secure a file - view but not copy


23 replies to this topic

#1 Reb0ot

Reb0ot

    Neowinian

  • Joined: 15-July 08
  • Location: London
  • Phone: iphone 5

Posted 28 February 2014 - 11:19

Hi guys and girls,

 

I hope this is the right section to post this question.

 

Is it possible to secure a file, such as an Access database, where you could have a master account that is able to have full rights of the file as well as a slave account that is only able to view content on it? As well as locking the file from being copied (file copy, save as, copy content within the file, export, etc.)?

 

I know the user would be able to do screenshots though, but we can ignore this as I imagine this would be a tricky way of blocking access to this.

 

I hope someone knows of a solution.

 

I was looking at Folder Lock, which is able to encrypt files and has a master account active on it to unlock files, but it's a shame that it doesn't have a slave account to just lock users from copying things.




#2 Torolol

Torolol

  • Joined: 24-November 12

Posted 28 February 2014 - 11:41

No, if you can view it, that means you can read it, and the program that reads it stores the information that was read into memory/RAM, so to copy it, it is just a matter of writing what was in RAM to another storage location.



#3 OP Reb0ot

Reb0ot

    Neowinian

  • Joined: 15-July 08
  • Location: London
  • Phone: iphone 5

Posted 28 February 2014 - 12:11

Yeah, that's what I have in mind, but surely there must be a way to secure things.

 

How do banks control their databases from members of staff stealing their data?

Same applies to other corporations?



#4 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 85
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 28 February 2014 - 12:16

"How do banks control their databases from members of staff stealing their data?"
 
They hire staff that they trust, but there have been many cases of staff stealing info. If I can view it, what keeps me from taking a picture of it on the screen with my phone, say?
 
You can set permissions in say a pdf that you can not print, save or copy from it etc.

 

securedpdf.png

 

See how print and save are grayed out - but I can still take a screenshot of the page in the PDF and then print that or save that ;) Or let's say that sort of feature is disabled on the terminal - who says I can not whip out my phone and take a picture of the info?
 
http://www.wfmz.com/...hr/-/index.html
READING, Pa. - A former bank employee was arrested Wednesday on charges she stole and sold the identities of bank customers.



#5 OP Reb0ot

Reb0ot

    Neowinian

  • Joined: 15-July 08
  • Location: London
  • Phone: iphone 5

Posted 28 February 2014 - 14:13

Absolutely true, BudMan. I know re the screenshot/printscreen functionality, which one can disable with a lock key anyways, so not too worried about this key.

The photograph through a phone would be a problem indeed.

 

But if we concentrate only on software content locking, like the way the PDF is locked, and even though there are apps to crack the passwords of such files, I am looking for a way to secure an Access database.

 

So not sure if maybe it's best to import the data in a CRM and make sure the CRM encrypts the visible data and uses JavaScript to disable right clicks and pressing of keys such as Ctrl.



#6 OP Reb0ot

Reb0ot

    Neowinian

  • Joined: 15-July 08
  • Location: London
  • Phone: iphone 5

Posted 28 February 2014 - 14:42

http://www.door2wind...-files-folders/

 

seems to lock keys



#7 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 23
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 28 February 2014 - 15:13

How do banks do it? They don't give access to the local computer. How I did it was remove access to USB and local drives through group policy. There was no access to right click, command prompt, or any other utilities that would give them access. Even the network drives were locked down where they could not delete but they could copy.

#8 +Nik L

Nik L

    Where's my pants?

  • Tech Issues Solved: 2
  • Joined: 14-January 03

Posted 28 February 2014 - 15:19

And so you lock out the print screen button.  There are many more ways to grab a screenshot.



#9 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 23
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 28 February 2014 - 15:25

What would they copy it to? Any manipulation software was denied access to. Can't email, can't put it in Paint, can't USB it. Great, it's in the computer memory, can't get it out. They would have to physically take pictures of the screen.

#10 +DonC

DonC

    Neowinian

  • Joined: 16-August 07
  • Location: England

Posted 28 February 2014 - 15:33

If you recorded with a GoPro or similar you could catch the information scrolling past quite quickly I should think. I think James Kingston used a chest mounted GoPro for one of his runs at least.

#11 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 23
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 28 February 2014 - 15:43

That would work and could open you up to a lawsuit.

My job was to secure the machine from being able to copy to anywhere but the intended location. How they handle other proposed issues was not my concern.

#12 OP Reb0ot

Reb0ot

    Neowinian

  • Joined: 15-July 08
  • Location: London
  • Phone: iphone 5

Posted 28 February 2014 - 16:01

If the computers are not in an AD network, would this be possible through local computer policies?



#13 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 23
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 28 February 2014 - 16:06

I can't think of how. I will need some time to ponder.

#14 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 85
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 28 February 2014 - 16:07

sc302 makes some valid points about preventing access to other media on the local machine they are using to prevent copy to portable media they can walk out with, etc.

 

There is nothing built into NTFS permissions that can prevent copy - if you allow read, now you can prevent writing data in locations - so where does the user copy it to is one method of mitigation.

 

Now Access has some features that can prevent copy of the database

http://office.micros...P005188226.aspx

 

Need to look into that on your own, I have not had anything to do with Access for years and years and years. It's not really an enterprise sort of solution, great for small SMB or something. Normally you would limit the access user has, and prevent access to it all at once. Users limited to specific form that gives them say limited access to only the aspect of the data they need, in small chunks, etc. Common security practice of least privilege - show the user only the data they need access to perform their function.



#15 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 23
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 28 February 2014 - 16:47

It is easier with AD because you can lock out the individual PC and what the individual user has access to as far as programs go and have a storage location that would give them access to be able to read or read/write to. With everything self contained on a PC it is a bit hard to lock out the hard drive. You could still lock out the USBs and CD/DVD drive to prevent copy to, but it is a bit harder to lock out the rest of the computer as you need it to save to and you need storage locations.

 

We could even lock it down to the point that when you logon it runs a specific application and you have no access to the windows gui at all other than ctrl/alt/del menu for shutdown access and change password access. If the application needs access to see the folders on the c drive, denying access to the c drive in explorer would be useless.

 

How I would do it with AD GPO is give a specific user group that would need limited access a desktop and startup folder redirection to a read only folder with the icons I wanted them to access.  I would also disallow access to the c drive in explorer, disable task manager, disable run, and disable the command prompt.  I could put an icon that points to a script to shutdown the computer, or give the user ctrl alt del rights to shut down the computer. 

 

If the computer only needed to access one specific program, say either Microsoft Terminal Services Client or the Citrix ICA client, I would change the shell=explorer.exe to shell=mstsc.exe or shell=ica32t.exe, which would bring up the application... if needed I created a script to call the executable after it was closed so that it would be in an endless loop if a user accidentally closed out of the application. The only way to shut down the computer in this case would be to ctrl alt del and shutdown the computer or hit the power button to shut down the computer.
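
Added example, not part of the original thread or any poster's own script: one way to apply the restrictions listed in post #15 on a standalone PC (the case asked about in post #12) by writing the policy registry values that the corresponding Group Policy settings use. The account name `kioskuser` and the helper `Set-PolicyValue` are assumptions made for illustration.

```powershell
# Added example, not from the thread. Run elevated on a standalone PC while the
# restricted account's hive is loaded (account logged on, or NTUSER.DAT mounted).
param(
    [string]$UserName = 'kioskuser',  # hypothetical local account name
    [string]$Shell    = 'mstsc.exe'   # replacement shell mentioned in the post
)

# Resolve the account to its SID so we can write into its HKEY_USERS hive.
$account = New-Object System.Security.Principal.NTAccount($UserName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$root    = "Registry::HKEY_USERS\$sid"
if (-not (Test-Path $root)) { throw "Registry hive for $UserName is not loaded." }

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = "$root\$Key"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
    # Read back so a failed write is visible in the output table.
    [pscustomobject]@{ Name = $Name; Value = (Get-ItemProperty -Path $path -Name $Name).$Name }
}

$explorer = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'

$applied = @(
    Set-PolicyValue $explorer 'NoViewOnDrive' 4    # bitmask: A=1, B=2, C=4
    Set-PolicyValue $explorer 'NoRun' 1            # remove Run from the Start menu
    Set-PolicyValue $system 'DisableTaskMgr' 1     # block Task Manager
    # 2 = block cmd.exe but still let batch files run (e.g. a shutdown script).
    Set-PolicyValue 'Software\Policies\Microsoft\Windows\System' 'DisableCMD' 2
    # "Custom User Interface" policy: this program starts instead of explorer.exe.
    Set-PolicyValue $system 'Shell' $Shell 'String'
)

# Machine-wide: stop the USB mass-storage driver from loading (4 = disabled).
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
if (Test-Path $usbstor) { Set-ItemProperty -Path $usbstor -Name Start -Value 4 }

$applied | Format-Table -AutoSize
```

These values restrict Explorer and the built-in tools only; they do not change the NTFS point made in post #14, so any program that can read the file can still write it wherever the account has write permission.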




