Solved

Prevent downloading and saving of files when connecting through VPN

Posted on 2013-11-28
Last Modified: 2013-11-29
Hi,

I have a client with an in-house Windows 2008 server that stores proprietary documents (Word, Excel, PPT, PDF etc.) and videos (demos and training materials) of CAD/CAM software.

They have a mobile workforce (marketing & sales) that travels around the country and connects to the server using USB modems (dongles or data cards). When visiting prospective clients, they connect to the in-house server remotely and pull up the relevant documents and videos to show to the prospects.

The client wants to secure the remote connectivity using VPN, which is not too difficult. However, the client also wants to ensure that none of these proprietary documents or videos can be downloaded or saved locally by any member of the travelling workforce.

Is there a way to do this at all? After all, if they are able to open the application that's needed to open the file/video, they would obviously have the ability to access that application's File menu, which would let them save or download the file to their system?

A bit stumped here and would be thankful for any pointers.

Someone told me to implement a File Server on the Windows Server and then make that accessible only through the Web. Then, the VPN could be configured to access the File Server only through the Web, which would prevent the downloading and saving of files and only enable opening or playback. I am not sure this makes sense to me.

Thanks in advance.
Question by:scmeeven

9 Comments
LVL 90

Expert Comment

by:John Hurst
ID: 39683651
If they have access to the file(s) via VPN (which is the same as local in-house access), you cannot prevent them from saving a copy of the file(s).

So there should be a strong company privacy policy to control this, and employees should be trustworthy.

A reasonably shrewd employee would have a copy of the files on their computer before visiting the client to prevent problems with live access during a presentation.

To your last comment, if you can open the file, you can save it elsewhere (even by copying the contents).

... Thinkpads_User
LVL 35

Expert Comment

by:Kimputer
ID: 39683664
"Opening or playing through a web interface" still doesn't equal "unable to save". You can make it harder, but not impossible (even if it was made impossible, there's still screenshots the person can take).
So you don't trust your own mobile workforce? What makes them so different from the other in house workforce?
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 375 total points
ID: 39685086
VPNs are actually very insecure for this reason, in addition to the fact that viruses and unwanted files can be uploaded over a VPN unknowingly. A better option would be to set up a terminal server (now called a Remote Desktop Services server) for the remote workers. This way all data stays on the corporate site, and you can easily disable the ability to transfer files, cut and paste, and connect local USB or hard drives. Terminal Services will also perform better and have fewer connection issues than a VPN. It still does not stop screenshots but does eliminate most potential issues.

Another option is to implement Microsoft Information Rights Management Services. It is a fair amount of work to set up, but it allows you to restrict documents from being copied, forwarded, or even printed. This can be controlled even when sent in an e-mail. The following is a primer for Office 2013, but it is available back as far as Office 2003.
http://technet.microsoft.com/en-us/library/cc179103.aspx
Briefer outline (2003 version):
http://office.microsoft.com/en-us/help/about-information-rights-management-HP006220859.aspx
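The session-host lockdown Rob describes (no file transfer, no cut and paste, no local USB or disk access) is applied on a Windows RDS server through the "Device and Resource Redirection" policies. The PowerShell below is an added example, not code from this thread or from Microsoft; it audits and enforces those policy-backed registry values on the session host (the key path and value names are the ones the corresponding Group Policy settings write).

```powershell
# Added example: audit and enforce RDS device-redirection lockdown on a
# Remote Desktop Session Host. These values are what Group Policy writes for
# Computer Configuration > Administrative Templates > Windows Components >
# Remote Desktop Services > Remote Desktop Session Host >
# Device and Resource Redirection. Run as administrator on the session host.
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Value name -> what a value of 1 blocks in the remote session
$Lockdown = @{
    fDisableCdm      = 'drive redirection (client disks mapped into the session)'
    fDisableClip     = 'clipboard redirection (copy/paste between client and session)'
    fDisablePNPRedir = 'Plug and Play device redirection (USB storage and similar)'
    fDisableCpm      = 'client printer redirection (printing to a local printer)'
    fDisableLPT      = 'LPT port redirection'
    fDisableCcm      = 'COM port redirection'
}

function Get-RdsRedirectionState {
    # One object per setting: Enforced = $true only when the value is present and 1
    foreach ($name in $Lockdown.Keys) {
        $v = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting  = $name
            Blocks   = $Lockdown[$name]
            Enforced = ($v -eq 1)
        }
    }
}

function Set-RdsRedirectionLockdown {
    # Create the policy key if it does not exist, then set every value to 1 (disabled)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Lockdown.Keys) {
        New-ItemProperty -Path $Key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Set-RdsRedirectionLockdown

# Report anything still open; a clean run prints only the table with Enforced = True
Get-RdsRedirectionState | Where-Object { -not $_.Enforced } | ForEach-Object {
    Write-Warning "$($_.Setting) not enforced: $($_.Blocks) still allowed"
}
Get-RdsRedirectionState | Format-Table -AutoSize
```

In a domain, apply the same settings through a GPO linked to the session host's OU rather than editing the key directly, or the next policy refresh will overwrite local changes; users need to reconnect before the new redirection settings take effect.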
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 125 total points
ID: 39685103
Terminal Services will add costs for device/user access CALs and a heavier server. Also, for displaying video it's not optimal (even with the best bandwidth available it will still be quite choppy, in the best case scenario). Screenshots are still available to the remote workers, as are secure HTTPS upload sites (for the video and document files, if you fail to plug the holes, like forgetting to limit or disable browser access).
LVL 77

Accepted Solution

by:Rob Williams
Rob Williams earned 375 total points
ID: 39685122
No question Terminal Services will add costs, but there are costs involved with increasing security. VPNs by many today are considered very risky. Other than encryption they offer very little protection and open a whole series of performance, connectivity, and security issues.

My apologies, I missed the video and CAD files; you are quite right, RDP does not like streaming media or high resolution graphics such as CAD files. In order to address those you need to use RemoteFX, which works in exactly the same way but requires newer server software, 2008 R2 or newer, an expensive, compatible video card on the server, and Windows 7 SP1 clients or newer. RemoteFX is RDP on steroids and works very well with streaming media and high resolution graphics.

Another note/correction: Microsoft Information Rights Management Services will only work with Microsoft documents.

Neither of these are the only options, just presenting a couple of common methods used to try to address the author's concerns.
Author Comment

by:scmeeven
ID: 39685299
@RobWill and @Kimputer, thank you both for the ideas, comments and guidance. I will check out RemoteFX.

It's not about not trusting the workforce, either. It's just that the client had some bad experiences before with some of their mobile workforce and got rapped on the knuckles by their vendor as the training materials and documents were proprietary.

I am surprised to hear that VPNs are seen as insecure. Got to learn more about that!

It struck me just now that a DLP solution might help prevent the downloading? For example, one of the DLP solutions from McAfee:
http://www.mcafee.com/in/products/data-protection/data-loss-prevention.aspx

What are your thoughts about this? Would this take care of the data security aspect while the connectivity could still be through VPN or Remote FX etc.?
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 375 total points
ID: 39685322
As mentioned, the VPN tunnel itself is quite secure, assuming it is IPsec, but the concern is that you have a wide open tunnel allowing all traffic between the client and the server. In most cases you do not have control over that client PC:
- The PC could contain viruses that spread over networks
- If split tunneling is enabled, the PC could be hacked by a neighboring computer at home, an airport, or an internet café, and access to your server easily gained
- You lose control of the data; any user can copy/steal documents

I am not familiar with McAfee's DLP, but there are many solutions similar to Microsoft's Information Rights Management service. Third-party services may have the advantage of protecting more than just Office documents. They can be expensive though. McAfee requires ePolicy and several add-ons, with server and end user licensing.

You are not alone. This is becoming more and more of a concern due to security, various government compliance requirements, users bringing their own devices to work such as iPads, and hackers getting very clever.

Author Comment

by:scmeeven
ID: 39685344
@Rob, thank you for the explanation about the security concerns of a VPN.

I asked about McAfee because that's the only solution we are familiar with for DLP. You are right about the costs, though.

We were thinking of UTM boxes for the VPN, and it was a tech guy from one vendor who suggested what I mentioned in my first post: that implementing a file server on the client's in-house server and accessing the docs on that file server through a web URL (through VPN, which the UTM box would enable) would take care of this problem. I was skeptical, and from your and other comments it turns out that I was rightly so.

Glad to know I am not alone in this, though. :-)
LVL 77

Expert Comment

by:Rob Williams
ID: 39685738
Thanks scmeeven.
Good luck with the project.
Cheers!
--Rob