Prevent downloading and saving of files when connecting through VPN

Posted on 2013-11-28
Medium Priority
Last Modified: 2013-11-29

I have a client with an in-house Windows 2008 server that stores proprietary documents (Word, Excel, PPT, PDF etc.) and videos (demos and training materials) of CAD/CAM software.

They have a mobile workforce (marketing & sales) that travels around the country and connects to the server using USB modems (dongles or data cards). When visiting prospective clients, they connect to the in-house server remotely and pull up the relevant documents and videos to show to the prospects.

The client wants to secure the remote connectivity using VPN, which is not too difficult. However, the client also wants to ensure that none of these proprietary documents or videos can be downloaded or saved locally by any member of the travelling workforce.

Is there a way to do this at all? After all, if they are able to open the application that's needed to open the file/video, they would obviously have the ability to access that application's File menu, which would let them save or download the file to their system?

A bit stumped here and would be thankful for any pointers.

Someone told me to implement a File Server on the Windows Server and then make that accessible only through the Web. Then, the VPN could be configured to access the File Server only through the Web, which would prevent the downloading and saving of files and only enable opening or playback. I am not sure this makes sense to me.

Thanks in advance.
Question by: scmeeven
LVL 99

Expert Comment

by:John Hurst
ID: 39683651
If they have access to the file(s) via VPN (which is the same as local in-house access), you cannot prevent them from saving a copy of the file(s).

So there should be a strong company privacy policy to control this, and employees should be trustworthy.

A reasonably shrewd employee would have a copy of the files on their computer before visiting the client to prevent problems with live access during a presentation.

To your last comment, if you can open the file, you can save it elsewhere (even by copying the contents).

... Thinkpads_User
LVL 37

Expert Comment

ID: 39683664
"Opening or playing through a web interface" still doesn't equal "unable to save". You can make it harder, but not impossible (even if it was made impossible, there's still screenshots the person can take).
So you don't trust your own mobile workforce? What makes them so different from the other in house workforce?
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 1500 total points
ID: 39685086
VPNs are actually very insecure for this reason, in addition to the fact that viruses and unwanted files can be uploaded over a VPN unknowingly. A better option would be to set up a terminal server (now called a Remote Desktop Services server) for the remote workers. This way all data stays on the corporate site, and you can easily disable the ability to transfer files, cut and paste, and connect local USB or hard drives. Terminal services will also perform better and have fewer connection issues than a VPN. It still does not stop screenshots but does eliminate most potential issues.

Another option is to implement Microsoft Information Rights Management Services.  It is a fair amount of work to set up but it allows you to restrict documents from being copied, forwarded, or even printed.  This can be controlled even when sent in an e-mail.  The following is a primer for Office 2013 but it is available back as far as Office 2003.
(Briefer outline, 2003 version)

LVL 37

Assisted Solution

Kimputer earned 500 total points
ID: 39685103
Terminal services will add costs for device/user access CALs and a heavier server. Also, for displaying video it's not optimal (even with the best bandwidth available it will still be quite choppy, in the best case scenario). Screenshots are still available to the remote workers, as are secure HTTPS upload sites (for the video and document files, if you fail to plug the holes, like forgetting to limit or disable browser access).
LVL 77

Accepted Solution

Rob Williams earned 1500 total points
ID: 39685122
No question Terminal Services will add costs, but there are costs involved with increasing security. VPNs by many today are considered very risky. Other than encryption they offer very little protection and open a whole series of performance, connectivity, and security issues.

My apologies, I missed the video and CAD files; you are quite right, RDP does not like streaming media or high resolution graphics such as CAD files. In order to address those you need to use RemoteFX, which works in exactly the same way but requires newer server software (2008 R2 or newer), an expensive, compatible video card on the server, and Windows 7 SP1 clients or newer. RemoteFX is RDP on steroids and works very well with streaming media and high resolution graphics.

Another note/correction: Microsoft Information Rights Management Services will only work with Microsoft documents.

Neither of these is the only option; I am just presenting a couple of common methods used to try to address the author's concerns.
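The RDS lockdown Rob Williams describes above and in his first comment (blocking file transfer, cut and paste, and local USB/drive access from the session) corresponds to the "Device and Resource Redirection" Group Policy settings. The following PowerShell is an added example, not code from the thread: it writes those settings through the policy registry key and then audits them. It assumes an RD Session Host on Windows Server 2008 R2 or newer and an elevated session.

```powershell
# Added example: enforce and audit RD Session Host device redirection lockdown.
# The values below are the registry equivalents of the Group Policy settings under
# Computer Configuration > ... > Remote Desktop Session Host > Device and Resource Redirection.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# 1 = "Do not allow ... redirection" for every session on this host.
$Lockdown = @{
    fDisableCdm      = 1   # drive redirection: local disks and USB storage mapped into the session
    fDisableClip     = 1   # clipboard redirection: cut and paste out of the session
    fDisableCpm      = 1   # client printer redirection: "print" a document to a local PDF printer
    fDisablePNPRedir = 1   # Plug and Play device redirection: USB devices
    fDisableLPT      = 1   # LPT port redirection
    fDisableCcm      = 1   # COM port redirection
}

function Set-RdsRedirectionLockdown {
    # Create the policy key if Group Policy has never written it, then set each DWORD.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Lockdown.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
            -Value $Lockdown[$name] -Force | Out-Null
    }
}

function Test-RdsRedirectionLockdown {
    # Emit one row per setting so any drift from the expected value stands out.
    $current = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $Lockdown.Keys) {
        $actual = if ($null -ne $current) { $current.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Lockdown[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Lockdown[$name])
        }
    }
}

Set-RdsRedirectionLockdown
Test-RdsRedirectionLockdown | Format-Table -AutoSize
```

The settings take effect for sessions started after the change, so existing users must disconnect and reconnect; a domain GPO with the same settings is the durable way to keep them from being reverted locally.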

Author Comment

ID: 39685299
@RobWill and @Kimputer, thank you both for the ideas, comments and guidance. I will check out RemoteFX.

It's not about not trusting the workforce, either. It's just that the client had some bad experiences before with some of their mobile workforce and got rapped on the knuckles by their vendor as the training materials and documents were proprietary.

I am surprised to hear that VPNs are seen as insecure. Got to learn more about that!

It struck me just now that a DLP solution might help prevent the downloading? For example, one of the DLP solutions from McAfee:

What are your thoughts about this? Would this take care of the data security aspect while the connectivity could still be through VPN or Remote FX etc.?
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 1500 total points
ID: 39685322
As mentioned, the VPN tunnel itself is quite secure, assuming it is IPSec, but the concern is that you have a wide open tunnel allowing all traffic between the client and the server. In most cases you do not have control over that client PC:
- The PC could contain viruses that spread over networks
- If split tunneling is enabled, the PC could be hacked by a neighboring computer at home, an airport, or an internet café, and access to your server easily gained
- You lose control of the data; any user can copy/steal documents

I am not familiar with McAfee's DLP, but there are many solutions similar to Microsoft's Information Rights Management service. Third party services may have the advantage of protecting more than just Office documents. They can be expensive though. McAfee requires ePolicy, and several add-ons, with server and end user licensing.

You are not alone. This is becoming more and more of a concern due to security, various government compliance requirements, users bringing their own devices to work such as iPads, and hackers getting very clever.

Author Comment

ID: 39685344
@Rob, thank you for the explanation about the security concerns of a VPN.

I asked about McAfee because that's the only solution we are familiar with for DLP. You are right about the costs, though.

We were thinking of UTM boxes for the VPN, and it was a tech guy from one vendor who suggested what I mentioned in my first post: that implementing a File Server on the client's in-house server and accessing the docs on that file server through a web URL (through VPN, which the UTM box would enable) would take care of this problem. I was skeptical, and from your and other comments it turns out that I was rightly so.

Glad to know I am not alone in this, though. :-)
LVL 77

Expert Comment

by:Rob Williams
ID: 39685738
Thanks scmeeven.
Good luck with the project.

Question has a verified solution.