Folder Security best practise

So we currently have 150 users who have access to the J: XXX and the V: XXX these shares have security groups which give permissions to all folders within the share.

We had an issue with users stealing documents before they leave.

My question is what would be best practice when a user hands in there resignation - would I just give the user access to the folders they need access to within the shares or is there a better solution?

Please advise
LVL 2
Technical InformationAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Adam BrownConnect With a Mentor Sr Solutions ArchitectCommented:
There isn't a way to prevent people from taking files they have access to with just the normal Folder security settings. What you would need to utilize is a Data Loss Prevention (DLP) solution. With just windows server, you would utilize AD Rights Management Services to limit users' ability to copy data to other locations, forward messages, or perform other actions with files that are not covered specifically by file permissions. https://technet.microsoft.com/en-us/library/cc771627(v=ws.11).aspx has a lot of information on AD RMS that should help you understand some of what you can do.
0
 
Alexandre MichelManager; IT ConsultantCommented:
Hi

It is very hard to stop someone from stealing information if they have access to your server.
You can certainly change their permissions when they give their resignation, but you should discuss this with their direct supervisor. Doing this might affect their work and stop them from working efficiently  ... and could possibly aggravate them.

Someone that wants to steal  from your company, can very well start copying files & folders well before they submit their resignation.

Unless you invest in 3rd party applications, if they can read a folder, then they can copy the content of the folder and it is hard to monitor, prove, alert you they are doing this right now. You can block access to USB ports, you can block access to cloud storage devices, you can monitor emails, etc...

This where a good employment contract  covers your company against such actions

Assuming the employee stole the information to use at his/her next employer, you can contact the next employer (via a law firm) and inform them they risk legal action if they do not delete immediately any copy of the stolen info (as a Network Admin in a company that had just hired someone that had - unknown to us - also stolen info from his previous employer, I was at the receiving end of such letter)

Alex
0
 
Technical InformationAuthor Commented:
Thanks for the advice - I understand the above but would like instructions regarding Folder security
0
 
madunixConnect With a Mentor Chief Information Security Officer Commented:
We have implemented Fortigate as DLP;  Its an automated preventive device that can block sensitive information from leaving the internal network, while at the same time logging the offenders. http://cookbook.fortinet.com/preventing-data-leaks/
0
 
Adam BrownSr Solutions ArchitectCommented:
Closing. Noted answers give the information requested or provide solutions that meet the original question requirements
0
All Courses

From novice to tech pro — start learning today.