Implementing security for a "very secret document"

D

D-B

I want to protect a document on a computer by disabling any kind of copy. Is
it possible ( i want this document can't leave my domain) ?

And how can i disable insertion of a usb key on a computer (this computer is
a member of my domain) ?

Thanks for your response,

--
_____________________________
D-B
 
A

Alun Jones

"D-B" <DB@discussions.microsoft.com> wrote in message
news:8D57FA47-2547-489A-B1DA-57F1160E8874@microsoft.com...
>I want to protect a document on a computer by disabling any kind of copy.
>Is
> it possible ( i want this document can't leave my domain) ?

Deny read access to the document, and it will be completely impossible to
copy it [from the account(s) that have been denied read access, unless they
are administrators].

A slightly less robust solution is to set up Rights Management Services on a
server, and protect the document that way. The user can still photograph
their screen, take the monitor to a photocopier, etc.

> And how can i disable insertion of a usb key on a computer (this computer
> is
> a member of my domain) ?

You can glue up the USB ports, you can delete the USB drivers, or you can
check other Group Policy settings - Vista has a bunch of them, as I describe
in the Syngress book, "Microsoft Vista for IT Security Professionals", but
Windows XP doesn't. A good support article on disabling the USB drivers
through Group Policy in XP is at http://support.microsoft.com/kb/555324 -
but bear in mind that some USB keys may not necessarily use USBSTOR.SYS.

Once the file is on the computer, of course, there's always the possibility
that the malicious user will boot to another OS - either from CD / DVD, or
through a bootable USB drive (disabling USBSTOR.SYS only works inside the OS
that you control - booting to another OS is not prevented).

Alun.
~~~~
 
S

Steve Riley [MSFT]

Two comments inline.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Alun Jones" <alun@texis.invalid> wrote in message
news:eF9E60WHIHA.4584@TK2MSFTNGP03.phx.gbl...
> "D-B" <DB@discussions.microsoft.com> wrote in message
> news:8D57FA47-2547-489A-B1DA-57F1160E8874@microsoft.com...
>>I want to protect a document on a computer by disabling any kind of copy.
>>Is
>> it possible ( i want this document can't leave my domain) ?
>
> Deny read access to the document, and it will be completely impossible to
> copy it [from the account(s) that have been denied read access, unless
> they are administrators].

Yes, but this would prevent even reading (except for administrators, as you
mention). Presumably the document exists because _someone_ needs to read it.
If the document were never to be read by anyone, then the best security
option would be to delete the document!

> A slightly less robust solution is to set up Rights Management Services on
> a server, and protect the document that way. The user can still photograph
> their screen, take the monitor to a photocopier, etc.

>> And how can i disable insertion of a usb key on a computer (this computer
>> is
>> a member of my domain) ?
>
> You can glue up the USB ports, you can delete the USB drivers, or you can
> check other Group Policy settings - Vista has a bunch of them, as I
> describe in the Syngress book, "Microsoft Vista for IT Security
> Professionals", but Windows XP doesn't. A good support article on
> disabling the USB drivers through Group Policy in XP is at
> http://support.microsoft.com/kb/555324 - but bear in mind that some USB
> keys may not necessarily use USBSTOR.SYS.
>
> Once the file is on the computer, of course, there's always the
> possibility that the malicious user will boot to another OS - either from
> CD / DVD, or through a bootable USB drive (disabling USBSTOR.SYS only
> works inside the OS that you control - booting to another OS is not
> prevented).

D-B, it's very important that you spend a few moments considering what risks
you (think you can) mitigate by disabling USB ports. What is it that you're
worried about?
 
K

Kerry Brown

Print the document. Store the printout in a secure place. Delete the
document with a program that will overwrite the physical space it occupied
on the disk. Alternatively remove the computer from the network and install
it in a secure area.

There are other methods like encryption, DRM, etc. but if the document is
that sensitive then the only real solution is to have it in a secured area
with only those people allowed to see it able to get into the secured area.
If it's not really that sensitive then some combination of encryption, DRM,
and company policy with significant penalties for disobeying should be
enough.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca


"D-B" <DB@discussions.microsoft.com> wrote in message
news:8D57FA47-2547-489A-B1DA-57F1160E8874@microsoft.com...
>I want to protect a document on a computer by disabling any kind of copy.
>Is
> it possible ( i want this document can't leave my domain) ?
>
> And how can i disable insertion of a usb key on a computer (this computer
> is
> a member of my domain) ?
>
> Thanks for your response,
>
> --
> _____________________________
> D-B
 
A

Alun Jones

"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
news:O4R9vCzHIHA.3916@TK2MSFTNGP02.phx.gbl...
> "Alun Jones" <alun@texis.invalid> wrote in message
> news:eF9E60WHIHA.4584@TK2MSFTNGP03.phx.gbl...
>> "D-B" <DB@discussions.microsoft.com> wrote in message
>> news:8D57FA47-2547-489A-B1DA-57F1160E8874@microsoft.com...
>>>I want to protect a document on a computer by disabling any kind of copy.
>>>Is
>>> it possible ( i want this document can't leave my domain) ?
>>
>> Deny read access to the document, and it will be completely impossible to
>> copy it [from the account(s) that have been denied read access, unless
>> they are administrators].
>
> Yes, but this would prevent even reading (except for administrators, as
> you mention). Presumably the document exists because _someone_ needs to
> read it. If the document were never to be read by anyone, then the best
> security option would be to delete the document!

I guess I didn't swing my sledge-hammer hard enough. My post was more subtle
than I intended it to be.

The key here is that "prevent copying" requires an understanding that
"copying" consists of two operations:
1. Reading the data.
2. Writing the data.

Prevent either of these actions, and you have prevented copying.

You can only prevent actions on devices that you control.

If protecting against writing the data, then, you have to ensure that the
only writable media is that which is under your control. That means blocking
the attachment of foreign devices, prohibiting cameras, notepads, or users
with really good memories.

Protecting against reading, by comparison, is relatively simple.

Alun.
~~~~
 
S

Steve Riley [MSFT]

Inline.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Alun Jones" <alun@texis.invalid> wrote in message
news:OygA018HIHA.1212@TK2MSFTNGP05.phx.gbl...
> "Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
> news:O4R9vCzHIHA.3916@TK2MSFTNGP02.phx.gbl...
>> "Alun Jones" <alun@texis.invalid> wrote in message
>> news:eF9E60WHIHA.4584@TK2MSFTNGP03.phx.gbl...
>>> "D-B" <DB@discussions.microsoft.com> wrote in message
>>> news:8D57FA47-2547-489A-B1DA-57F1160E8874@microsoft.com...
>>>>I want to protect a document on a computer by disabling any kind of
>>>>copy. Is
>>>> it possible ( i want this document can't leave my domain) ?
>>>
>>> Deny read access to the document, and it will be completely impossible
>>> to copy it [from the account(s) that have been denied read access,
>>> unless they are administrators].
>>
>> Yes, but this would prevent even reading (except for administrators, as
>> you mention). Presumably the document exists because _someone_ needs to
>> read it. If the document were never to be read by anyone, then the best
>> security option would be to delete the document!
>
> I guess I didn't swing my sledge-hammer hard enough. My post was more
> subtle than I intended it to be.

Your swing was indeed an extremely subtle, barely noticeable delicate brush,
distinguished more by the air it moved than the impact it made. :)

> The key here is that "prevent copying" requires an understanding that
> "copying" consists of two operations:
> 1. Reading the data.
> 2. Writing the data.
>
> Prevent either of these actions, and you have prevented copying.
>
> You can only prevent actions on devices that you control.
>
> If protecting against writing the data, then, you have to ensure that the
> only writable media is that which is under your control. That means
> blocking the attachment of foreign devices, prohibiting cameras, notepads,
> or users with really good memories.
>
> Protecting against reading, by comparison, is relatively simple.

Kerry Brown, in another post, recommended printing the document, deleting
the file, and closely guarding access to the printed version. Elsewhere on
these groups we have discussed the merits of storing passwords on pieces of
paper. Perhaps 13th century technology
(http://en.wikipedia.org/wiki/Printing_press) isn't so useless as the
conventional wisdom seems to claim.
 
You must log in or register to reply here.

Similar threads

A
what she robbed from my document and what can do with my information. I had a lot of passwords in my laptop that was save. I cleared my cache but i do
Replies
0
Views
21
Aza Ahangarian
A
M
  • Article
Prioritizing security above all else
Replies
0
Views
76
Microsoft Corporate Blogs
M
T
Scan a document and catalogue
Replies
0
Views
46
T Ricci1
T
P
Reset computer without recovery key or microsoft ID
Replies
0
Views
27
Prayush Chotaliya
P
J
Error: The security database on the server does not have a computer account for this workstation trust relationship
Replies
0
Views
20
Justin Voo
J
Back
Top Bottom