Prevent File Copying

B

Briliu

Limp Gawd
Joined
Apr 19, 2006
Messages
269
At work we have a document that is currently fully restricted on the network (no one but system admin and maybe some of the upper management can even get to the folder the file is in). The only way for us lowly peons to see the contents is to use the hard copy that is printed out and kept track of by the managers. This is highly inefficient because the document is something like 150 pages long and searching through by hand for a specific name/whatever is impractical.

At first I thought there was a way we could prevent the copying of the file that management fears so much by setting it to read only. I learned that this does not prevent copying by way of save as or print screen.

Our first intention was to set up folder permissions to only allow people who would need to use the document (the engineers and managers) to gain access to it. On top of that adding logging to the folder to see who/when someone has accessed it.

My questions are these:

  1. Does logging show if someone did a copy paste, a save as, or a print screen on the file?
  2. Is it possible to disable copy-paste in a folder?
  3. Is it possible to disable save as on a file?
  4. Is it possible to disable print screen in certain files or file types only? (We use print screen on CAD packages to take quick screen shots of concepts so it needs to be enabled)

From my research it doesn't seem like the last three are possible, but I thought it couldn't hurt to ask!

The real goal is to prevent any duplication of this document both for revision control and protection of proprietary information from being stolen. If this isn't possible I guess we're stuck with the good old papyrus copy that we have to sign out from our managers desk (I'm serious about the latter part) :mad:

Thank you for any help!
- Justin
 
You're in a tough spot and you're options are limited, none will 1000% prevent intentional copying of the document. Your best bet here is written policy, which would protect your company from anything that does happen. As for the technical side,

Everything that you want to do can be done by either registry modifications or through active directory. Personally, having a centralized file is an absolutely horrible idea. Database this information, custom front end client to give access to people that require the data that cannot be print screened, no print functions and will not allow the user to copy/paste. If the information is important enough, make people locker their cell phones and any other electronic devices so they cant take pictures.

Obviously, this leaves people physically writing the information down on paper... physical security will once again take care of this.

HTH.
 
I dont see how your copying issues are very different for the paper copy. It can be duplicated on a copy machine, camera, hand written copy/notes, photographic memory, memorization, etc.

The best way might be a web/server based app that requires a login, and doesnt allow access to the direct PDF, but instead renders it on the screen. Think web based book previews, etc. You cant block print screen though, but can rely on it being terribly inefficient.
 
I completely agree that the paper copy doesn't eliminate copying either. All it'd take is for someone to grab it, copy it when everyone is in a meeting (happens often *rolls eyes*) then turn it back in.

xphil3 said:
Everything that you want to do can be done by either registry modifications or through active directory. Personally, having a centralized file is an absolutely horrible idea. Database this information, custom front end client to give access to people that require the data that cannot be print screened, no print functions and will not allow the user to copy/paste. If the information is important enough, make people locker their cell phones and any other electronic devices so they cant take pictures.

Obviously, this leaves people physically writing the information down on paper... physical security will once again take care of this.

HTH.
Click to expand...


I very much like your idea about the database, I'd have to talk to our IT department about that. We already have something similar for engineering drawings (which by the way are also just stored on the network for ease of access, wtf?). We connect with a citrix client or something like that (we call the database IFS, not sure if that's internal or a general name for it).

Would the document still be searchable? That's really the main reason we'd want it in electronic format over just dealing with the hassles of paper.

ambientZ said:
The best way might be a web/server based app that requires a login, and doesnt allow access to the direct PDF, but instead renders it on the screen. Think web based book previews, etc. You cant block print screen though, but can rely on it being terribly inefficient.
Click to expand...

I pose the same question to you ambientZ, is the document still searchable in this form? From what I recall of books on google they are but I may be mistaken.

Thanks for the replies! I hadn't thought of either of these options :)
 
What about Sharepoint, can't it track who checks out documents?
 
Briliu said:
Would the document still be searchable? That's really the main reason we'd want it in electronic format over just dealing with the hassles of paper.
Click to expand...

If you go with a databased solution, you'll likely have to implement it in house, so you can pretty much do it however you want. Since you currently are passing a paper copy around the office, I'm going to assume that while you'd like this to not be released, it's not that critical. A suitable electronic version of what it sounds like you're using this for (ie. nobody needs the entire actual list, they are just using it to look up information based on some key, customer name, or product or whatever) might be to code a simple web interface to the database that only allows users to search and doesn't give them access to the full data set. Then, provided your application is developed properly, all they can do is search the data, and they can't dump it all without first knowing what to search for. This seems more secure than what you're doing now, but if you want to you can still get the data out.

As xphil3 suggests, as you try to increase security, you almost always decrease convenience. Another important point is that once the data is on a computer, you can generally get it off again, and preventing that is extremely difficult. For example the previous suggestion of viewing the PDF - the only security there is in the PDF application itself, and can be circumvented in several ways to obtain the displayed PDF. Similarly, opening a file over the network necessarily copies the data to the local computer and there is no truly secure way to prevent users from saving that copy. If you can read the data, you can save the data. Fundamentally, this is why copy protection will never succeed.
 
To simplify it down to the most basic level - if you can read something, you can copy it.

This applies to everything from cassette tapes to word processor files. If you can see the data, there's always a way to copy it. It might be locked down enough that it means viewing it on one PC and manually typing it into another PC, but there's ALWAYS a way to copy it.

For example, from the above link:
RMS augments an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it goes.
Click to expand...

If the file has rights-management details embedded in it, some app needs to interpret the data and those rights details, then display the data according to the rights details. All you need to do is make an app that can interpret the data and the rights info, then simply ignore the rights info and just display the data normally.

With VPN-style encryption, you can secure private data on a public network because the public network doesn't have the key needed to unlock the data. WIth DRM-style encryption, you're handing them locked data and the key to unlock it, along with some instructions saying that you can't do certain things with it. The data must be unlockable to make it useful, so it's impossible to keep it locked up. Once it's been unlocked, the only thing protecting it is the note on it that says "Please don't X, Y, or Z the data in this file." Once something is able to read the data and ignore the rights stuff, the data is no longer secured.
 
You must log in or register to reply here.
Back
Top