OK, hypothetical, I am researching some solutions and am looking for any of your recent experiences solving portions of this problem:

Setup:

Office has 20-40 workstations (mix of Laptop and Desktop)

Office is a high tech firm with lots of collaboration.

"Subnetworks" exist where some docs reside on one or more networked machines but are not networked with others. I.E. Production or R+D staff may have 6 workstations and management may have 8, but to get some files from production to management, they are manually copied to USB or email and then transported as they are not all linked for file sharing and data is not centrally stored.

Office has many sensitive documents and some secret docs. All are used regularly by portions of staff on the workstations.

Issue:

Office would like to accomplish the following as best as possible:

- Restrict use of USB devices to ONLY company authorized ones
- Restrict use of some or all company files to ONLY on company workstations
- Allow for non-overly cumbersome collaboration of documents with a higher level of auditing insofar as who accessed what, when
- Prevent the spread of data to non-company workstations via email and USB drives

I realize there is probably no "one size fits all solution" but I am looking for any suggestions that may help accomplish some or all of the above.

 

Dynamic Access Control in Server 2012

http://www.windowsecurity.com/articl...rver-2012.html

 

Probably massive overkill but could they purchase a (DoD) 5015.02-STD certified
Records Management / Content Management system to use in conjunction with a strict
outbound email filters?

 

Ask somebody in the DOR of South Carolina and see how 4 million people had their id stole.

 

Brilliant

 

I need to read up on this a bit more. Looks very promising, thanks Daniel.

Any idea what controls would be in place if a company were using this and someone did manage to get a doc out of the system? Would the doc be un-openable?

 

Dude, pretty clear to me that you're in over your head. I'd punt, just saying... Don't hate on me for honesty.

 

he is only hypothetically over his head.

 

Or he's doing some research to come up with the best solution?

Don't have to tell you that every solution doesn't just appear in your mind. And if an idea did pop up right away, I'd still research the issue further to see what else is out there

 

May a thousand camel spiders infest your mother's tent!

 

Stogie,

Think about your liability and reputation if you fail....You are just starting to get back on your feet with the new business.

I wouldn't risk it unless you are absolutely sure you can do it right, without having the "deer in the headlights" look in your eyes when problems arise (and they will, it happens to everyone) during the implementation.

 

Yeah I can't answer that question, I'd like to know myself if you find out. My guess would be that it would be unopenable on an unapproved device.

 

Seems like you'd need to be running server 2012 as the main domain controller so if the network is already setup running an older version of AD then you might have to make a new domain. I don't think domains are upgradeable

 

I also wonder about copying and pasting from the document. If that's blocked can you still do it within different parts of the same document?

Also what about screenshots, might want to find a way to disable that too. Then maybe forbid cameras and camera phones too if they're hella paranoid.

 

Dude, relax.

A. It's hypothetical
B. I do not generally do network installs or setups (I use contractors), so while I may get paid to advise people on possibilities, I do not do implementation in this realm.

 

New User Dennis Ho PM'ed me (thanks, your mail box is full) indicating he works for a company called Devicelock that seems to address some of these issues as well (Screen capture, copy paste, etc.). I know nothing about the company, but here is a link: www.devicelock.com. Might be interesting to talk to a few folks who have used this...

 

Interesting... not exactly cheap up front, but could prove priceless even in the short run...

Trend also has a tool:

http://www.trendmicro.com/us/enterpr...uct/index.html

and pretty sure Symantec as well...

 

Netnanny?

 

These things are all great until you piss off the one guy that knows the master admin password.

 

It's OK. Password is probably "password"