Best Windows Integrity Mechanism design?


I'm looking for a a good solution for file security. We have a single file server with several shares for different departments. These contents cannot "cross contaminate". So, Share A's contents cannot be in Share B, even though some personnel will have permissions to both. What's the best approach to tighten access to this level?

Michael LPr. SysadminAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You have users that may write to multiple shares and you want to prevent that they copy content between shares? That is not possible.
Michael LPr. SysadminAuthor Commented:
Correct, and I was afraid of that. Is there not even some third party system that can enable this? If not, what's some good tracking/auditing solution to monitor this at s higher level for not technical folks like management or IA?
With windows' internals, you would only be able to track writes to shares in general - not file copying or moving from share A to share B.
It could be that there are tracking Softwares specializing in this - let's see if others know some, I don't.
SolarWinds® VoIP and Network Quality Manager(VNQM)

WAN and VoIP monitoring tools that can help with troubleshooting via an intuitive web interface. Review quality of service data, including jitter, latency, packet loss, and MOS. Troubleshoot call performance and correlate call issues with WAN performance for Cisco and Avaya calls

slightwv (䄆 Netminder) Commented:
Even if you could prevent a direct copy from shareA to shareB, I just copy from shareA to localD then to shareB.
Michael LPr. SysadminAuthor Commented:
It's better than nothing. Any means to mitigate accidental contamination. Could also be false security, though...  Does something like NetApp have that granular capability?
It's not better than nothing, in my opinion. slightwv / Netminder's example with local copy shows, that the guarding software cannot possibly know the way the data took and thus, offers no protection.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
slightwv (䄆 Netminder) Commented:
You can probably write a powershell or similar script to compare file names between the shares if that helps?

The problem you have is if file names can be the same between them.  Even if you compare current files in a share with a shadow copy to look for "changes", how will you determine the source of the change?

I suppose if there are filenames the same, you can then diff the files named the same across the shares?

Can't prevent it but there may be ways to audit for it after it happens.  If you have shadow copies, you should be able to retrieve the "good" one when you find a common file.
Michael LPr. SysadminAuthor Commented:
This is a lot to consider and I appreciate the help. It may have been a Hail Mary expecting to find a simple solution for this. I might need a different approach with multiple user logins, but man that'd tick them off.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016

From novice to tech pro — start learning today.