I'm sure you've also ensured that the users can't install alternate software for reading and printing the document...
Kurt On Wed, May 11, 2011 at 13:24, Jeff S. Gottlieb <jeff.s.gottl...@gmail.com> wrote: > SOLUTION FOUND > > VIPRE Email Security has what's called Attachment Filter [was right under > our noses]. We are *now* able to prevent specific documents from being > attached and emailed by specific users [or department]. All Policy features > in the Attachment Filter tabs worked quite well, with minor exceptions [*see > below]. Our custom rule, "*(CLASSIFIED).PDF", stops PDF docs that end with > "CLASSIFIED" in parenthesis. All classified documents were placed Read Only > in a shared folder for all users. These documents will be given names for > the above rule to catch, i.e., "Standards for Dakota (CLASSIFIED).pdf". The > PDF documents are converted using Adobe security, whereby the users cannot > modify, copy /paste, or print. Using Sophos we activated "Device Control" > preventing the end-users from coping to Storage, Network, or Short Range > devices. The last step is to prevent these PDF [Read Only] documents from > being copied locally and renamed. We are searching for a good "Anti-copy" > software. It appears that there are some choices. programs like "M File > Anti-Copy" http://mini-products.net/ .so far untested. > > > > It appears we have a DLP solution to look forward to. Cheers -J > > > > Thank you all for the replies [contributions] including: > > Justin Thomas: jat...@gmail.com > > Martin Blackstone: mblackst...@gmail.com > > Angus Scott-Fleming: angu...@geoapps.com > > Jim Kennedy: kennedy...@elyriaschools.org > > Jeff Steward: jstew...@gmail.com > > James Rankin: kz2...@googlemail.com > > Andrew S. Baker: asbz...@gmail.com > > > > *The syntax "%FILENAME%" used under the Notifications tab oddly returned the > subject of the email rather than the filename (GFI case is pending) > > *Earlier on, the Attachment Filter failing entirely. the result of our > Digital signature in emails. Resolution came by changing the statement from > "false" to "true" in > <ScanDigitallySignedMessages>true</ScanDigitallySignedMessages> found in the > directory \VIPRE Email Security\globalsettings.xml file > > > > The latter issue dragged on for what seemed like forever [5-days]. After > several techs [3-4] it was finally resolved by Matthew D. (Nice Job!) > > > > > > From: Jeff S. Gottlieb [mailto:jeff.s.gottl...@gmail.com] > Sent: Friday, May 06, 2011 4:32 PM > To: NT System Admin Issues > Subject: RE: BLOCKING end-users from ATTACHING and EMAILING... > > > > Agreed! .and thank you for your worthy replies. > > We recently discovered Vipre Email Security has what's called "Attachment > Filter" .albeit it doesn't quite work AS OF YET, and no one [including > Vipre Support] is able to say why. > > For the Vipre Security users out there.check out the "Rules" tab. Now this > looks like something with tremendous DLP potential. Now if we can just get > it to work. Cheers -J > > > > From: Jeff Steward [mailto:jstew...@gmail.com] > Sent: Friday, May 06, 2011 4:24 AM > To: NT System Admin Issues > Subject: Re: BLOCKING end-users from ATTACHING and EMAILING... > > > > I asked that question as I have been involved in stolen/leaked Intellectual > Property issues where someone was faxing CAD drawings to a competitor. If > this data is truly considered 'the secret sauce' then as others have > suggested, get a real DLP solution in place. There is no perfect security > in business since you have to let the pesky end users, customers and sales > folks interact. > > > > Good luck! > > > > -Jeff Steward > > On Thu, May 5, 2011 at 12:51 AM, Jeff S. Gottlieb > <jeff.s.gottl...@gmail.com> wrote: > > Thank you Jeff. > > > > The CAD operators cannot print the items of sensitivity [again we need to > prevent the possibility to email only]. > > Many of these items [documents] represent "Standards" or dimensions which > the engineers use for all projects, and are located in one folder. > > These docs are large, including roughly 130 pages each, and would easily > allow other manufacturing firms to replicate the same exact pieces. > > This is VERY Similar to the secret recipes for the odors of Crayola crayons, > or Papa John's Pizza garlic sauce, etc., etc. > > > > Ps. The latter is something I would LOVE getting my hands on. I would make a > HUGE batch for home use to dip the crust of *any* pizza!! > > > > From: Jeff Steward [mailto: <mailto:jstew...