my loan servicing manager goes off the deep end, he can now "borrow" tens of thousands of customer docs, and walk out with them on a CD.

I think I'm screwed.... at least I can set audit properties to track when people come in and sniff around...
0
 
LVL 10

Expert Comment

by:HDWILKINS
ID: 6446394
Ok, I deal with sensitive stuff also so here is my best advice.

1.  The loan officer etc., should all be under strict non-disclosure agreements.  At least it keeps an honest man honest.

2.  There is very little reason I can think of that the computers with access to this information should have CD Burners on them.

3.  You can log access to the files if it's an NTFS partition.

In the end, if he's got the job, then management needs to have some confidence in him - if not, then something else has to change.  Is this a concern of management, or are you just being cautious?

HW
0
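The audit logging that zschwed and HDWILKINS mention only helps if someone reviews it for bulk reads. The following is an added example, not part of the original thread: a sliding-window check that flags an account opening an unusual number of distinct files in a short period. The record format, threshold, user names and paths are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    # Constructed record format: "<ISO timestamp> <user> <path>"
    ts, user, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), user, path

def bulk_readers(lines, window=timedelta(minutes=10), max_files=5):
    """Return {user: peak count} for users who read more than max_files
    distinct files inside any single window."""
    recent = defaultdict(deque)   # user -> (timestamp, path) pairs still in the window
    peaks = {}
    for ts, user, path in sorted(parse(l) for l in lines):
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window:      # drop reads that aged out of the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > max_files:
            peaks[user] = max(peaks.get(user, 0), distinct)
    return peaks

def sample_log():
    """Constructed audit records: one routine user, one bulk reader."""
    start = datetime(2001, 8, 30, 9, 0, 0)
    lines = []
    for i in range(12):   # clerk1 reopens the same two files all morning
        ts = start + timedelta(minutes=15 * i)
        lines.append(f"{ts.isoformat()} clerk1 loans/{1000 + i % 2}.tif")
    for i in range(40):   # manager1 walks through 40 different files in minutes
        ts = start + timedelta(hours=1, seconds=5 * i)
        lines.append(f"{ts.isoformat()} manager1 loans/{2000 + i}.tif")
    return lines

if __name__ == "__main__":
    for user, peak in bulk_readers(sample_log()).items():
        print(f"{user}: {peak} distinct files within 10 minutes")
```
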
 
LVL 3

Expert Comment

by:Roscoe
ID: 6446673
I agree with HDWilkins - this is more of a business issue as opposed to a technical issue - change your focus to government, for instance... non-disclosure  is part of the job (Deep Throat and Watergate notwithstanding <grin>).

Here's a thought exercise - A partial compromise that could a) be a minor development project and b) provide pretty ironclad tracing would be to have that TIFF reader embedded as an ActiveX or Java routine, with a way of embedding (in the file) the user's login ID in a non-printing area of the file as it's being called from the server. File gets saved elsewhere with incriminating link... smoking gun. [Of course, if users leave their passwords on post-it notes, you could have a problem....<g>] A method similar to this has been used for years in the music industry as a way of tracking promotional releases of music... a station may get a copy that (if duped) can be traced back to them...
0
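Roscoe's tracing idea, as an added example that is not part of the original thread: the server stamps each copy it hands out with the requesting login and an HMAC, so a copy found elsewhere can be tied to the account that fetched it. The trailer format, key, document ID and function names are assumptions made for illustration; a stamp like this supports tracing only and does not survive re-encoding or a screen capture.

```python
import hashlib
import hmac
import json

MARK = b"\n--served-copy--\n"          # hypothetical trailer delimiter
SERVER_KEY = b"constructed-demo-key"   # assumption: secret held only by the file server

def _tag(doc_id, user, served_at, body):
    # Bind the login, the time and the exact file content together
    msg = json.dumps([doc_id, user, served_at]).encode() + hashlib.sha256(body).digest()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def stamp(body, doc_id, user, served_at):
    """Return the bytes handed to `user`: original content plus a signed trailer.
    Assumption: the viewer tolerates trailing bytes after the image data."""
    record = {"doc": doc_id, "user": user, "at": served_at,
              "tag": _tag(doc_id, user, served_at, body)}
    return body + MARK + json.dumps(record).encode()

def trace(found):
    """Return (user, served_at) for a recovered copy, or None if it carries
    no stamp or the stamp was altered."""
    body, sep, trailer = found.rpartition(MARK)
    if not sep:
        return None
    try:
        rec = json.loads(trailer)
        expected = _tag(rec["doc"], rec["user"], rec["at"], body)
        ok = hmac.compare_digest(expected, rec["tag"])
    except (ValueError, KeyError, TypeError):
        return None
    return (rec["user"], rec["at"]) if ok else None

def demo():
    image = b"II*\x00" + bytes(64)     # constructed stand-in for a TIFF file
    served = stamp(image, "loan-0001", "jdoe", "2001-08-30T09:00:00")
    forged = served.replace(b"jdoe", b"evil")   # someone edits the login in the trailer
    return trace(served), trace(forged), trace(image)

if __name__ == "__main__":
    print(demo())
```
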
 
LVL 10

Expert Comment

by:Longbow
ID: 6447656
Sorry, I have tried a copy in the same directory ;-)
Effectively the file is not copied at all ;-)

Try File Protector
http://mikkoaj.hypermart.net/index.html
0
 
LVL 10

Expert Comment

by:Longbow
ID: 6447748
And this, Security Department
http://www.mybestsoft.com/sd.html
0
 

Author Comment

by:zschwed
ID: 6448880
HDWILKINS,Roscoe, Longbow;

Thank you all for the great input.  We already have the NDAs in place with our loan folks, and to be in banking, you need a background check and must be bondable.  Our concern really gets down to what the Feds will now think with the passing of the Gramm/Leach/Bliley privacy act, and if we have enough protection from insider "rogues".

I think we'll be OK because, effectively, they don't have a way for getting the files off the network (no one has CD burners) and the files are all 4 MB+ in size.  They could do a backup of the file and restore it to a home PC, but the majority of the folks that will be accessing the images aren't that knowledgeable of their PC to do this.

Access to the files via our VPN is restricted only to senior VPs and above, and if they wanted to screw us, they have many BETTER ways of doing this besides taking some loan documents.

I'm going to up the points on this to 300 and split them between the 3 of you.  Thanks for all of your help.
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6448980
Points for HDWILKINS
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?qid=20177473

Points for Longbow
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?qid=20177472

Point split complete, as requested by zschwed.

Moondancer
Community Support Moderator @ Experts Exchange
0
 
LVL 3

Expert Comment

by:Roscoe
ID: 6449577
Thank you, zschwed. Another possible way (outside of the technology scope of this discussion, probably illegal, but nice to think about dept.) would be small remote-controlled shaped charges you-know-where that would SURELY guarantee loyalty <EVIL GRIN> - an explicit version of what is implied with some employment agreements - could be a bummer near airports and other areas with high EMF noise....
0
 
LVL 10

Expert Comment

by:Longbow
ID: 6450779
Thanks zschwed,
Save these links, they may be useful for another problem ;-)
0
