Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

stopping user from exporting the data 1

Status
Not open for further replies.
xmario2013

xmario2013

IS-IT--Management
Feb 1, 2004
285
US
Hi :
anybody know if there is any 3rd party utility will stop user from exporting sensitive data off the network ? for example before a person quit in the company he or she may copy stuff onto a disk (USB pen or CD RW drive is a killer these days), of course we will try to limit people use of those device by disable the USB port if they dont need to or dont give them CDR drives,

but if the user is persistent enough, as long as they have read permssion to some thing, they can even simply just do a screen shot to copy the document,

how about some measure so that is disable users from being able to easily run with large amonut of data easily
out of the building

anybody have experience of doing that ?
thanks
XM
 
Sort by date Sort by votes
if you really think about it....
every device known to man comes with a camera now adays.
your best bet is to lock everything down with permissions.
security background checks are a must for new employees.
there are a gazziliion ways to steal data off of a PC. all you need is physical access to it and a copy of NTFS DOS for windows on a floppy or bootable CD. by by data.
you can allso set up auditing for object access on the most critical of files just to see who is going there and when.
but nothing is a sure thing anymore.
good luck
AJ
 
Upvote 0 Downvote
disable the floppy / usb for a start, floppy in BIOS & maybe USB I don't think you can disable it with Group Policy's.

Most other security could be dione with policy's

Tezdread
"With every solution comes a new problem"
 
Upvote 0 Downvote
You'd also need to stop them emailing it to themselves. A gmail account could take a pretty good chunk of data.

I'm not sure you really can do this.
 
Upvote 0 Downvote
thin client and controlled email and network management(ie. IM, FTP detection) will solve most of the problem

can an encryption software like PGP do the trick ?
(ie. install the whole company with PGP software to decrypt but dont give them the private key or allow them to export the key) so whatever they finally able to email or copy out is useless without the company network to decrypt it,

but how about user using low-tech like a screen print or hard copy print and take it out of the building ?

Thanks
XM
 
Upvote 0 Downvote
Firms I've worked for have been auditted by banks on a number of occasions and these are roughly the things they want. If they are happy with this then they must be pretty close to total security.

Install cameras in all sensitive areas.

Disable portable mass storage devices :
Limit the size of emails that can be sent and use journaling to make a copy of every email sent/received.

Only allow internet browsing through a proxy server and prevent user's from uploading over any protocol. Only allow internet browsing by trusted users or users who really need. Possibly use exclusive browsing so that only approved sites can be viewed.

Implement ACL's and Auditting on any sensitive files/directories.

Ensure that your security policy and your employee responsibility policy is up-to-date, legal and understood & signed by each employee. Ensure the right to search any employee on ingress or egress is there in big letters!!!

Don't allow users to have personal mobile phones in areas where computers are active.

All printing to be done through a central area and the user's must collect them and sign for them. A copy of the print is also to be kept centrally. I always thought this was totally over the top.

Don't allow any external computing devices onto the network.

Use switches and disable DHCP - use port security on your switches so only an assigned MAC address can connect to it. Setup syslog alerting if the mac address changes on any port - big red light time!

In reality, thin client is the way to go for total security. No local drive mappings - even better - stick a nice locked down version of Linux on the desktop and launch a thin client on startup. Or use KNOPPIX and let everyone boot from CD!

As a last resort, lock the doors, don't let anyone in and don't turn on the computers ;-)
 
Upvote 0 Downvote
....In addition to above .. what about using key loggers SW
 
Upvote 0 Downvote
You can block USB access through group policies but you have to disable access to all local drives.

However, Map drives will still work to network shares but are hidden so applications will still work.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DrB0b
  • Locked
  • Question
Windows 2016 IIS FTP server with a ton of user accounts
Replies
4
Views
270
DrB0b
DrB0b
goombawaho
  • Locked
  • Question
Domain join from wifi connected laptop
Replies
4
Views
368
goombawaho
goombawaho
mangentle
  • Locked
  • Question
What are the key advantages of using Microsoft Windows Servers for businesses?
Replies
1
Views
383
gbaughma
gbaughma
DeepuM
  • Locked
  • Question
Web Response returned Web Exception : The underlying connection was closed error | Simphony & QS
Replies
0
Views
167
DeepuM
DeepuM
mangentle
  • Locked
  • Question
What could be the potential causes if a Microsoft Windows Server is experiencing slow network!
Replies
1
Views
394
gbaughma
gbaughma

Part and Inventory Search

Sponsor

Back
Top