@gmail.com> jstew...@gmail.com] > Sent: Wednesday, May 04, 2011 8:14 PM > > > To: NT System Admin Issues > > Subject: Re: BLOCKING end-users from ATTACHING and EMAILING... > > > > Can the CAD operators print? Seriously, if the owners need to protect their > intellectually property at that level, have the engineers upload the docs to > a directory for review and approval and let a 3rd party review them prior to > sending them to an external destination. > > > > -Jeff Steward > > On Wed, May 4, 2011 at 7:49 PM, Jeff S. Gottlieb <jeff.s.gottl...@gmail.com> > wrote: > > > > Thanks Martin > > > > We too were thinking that might be a viable option. If seems NOT good for > two reasons. > > > > 1) That is a Global setting, whereby the entire company would be effected by > the one Exchange server > > 2) This department needs to transfer large files MOSTLY internally, but on > rare occasions outside > > > > Sorry I forgot to mention this in our original post. -J > > > > > > From: Martin Blackstone [mailto: <mailto:mblackst...@gmail.com> > mblackst...@gmail.com] > Sent: Wednesday, May 04, 2011 2:50 PM > > > To: NT System Admin Issues > > Subject: RE: BLOCKING end-users from ATTACHING and EMAILING... > > > > You could just put such a small attachment size restriction on them that > nothing would go. > > Say 1K. > > > > > > From: Jeff S. Gottlieb [mailto: <mailto:jeff.s.gottl...@gmail.com> > jeff.s.gottl...@gmail.com] > > Sent: Wednesday, May 04, 2011 1:47 PM > To: NT System Admin Issues > > Subject: BLOCKING end-users from ATTACHING and EMAILING... > > > > > > We are searching for a method to BLOCK end-users from ATTACHING and EMAILING > [sensitive] docs located on a SPECIFIC FOLDER of the share. > > > > What we have accomplished thus far: > > 1) Using Sophos we activated "Device Control" preventing end-user from > coping to Storage, Network, or Short Range devices > > 2) Using Sophos we also activated "Data Control". thus creating email alerts > detailing the sender /recipient, time /date, and name /location of > attachment > > 3) All documents are converted to PDF with security options that prevent > copy /paste, and printing > > 4) End-users are NOT allowed Internet access > > > > Owners are left *totally* unsatisfied with all the above, as these measures > are not preventative enough. > > Leaving any of the end-users without ability to email is NOT an option. > > Leaving a [public] workstation open, available with access to this SPECIFIC > FOLDER, and then having no email /Internet is NOT an option. > > > > These end-users are all in the CAD design department. > > Given the nature of the business, suffice-it-to-say, one drawing in email > could represent a significant loss. > > Sadly, the owners feel they cannot entirely rely on the loyalty of > generously paid employees [with great benefits], company policies, and or > legalese. > > > > Thanks in advance for any suggestions. comments. Cheers, -J > > > > > > EMPLOYEE Supposition: > > Surely in created the level of sophistication placed in Sophos with Device & > Data Control suggests that a greater need exists to protect the employer's > intellectual property. Along with these concepts, the end-users themselves > have become more sophisticated and perhaps unfortunately [these days] > more-willing to place their positions on the line. > > > > I guess if we've done our IT job. than the end-users ONLY option is to snap > a photo using a cell-phone. What then will the employer do?? Add company > policy to include NO CELL PHONES?? Imagine a world AT WORK without texting, > tweeting, and the occasional personal call??? Ouch! > > > > EMPLOYER Supposition [slave-master]: > > Add video surveillance too!!!! :--/ > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin