Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Saving Locally

Posted on 2011-03-18
10
Medium Priority
?
354 Views
Last Modified: 2012-05-11
Is their anyway to prevent users saving data locally onto their local hard discs on their workstations, and can you differentiate between drives that are encrypted that are ok to save locally, and unencrypted drives that aren’t ok to save locally, or for piece of mind deny such a process on either. We have many information systems that have export features, or report features, whereby the user could potentially save data locally on their unencrypted C drive. My understanding was boot CD’s with an alternate operating system essentially can be used to bypass authentication and then it’s a relatively easy process to access any data resident on the machine, so any extracts of corporate sensitive or personal data would be obtainable with physical access to the PC.

Is there anyway corporately across a domain full of workstations to deny users the ability to save data locally. I am not convinced the less security savvy of our employees will know the risk, but even if they did I am not sure others will abide by any verbal recommendations. If all devices were encrypted does it matter as much if they can or can’t save data locally? Or should it still be denied? What if they need to work in an environment whereby they won’t have network access, what’s the solution then?
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 22

Accepted Solution

by:
Joseph Moody earned 600 total points
ID: 35165480
Use file system security (Computer Side- Windows Settings - in group policy) to set your local hard drive NTFS permissions. In our environment, only system and administrators can save locally.
0
 
LVL 4

Assisted Solution

by:LeDaouk
LeDaouk earned 200 total points
ID: 35165501
by default when you create a user it will be created as Domain User member, after and after logging on to the domain PC he will act as domain user, and by default he will not be able to save files on any folder, except his user profile.
check the security tab on each HDD, the group users should have read only access and everyone should not have place.
0
 
LVL 3

Author Comment

by:pma111
ID: 35165514
What about though, folk who need to work off-site, off-line, how can they edit docs and what not and save them locally? Have you any links on "how to" enforce your recommendation? Does that ability to only save on servers unless your an admin cause any issues in your environment?
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35165535
We use offline files to do this. Users save files to their My Documents (with redirected folders). To them, it doesn't matter if they are on site or not because their my documents stay in sync. We do encrypt the offline file cache though.
0
 
LVL 3

Author Comment

by:pma111
ID: 35165551
LeDaouk:

What about saving to the root of the C:\ though, or outside the profile zones. I agree I as a domain user can write to c;\docs and sets\another user, but I can save to c:\docs and sets\myacct or the root of the local drive. Either way its poor practice as you can just take the drive out the machine with physical access and reattch to another drive ribbon and it treats it as a new volume and all security vanishes....
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35165560
Use bitlocker
0
 
LVL 3

Author Comment

by:pma111
ID: 35165565
>>We do encrypt the offline file cache though.

With what tool? Is this all done with group policy?
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35165571
That is done in group policy. There is a setting in the offline files section that says "Encrypt offline file cache"
0
 
LVL 3

Author Comment

by:pma111
ID: 35165693
If we use something like pointsec on every machine, is there any reason still do deny users the rights to save locally? Backups I guess is one reason still why not too
0
 
LVL 3

Author Comment

by:pma111
ID: 35165701
Can you provide some MS links to how to do all this stuff? I have searched and cant really locate it
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question