James Osborne

asked on

Need help protecting our data...

I have a customer who is wanting to ensure his staff can't take any data with them.  We can lock down USB devices (Thumb drives, Hard Drives, etc), but he's now concerned about them accessing things on the server and getting them off by using web mail clients (Yahoo, Gmail, Hotmail, AOL, etc) or file sharing sites (Dropbox, OneDrive, etc).  Short of blocking access to these sites (which would be a pain), is there any way to restrict their ability to steal his work?  And, if so, how difficult AND expensive would it be?

Failing that, is there some way of recording access so we can tell that John Doe accessed these 275 files today, and he was only supposed to be accessing 100 of them?

We're in a workgroup environment at the moment, switching to a Server 2016 AD domain.  All users are local admins on their workstations (Windows 7 and Windows 10).  A lot of the people in question will likely have to REMAIN local admins due to their software (AutoCAD, Quickbooks).

Please feel free to ask any questions for me to elaborate.
McKnife

You are entering a very broad topic and you should go about it very slowly and thoroughly.
Encrypting data so that it can be read only on company-connected machines is possible. This can be quickly googled; google AD RMS (AD Rights Management Services). However, it will be a pain to administer. Also, people could film their screen using smartphones while scrolling through the pages and so on - always a hole somewhere.

That said, restricting local administrators is pretty pointless. You should get rid of local admins - not needed for AutoCAD (we are using AutoCAD from version 2000-2018 without administrative permissions). We don't use QuickBooks, however.
noci

I think this is very hard to do.... To prevent uploading you effectively need to block internet access at large...
The better approach (IMHO) is to:

0) Be sure ALL users can be uniquely identified, no group users, no generic accounts etc.

1) Be sure that data is only accessible to the users that need to have access to the data... Use ACLs, databases with restrictions etc. etc.
I might get down to almost creating access per user on a file-by-file basis....

2) Be sure to log any access to any system object on any system involved in storing this stuff.
Best done in a separate log server that only accepts log data from the other servers.
(Local logs could possibly be forged.)
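As an added example (not from any post in this thread) of the per-user access logging the asker wants and noci describes in point 2: enable Windows file-system auditing, put an audit rule (SACL) on the shared folder, and summarise how many distinct files each user opened today from Security event 4663. The folder path is a placeholder; run it elevated on the file server.

```powershell
# Added example, not from this thread. Placeholder folder path; run as administrator on the file server.

# 1. Turn on the "File System" object-access audit subcategory (success and failure).
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry so every file read under the folder is written to the Security log.
$folder  = 'D:\Projects'   # placeholder: the share the staff work in
$acl     = Get-Acl -Path $folder -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]::ReadData
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success,Failure'
$rule    = [System.Security.AccessControl.FileSystemAuditRule]::new('Everyone', $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Event 4663 = "an attempt was made to access an object". Count distinct files per user since midnight.
$since  = (Get-Date).Date
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue

$events |
    ForEach-Object {
        # Pull the named fields out of the event XML (SubjectUserName, ObjectName, ...).
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ User = $d['SubjectUserName']; File = $d['ObjectName'] }
    } |
    Where-Object { $_.File -like "$folder\*" } |
    Group-Object User |
    ForEach-Object {
        [pscustomobject]@{
            User  = $_.Name
            Files = ($_.Group.File | Sort-Object -Unique).Count   # distinct files, not handle opens
        }
    } |
    Sort-Object Files -Descending |
    Format-Table -AutoSize
```

The report only shows what was opened, not what the user was entitled to open, so the "supposed to access 100" comparison still needs the ACL design from point 1. Forward the Security log to a separate collector, as noci suggests, so a local admin cannot clear it.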
ASKER CERTIFIED SOLUTION
John

You need Intune Windows Information Protection (WIP) + Azure Information Protection (Azure RMS) + Intune.
In short, you need the EMS E5 suite to achieve your goal.
"1) be sure that data is only accessible to the users that need to have access to the data... Use ACLs, Databases with restrictions etc. etc. I might get down to almost create access per user on file by file basis...."
For this, I script out the whole file server structure with my FSMainFolder tool which automatically does correct permissions etc.
https://www.experts-exchange.com/articles/32349/FSMainFolder-Files-Server-Structure-Automation-Tool.html

There is a second part of the tool that removes these delegation groups when the folders are removed.
I would just put out a policy for staff. If they violate that policy there will be consequences. You will never be able to stop everything; this seems more like a management issue, not an IT issue.
Agree. You and I are both on the same page here. Privacy agreements are critical
From an enforcement standpoint, policy with leadership backing is absolutely essential. From a technical standpoint, it's a very wide net to cast, which could even include various types of DLP technologies. This is a VERY complex road to go down.

As you're thinking about all of this, how are you going to enforce this for any cloud services?

You can look at products such as those from Varonis (they offer an entire data security platform), but there are a number of vendors' products that do this.
I'd recommend getting rid of the local Admins as well

You don't need admin rights to run Quick Books and as McKnife stated you don't (or shouldn't) need it to run AutoCAD
Agree that you do not need admin rights to run Quick Books and Auto CAD, but you do need an admin person somewhere in the organization to update these and other applications.
There are actually some features in AutoCAD that forced the issue of local admin rights. However, you should check with Autodesk to see what the rights truly needed are. If you push hard enough they may tell you.. but sometimes it may be in the documentation as well.

(I fought with a software vendor over this topic recently, and they finally chose to reveal that rights over one folder was what was truly needed. A different vendor, I ended up finding out in their documentation that only a few extra rights were needed for a service account instead of domain admin rights)
You do need an admin person somewhere in the organization

Agreed, however try to limit who knows the password (Designated Admin, Owner, Support Staff, etc) and setup a policy where the password is changed at least every 4 - 6 months

ASKER

Thanks for all the comments so far.  I'm going to look into some of these suggestions today.  

As far as the local admins, that's just what's there currently...Windows 7/10 workstations with everyone a local admin, on a Workgroup (though it is Server 2008).  I'm trying to get them to deploy a new Server 2016 with full AD, and get most folks to the user role.  I tried on both AutoCAD and QuickBooks and neither liked it as a user.  AutoCAD is a variety of versions (2013 or 2014 on forward), and QuickBooks is the Enterprise Contractor edition.  There were odd issues with posting checks and Intuit indicated that everyone had to be a local admin.

Thanks for the info so far!  I'll let you know what I figure out.  

(I suspect this is 'pie in the sky' stuff from the owner and he'll balk when I tell him how complicated and/or expensive it's going to be.)
"I tried on both AutoCAD and QuickBooks and neither liked it as a user.  AutoCAD is a variety of versions (2013 or 2014 on forward), and QuickBooks is the Enterprise Contractor edition.  There were odd issues with posting checks and Intuit indicated that everyone had to be a local admin."
Contact the vendors. If you're persistent enough, you may get the real access required. More often than not, you don't 100% require admin rights.

The most extreme solution I've seen is an owner of a plumbing company block all machines from the internet except for his own. So yes, this naturally meant that they couldn't email either.
We used all AutoCAD versions and I can assure you that 2013/14/15/16/17/18 run without admin need out of the box. Do you have anything installed that builds a bridge to another product (an add-in in AutoCAD), maybe?
Don't use ADMIN.... use Admin_Joe, Admin_John, Admin_Jane... and those users have their regular accounts as well for all non-admin tasks (mail, internet research etc. etc.)...  User_Joe, User_John, User_Jane...
"I'll let you know what I figure out. " - please do that, now :-)
One of my previous clients had used AutoCAD R14 to AutoCAD 2000 / 2004 versions on domain-joined machines (Windows XP at that time), and if I recollect, I never gave admin rights to those draftsmen to run the AutoCAD application.