Prevent downloading and saving of files when connecting through VPN


I have a client with an in-house Windows 2008 server that stores proprietary documents (Word, Excel, PPT, PDF etc.) and videos (demos and training materials) of CAD/CAM software.

They have a mobile workforce (marketing & sales) that travels around the country and connects to the server using USB modems (dongles or data cards). When visiting prospective clients, they connect to the in-house server remotely and pull up the relevant documents and videos to show to the prospects.

The client wants to secure the remote connectivity using VPN, which is not too difficult. However, the client also wants to ensure that none of these proprietary documents or videos can be downloaded or saved locally by any member of the travelling workforce.

Is there a way to do this at all? After all, if they are able to open the application that's needed to open the file/video, they would obviously have the ability to access that application's File menu, which would let them save or download the file to their system?

A bit stumped here and would be thankful for any pointers.

Someone told me to implement a File Server on the Windows Server and then make that accessible only through the Web. Then, the VPN could be configured to access the File Server only through the Web, which would prevent the downloading and saving of files and only enable opening or playback. I am not sure this makes sense to me.

Thanks in advance.
Rob Williams commented:
No question Terminal Services will add costs, but there are costs involved with increasing security. VPNs by many today are considered very risky. Other than encryption they offer very little protection and open a whole series of performance, connectivity, and security issues.

My apologies I missed the video and CAD files, you are quite right RDP does not like streaming media or high resolution graphics such as CAD files.  In order to address those you need to use RemoteFX which works in exactly the same way but requires newer server software, 2008 R2 or newer, an expensive, compatible, video card on the server, and Windows 7 SP1 clients or newer.  RemoteFX is RDP on steroids and works very well with streaming media and high resolution graphics.

Another note/correction;  Microsoft Information Rights Management Services will only work with Microsoft documents.

Neither of these are the only options, just presenting a couple of common methods used to try to address the author's concerns.
John (Business Consultant, Owner) commented:
If they have access to the file(s) via VPN (which is the same as local in-house access), you cannot prevent them from saving a copy of the file(s).

So there should be a strong company privacy policy to control this, and employees should be trustworthy.

A reasonably shrewd employee would have a copy of the files on their computer before visiting the client to prevent problems with live access during a presentation.

To your last comment, if you can open the file, you can save it elsewhere (even by copying the contents).

... Thinkpads_User
"Opening or playing through a web interface" still doesn't equal "unable to save". You can make it harder, but not impossible (even if it was made impossible, there's still screenshots the person can take).
So you don't trust your own mobile workforce? What makes them so different from the other in house workforce?

Rob Williams commented:
VPNs are actually very insecure for this reason, in addition to the fact that viruses and unwanted files can be uploaded over a VPN unknowingly. A better option would be to set up a terminal server (now called a Remote Desktop Services server) for the remote workers. This way all data stays on the corporate site, and you can easily disable the ability to transfer files, cut and paste, and connect local USB or hard drives. Terminal Services will also perform better and have fewer connection issues than a VPN. It still does not stop screenshots but does eliminate most potential issues.

Another option is to implement Microsoft Information Rights Management Services.  It is a fair amount of work to set up but it allows you to restrict documents from being copied, forwarded, or even printed.  This can be controlled even when sent in an e-mail.  The following is a primer for Office 2013 but it is available back as far as Office 2003.
(Briefer outline, 2003 version)
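The redirection lockdown described above (no file transfer, no cut and paste, no local drives or USB devices in the session) is applied on a session host through the Remote Desktop Services device and resource redirection policies. The following script is an added example, not something posted in this thread: it writes the machine policy registry values that those Group Policy settings use and then reads them back so that any gap is visible. It assumes it is run elevated on the session host and that no domain GPO will later overwrite these values at policy refresh.

```powershell
# Added example (not from the thread). Applies and audits the RDS device-redirection
# lockdown via the Terminal Services machine policy registry values, the same values
# written by: Computer Configuration > Administrative Templates > Windows Components
# > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection.
# Assumption: run elevated on the session host; a centrally managed GPO takes precedence.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy value name -> effect when the DWORD is set to 1
$Lockdown = [ordered]@{
    fDisableCdm      = 'Do not allow drive redirection (blocks copying files to the client)'
    fDisableClip     = 'Do not allow clipboard redirection (blocks cut and paste)'
    fDisableCpm      = 'Do not allow client printer redirection'
    fDisableLPT      = 'Do not allow LPT port redirection'
    fDisableCcm      = 'Do not allow COM port redirection'
    fDisablePNPRedir = 'Do not allow supported Plug and Play device redirection (USB devices)'
}

function Set-RdsRedirectionLockdown {
    # Create the policy key if no policy has ever been applied to this host.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    foreach ($name in $Lockdown.Keys) {
        New-ItemProperty -Path $PolicyPath -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Test-RdsRedirectionLockdown {
    # Emits one object per setting; a missing value shows as blank and non-compliant.
    foreach ($name in $Lockdown.Keys) {
        $value = (Get-ItemProperty -Path $PolicyPath -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting   = $name
            Purpose   = $Lockdown[$name]
            Value     = $value
            Compliant = ($value -eq 1)
        }
    }
}

Set-RdsRedirectionLockdown
Test-RdsRedirectionLockdown | Format-Table -AutoSize
```

The audit function is worth running on its own after each policy refresh, since a domain GPO that leaves any of these unconfigured silently reopens that channel. As Rob notes, none of this prevents a screenshot of what is on screen, and it only helps if the session host is the only path to the documents: if the file share also remains reachable directly over the VPN, the session lockdown is bypassed.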
Terminal Services will add costs for device/user access CALs and a heavier server. Also, for displaying video it's not optimal (even with the best bandwidth available it will still be quite choppy, in the best case scenario). Screenshots are still available to the remote workers, as are secure HTTPS upload sites (for the video and document files, if you fail to plug the holes, like forgetting to limit or disable browser access).
scmeeven (Author) commented:
@RobWill and @Kimputer, thank you both for the ideas, comments and guidance. I will check out RemoteFX.

It's not about not trusting the workforce, either. It's just that the client had some bad experiences before with some of their mobile workforce and got rapped on the knuckles by their vendor as the training materials and documents were proprietary.

I am surprised to hear that VPNs are seen as insecure. Got to learn more about that!

It struck me just now that a DLP solution might help prevent the downloading? For example, one of the DLP solutions from McAfee:

What are your thoughts about this? Would this take care of the data security aspect while the connectivity could still be through VPN or Remote FX etc.?
Rob Williams commented:
As mentioned the VPN tunnel itself is quite secure, assuming it is IPSec, but the concerns are you have a wide open tunnel allowing all traffic between the client and the server.  In most cases you do not have control over that client PC,
-The PC could contain viruses that spread over networks
-If split tunneling is enabled the PC could be hacked by a neighboring computer at home, an airport, or an internet café, and access to your server easily gained
-You lose control of the data; any user can copy/steal documents

I am not familiar with McAfee's DLP, but there are many solutions similar to Microsoft's Information Rights Management service. Third-party services may have the advantage of protecting more than just Office documents. They can be expensive though. McAfee requires ePolicy, and several add-ons, with server and end user licensing.

You are not alone. This is becoming more and more of a concern due to security, various government compliance requirements, users bringing their own devices to work such as iPads, and hackers getting very clever.
scmeeven (Author) commented:
@Rob, thank you for the explanation about the security concerns of a VPN.

I asked about McAfee because that's the only solution we are familiar with for DLP. You are right about the costs, though.

We were thinking of UTM boxes for the VPN and it was a tech guy from one vendor who suggested what I mentioned in my first post - that implementing a FileServer on the client's in-house server and accessing the docs on that file server through a web url (through VPN, which the UTM box would enable) would take care of this problem. I was skeptical and from your and other comments, it turns out that I was rightly so.

Glad to know I am not alone in this, though. :-)
Rob Williams commented:
Thanks scmeeven.
Good luck with the project.