angel_rc Just Arrived
Joined: 20 Feb 2007 Posts: 0
Posted: Tue Feb 20, 2007 8:11 pm Post subject: help: need recommendation for security software
Hi everyone, I'm new to security software so I was hoping you could help me: I need a program to keep my files in my computers, I mean, I need something that allows file sharing between my LAN and modify them normally for use in the office, but prevent anybody from extracting anything, prevent files from being saved to USB drives, copied to CD/DVD, floppy, uploaded to a mail server, etc... Basically I need people to work with my files but prohibit them from taking them home because I have a designing company. Does such software exist? And am I posting in the right forum? Thanks in advance
P.S.: pardon my bad English, I'm from Peru
--------------------------------------------------------------------------------------
Angel Reyes Cañas
Dan.M Trusted SF Member
Joined: 14 Feb 2007 Posts: 0 Location: Jacksonville, FL USA
Posted: Fri Feb 23, 2007 11:11 pm Post subject:
I seriously doubt you could do all that with Windows. Are all of these machines XP on a 2003 Server AD domain? You can lock down a lot of stuff, but there are still workarounds.
What kind of files are we talking about? Microsoft Office? The new Office 2007 server gives you the level of control that you want, but the users would only be able to work with the files when they're in the office and they'd have to use Office 2007. You'd also need the above mentioned setup where all the machines were strictly locked down.
Also, you want to make sure that all the machines are using hard drive encryption (so they can't just walk out with a machine and use it at home) such as EFS (built into Windows). Even under this setup, a very sophisticated thief could do a bit-by-bit copy of their hard drive while at the office (using something like Knoppix) then grab the encryption hash being sent back and forth over the network and then use it to decrypt the hard drive when they get home.
In short: To do what you want in Windows you,
- Really need to know what you're doing.
- Need to spend a ton of money (likely over $100k).
- Need to lock down your computers to the point where it will cut into productivity.
- Freely admit that you absolutely do not trust your users (hurts morale).
It is also possible to do all of this in Linux, but you'd run into all the same problems with the exception of the weak encryption and the cost (only pay for labor).
In Linux, there are many ways to accomplish what you want, but here's how I'd do it...
- First, encrypt their home partition with a key that is accessed over the network only if they login successfully (preferably via ssh so it can't be intercepted).
- Lock down the system's HAL configuration so that users other than root can't mount anything.
- Deny users Internet access altogether (don't want them copying and pasting into a browser).
- Use a kernel patched with GRSecurity and PAX to really harden the system. This will allow you to prevent users from running applications in their home directories and also from running applications that listen on the network for connections.
- Lock down their access to GUI functions with either KDE's or Gnome's kiosk tools (they give you more granular control than Windows). You have to prevent them from running anything other than approved applications (especially the command prompt and the run command).
That's pretty much it. Under that config the users will essentially be limited to what applications you provide to them and they won't be able to copy things to disk, to the Internet, or to share files across the network (so they could bring in a PC and copy the files to that). They also won't be able to copy the hard drive (it would be futile without the encryption key) or take the machine home and access it there (since they can't login *or* get the encryption key over the network).
I sure wouldn't want to work at a place that does this though!
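An added example, not part of the original post: a small audit of two conditions from the Linux list above (non-root users cannot mount devices, and nothing runs from the home partition). It assumes these are enforced through fstab mount options (`user`/`users`/`owner` and `noexec`) rather than the HAL policy and grsecurity settings the post names; the sample fstab and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: mount options stand in here for the HAL and grsecurity
# controls named in the post. Function names are hypothetical.

# Constructed sample fstab (not taken from the thread).
sample_fstab() {
cat <<'EOF'
# <device>           <mount>       <type>   <options>               <dump> <pass>
/dev/mapper/home     /home         ext3     defaults,nosuid,nodev   0 2
/dev/sda1            /             ext3     defaults                0 1
/dev/sdb1            /media/usb    vfat     noauto,user,rw          0 0
/dev/cdrom           /media/cdrom  iso9660  noauto,users,ro         0 0
/dev/mapper/scratch  /scratch      ext3     defaults,noexec,nouser  0 2
EOF
}

# audit_fstab [FILE]: read fstab-format text (stdin if no FILE) and print
# one finding per line. No output means both conditions hold.
audit_fstab() {
    awk '
    /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
    NF < 4         { next }     # skip entries without an options field
    {
        n = split($4, opt, ",")
        user_mount = 0
        noexec = 0
        for (i = 1; i <= n; i++) {
            # user, users and owner let a non-root account mount the device
            if (opt[i] == "user" || opt[i] == "users" || opt[i] == "owner")
                user_mount = 1
            if (opt[i] == "noexec")
                noexec = 1
        }
        if (user_mount)
            print "USER-MOUNTABLE " $2 " (" $1 ")"
        # /home and anything mounted below it must carry noexec
        if (($2 == "/home" || index($2, "/home/") == 1) && !noexec)
            print "EXEC-ALLOWED " $2 " (" $1 ")"
    }' "$@"
}

# Run against the constructed sample; use audit_fstab /etc/fstab on a real host.
sample_fstab | audit_fstab
```

The check only reads static configuration, so it reports what fstab permits, not what is currently mounted.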
angel_rc Just Arrived
Joined: 20 Feb 2007 Posts: 0
Posted: Mon Feb 26, 2007 6:15 am Post subject: wow, thanks
Wow, that seems like a lot of stuff. I seriously don't think someone in my office is going to take my CPU, that's pretty extreme. I was more thinking of a simple password-based program which prevented files (Word XP, Excel XP, PPT XP, PDF, AutoCAD, etc.) from being extracted from my PCs... Well, 100K is a bit out of my budget so I hope I find a simple/cheap solution. Thanks for your help anyway and for informing me about the subject.
Dan.M Trusted SF Member
Joined: 14 Feb 2007 Posts: 0 Location: Jacksonville, FL USA
Posted: Mon Feb 26, 2007 4:10 pm Post subject:
After reading my post again I realized I should have been more specific about Microsoft's Office Server... What you'd need is Microsoft Office SharePoint Server 2007 + Microsoft Office 2007 (for all your employees) + Microsoft Active Directory along with all of their prerequisites.
If you add it all up, it gets very expensive.