Windows 7 Thread, Prevent audio files from being stored locally on a workstation. in Technical; Hi,
Is it possible to prevent a user saving certain user file types, such as audio, locally to their hard ...
26th February 2013, 02:43 AM #1
- Rep Power
Prevent audio files from being stored locally on a workstation.
Is it possible to prevent a user saving certain user file types, such as audio, locally to their hard drive or removable disk ?
Can I prevent a user copying files from a network share where they have read access to ?
Why you ask?
Well our phone systems run on Asterisk and every telephone conversation is recorded, encrypted then archived away each night on a file server. Sometimes sensitive information is exchanged during a telephone call which is why we encrypt them in case our systems were ever breached. From time to time, we need to pull call recordings for users, decrypt them and copy them to a network share that has tight access rights for a small group of users to retrieve. I have a script which runs through this location on a weekly bases and shred's all it's contents.
Here's some background info:
- We run Server 2008 r2 or greater across multiple sites.
- Roaming profiles are not enabled
- Each user has a home directory drive mapped to H which is replicated across all the sites.
- Unencrypted call recordings are in saved in the wav format.
- We are only allowed to store calls for upto 7 days in an unencrypted format.
- Workstations are all Windows 7 Ultimate, with the exception of about 30 x Vista SP2 Business Machines.
- All workstations are switched off after hours.
- Users can only write files inside their user profile.
Once we have retrieved a call and moved it to the special network share, users can go in and listen to the call(s). As users can read files from this directory, they can also copy from it so that can make it difficult for us to keep track of the unenrypted calls and recently we've discovered some users are copying the call locally hard drive to avoid the call being deleted on a weekly bases. In most environments, this wouldn't be an issue however we (IT Depart) don't know the call has been copied so it could sit unencrypted locally on their local hard drive for weeks if not months before it's picked up by an IT staff member who would then shred it. Back to my questions: Is it possible to prevent a user saving certain user file types, such as audio, locally to their hard drive or removable disk ? And, can I prevent a user copying files from a network share where they have read access to ? Or is there a better solution ?
Any help an/or advice would be much appreciated ! Thanks in advanced
It's been a while since I posted in here and I see the site has had a wee face lift - looking good guys!
IDG Tech News
26th February 2013, 10:38 AM #2
you could use the software restriction policy on those areas and include audio extensions in the designated file types. it may require some testing
EDIT: Damn it would stop them from running not from being stored...
Last edited by chazzy2501; 26th February 2013 at 10:47 AM.
26th February 2013, 10:59 AM #3
ok, you could reencode the audio files as WMA with DRM (playcount or expiring)on them. or you could store the files on a windows media server and offer mms links. Basically I think you should tackle how you share the files.
3rd March 2013, 04:24 PM #4
Dynamic Access Control in Windows Server 2012 might be worth looking into too.
7th March 2013, 12:13 PM #5
- Rep Power
There is no way to do this via permissions on a folderfile or drive...once you give anyone READ access to a folder/file/drive, reading is actually coping. One of these days we may get a server OS that includes such functionality....but until then....
What id do, and its a quick solution and i believe the best and only 100% effective method, is disable their access to local drives via GPO (including USB), if they need to copy files from a share or home folder (which hopefully has a filescreen policy applied to it) to a usb key, they request it and staff does it. You said it was only a small group that needs access. As a side effect of this, i will bet you get less requests than you had file copies, because as with any file copying lockdown ive ever seen, people are less likely to come and ask you copy a file than when they could do it themselves. People are not motivated to come and ask when they have less than good motives for needing a file.
Sometimes its just better to go a manual route rather than looking at a way to automate a solution that still leaves the user with more access than they should have.
In this day and age giving people carte blanche access with a USB drive is just asking them to abuse your system. Its not much better to give them access of a specifically limited kind and ignore the overall security implications, its kind of the reverse of poking holes through a firewall...what youre trying to do is put the holes in place and ignore the firewall completely.
Im not aware of a free way to do this without creating a lot more work for yourself than the simple GPO method....
While software like Prevent: http://www.thewindowsclub.com/preven...-files-folders soudn good, they do NOT stop dragging and dropping of files and folders
If youre determined to explore a software method, then the only thing im aware of that *might* do it is Active Directory Rights Management:
Server 2008: http://technet.microsoft.com/en-us/l.../cc771627.aspx
Server 2012: http://technet.microsoft.com/en-au/l.../hh831364.aspx
Last edited by stylemessiah; 7th March 2013 at 12:54 PM.
Last Post: 8th September 2013, 03:43 AM
By bondbill2k2 in forum Windows
Last Post: 30th January 2012, 12:20 PM
By link470 in forum Windows
Last Post: 1st December 2008, 07:08 PM
By tosca925 in forum How do you do....it?
Last Post: 28th April 2007, 08:31 AM
Last Post: 24th January 2006, 10:44 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)