Best way to restrict saving documents locally

Abraham Deutsch
Abraham Deutsch used Ask the Experts™
on
I set up a computer “not domain joined” “windows 10 home (does not have local GP)” for a remote employee, she will connect with remote desktop to the office, I restricted saving any documents locally.
The way I did it, I removed the users write permission from document/desktop/pictures/music. In addition, took ownership so the user cannot change the permission.
Any other quicker or more efficient way to accomplish the above?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Mike SchrockIT Operations Manager

Commented:
Could always Deep Freeze/clean slate it as well, teaches some hard lessons at first however long run tends to gets rid of headaches.
You cannot safely prevent that. the user will always be able to write to places you did not think of, remote devices. And places you cannot removd access without breaking stuff : tmp dirs for example.

It seems easier to provide her with a remote desktop on a machine hosted on premices
Abraham DeutschIT professional
Top Expert 2016

Author

Commented:
It seems easier to provide her with a remote desktop on a machine hosted on premise

This is how I set it up, all the restrictions I did is on the client laptop (that is used to make the connection the the PC in the office)
Expert Spotlight: Joe Anderson (DatabaseMX)

We’ve posted a new Expert Spotlight!  Joe Anderson (DatabaseMX) has been on Experts Exchange since 2006. Learn more about this database architect, guitar aficionado, and Microsoft MVP.

sorry, i missed the obvious

short answer is you can't

longer answer

- you can forbid file transfers, shared clipboards, and printing on the client side in the server's config ( i assume you already did that )

- you can provide a client hardened operating system ( possibly virtualised ) that will not allow it's user to do anything besides using the remote desktop. that's a bit of work and requires to setup an additional trust mechanism so you can both check the hardened host is being used and the client knows the password.

- whatever you attempt, you cannot prevent a user to record their screen using a hand camera.
Abraham DeutschIT professional
Top Expert 2016

Author

Commented:
Thank you
sorry i cannot come with an actual solution to your problem.

if you need tips on setting up a hardened host, i'll be happy to oblige. this should actually be relatively easy using a minimal distro such as alpine, or possibly an in-ram distro like slitaz, openvpn/sshtunnel to guarantee only said host can access the server, xorg with no config file, and rdesktop started full screen without a desktop or window manager.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial