Click here to get back home

Disallow File or Directory Copy
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Disallow File or Directory Copy bshort1023 10-15-2007
Posted by bshort1023 on October 15, 2007, 11:13 am
Please log in for more thread options
 I am trying to figure out how to prevent users from copying a file or
directory from the corporate network. The problem I have run into is
a user inadvertently copying a shared database to another location.
They now continue to use the wrong database and enter\modify data.
Once they realize something is wrong it takes some time to fix the
issue.

I am surprised that there is no security setting in Windows to
disallow copying of a directory or file. I was playing with the idea
of hiding the directory and creating another directory with shortcuts
only in it but that gets messy.

Has anyone else had a problem with this?

Thanks,

bshort1023


Posted by Steven L Umbach on October 15, 2007, 8:33 pm
Please log in for more thread options
 If a user has read access to the folder/file they can copy it to anywhere
they have write permission. Sounds like a training issue that needs to be
addressed. However if you can minimize the folders a user has write access
to you may help resolve the problem. If the users are local administrators
on their computer and/or on the computer with the database they can copy to
just about anywhere. So if they don't really need to be local administrators
that may be a good place to start solving the problem. Even regular users
however by default have the special permissions create folders and create
files to the drive/root folder of the computer but that can be changed if
that is what is happening.

Steve


>I am trying to figure out how to prevent users from copying a file or
> directory from the corporate network. The problem I have run into is
> a user inadvertently copying a shared database to another location.
> They now continue to use the wrong database and enter\modify data.
> Once they realize something is wrong it takes some time to fix the
> issue.
>
> I am surprised that there is no security setting in Windows to
> disallow copying of a directory or file. I was playing with the idea
> of hiding the directory and creating another directory with shortcuts
> only in it but that gets messy.
>
> Has anyone else had a problem with this?
>
> Thanks,
>
> bshort1023
>



Posted by DaveMo on October 16, 2007, 9:57 am
Please log in for more thread options
On Oct 15, 8:13 am, bshort1...@yahoo.com wrote:
> I am trying to figure out how to prevent users from copying a file or
> directory from the corporate network. The problem I have run into is
> a user inadvertently copying a shared database to another location.
> They now continue to use the wrong database and enter\modify data.
> Once they realize something is wrong it takes some time to fix the
> issue.
>
> I am surprised that there is no security setting in Windows to
> disallow copying of a directory or file. I was playing with the idea
> of hiding the directory and creating another directory with shortcuts
> only in it but that gets messy.
>
> Has anyone else had a problem with this?
>
> Thanks,
>
> bshort1023

Copying a file is really a combination of two actions. Reading the
file and then writing it somewhere else. While this sounds obvious,
your question was why isn't there a user permission in Windows to stop
a copy. The problem with trying to solve this is that the same rights
that are required to read the data are the same rights (neccessarily)
needed to read the file. You have to assume that the user has the
ability to write data somewhere, even if it is their local desktop or
My Documents folder. In reality you can't stop the read and you can't
stop the write - so you can't stop the copy operation by definition.

The real problem in the scenario you describe is that the user's have
complete and unrestrained access to the dataset and they know where it
lives. Client/Server or 3-tier application models solve the basic
problem by abstracting the data source behind a service which is
designed to offer up data as it is needed. This model allows you to do
more interesting things with access control and become much more
granular in how you allow access. In the most typical implementation,
the user wouldn't have any rights to the database at all, only some
service account does. This, IMO, is the best way to solve your
problem.

HTH,
Dave


Posted by John Fullbright on October 23, 2007, 1:28 pm
Please log in for more thread options
If you can read it, you can copy it. On thought though, have you looked at
any alternatives? Perhaps you could keep the user from writing the file to
specific locations. AV or quota management settings could be used to keep
the specific file off the local computer or home directory depending on what
you're using.

John

>I am trying to figure out how to prevent users from copying a file or
> directory from the corporate network. The problem I have run into is
> a user inadvertently copying a shared database to another location.
> They now continue to use the wrong database and enter\modify data.
> Once they realize something is wrong it takes some time to fix the
> issue.
>
> I am surprised that there is no security setting in Windows to
> disallow copying of a directory or file. I was playing with the idea
> of hiding the directory and creating another directory with shortcuts
> only in it but that gets messy.
>
> Has anyone else had a problem with this?
>
> Thanks,
>
> bshort1023
>



Similar ThreadsPosted
Naive question: how to copy security permissions of a given directory? November 10, 2007, 2:32 pm
File copy March 9, 2007, 10:29 am
Block file copy October 4, 2005, 10:10 am
File Copy Control March 20, 2006, 9:51 am
Share file, but dont allow copy May 15, 2006, 1:05 pm
File System / Directory Security August 17, 2007, 1:38 pm
Modify rights to single file in a directory with only list permiss September 21, 2006, 4:48 pm
Looking for best practices for setting up secure user home directory file structure October 6, 2006, 8:47 pm
GPO to disallow USB drives on workstations? August 7, 2007, 8:38 pm
Copy all ACLs from one folder to copy February 21, 2008, 2:46 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap