Securing SBS 2003 data from internal misuse or robbery

I have an SBS 2003 server and XP Pro workstations. We have fewer than 10 users. Our data is extremely valuable and often confidential. I have 2 areas which are currently security holes for data in my network:

1. I assign users particular projects. These users have the ability to work with the data (mostly MS Word docs) regarding the project. Other users must not be allowed access.

Possible solution: NTFS permissions. But this does not prevent users with the permission to access files from copying them and making them available to other persons.

2. I need to prevent any data from leaving our premises (either via email, copying to floppy, USB stick or even the server's hard disk being removed!). Putting it bluntly, I don't want data to be stolen!

Possible solution: Encryption using private/public key rings? Administrative nightmare? Expensive?

Any ideas what measures I can put into practice to allow data just to be used by authorised persons and prevent it from wandering outside of our network?

Thanks for your comments.
LVL 3
omb Asked:
Rant32 Commented:
Have a look at Terminal Services and thin clients; this might prove to be the ultimate solution. Set up a separate Windows 2003 Terminal Server (this will be a completely locked down workstation) and some Wyse thin clients (for example Winterm 1125SE, http://www.wyse.com/products/winterm/1125se/index.asp).

True thin clients do not have any means of copying data to other media (no USB, floppy drives, etc.) and data cannot be copy/pasted from the client. As long as they can't use e-mail or a web browser from the Terminal Server, that is.

100% security is probably utopia. If somebody wants to steal data, they can copy it with pencil and paper.

Terminal Services is a one-time investment that, in your situation, will probably be around $4000-$5000 depending on your server performance needs. But it'll protect your data far better than XP clients with encryption, and it offers great central management features.

Jeffrey Kane - TechSoEasy, Principal Consultant Commented:
omb,

For sure you should be using file encryption, but are you aware of Office 2003's Information Rights Management feature?
http://r.office.microsoft.com/r/rlidDRMMoreInfoLicenseReq?clid=1033

I think that this would really be the way for you to manage these things.  It's not expensive (you already have it if you have Office 2003 and Windows Server 2003) and it's fairly easy to manage, considering the complexity of it all.

Then, to stop any document or data from being taken, you need to ensure that you disable all USB ports on each workstation.  But there are many other things to consider, such as emailing information, etc.  You should probably take a look at this article which is quite good:  http://www.windowsecurity.com/articles/-Windows-XP-Security-Guide.html

Jeff
TechSoEasy
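
The USB lockdown mentioned in the answer above, as an added example that is not part of the original thread: a batch file that disables the USB mass-storage driver (USBSTOR) on each XP workstation through the remote registry, which blocks USB sticks while leaving USB keyboards and mice working. The file name `workstations.txt` is a hypothetical list of computer names, and the script assumes it is run by a domain administrator with the Remote Registry service running on the clients.

```batch
@echo off
rem Added example, not from the original thread.
rem Assumption: workstations.txt (hypothetical) holds one computer name per line.
rem Assumption: run as a domain admin; Remote Registry is running on each client.
setlocal
set KEY=SYSTEM\CurrentControlSet\Services\USBSTOR

for /f "usebackq tokens=*" %%C in ("workstations.txt") do call :lockdown %%C
goto :eof

:lockdown
rem Confirm the machine is reachable and the USBSTOR service key exists.
reg query "\\%1\HKLM\%KEY%" /v Start >nul 2>&1
if errorlevel 1 (
    echo %1: unreachable, or USBSTOR key not present
    goto :eof
)
rem Start = 3 loads the driver on demand; Start = 4 disables it.
reg add "\\%1\HKLM\%KEY%" /v Start /t REG_DWORD /d 4 /f >nul 2>&1
if errorlevel 1 (
    echo %1: FAILED to set Start=4
) else (
    echo %1: USB storage driver disabled
)
goto :eof
```

On a workstation where no USB storage device has ever been installed, Microsoft's guidance is to also deny users access to `%SystemRoot%\Inf\Usbstor.inf` and `Usbstor.pnf`, so the driver cannot be installed in the first place.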
