Implementing security for a

Implementing security for a "very secret document"
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Applications Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
Implementing security for a "very secret document" D-B 11-02-2007
Posted by =?Utf-8?B?RC1C?= on November 2, 2007, 9:21 am
If you were  Registered and logged in, you could reply and use other advanced thread options
I want to protect a document on a computer by disabling any kind of copy. Is
it possible ( i want this document can't leave my domain) ?

And how can i disable insertion of a usb key on a computer (this computer is
a member of my domain) ?

Thanks for your response,

--
_____________________________
D-B

Posted by Alun Jones on November 2, 2007, 12:25 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
>I want to protect a document on a computer by disabling any kind of copy.
>Is
> it possible ( i want this document can't leave my domain) ?

Deny read access to the document, and it will be completely impossible to
copy it [from the account(s) that have been denied read access, unless they
are administrators].

A slightly less robust solution is to set up Rights Management Services on a
server, and protect the document that way. The user can still photograph
their screen, take the monitor to a photocopier, etc.

> And how can i disable insertion of a usb key on a computer (this computer
> is
> a member of my domain) ?

You can glue up the USB ports, you can delete the USB drivers, or you can
check other Group Policy settings - Vista has a bunch of them, as I describe
in the Syngress book, "Microsoft Vista for IT Security Professionals", but
Windows XP doesn't. A good support article on disabling the USB drivers
through Group Policy in XP is at http://support.microsoft.com/kb/555324 -
but bear in mind that some USB keys may not necessarily use USBSTOR.SYS.

Once the file is on the computer, of course, there's always the possibility
that the malicious user will boot to another OS - either from CD / DVD, or
through a bootable USB drive (disabling USBSTOR.SYS only works inside the OS
that you control - booting to another OS is not prevented).

Alun.
~~~~



Posted by Steve Riley [MSFT] on November 4, 2007, 5:18 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Two comments inline.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


>>I want to protect a document on a computer by disabling any kind of copy.
>>Is
>> it possible ( i want this document can't leave my domain) ?
>
> Deny read access to the document, and it will be completely impossible to
> copy it [from the account(s) that have been denied read access, unless
> they are administrators].

Yes, but this would prevent even reading (except for administrators, as you
mention). Presumably the document exists because _someone_ needs to read it.
If the document were never to be read by anyone, then the best security
option would be to delete the document!

> A slightly less robust solution is to set up Rights Management Services on
> a server, and protect the document that way. The user can still photograph
> their screen, take the monitor to a photocopier, etc.

>> And how can i disable insertion of a usb key on a computer (this computer
>> is
>> a member of my domain) ?
>
> You can glue up the USB ports, you can delete the USB drivers, or you can
> check other Group Policy settings - Vista has a bunch of them, as I
> describe in the Syngress book, "Microsoft Vista for IT Security
> Professionals", but Windows XP doesn't. A good support article on
> disabling the USB drivers through Group Policy in XP is at
> http://support.microsoft.com/kb/555324 - but bear in mind that some USB
> keys may not necessarily use USBSTOR.SYS.
>
> Once the file is on the computer, of course, there's always the
> possibility that the malicious user will boot to another OS - either from
> CD / DVD, or through a bootable USB drive (disabling USBSTOR.SYS only
> works inside the OS that you control - booting to another OS is not
> prevented).

D-B, it's very important that you spend a few moments considering what risks
you (think you can) mitigate by disabling USB ports. What is it that you're
worried about?



Posted by Alun Jones on November 5, 2007, 11:36 am
If you were  Registered and logged in, you could reply and use other advanced thread options
>>>I want to protect a document on a computer by disabling any kind of copy.
>>>Is
>>> it possible ( i want this document can't leave my domain) ?
>>
>> Deny read access to the document, and it will be completely impossible to
>> copy it [from the account(s) that have been denied read access, unless
>> they are administrators].
>
> Yes, but this would prevent even reading (except for administrators, as
> you mention). Presumably the document exists because _someone_ needs to
> read it. If the document were never to be read by anyone, then the best
> security option would be to delete the document!

I guess I didn't swing my sledge-hammer hard enough. My post was more subtle
than I intended it to be.

The key here is that "prevent copying" requires an understanding that
"copying" consists of two operations:
1. Reading the data.
2. Writing the data.

Prevent either of these actions, and you have prevented copying.

You can only prevent actions on devices that you control.

If protecting against writing the data, then, you have to ensure that the
only writable media is that which is under your control. That means blocking
the attachment of foreign devices, prohibiting cameras, notepads, or users
with really good memories.

Protecting against reading, by comparison, is relatively simple.

Alun.
~~~~



Posted by Steve Riley [MSFT] on November 5, 2007, 3:35 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Inline.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


>>>>I want to protect a document on a computer by disabling any kind of
>>>>copy. Is
>>>> it possible ( i want this document can't leave my domain) ?
>>>
>>> Deny read access to the document, and it will be completely impossible
>>> to copy it [from the account(s) that have been denied read access,
>>> unless they are administrators].
>>
>> Yes, but this would prevent even reading (except for administrators, as
>> you mention). Presumably the document exists because _someone_ needs to
>> read it. If the document were never to be read by anyone, then the best
>> security option would be to delete the document!
>
> I guess I didn't swing my sledge-hammer hard enough. My post was more
> subtle than I intended it to be.

Your swing was indeed an extremely subtle, barely noticeable delicate brush,
distinguished more by the air it moved than the impact it made. :)

> The key here is that "prevent copying" requires an understanding that
> "copying" consists of two operations:
> 1. Reading the data.
> 2. Writing the data.
>
> Prevent either of these actions, and you have prevented copying.
>
> You can only prevent actions on devices that you control.
>
> If protecting against writing the data, then, you have to ensure that the
> only writable media is that which is under your control. That means
> blocking the attachment of foreign devices, prohibiting cameras, notepads,
> or users with really good memories.
>
> Protecting against reading, by comparison, is relatively simple.

Kerry Brown, in another post, recommended printing the document, deleting
the file, and closely guarding access to the printed version. Elsewhere on
these groups we have discussed the merits of storing passwords on pieces of
paper. Perhaps 13th century technology
(http://en.wikipedia.org/wiki/Printing_press) isn't so useless as the
conventional wisdom seems to claim.




Similar ThreadsPosted
Security Document Handling February 9, 2006, 10:04 am
Secret Sector Backdoor / Security Breach October 21, 2007, 2:11 pm
Secret Sector Backdoor / Security Breach October 21, 2007, 2:11 pm
Implementing EFS April 1, 2008, 11:01 am
GetEffectivePermissions and Implementing DACL Inheritence August 26, 2005, 7:41 pm
still having problems after implementing the revised MS06-015 July 15, 2006, 6:35 am
Small error in "Best Practices for Implementing a MS W2003 PKI" June 30, 2005, 9:31 am
Re: Secret Windows In IE?? June 25, 2005, 2:05 am
MS document encryption June 13, 2005, 12:35 pm
A technical question for implementing CIS's Windows XP Professional Benchmark November 28, 2007, 4:37 pm

The site map in XML format XML site map

Contact Us | Privacy Policy