Active Directory
Uncle Seryozha, 2015-04-14 16:55:13

How to prevent copying of a file or its parts in AD?

Tell me how to simply prohibit copying a file, or text from a file, in AD without bells and whistles (without IRM, unauthorized-access protection tools, DLP ...). Exception: copying through screenshots.
Goal: Specific users can read the file, but cannot select text and copy it, nor can they copy the entire file.
Proposed solution (as far as my brains could manage):
The user enters the folder and launches a program that opens a "protected file" located in a subfolder inaccessible to the user, but accessible to the program.
In other words:
Folder "A" (access to it through the AD group - that is, we limit the circle of access).
// contents of the folder "A":
1) Program* that opens the file stored in the folder "Folder1"
2) The folder "Folder1", invisible to users (we restrict copying of the file)
// contents of the subfolder "A\Folder1":
2.1) The file "Protected file" (we limit the copying of text in the file)
Will this work at all? Or will the program not get access to the folder?
* a self-written program or script (not a problem)...
The program contains a static link to the file ("\Folder1\Protected file.txt"), i.e. the user can copy the file, but the path "\Folder1\Protected file.txt" will be invalid anywhere else.


7 answer(s)
t_q_l, 2015-04-15
@Protos

Write a program that will act as an image viewer and convert opened files into images in the background. An example is virtual printers that print documents as PDF, JPG, PNG files.
After viewing ends, obviously, the converted files need to be deleted.

Eugene, 2015-04-14
@yellowmew

As one option, you can offer thin clients - diskless stations, since you distrust your users that much. There simply will not be uncontrolled data output.
Remote OS boot with a terminal client (Thinstation, for example); all the necessary software runs on the terminal server.
Copying is not prohibited; however, all data can only be saved to a shared network folder or to roaming desktop/documents located on the same file server.
Security service staff have access to mail and file resources, and if anything happens they will hand out a telling-off.
IMHO, this is more logical than trying to implement the above.

Nikita, 2015-04-14
@Apologiz

The idea is certainly interesting, but for what purpose?
With the same success, you can make a copy-protected PDF file, but this is also not a perfect thing.
And what prevents the user from taking a screenshot?

mace-ftl, 2015-04-14
@mace-ftl

Program rights = user rights (domain) => you cannot make a folder that is visible to the user but not to the program launched by him (an exception is folders with listing disabled, perhaps).
Otherwise, just install an agent for the user that will block clipboard operations and the screenshot button.
P.S. A "read" operation = a "copy" operation, i.e. the task you have is to prohibit WRITING data to the clipboard.
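
The point of this answer (a program started by the user runs with that user's rights), shown as an added PowerShell example that is not part of the original thread: it builds a constructed copy of the "A\Folder1" layout under %TEMP%, denies the current user read access to Folder1, and checks whether a child process started by that user can open the file before and after the deny. The temp paths, the deny rule and the helper name Test-ViewerRead are assumptions made for the illustration.

```powershell
# Added example: constructed layout in a temp directory; all names are illustrative.
$root    = Join-Path $env:TEMP ('A_' + [guid]::NewGuid().ToString('N'))
$folder1 = Join-Path $root 'Folder1'
$file    = Join-Path $folder1 'Protected file.txt'
New-Item -ItemType Directory -Path $folder1 -Force | Out-Null
Set-Content -LiteralPath $file -Value 'constructed sample text'

function Test-ViewerRead {
    param([string]$Path)
    # Stand-in for the self-written viewer: a child process started by the current
    # user. -EncodedCommand avoids quoting problems with the space in the file name.
    $code = "try { Get-Content -LiteralPath '$Path' -ErrorAction Stop | Out-Null; exit 0 } catch { exit 5 }"
    $enc  = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($code))
    $p = Start-Process -FilePath powershell.exe -Wait -PassThru -WindowStyle Hidden `
            -ArgumentList '-NoProfile', '-EncodedCommand', $enc
    return ($p.ExitCode -eq 0)
}

$before = Test-ViewerRead -Path $file

# Hide Folder1 from the user: explicit deny of read/list, inherited by its files.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$deny = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $me, 'ReadData', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
$acl  = Get-Acl -LiteralPath $folder1
$acl.AddAccessRule($deny)
Set-Acl -LiteralPath $folder1 -AclObject $acl

try {
    # Same user, same access token: the child process is checked against the same ACL.
    $after = Test-ViewerRead -Path $file
    [pscustomobject]@{
        User                 = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        ViewerReadBeforeDeny = $before
        ViewerReadAfterDeny  = $after
    }
}
finally {
    # Remove the deny entry again so the temp directory can be deleted.
    $acl.RemoveAccessRule($deny) | Out-Null
    Set-Acl -LiteralPath $folder1 -AclObject $acl
    Remove-Item -LiteralPath $root -Recurse -Force
}
```

For the viewer to read a folder the user cannot, it would have to run under a different identity than the user, for example as a service or on a terminal server.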

Andrey Ermachenok, 2015-04-14
@eapeap

Exception copying through screenshots.

And what is the point of all this trouble if everything can be copied with screenshots?

tartarelin, 2015-04-14
@tartarelin

So far, I have done it like this: documents in the form of encrypted PDFs (copying and printing are prohibited) using a certificate that is installed on the computers.
The management decided that this was enough, given the average level of computer literacy of employees.

athacker, 2015-04-15
@athacker

Microsoft Windows Rights Management Services: https://social.technet.microsoft.com/Forums/en-US/...
