protecting sensitive data from being downloaded to USB or other devices

Posted on 2016-08-12
Last Modified: 2016-08-20

I am in the process of searching for third party or microsoft built in tools that will protect sensitive data from being downloaded to a usb or other device by users. Currently we have users on win 7 pro. Any suggestions or comments would be greatly appreciated.
Question by: Newguy 123
LVL 90

Expert Comment

by: John Hurst
ID: 41754122
You can disable USB devices, but then people can email sensitive data to themselves, print sensitive data, or even memorize sensitive data.

It is a bit of a losing battle and the real solution is to build trust with users and employees.

Expert Comment

by: Wayne Herbert
ID: 41754206
Or upload to Google Drive, Dropbox, OneDrive, or a host of others. Or file transfer with Skype. How does one lock out a user from

One of the questions I had to answer for an E&O insurance renewal questionnaire was:

Does your firm control access to information that can be displayed, printed, and/or downloaded to external storage devices?

I mean... what is the answer to that?
LVL 90

Expert Comment

by: John Hurst
ID: 41754208
That just amplifies what I said. No way to truly prevent taking sensitive data (short of not letting suspected employees use computers).
LVL 38

Accepted Solution

Adam Brown earned 500 total points
ID: 41754230
There are plenty of Data Loss Prevention solutions out there that can be used to prevent the theft of files. Active Directory Rights Management is the one that comes with Windows Server. has some information on the technology and what can be done with it. is another potential DLP solution that could work, but I haven't used it. It's just one that could do what you want.

It's important to note here, though, that implementing a DLP solution to secure your files is going to significantly increase the workload and cost of managing the IT environment, so you have to determine if the potential cost of losing files is significant enough to justify the increased cost of managing a solution to secure those files more thoroughly than they are already.
LVL 90

Expert Comment

by: John Hurst
ID: 41754237
Also (and I am highly cynical), nothing stops me from memorizing what I see or even taking a photo of a screen on my personal device. If people want the information they will get it. There needs to be two-way trust built up.
LVL 38

Expert Comment

by: Adam Brown
ID: 41754281
You can't keep people from remembering stuff they work with regularly (passwords and such), or taking pictures of file contents with personal devices (though this is much more obvious and easy to catch than a file transfer based on visual examination), but there is a very low upper limit to what people can remove from the premises (without getting caught) using those methods, barring an employee with serious photographic memory capabilities.

Security isn't about absolute prevention. It's about making things difficult enough that the vast majority of attempts to do something are technically impossible. You can't create a password that is unbreakable. Given time, every password can be broken. That is not a good justification for failing to implement passwords, though, because it *is* possible to create passwords that take so long to crack that the universe will implode before it can be done with current technology.

In the same turn, the fact that you can't prevent people from memorizing documents or taking pictures with their phones doesn't justify ignoring security solutions that prevent people from taking the files themselves, if the potential risk of losing those files justifies the costs involved in implementing such solutions.
LVL 16

Expert Comment

ID: 41754500
There is no foolproof way to stop people from exfiltrating data from your company. You can put in DLP but it can be bypassed or tricked. You can do whatever you want; if someone wants to get data out they will, one way or another. It could be using a camera, printing the documents, memory, etc. What you need is proper security auditing combined with DLP protection and user education.

If someone is looking at data they should not be looking at you need to be able to detect that.

If someone is looking at data they have a right to look at, this is a trust thing then. You are at the mercy of that person's integrity. If they're looking at data they are allowed to be looking at but the scenario is suspect, you should be detecting that (for example someone looking up a friend's finances). Where is the inbound request for them to take that action?

If someone wants to photo/scan/manually record can you stop that? I can tell you how we stop that for some of our staff.

1. When they enter the building they are searched top to bottom. Even their clothes are checked.
2. Everything they carry is taken off them.
3. They are weighed very accurately on entry and exit.
4. They are never allowed in on their own.
5. The environment is extremely locked down (physically, network and application levels).
6. They are watched on camera as well as an on the floor supervisor who is monitoring.

We do this for some of our people in China. It costs a lot of money and is a painful and arduous process. It would still not stop them sitting down and over time memorising something to exfiltrate that data. So if one of these people was truly determined to memorise some data to get it out... what can you do? Unless it's 1984 and you have the thought police, nothing. The point is to dissuade people from taking data. I would say the best way to do this is to keep them happy and make them have a vested interest in your business. Someone who feels part of something is less likely to screw you.
LVL 90

Expert Comment

by: John Hurst
ID: 41754504
I would not do that to people and I would not enter any premises that did that.

To my point above, simpler to engage in Trust and to restrict documents "for your eyes only" to a restricted, trusted group of people.
LVL 53

Expert Comment

ID: 41754761
More than 2 cents to add:

Technical measures to solve the core question (stop downloads to removable devices) do exist. If you don't want to block removable devices completely, which is possible using GPOs, you can at least make sure that the data people copy to their USB devices can only be viewed on computers that belong to your domain. I wrote an article about this fairly unknown method. Please note that in order to take advantage of it, you'd need Windows 8.x or Windows 10, so you'd have to upgrade.
Please read A-new-aspect-to-securing-USB-data-SID-protectors
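The GPO approach mentioned in the comment above ("block removable devices completely") is implemented by the "Removable Storage Access" policies under Computer Configuration > Administrative Templates > System, which a domain GPO writes as registry values under HKLM\SOFTWARE\Policies. The following PowerShell script is an added example, not code from the thread or its author: it audits the resulting state on a machine (including the older StorageDevicePolicies write-protect switch), lists removable drives that are currently mounted, and can apply the local equivalent of "Removable Disks: Deny write access" for a standalone test box. Function names and the structure are this example's own; the registry paths, the removable-disk class GUID and the Deny_* value names are those the Microsoft ADMX templates use.

```powershell
# Added example: audit and optionally apply the local equivalent of the
# "Removable Disks: Deny write access" policy that a GPO would deploy.
# Run in an elevated PowerShell session (the policy hive is under HKLM).

# Device class GUID for "Removable Disks" in the Removable Storage Access
# policy set (USB sticks, external drives). Value names under this key:
# Deny_Read, Deny_Write, Deny_Execute (REG_DWORD, 1 = deny).
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"

# Older, non-Group-Policy knob: WriteProtect=1 here write-protects removable
# disks on XP SP2 and later. Checked so an audit does not miss a legacy setting.
$LegacyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-RemovableDiskPolicy {
    # Report what is currently enforced for the removable-disk class.
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $legacy = Get-ItemProperty -Path $LegacyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyKeyPresent   = (Test-Path $PolicyKey)
        DenyRead           = [bool]($policy.Deny_Read -eq 1)
        DenyWrite          = [bool]($policy.Deny_Write -eq 1)
        DenyExecute        = [bool]($policy.Deny_Execute -eq 1)
        LegacyWriteProtect = [bool]($legacy.WriteProtect -eq 1)
    }
}

function Get-MountedRemovableDrive {
    # DriveType 2 = removable disk. Win32_LogicalDisk works on Windows 7's
    # PowerShell 2.0, so no newer Storage cmdlets are required.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' |
        Select-Object DeviceID, VolumeName, FileSystem,
            @{Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 2) }}
}

function Set-RemovableDiskWriteDenied {
    # Apply (or with -Remove, clear) Deny_Write=1 for the removable-disk class.
    # On a domain member a GPO overwrites this at the next policy refresh, so
    # in production set it in the GPO rather than here.
    param([switch]$Remove)
    if ($Remove) {
        Remove-ItemProperty -Path $PolicyKey -Name 'Deny_Write' -ErrorAction SilentlyContinue
        return
    }
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'Deny_Write' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: audit first, then decide.
Write-Host '== Removable-disk policy state =='
Get-RemovableDiskPolicy | Format-List
Write-Host '== Removable drives currently mounted =='
Get-MountedRemovableDrive | Format-Table -AutoSize
# Uncomment on a standalone test machine to apply the write block locally:
# Set-RemovableDiskWriteDenied
```

Two caveats worth keeping in mind when relying on this policy: it governs the removable-disk class only, so phones connected as media devices fall under the separate "WPD Devices" entries of the same policy set and need their own deny values, and a newly applied setting is enforced when the policy is refreshed (gpupdate /force on a domain member) and the device is next connected. Pair the policy with event collection so that blocked write attempts and unexpected device connections show up in your audit trail, which is the detection side the other answers in this thread stress.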

Expert Comment

by: Senior IT System Engineer
ID: 41754808
Or you can use the Symantec Endpoint Network Access Control (SNAC).
LVL 53

Expert Comment

ID: 41763678
Only one solution was helpful? All helpful solutions should be honored.
