Security Basics mailing list archives

Re: Deny access to copy files


From: "Shreyas Zare" <shreyas () technitium com>
Date: Mon, 23 Jun 2008 22:23:49 +0530

Hi,

It would be great if you point to some reference for this. Thanks in advance.

Regards

On Mon, Jun 23, 2008 at 10:21 PM, Michael P. Carter
<mcarter () electracash com> wrote:
Do your research more deeply.

Michael P. Carter
Network Manager
mcarter () electracash com
562-498-6888


-----Original Message-----
From: Shreyas Zare [mailto:shreyas () technitium com]
Sent: Monday, June 23, 2008 9:50 AM
To: Michael P. Carter; security-basics () securityfocus com
Subject: Re: Deny access to copy files

Hi,

I don't think software uses a copy method to do Save As. Once a program
opens a file and reads data into a buffer, it's free to write that
buffer anywhere it has access to. No need to use system copy
functions.

Regards,

On Mon, Jun 23, 2008 at 9:58 PM, Michael P. Carter
<mcarter () electracash com> wrote:

Not so - any user denied permission to COPY will inherently be denied
permission to Save As (that's a simple copy operation to a new
location).

Michael P. Carter
Network Manager
mcarter () electracash com
562-498-6888


-----Original Message-----
From: Shreyas Zare [mailto:shreyas () technitium com]
Sent: Friday, June 20, 2008 2:31 AM
To: Michael P. Carter
Cc: Atif Azim; GSO GSO; James Finnican; Kevin Ortloff; Ahmed Khalid;
focus-ms () securityfocus com; security-basics () lists securityfocus com
Subject: Re: Deny access to copy files

Hi,

Even if you have a special COPY permission in NTFS, any user with READ
access will open the file and just use Save As to save it anywhere, or
just write a small piece of code, possible in any programming language,
to read the file and write a new file. So the COPY thing is useless; MS
is intelligent enough.

Regards,

On Fri, Jun 20, 2008 at 12:39 AM, Michael P. Carter
<mcarter () electracash com> wrote:

Also, the NTFS permission READ will allow anyone with that permission
to also copy (the EXECUTE part allows them to launch the appropriate
program to open the file), so the Windows permissions don't meet your
security needs (it's something that we've been harassing Microsoft
about for more than a decade - separate permissions for READ and COPY).

Michael P. Carter
Network Manager
mcarter () electracash com
562-498-6888

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Atif Azim
Sent: Wednesday, June 18, 2008 11:44 PM
To: GSO GSO
Cc: James Finnican; Kevin Ortloff; Ahmed Khalid;
focus-ms () securityfocus com; security-basics () lists securityfocus com
Subject: Re: Deny access to copy files

Indeed a technical control is not the only thing you should be looking
forward to in such a scenario. First, you need to set your policies
straight and results for non-compliance leading to consequences for
leaking intellectual property. When looking forward to technical
controls, check out McAfee Data Loss Prevention (DLP). It addresses
issues related to source code leakage as well. Go to

http://www.mcafee.com/us/enterprise/products/data_loss_prevention/data_loss_prevention.html

and also see the flash demo at

http://www.mcafee.com/us/local_content/demos/dlp_technical_demo/dlp_flash_demo.html

Regards,
Atif Azim






On Wed, Jun 18, 2008 at 1:16 AM, GSO GSO <gso.gsecur () gmail com> wrote:
DeviceLock is a great program. Besides the very granular permission
levels, I also like the fact I can create temporary access codes.
So if an individual needs access to a USB device for an hour or even
a month, I can give it to them.

B

http://GovernmentSecurity.org

On Tue, Jun 17, 2008 at 2:43 PM, James Finnican <jfinnica () bebe com> wrote:
DeviceLock and, disable access to the internet with exception to
accepted resources, Wiki's subscribed sites. You can do this from IE
directly or, configure it at the firewall if it allows.

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Kevin Ortloff
Sent: Friday, June 13, 2008 9:31 AM
To: Ahmed Khalid; focus-ms () securityfocus com
Cc: security-basics () lists securityfocus com
Subject: RE: Deny access to copy files

If you don't mind spending 2-3 thousand, there is a good product
called 'DeviceLock'. This is a global policy enforcer that will
restrict activities on USB, External Storage, etc. You can be very
specific too, like only a certain kind of thumb drive can be used by a
particular individual (this allows you to control who has the ability
to even use an approved drive). Or, maybe you only want read, but no
write. You can do that too.

Anyway, hope that helps. I'm sure there are other apps that can do
this. I liked DeviceLock when I did my evals.



-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Ahmed Khalid
Sent: Sunday, June 01, 2008 11:20 AM
To: focus-ms () securityfocus com
Cc: security-basics () lists securityfocus com
Subject: Deny access to copy files

I am working for a software house, they are developing a software
product and their requirement is to restrict programmers from taking
the code out of office premises due to company policy. I am trying to
configure a Windows based machine which denies access to copy files to
external storage devices connected to USB. There is an NTFS permission
"Read + Execute"; I guess this could do the work, but is there any
other way to do it?

They also don't need programmers to take the code with them in their
email. I can restrict SMTP and POP ports, but when it comes to web
based emails I am clueless. How can I restrict web based emails like
hotmail, gmail, yahoo? There are so many of these, and if I somehow
manage to block all web based email sites someone can write a script
to send emails; if not a script, HTTP tunneling would bypass any
checks and bounds defined by my proxy/gateway machine. How can I block
such a thing?

Any help would be highly appreciated.

Regards,
Ahmed Khalid








--
Security/Hacking Paper Contest Win $100
http://GovernmentSecurity.org




--
("There are only 10 kinds of people in this world: those who know
binary and those who don't.")

Shreyas Zare
Co-Founder, Technitium
eMail: shreyas () technitium com

..::< The Technitium Team >::..
Visit us at www.technitium.com
Contact us at theteam () technitium com

Technitium Personal Computers
We believe in quality.
Visit http://pc.technitium.com for details.




