+ Post New Thread
Results 1 to 5 of 5
Windows 7 Thread, Prevent audio files from being stored locally on a workstation. in Technical; Hi, Is it possible to prevent a user saving certain user file types, such as audio, locally to their hard ...
  1. #1

    Join Date
    Mar 2009
    Location
    Ayrshire, Scotland
    Posts
    78
    Thank Post
    8
    Thanked 5 Times in 5 Posts
    Rep Power
    11

    Question Prevent audio files from being stored locally on a workstation.

    Hi,


    Is it possible to prevent a user saving certain user file types, such as audio, locally to their hard drive or removable disk ?
    and,
    Can I prevent a user copying files from a network share where they have read access to ?



    Why you ask?
    Well our phone systems run on Asterisk and every telephone conversation is recorded, encrypted then archived away each night on a file server. Sometimes sensitive information is exchanged during a telephone call which is why we encrypt them in case our systems were ever breached. From time to time, we need to pull call recordings for users, decrypt them and copy them to a network share that has tight access rights for a small group of users to retrieve. I have a script which runs through this location on a weekly bases and shred's all it's contents.


    Here's some background info:
    • We run Server 2008 r2 or greater across multiple sites.
    • Roaming profiles are not enabled
    • Each user has a home directory drive mapped to H which is replicated across all the sites.
    • Unencrypted call recordings are in saved in the wav format.
    • We are only allowed to store calls for upto 7 days in an unencrypted format.
    • Workstations are all Windows 7 Ultimate, with the exception of about 30 x Vista SP2 Business Machines.
    • All workstations are switched off after hours.
    • Users can only write files inside their user profile.


    Problem:
    Once we have retrieved a call and moved it to the special network share, users can go in and listen to the call(s). As users can read files from this directory, they can also copy from it so that can make it difficult for us to keep track of the unenrypted calls and recently we've discovered some users are copying the call locally hard drive to avoid the call being deleted on a weekly bases. In most environments, this wouldn't be an issue however we (IT Depart) don't know the call has been copied so it could sit unencrypted locally on their local hard drive for weeks if not months before it's picked up by an IT staff member who would then shred it. Back to my questions: Is it possible to prevent a user saving certain user file types, such as audio, locally to their hard drive or removable disk ? And, can I prevent a user copying files from a network share where they have read access to ? Or is there a better solution ?

    Any help an/or advice would be much appreciated ! Thanks in advanced


    It's been a while since I posted in here and I see the site has had a wee face lift - looking good guys!


    Fraser

  2. #2
    chazzy2501's Avatar
    Join Date
    Jan 2008
    Location
    South West
    Posts
    1,774
    Thank Post
    213
    Thanked 263 Times in 213 Posts
    Rep Power
    67
    you could use the software restriction policy on those areas and include audio extensions in the designated file types. it may require some testing

    EDIT: Damn it would stop them from running not from being stored...
    Last edited by chazzy2501; 26th February 2013 at 09:47 AM.

  3. #3
    chazzy2501's Avatar
    Join Date
    Jan 2008
    Location
    South West
    Posts
    1,774
    Thank Post
    213
    Thanked 263 Times in 213 Posts
    Rep Power
    67
    ok, you could reencode the audio files as WMA with DRM (playcount or expiring)on them. or you could store the files on a windows media server and offer mms links. Basically I think you should tackle how you share the files.

  4. #4


    Join Date
    Feb 2007
    Location
    51.405546, -0.510212
    Posts
    8,709
    Thank Post
    220
    Thanked 2,615 Times in 1,926 Posts
    Rep Power
    777
    Dynamic Access Control in Windows Server 2012 might be worth looking into too.

  5. #5

    Join Date
    Mar 2013
    Location
    Sydney
    Posts
    35
    Thank Post
    0
    Thanked 4 Times in 3 Posts
    Rep Power
    6
    There is no way to do this via permissions on a folderfile or drive...once you give anyone READ access to a folder/file/drive, reading is actually coping. One of these days we may get a server OS that includes such functionality....but until then....

    What id do, and its a quick solution and i believe the best and only 100% effective method, is disable their access to local drives via GPO (including USB), if they need to copy files from a share or home folder (which hopefully has a filescreen policy applied to it) to a usb key, they request it and staff does it. You said it was only a small group that needs access. As a side effect of this, i will bet you get less requests than you had file copies, because as with any file copying lockdown ive ever seen, people are less likely to come and ask you copy a file than when they could do it themselves. People are not motivated to come and ask when they have less than good motives for needing a file.

    Sometimes its just better to go a manual route rather than looking at a way to automate a solution that still leaves the user with more access than they should have.

    In this day and age giving people carte blanche access with a USB drive is just asking them to abuse your system. Its not much better to give them access of a specifically limited kind and ignore the overall security implications, its kind of the reverse of poking holes through a firewall...what youre trying to do is put the holes in place and ignore the firewall completely.

    Im not aware of a free way to do this without creating a lot more work for yourself than the simple GPO method....

    While software like Prevent: http://www.thewindowsclub.com/preven...-files-folders soudn good, they do NOT stop dragging and dropping of files and folders

    If youre determined to explore a software method, then the only thing im aware of that *might* do it is Active Directory Rights Management:

    Server 2008: http://technet.microsoft.com/en-us/l.../cc771627.aspx
    Server 2012: http://technet.microsoft.com/en-au/l.../hh831364.aspx
    Last edited by stylemessiah; 7th March 2013 at 11:54 AM.

SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 43
    Last Post: 8th September 2013, 02:43 AM
  2. Prevent certain named files from being saved
    By bondbill2k2 in forum Windows
    Replies: 13
    Last Post: 30th January 2012, 11:20 AM
  3. Replies: 9
    Last Post: 1st December 2008, 06:08 PM
  4. Converting video files to be used on the web site
    By tosca925 in forum How do you do....it?
    Replies: 5
    Last Post: 28th April 2007, 07:31 AM
  5. Replies: 3
    Last Post: 24th January 2006, 09:44 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •