
Make Files Uncopyable

We have some very sensitive files which we want to make available for viewing to users that have directory permissions, but I want to only allow them to look at the files, not to be able to copy them off to a disk.  I've tried making the files and the directories read-only, plus I tried the special permissions and selected read-only, but I can still copy the files.  Any ideas?
Asked by: zschwed

xSinbad Commented:
I don't suppose you are on a Novell network?

Roscoe Commented:
As xSinbad has suggested, short answer is no. DEC & IBM (mainframes) and NetWare systems have much tighter security than NT and UNIX.

The real problem here is the application being used to open the file. Off the top of my head, I would suggest use of a third-party viewer program accessible by the users of this group only, with a custom mapping to the directory where the data is stored. Tricky part would be how to prevent cut and paste....

Only method I can think of is embedding the viewer into an app launched via a browser, and the files rendered into HTML or variants thereof - the page permissions (as part of the page layout) can therefore be REALLY tightened down, even to the point of preventing printing....

Regards...

rootnash Commented:
Setting the director(y/ies) or file(s) to READ-ONLY only prevents writing/appending/changing/creating files/directories. Just like a CD-ROM, you can view/copy files but cannot create/save (new) files.

About your problem, just like the others say, it isn't (currently) available in Windows technologies.... A third-party viewer program is a good suggestion!
Longbow Commented:
Hi,

Select the permissions Read and Execute.

Longbow

Longbow Commented:
First select "Special Permissions"
I have done this on a directory, not on a file.

Longbow

vinnyd79 Commented:
I recently had a need to do the same thing. I wrote a program for the boss to encrypt files into a directory on the network. I set permissions on the directory for the users who needed to access the files. I then created a viewer program that decrypted the files and does not allow cut, copy, paste, print, or save. I also created a program I called key.exe that hides a registry key. The viewer checks for this key, and if it does not exist the program will not start. I also hardcoded a check for IP address in the viewer as well.

Roscoe Commented:
I like that one, vinnyd79... obviously great minds think alike <grin> (- please don't continue the rest of that Shakespeare quote)... my only quibble would be to have ability to toggle the IP address checking - does no good if the network uses DHCP

vinnyd79 Commented:
Roscoe, I use DHCP also and it works fine. I am actually checking to make sure the machine is on a certain subnet by checking the first 3 bytes of the IP (192.5.3.). I am not checking the fourth, so as long as they are on the certain subnet it will work. Even if I checked the entire IP address it would still work for me, as the PCs always get the same IP address from the DHCP server unless I renew the lease.

Roscoe Commented:
That's cool... I'm used to having to allow for clients' short lease environments due to laptops, plus logins from different sites... but if the environment is stable, sure, no problem!!

zschwed (Author) Commented:
Aside from having a custom app written (no bucks available), I've already tried the other suggestions, except for Roscoe's.

I'm intrigued with embedding the viewer in a browser.  Specifically, these are TIF images of documents.  We view them with the Kodak Image Viewer that comes with Win98.  How would this viewer be embedded into IE?  If this is possible, how do you then enforce the "no copy" restriction?

Roscoe Commented:
Hmm, the lack of bucks may be an issue.... here are my thoughts:

There are a number of plugins available that allow you to view TIF(F) files - do a search on Google using the string "tif viewer browser plugin" - some of them are free or nearly so.

The problem is controlling what someone can do with the files once they're pulled down to the desktop. Your standard browser allows anyone to print and/or save the file to wherever he/she has rights. I know that there are ways of constructing a custom version of IE that is "stripped out" of all capabilities (which may make you run into dollars issue again)... but someone who is knowledgeable can (unless blocked by a policy, I guess) even get around that by doing a print screen...

Based on the constraints you've outlined, I can't see any way of doing this without SOME sort of development dollars....

Anyone else have a suggestion?

HDWILKINS Commented:
Native NT (as you know) does not support this function.  From the server's point of view, there isn't any difference between having an application read the data, or printing or copying the data.  It's all a read function.

Regarding some of the other suggestions, my feeling is that if you can see it on the screen, you can copy it, one way or another (at least I know I could).

Why don't you remove the floppy drives from the workstations?  Prohibit non-corporate e-mail and restrict the sending of attachments.  Sounds like a restrictive environment to me, but that's about the only way you can secure your data - even then, someone could bring in a zip drive.

How serious are you about this?  Can you be more specific about what the files contain?  Are they documents or tables or what?  I guess I could write a program that would encrypt the data into a database and unencrypt it to the screen (not hard to do) but then any screen capture program could capture the image and print it.

But, at least they couldn't copy the raw data or if they did, it would be unreadable.

HW

Longbow Commented:
zschwed,

I have tried my above answer again.

From the DIRECTORY
Set permissions Read and Execute in Special File Access

It works!

zschwed (Author) Commented:
Thanks for the great replies!

Longbow:  This was one of the options I tried before I posted the question.  I also tried it with READ only in Special File Access.  In both cases, I logged on as a non-admin person, was able to see and copy the files, as long as I copied them to another directory that had write permissions.

Roscoe/HDWILKINS:  These are loan documents that will be used in-house in lieu of the "live" paper documents that are stored offsite in a fire proof vault.  I have the permissions to read the docs well locked down, but if my loan servicing manager goes off the deep end, he can now "borrow" tens of thousands of customer docs, and walk out with them on a CD.

I think I'm screwed.... at least I can set audit properties to track when people come in and sniff around...

HDWILKINS Commented:
Ok, I deal with sensitive stuff also so here is my best advice.

1.  The loan officer etc., should all be under strict non-disclosure agreements.  At least it keeps an honest man honest.

2.  There is very little reason I can think of that the computers with access to this information should have CD Burners on them.

3.  You can log access to the files if it's an NTFS partition.

In the end, if he's got the job, then management needs to have some confidence in him - if not, then something else has to change.  Is this a concern of management, or are you just being cautious?

HW
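
The access logging suggested above only helps if someone reviews it, so here is an added example (not code from the thread) that scans exported audit records for a user opening an unusual number of distinct documents in a short window. The `time,user,path` CSV layout, the thresholds and the sample records are constructed for illustration and are not a real Windows log format.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(lines):
    """Yield (timestamp, user, path) from 'time,user,path' CSV lines."""
    for ts, user, path in csv.reader(lines):
        yield datetime.fromisoformat(ts), user, path

def bulk_readers(events, max_files=25, window=timedelta(minutes=10)):
    """Return {user: peak distinct files read inside any window} for every
    user whose peak exceeds max_files. Events must be in time order."""
    recent = defaultdict(deque)      # user -> (timestamp, path) still in window
    peaks = {}
    for ts, user, path in events:
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window:  # drop reads that aged out of the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > max_files:
            peaks[user] = max(peaks.get(user, 0), distinct)
    return peaks

# Constructed sample: a clerk opening one document every 20 minutes during
# the day, then a manager opening 60 documents in five minutes after hours.
_t0 = datetime(2001, 9, 10, 9, 0)
SAMPLE_LOG = [
    f"{(_t0 + timedelta(minutes=20 * i)).isoformat()},clerk1,loans/{100 + i:06d}.tif"
    for i in range(12)
] + [
    f"{(_t0 + timedelta(hours=9, seconds=5 * i)).isoformat()},mgr1,loans/{i:06d}.tif"
    for i in range(60)
]

if __name__ == "__main__":
    for user, peak in bulk_readers(parse(SAMPLE_LOG)).items():
        print(f"{user}: {peak} distinct documents within 10 minutes")
```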

Roscoe Commented:
I agree with HDWilkins - this is more of a business issue as opposed to a technical issue - change your focus to government, for instance... non-disclosure  is part of the job (Deep Throat and Watergate notwithstanding <grin>).

Here's a thought exercise - A partial compromise that could a) be a minor development project and b) provide pretty ironclad tracing would be to have that TIFF reader embedded as an ActiveX or Java routine, with a way of embedding (in the file) the user's login ID in a non-printing area of the file as it's being called from the server. File gets saved elsewhere with incriminating link... smoking gun. [Of course, if users leave their passwords on post-it notes, you could have a problem....<g>] A method similar to this has been used for years in the music industry as a way of tracking promotional releases of music... a station may get a copy that (if duped) can be traced back to them...
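
The per-user tracing idea above, sketched as an added example that is not part of the thread: the server appends a signed trailer naming the requesting user to each TIFF it hands out, and a recovered copy can later be checked against the server key. The trailer layout, `MAGIC`, `tag_copy`, `trace_copy` and the sample bytes are assumptions made for illustration, and the approach relies on TIFF viewers ignoring bytes that no IFD points to.

```python
import hashlib
import hmac
import struct
import time

MAGIC = b"TRACEv1\x00"       # hypothetical trailer marker
MAC_LEN = 32                 # HMAC-SHA256 digest size
HDR = struct.Struct(">QH")   # issue time (epoch seconds), user-id length

def _mac(key, tiff, record):
    # Bind the record to this exact document so a trailer cannot be
    # transplanted onto another file to implicate a different user.
    return hmac.new(key, hashlib.sha256(tiff).digest() + record,
                    hashlib.sha256).digest()

def tag_copy(tiff, user, key, when=None):
    """Bytes to hand to `user`: the untouched TIFF plus a signed trailer."""
    if tiff[:4] not in (b"II*\x00", b"MM\x00*"):
        raise ValueError("not a TIFF file")
    uid = user.encode("utf-8")
    issued = int(time.time()) if when is None else when
    record = HDR.pack(issued, len(uid)) + uid
    return tiff + MAGIC + record + _mac(key, tiff, record)

def trace_copy(blob, key):
    """Return (user, issue_time) for a recovered copy, or None if the
    copy is untagged or its trailer does not verify."""
    pos = blob.rfind(MAGIC)
    if pos < 0:
        return None
    tiff, rest = blob[:pos], blob[pos + len(MAGIC):]
    if len(rest) < HDR.size:
        return None
    when, n = HDR.unpack_from(rest)
    record, mac = rest[:HDR.size + n], rest[HDR.size + n:]
    if len(mac) != MAC_LEN or not hmac.compare_digest(mac, _mac(key, tiff, record)):
        return None
    return record[HDR.size:].decode("utf-8"), when

# Constructed stand-in for a scanned document: a TIFF header plus filler bytes.
SAMPLE_TIFF = b"II*\x00\x08\x00\x00\x00" + bytes(32)
SERVER_KEY = b"constructed-demo-key"
```

A trailer like this survives a plain file copy but not a re-save, format conversion or screen capture, so it supports tracing rather than prevention.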

Longbow Commented:
Sorry, I have tried a copy in the same directory ;-)
Effectively the file is not copied at all ;-)

Try File Protector
http://mikkoaj.hypermart.net/index.html

Longbow Commented:
And this, Security Department
http://www.mybestsoft.com/sd.html

zschwed (Author) Commented:
HDWILKINS, Roscoe, Longbow:

Thank you all for the great input.  We already have the NDAs in place with our loan folks, and to be in banking, you need a background check and must be bondable.  Our concern really gets down to what the Feds will now think with the passing of the Gramm/Leach/Bliley privacy act, and if we have enough protection from insider "rogues".

I think we'll be OK because, effectively, they don't have a way for getting the files off the network (no one has CD burners) and the files are all 4mb+ in size.  They could do a backup of the file and restore it to a home PC, but the majority of the folks that will be accessing the images aren't that knowledgeable of their PC to do this.

Access to the files via our VPN is restricted only to senior VPs and above, and if they wanted to screw us, they have many BETTER ways of doing this besides taking some loan documents.

I'm going to up the points on this to 300 and split them between the 3 of you.  Thanks for all of your help.

Moondancer Commented:
Points for HDWILKINS
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?qid=20177473

Points for Longbow
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?qid=20177472

Point split complete, as requested by zschwed.

Moondancer
Community Support Moderator @ Experts Exchange

Roscoe Commented:
Thank you, zschwed. Another possible way (outside of the technology scope of this discussion, probably illegal, but nice to think about dept.) would be small remote-controlled shaped charges you-know-where that would SURELY guarantee loyalty <EVIL GRIN> - an explicit version of what is implied with some employment agreements - could be a bummer near airports and other areas with high EMF noise....

Longbow Commented:
Thanks zschwed,
Save these links, they may be useful for another problem ;-)