And don't forget USB-based apps, such as http://www.portableapps.com
On Thu, May 12, 2011 at 12:36, Jeff S. Gottlieb <[email protected]> wrote:
>
> Yes Kurt [thanks]. The users in the department do not have local admin
> rights, and the ability to print has been removed. Unfortunately, we have not
> been able to prevent users from copy /paste. The rule is, IF a file can be
> read... IT CAN be copied /pasted. If the end-users figure out that the
> trigger preventing email in Vipre [Attachment filter] is within the name of
> the file they can modify it. We are searching for a workaround.
>
> We were hoping to avoid the expense, but at the end of the day perhaps a DLP
> professional firm will be needed.
> Alan recommended http://www.verdasys.com/
> We've just seen a demo from http://www.gtbtechnologies.com/ [they use "finger
> prints" signatures in documents, then an appliance gateway NOT CHEAP however]
>
> Cheers -J
>
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Thursday, May 12, 2011 7:51 AM
> To: NT System Admin Issues
> Subject: Re: BLOCKING end-users from ATTACHING and EMAILING...
>
> I'm sure you've also ensured that the users can't install alternate
> software for reading and printing the document...
>
> Kurt
>
> On Wed, May 11, 2011 at 13:24, Jeff S. Gottlieb
> <[email protected]> wrote:
>> SOLUTION FOUND
>>
>> VIPRE Email Security has what's called Attachment Filter [was right under
>> our noses]. We are *now* able to prevent specific documents from being
>> attached and emailed by specific users [or department]. All Policy features
>> in the Attachment Filter tabs worked quite well, with minor exceptions [*see
>> below]. Our custom rule, "*(CLASSIFIED).PDF", stops PDF docs that end with
>> "CLASSIFIED" in parenthesis. All classified documents were placed Read Only
>> in a shared folder for all users. These documents will be given names for
>> the above rule to catch, i.e., "Standards for Dakota (CLASSIFIED).pdf".
>> The PDF documents are converted using Adobe security, whereby the users cannot
>> modify, copy /paste, or print. Using Sophos we activated "Device Control"
>> preventing the end-users from copying to Storage, Network, or Short Range
>> devices. The last step is to prevent these PDF [Read Only] documents from
>> being copied locally and renamed. We are searching for a good "Anti-copy"
>> software. It appears that there are some choices... programs like "M File
>> Anti-Copy" http://mini-products.net/ ...so far untested.
>>
>> It appears we have a DLP solution to look forward to. Cheers -J
>>
>> Thank you all for the replies [contributions] including:
>>
>> Justin Thomas: [email protected]
>> Martin Blackstone: [email protected]
>> Angus Scott-Fleming: [email protected]
>> Jim Kennedy: [email protected]
>> Jeff Steward: [email protected]
>> James Rankin: [email protected]
>> Andrew S. Baker: [email protected]
>>
>> *The syntax "%FILENAME%" used under the Notifications tab oddly returned the
>> subject of the email rather than the filename (GFI case is pending)
>>
>> *Earlier on, the Attachment Filter failing entirely... the result of our
>> Digital signature in emails. Resolution came by changing the statement from
>> "false" to "true" in
>> <ScanDigitallySignedMessages>true</ScanDigitallySignedMessages> found in the
>> directory \VIPRE Email Security\globalsettings.xml file
>>
>> The latter issue dragged on for what seemed like forever [5-days]. After
>> several techs [3-4] it was finally resolved by Matthew D. (Nice Job!)
>>
>>
>> From: Jeff S. Gottlieb [mailto:[email protected]]
>> Sent: Friday, May 06, 2011 4:32 PM
>> To: NT System Admin Issues
>> Subject: RE: BLOCKING end-users from ATTACHING and EMAILING...
>>
>> Agreed! ...and thank you for your worthy replies.
>>
>> We recently discovered Vipre Email Security has what's called "Attachment
>> Filter" ...albeit it doesn't quite work AS OF YET, and no one [including
>> Vipre Support] is able to say why.
>>
>> For the Vipre Security users out there...check out the "Rules" tab. Now this
>> looks like something with tremendous DLP potential. Now if we can just get
>> it to work. Cheers -J
>>
>>
>> From: Jeff Steward [mailto:[email protected]]
>> Sent: Friday, May 06, 2011 4:24 AM
>> To: NT System Admin Issues
>> Subject: Re: BLOCKING end-users from ATTACHING and EMAILING...
>>
>> I asked that question as I have been involved in stolen/leaked Intellectual
>> Property issues where someone was faxing CAD drawings to a competitor. If
>> this data is truly considered 'the secret sauce' then as others have
>> suggested, get a real DLP solution in place. There is no perfect security
>> in business since you have to let the pesky end users, customers and sales
>> folks interact.
>>
>> Good luck!
>>
>> -Jeff Steward
>>
>> On Thu, May 5, 2011 at 12:51 AM, Jeff S. Gottlieb
>> <[email protected]> wrote:
>>
>> Thank you Jeff.
>>
>> The CAD operators cannot print the items of sensitivity [again we need to
>> prevent the possibility to email only].
>>
>> Many of these items [documents] represent "Standards" or dimensions which
>> the engineers use for all projects, and are located in one folder.
>>
>> These docs are large, including roughly 130 pages each, and would easily
>> allow other manufacturing firms to replicate the same exact pieces.
>>
>> This is VERY Similar to the secret recipes for the odors of Crayola crayons,
>> or Papa John's Pizza garlic sauce, etc., etc.
>>
>> Ps. The latter is something I would LOVE getting my hands on. I would make a
>> HUGE batch for home use to dip the crust of *any* pizza!!
>>
>> From: Jeff Steward [mailto:[email protected]]
>> Sent: Wednesday, May 04, 2011 8:14 PM
>> To: NT System Admin Issues
>> Subject: Re: BLOCKING end-users from ATTACHING and EMAILING...
>>
>> Can the CAD operators print? Seriously, if the owners need to protect their
>> intellectual property at that level, have the engineers upload the docs to
>> a directory for review and approval and let a 3rd party review them prior to
>> sending them to an external destination.
>>
>> -Jeff Steward
>>
>> On Wed, May 4, 2011 at 7:49 PM, Jeff S. Gottlieb <[email protected]>
>> wrote:
>>
>> Thanks Martin
>>
>> We too were thinking that might be a viable option. It seems NOT good for
>> two reasons.
>>
>> 1) That is a Global setting, whereby the entire company would be affected by
>> the one Exchange server
>>
>> 2) This department needs to transfer large files MOSTLY internally, but on
>> rare occasions outside
>>
>> Sorry I forgot to mention this in our original post. -J
>>
>>
>> From: Martin Blackstone [mailto:[email protected]]
>> Sent: Wednesday, May 04, 2011 2:50 PM
>> To: NT System Admin Issues
>> Subject: RE: BLOCKING end-users from ATTACHING and EMAILING...
>>
>> You could just put such a small attachment size restriction on them that
>> nothing would go.
>>
>> Say 1K.
>>
>>
>> From: Jeff S. Gottlieb [mailto:[email protected]]
>> Sent: Wednesday, May 04, 2011 1:47 PM
>> To: NT System Admin Issues
>> Subject: BLOCKING end-users from ATTACHING and EMAILING...
>>
>> We are searching for a method to BLOCK end-users from ATTACHING and EMAILING
>> [sensitive] docs located on a SPECIFIC FOLDER of the share.
>>
>> What we have accomplished thus far:
>>
>> 1) Using Sophos we activated "Device Control" preventing end-user from
>> copying to Storage, Network, or Short Range devices
>>
>> 2) Using Sophos we also activated "Data Control"... thus creating email alerts
>> detailing the sender /recipient, time /date, and name /location of
>> attachment
>>
>> 3) All documents are converted to PDF with security options that prevent
>> copy /paste, and printing
>>
>> 4) End-users are NOT allowed Internet access
>>
>> Owners are left *totally* unsatisfied with all the above, as these measures
>> are not preventative enough.
>>
>> Leaving any of the end-users without ability to email is NOT an option.
>>
>> Leaving a [public] workstation open, available with access to this SPECIFIC
>> FOLDER, and then having no email /Internet is NOT an option.
>>
>> These end-users are all in the CAD design department.
>>
>> Given the nature of the business, suffice-it-to-say, one drawing in email
>> could represent a significant loss.
>>
>> Sadly, the owners feel they cannot entirely rely on the loyalty of
>> generously paid employees [with great benefits], company policies, and or
>> legalese.
>>
>> Thanks in advance for any suggestions. comments. Cheers, -J
>>
>>
>> EMPLOYEE Supposition:
>>
>> Surely in created the level of sophistication placed in Sophos with Device &
>> Data Control suggests that a greater need exists to protect the employer's
>> intellectual property. Along with these concepts, the end-users themselves
>> have become more sophisticated and perhaps unfortunately [these days]
>> more-willing to place their positions on the line.
>>
>> I guess if we've done our IT job... then the end-users' ONLY option is to snap
>> a photo using a cell-phone. What then will the employer do?? Add company
>> policy to include NO CELL PHONES?? Imagine a world AT WORK without texting,
>> tweeting, and the occasional personal call??? Ouch!
>>
>> EMPLOYER Supposition [slave-master]:
>>
>> Add video surveillance too!!!! :--/
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to [email protected]
>> with the body: unsubscribe ntsysadmin
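
An added illustration, not part of the thread and not VIPRE's or GTB's code: it contrasts the filename rule quoted above with a content-based check, which is the gap the thread identifies when a protected file is copied and renamed. The block size, threshold, case-insensitive matching and all function names are assumptions made for this sketch, and fixed-block hashing is a simplified stand-in for commercial document fingerprinting.

```python
import fnmatch
import hashlib

NAME_RULE = "*(CLASSIFIED).PDF"   # the custom rule quoted in the thread
BLOCK = 64                        # assumed block size for this sketch

def name_rule_hit(filename, pattern=NAME_RULE):
    # Assumption: the filter compares attachment names case-insensitively.
    return fnmatch.fnmatchcase(filename.upper(), pattern.upper())

def block_hashes(data, block=BLOCK):
    # Hash every full fixed-size block; a trailing partial block is ignored.
    return {hashlib.sha256(data[i:i + block]).digest()
            for i in range(0, len(data) - block + 1, block)}

def build_index(protected_docs):
    # protected_docs: {name: bytes} for the files in the protected folder.
    index = set()
    for data in protected_docs.values():
        index |= block_hashes(data)
    return index

def content_score(data, index):
    # Fraction of the attachment's distinct blocks seen in a protected file.
    blocks = block_hashes(data)
    return len(blocks & index) / len(blocks) if blocks else 0.0

def verdict(filename, data, index, threshold=0.5):
    by_name = name_rule_hit(filename)
    by_content = content_score(data, index) >= threshold
    return {"name_rule": by_name, "content": by_content,
            "block": by_name or by_content}

# Constructed sample data (not real documents).
SECRET = b"%PDF-1.4 constructed standards sheet " + bytes(range(256)) * 8
OTHER = b"%PDF-1.4 constructed lunch menu " + bytes(reversed(range(256))) * 8
INDEX = build_index({"Standards for Dakota (CLASSIFIED).pdf": SECRET})

if __name__ == "__main__":
    for name, data in [("Standards for Dakota (CLASSIFIED).pdf", SECRET),
                       ("notes.pdf", SECRET),
                       ("menu.pdf", OTHER)]:
        print(name, verdict(name, data, INDEX))
```

Block hashes only match byte-identical regions, so a document that is re-saved or re-encoded would need a text-level fingerprint instead.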
