RE: BLOCKING end-users from ATTACHING and EMAILING...
Data tagging/waterprinting is an option too perhaps (i.e. avoiding reliance on filename and possibly format) ...

a

-----Original Message-----
From: Jeff S. Gottlieb [mailto:jeff.s.gottl...@gmail.com]
Sent: 12 May 2011 20:36
To: NT System Admin Issues
Subject: RE: BLOCKING end-users from ATTACHING and EMAILING...

Yes Kurt [thanks]. The users in the department do not have local admin rights, and the ability to print has been removed. Unfortunately, we have not been able to prevent users from copy /paste. The rule is, IF a file can be read... IT CAN be copied /pasted.

If the end-users figure out that the trigger preventing email in Vipre [Attachment filter] is within the name of the file they can modify it. We are searching for a workaround. We were hoping to avoid the expense, but at the end of the day perhaps a DLP professional firm will be needed.

Alan recommended http://www.verdasys.com/
We've just seen a demo from http://www.gtbtechnologies.com/ [they use finger prints signatures in documents, then an appliance gateway NOT CHEAP however]

Cheers -J
RE: BLOCKING end-users from ATTACHING and EMAILING...
Do you block/quarantine encrypted email too? If not, they can encrypt the email and your attachment filter won't be able to see it.

Otherwise, good solution - you may find, particularly if you need strong anti-copy type controls, that you could get some value from a DLP suite - Verdasys Digital Guardian for example is one I implemented in a past role to strictly control that type of activity. Cost will be an issue.

a
Re: BLOCKING end-users from ATTACHING and EMAILING...
Also, are users able to printscreen? Got to block that if you don't want users making screenshots of your PDFs.

Bill

Alan Davies wrote:

Do you block/quarantine encrypted email too? If not, they can encrypt the email and your attachment filter won't be able to see it.

Otherwise, good solution - you may find, particularly if you need strong anti-copy type controls, that you could get some value from a DLP suite - Verdasys Digital Guardian for example is one I implemented in a past role to strictly control that type of activity. Cost will be an issue.

a
RE: BLOCKING end-users from ATTACHING and EMAILING...
That and hi-res smartphone photos! Hell .. some *people* have photographic memory and can easily reproduce insanely detailed images from memory. The list goes on ;o)

At least with things like printscreen and file operations, a DLP product can control and report on it.

a

-----Original Message-----
From: Bill Humphries [mailto:nt...@hedgedigger.com]
Sent: 12 May 2011 14:20
To: NT System Admin Issues
Subject: Re: BLOCKING end-users from ATTACHING and EMAILING...

Also, are users able to printscreen? Got to block that if you don't want users making screenshots of your PDFs.

Bill
Re: BLOCKING end-users from ATTACHING and EMAILING...
I'm sure you've also ensured that the users can't install alternate software for reading and printing the document...

Kurt

On Wed, May 11, 2011 at 13:24, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote:

SOLUTION FOUND

VIPRE Email Security has what's called Attachment Filter [was right under our noses]. We are *now* able to prevent specific documents from being attached and emailed by specific users [or department]. All Policy features in the Attachment Filter tabs worked quite well, with minor exceptions [*see below].

Our custom rule, *(CLASSIFIED).PDF, stops PDF docs that end with CLASSIFIED in parentheses. All classified documents were placed Read Only in a shared folder for all users. These documents will be given names for the above rule to catch, i.e., Standards for Dakota (CLASSIFIED).pdf.

The PDF documents are converted using Adobe security, whereby the users cannot modify, copy /paste, or print. Using Sophos we activated Device Control preventing the end-users from copying to Storage, Network, or Short Range devices.

The last step is to prevent these PDF [Read Only] documents from being copied locally and renamed. We are searching for a good Anti-copy software. It appears that there are some choices... programs like M File Anti-Copy http://mini-products.net/ ...so far untested. It appears we have a DLP solution to look forward to.

Cheers -J

Thank you all for the replies [contributions] including:
Justin Thomas: jat...@gmail.com
Martin Blackstone: mblackst...@gmail.com
Angus Scott-Fleming: angu...@geoapps.com
Jim Kennedy: kennedy...@elyriaschools.org
Jeff Steward: jstew...@gmail.com
James Rankin: kz2...@googlemail.com
Andrew S. Baker: asbz...@gmail.com

*The syntax %FILENAME% used under the Notifications tab oddly returned the subject of the email rather than the filename (GFI case is pending)

*Earlier on, the Attachment Filter failing entirely... the result of our Digital signature in emails. Resolution came by changing the statement from false to true in <ScanDigitallySignedMessages>true</ScanDigitallySignedMessages> found in the directory \VIPRE Email Security\globalsettings.xml file. The latter issue dragged on for what seemed like forever [5-days]. After several techs [3-4] it was finally resolved by Matthew D. (Nice Job!)

From: Jeff S. Gottlieb [mailto:jeff.s.gottl...@gmail.com]
Sent: Friday, May 06, 2011 4:32 PM
To: NT System Admin Issues
Subject: RE: BLOCKING end-users from ATTACHING and EMAILING...

Agreed! ...and thank you for your worthy replies.

We recently discovered Vipre Email Security has what's called Attachment Filter ...albeit it doesn't quite work AS OF YET, and no one [including Vipre Support] is able to say why. For the Vipre Security users out there... check out the Rules tab. Now this looks like something with tremendous DLP potential. Now if we can just get it to work.

Cheers -J

From: Jeff Steward [mailto:jstew...@gmail.com]
Sent: Friday, May 06, 2011 4:24 AM
To: NT System Admin Issues
Subject: Re: BLOCKING end-users from ATTACHING and EMAILING...

I asked that question as I have been involved in stolen/leaked Intellectual Property issues where someone was faxing CAD drawings to a competitor. If this data is truly considered 'the secret sauce' then as others have suggested, get a real DLP solution in place. There is no perfect security in business since you have to let the pesky end users, customers and sales folks interact.

Good luck!

-Jeff Steward

On Thu, May 5, 2011 at 12:51 AM, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote:

Thank you Jeff.

The CAD operators cannot print the items of sensitivity [again we need to prevent the possibility to email only]. Many of these items [documents] represent Standards or dimensions which the engineers use for all projects, and are located in one folder. These docs are large, including roughly 130 pages each, and would easily allow other manufacturing firms to replicate the same exact pieces.

This is VERY Similar to the secret recipes for the odors of Crayola crayons, or Papa John's Pizza garlic sauce, etc., etc.

Ps. The latter is something I would LOVE getting my hands on. I would make a HUGE batch for home use to dip the crust of *any* pizza!!

From: Jeff Steward [mailto:jstew...@gmail.com]
Sent: Wednesday, May 04, 2011 8:14 PM
To: NT System Admin Issues
Subject: Re: BLOCKING end-users from ATTACHING and EMAILING...

Can the CAD operators print? Seriously, if the owners need to protect their intellectual property at that level, have the engineers upload the docs to a directory for review and approval and let a 3rd party review them prior to sending them to an external destination.

-Jeff Steward

On Wed, May 4, 2011 at 7:49 PM, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote:

Thanks Martin

We too were thinking that might be a viable option. If seems NOT good for two
Re: BLOCKING end-users from ATTACHING and EMAILING...
Hijack: How did you like Verdasys? Remember any lessons learned?

Thanks

Kevin

On Thu, May 12, 2011 at 5:08 AM, Alan Davies adav...@cls-services.com wrote:

Do you block/quarantine encrypted email too? If not, they can encrypt the email and your attachment filter won't be able to see it.

Otherwise, good solution - you may find, particularly if you need strong anti-copy type controls, that you could get some value from a DLP suite - Verdasys Digital Guardian for example is one I implemented in a past role to strictly control that type of activity. Cost will be an issue.

a
RE: BLOCKING end-users from ATTACHING and EMAILING... [Verdasys feedback]
Yes - plan well ahead, have deep pockets, lots of resource and lots of patience! ;o)

It's a great product, but a little sharp around the edges. We started out 3-4 years back and had a lot of stability problems at first with other kernel level stuff (Proventia, Sophos, etc.) so went through a lot of dev work with them to remove all the BSODs, but I think back then they just didn't do much testing against the non McAfee/Symantec type part of the market, so should have matured a bit since.

The level of control is incredible - you can literally intercept anything the OS may normally choose to do and modify it, but there are so many ways to do any one thing and most of them are wrong or inefficient ;o) You learn the best way to achieve your goals over time. It really depends how complex you want to get with it. We were doing a lot around movement of files, use of removable media and upstream data to the web. We also exposed the agent collection part of it to the Internet to ensure we could get output back when outside the office (where people usually figure they're safe to abuse data!).

Took us 2 years to really start moving full steam ahead with it, but we did have occasional resource issues and we were basically up and running in 12 months (though not doing very much and only covering workstations at that stage).

a

From: Kevin Lundy [mailto:klu...@gmail.com]
Sent: 12 May 2011 16:13
To: NT System Admin Issues
Subject: Re: BLOCKING end-users from ATTACHING and EMAILING...

Hijack: How did you like Verdasys? Remember any lessons learned?

Thanks

Kevin
RE: BLOCKING end-users from ATTACHING and EMAILING...
Great point Bill!! ...and NO we have not thought of that.

Imagine this could be done through group policy.

-J

-----Original Message-----
From: Bill Humphries [mailto:nt...@hedgedigger.com]
Sent: Thursday, May 12, 2011 6:20 AM
To: NT System Admin Issues
Subject: Re: BLOCKING end-users from ATTACHING and EMAILING...

Also, are users able to printscreen? Got to block that if you don't want users making screenshots of your PDFs.

Bill
RE: BLOCKING end-users from ATTACHING and EMAILING...
Yes Kurt [thanks]. The users in the department do not have local admin rights, and the ability to print has been removed. Unfortunately, we have not been able to prevent users from copy /paste. The rule is, IF a file can be read... IT CAN be copied /pasted. If the end-users figure out that the trigger preventing email in Vipre [Attachment filter] is within the name of the file they can modify it. We are searching for a workaround. We were hoping to avoid the expense, but at the end of the day perhaps a DLP professional firm will be needed. Alan recommended http://www.verdasys.com/ We've just seen a demo from http://www.gtbtechnologies.com/ [they use finger prints signatures in documents, then an appliance gateway NOT CHEAP however] Cheers -J -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Thursday, May 12, 2011 7:51 AM To: NT System Admin Issues Subject: Re: BLOCKING end-users from ATTACHING and EMAILING... I'm sure you've also ensured that the users can't install alternate software for reading and printing the document... Kurt On Wed, May 11, 2011 at 13:24, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote: SOLUTION FOUND VIPRE Email Security has what's called Attachment Filter [was right under our noses]. We are *now* able to prevent specific documents from being attached and emailed by specific users [or department]. All Policy features in the Attachment Filter tabs worked quite well, with minor exceptions [*see below]. Our custom rule, *(CLASSIFIED).PDF, stops PDF docs that end with CLASSIFIED in parenthesis. All classified documents were placed Read Only in a shared folder for all users. These documents will be given names for the above rule to catch, i.e., Standards for Dakota (CLASSIFIED).pdf. The PDF documents are converted using Adobe security, whereby the users cannot modify, copy /paste, or print. Using Sophos we activated Device Control preventing the end-users from coping to Storage, Network, or Short Range devices. 
The last step is to prevent these PDF [Read Only] documents from being copied locally and renamed. We are searching for a good Anti-copy software. It appears that there are some choices. programs like M File Anti-Copy http://mini-products.net/ ...so far untested. It appears we have a DLP solution to look forward to. Cheers -J Thank you all for the replies [contributions] including: Justin Thomas: jat...@gmail.com Martin Blackstone: mblackst...@gmail.com Angus Scott-Fleming: angu...@geoapps.com Jim Kennedy: kennedy...@elyriaschools.org Jeff Steward: jstew...@gmail.com James Rankin: kz2...@googlemail.com Andrew S. Baker: asbz...@gmail.com *The syntax %FILENAME% used under the Notifications tab oddly returned the subject of the email rather than the filename (GFI case is pending) *Earlier on, the Attachment Filter failing entirely. the result of our Digital signature in emails. Resolution came by changing the statement from false to true in <ScanDigitallySignedMessages>true</ScanDigitallySignedMessages> found in the directory \VIPRE Email Security\globalsettings.xml file The latter issue dragged on for what seemed like forever [5-days]. After several techs [3-4] it was finally resolved by Matthew D. (Nice Job!) From: Jeff S. Gottlieb [mailto:jeff.s.gottl...@gmail.com] Sent: Friday, May 06, 2011 4:32 PM To: NT System Admin Issues Subject: RE: BLOCKING end-users from ATTACHING and EMAILING... Agreed! ...and thank you for your worthy replies. We recently discovered Vipre Email Security has what's called Attachment Filter ...albeit it doesn't quite work AS OF YET, and no one [including Vipre Support] is able to say why. For the Vipre Security users out there...check out the Rules tab. Now this looks like something with tremendous DLP potential. Now if we can just get it to work. Cheers -J From: Jeff Steward [mailto:jstew...@gmail.com] Sent: Friday, May 06, 2011 4:24 AM To: NT System Admin Issues Subject: Re: BLOCKING end-users from ATTACHING and EMAILING...
I asked that question as I have been involved in stolen/leaked Intellectual Property issues where someone was faxing CAD drawings to a competitor. If this data is truly considered 'the secret sauce' then as others have suggested, get a real DLP solution in place. There is no perfect security in business since you have to let the pesky end users, customers and sales folks interact. Good luck! -Jeff Steward On Thu, May 5, 2011 at 12:51 AM, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote: Thank you Jeff. The CAD operators cannot print the items of sensitivity [again we need to prevent the possibility to email only]. Many of these items [documents] represent Standards or dimensions which the engineers use for all projects, and are located in one folder. These docs are large, including roughly 130 pages each, and would easily allow other manufacturing firms to replicate the same exact
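The renaming and encrypted-mail gaps raised in the messages above, set against a content check, as an added example (not code from the thread, VIPRE, or any DLP vendor). The sample document bytes, addresses and function names are constructed, and an exact SHA-256 digest is a simplified stand-in for the document fingerprinting the thread mentions.

```python
import fnmatch
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

FILENAME_RULE = "*(CLASSIFIED).PDF"  # the custom rule quoted in the thread

# Constructed stand-in for one protected PDF (not a real document).
PROTECTED_DOC = b"%PDF-1.4\n% constructed sample: Standards for Dakota\n%%EOF\n"

# Assumption: the gateway stores a SHA-256 digest of every file in the
# protected folder. An exact digest only catches byte-identical copies.
FINGERPRINTS = {hashlib.sha256(PROTECTED_DOC).hexdigest()}

# MIME types whose content a gateway cannot read without the keys.
OPAQUE_TYPES = {
    "application/pkcs7-mime",
    "application/x-pkcs7-mime",
    "application/pgp-encrypted",
}


def filename_rule_hits(name):
    """Case-insensitive glob match, the way a filename-based filter decides."""
    return fnmatch.fnmatchcase(name.upper(), FILENAME_RULE.upper())


def inspect(raw):
    """Return (verdict, reasons) for one outbound message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    block, opaque = [], []
    # walk() also descends into multipart/signed, so clear-signed mail
    # is inspected like any other message.
    for part in msg.walk():
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        if ctype in OPAQUE_TYPES:
            opaque.append(f"uninspectable part: {ctype}")
            continue
        if part.is_multipart():
            continue
        if name and filename_rule_hits(name):
            block.append(f"filename rule: {name}")
        data = part.get_payload(decode=True) or b""
        if hashlib.sha256(data).hexdigest() in FINGERPRINTS:
            block.append(f"content fingerprint: {name or '(unnamed part)'}")
    if block:
        return "block", block
    if opaque:
        # Nothing readable matched, but part of the mail could not be read.
        return "quarantine", opaque
    return "allow", []


def build_mail(filename, data, subtype="pdf"):
    """Build a constructed outbound message with one attachment."""
    m = EmailMessage()
    m["From"] = "cad.user@example.test"
    m["To"] = "outside@example.test"
    m["Subject"] = "drawings"
    m.set_content("see attached")
    m.add_attachment(data, maintype="application", subtype=subtype,
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        ("original name", build_mail("Standards for Dakota (CLASSIFIED).pdf",
                                     PROTECTED_DOC)),
        ("renamed copy", build_mail("notes.pdf", PROTECTED_DOC)),
        ("unrelated file", build_mail("notes.pdf", b"%PDF-1.4 harmless")),
        ("encrypted blob", build_mail("smime.p7m", b"constructed ciphertext",
                                      subtype="pkcs7-mime")),
    ]
    for label, raw in samples:
        print(label, inspect(raw))
```

The renamed copy is the case the filename rule alone lets through; the digest check still blocks it, and the encrypted part is held for review instead of being passed unread.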
Re: BLOCKING end-users from ATTACHING and EMAILING...
And don't forget USB-based apps, such as http://www.portableapps.com On Thu, May 12, 2011 at 12:36, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote: Yes Kurt [thanks]. The users in the department do not have local admin rights, and the ability to print has been removed. Unfortunately, we have not been able to prevent users from copy /paste. The rule is, IF a file can be read... IT CAN be copied /pasted. If the end-users figure out that the trigger preventing email in Vipre [Attachment filter] is within the name of the file they can modify it. We are searching for a workaround. We were hoping to avoid the expense, but at the end of the day perhaps a DLP professional firm will be needed. Alan recommended http://www.verdasys.com/ We've just seen a demo from http://www.gtbtechnologies.com/ [they use finger prints signatures in documents, then an appliance gateway NOT CHEAP however] Cheers -J -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Thursday, May 12, 2011 7:51 AM To: NT System Admin Issues Subject: Re: BLOCKING end-users from ATTACHING and EMAILING... I'm sure you've also ensured that the users can't install alternate software for reading and printing the document... Kurt On Wed, May 11, 2011 at 13:24, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote: SOLUTION FOUND VIPRE Email Security has what's called Attachment Filter [was right under our noses]. We are *now* able to prevent specific documents from being attached and emailed by specific users [or department]. All Policy features in the Attachment Filter tabs worked quite well, with minor exceptions [*see below]. Our custom rule, *(CLASSIFIED).PDF, stops PDF docs that end with CLASSIFIED in parenthesis. All classified documents were placed Read Only in a shared folder for all users. These documents will be given names for the above rule to catch, i.e., Standards for Dakota (CLASSIFIED).pdf. 
The PDF documents are converted using Adobe security, whereby the users cannot modify, copy /paste, or print. Using Sophos we activated Device Control preventing the end-users from copying to Storage, Network, or Short Range devices. The last step is to prevent these PDF [Read Only] documents from being copied locally and renamed. We are searching for a good Anti-copy software. It appears that there are some choices. programs like M File Anti-Copy http://mini-products.net/ ...so far untested. It appears we have a DLP solution to look forward to. Cheers -J Thank you all for the replies [contributions] including: Justin Thomas: jat...@gmail.com Martin Blackstone: mblackst...@gmail.com Angus Scott-Fleming: angu...@geoapps.com Jim Kennedy: kennedy...@elyriaschools.org Jeff Steward: jstew...@gmail.com James Rankin: kz2...@googlemail.com Andrew S. Baker: asbz...@gmail.com *The syntax %FILENAME% used under the Notifications tab oddly returned the subject of the email rather than the filename (GFI case is pending) *Earlier on, the Attachment Filter failing entirely. the result of our Digital signature in emails. Resolution came by changing the statement from false to true in <ScanDigitallySignedMessages>true</ScanDigitallySignedMessages> found in the directory \VIPRE Email Security\globalsettings.xml file The latter issue dragged on for what seemed like forever [5-days]. After several techs [3-4] it was finally resolved by Matthew D. (Nice Job!) From: Jeff S. Gottlieb [mailto:jeff.s.gottl...@gmail.com] Sent: Friday, May 06, 2011 4:32 PM To: NT System Admin Issues Subject: RE: BLOCKING end-users from ATTACHING and EMAILING... Agreed! ...and thank you for your worthy replies. We recently discovered Vipre Email Security has what's called Attachment Filter ...albeit it doesn't quite work AS OF YET, and no one [including Vipre Support] is able to say why. For the Vipre Security users out there...check out the Rules tab. Now this looks like something with tremendous DLP potential.
Now if we can just get it to work. Cheers -J From: Jeff Steward [mailto:jstew...@gmail.com] Sent: Friday, May 06, 2011 4:24 AM To: NT System Admin Issues Subject: Re: BLOCKING end-users from ATTACHING and EMAILING... I asked that question as I have been involved in stolen/leaked Intellectual Property issues where someone was faxing CAD drawings to a competitor. If this data is truly considered 'the secret sauce' then as others have suggested, get a real DLP solution in place. There is no perfect security in business since you have to let the pesky end users, customers and sales folks interact. Good luck! -Jeff Steward On Thu, May 5, 2011 at 12:51 AM, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote: Thank you Jeff. The CAD operators cannot print the items of sensitivity [again we need to prevent the possibility to email only]. Many of these items [documents] represent Standards or dimensions which the engineers use for all projects
Re: BLOCKING end-users from ATTACHING and EMAILING...
*We were hoping to avoid the expense, but at the end of the day perhaps a DLP professional firm will be needed.* Time is money. You're going to end up spending both in this case... *ASB *(Professional Bio http://about.me/Andrew.S.Baker/bio) *Harnessing the Advantages of Technology for the SMB market... * On Thu, May 12, 2011 at 3:36 PM, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote: Yes Kurt [thanks]. The users in the department do not have local admin rights, and the ability to print has been removed. Unfortunately, we have not been able to prevent users from copy /paste. The rule is, IF a file can be read... IT CAN be copied /pasted. If the end-users figure out that the trigger preventing email in Vipre [Attachment filter] is within the name of the file they can modify it. We are searching for a workaround. We were hoping to avoid the expense, but at the end of the day perhaps a DLP professional firm will be needed. Alan recommended http://www.verdasys.com/ We've just seen a demo from http://www.gtbtechnologies.com/ [they use finger prints signatures in documents, then an appliance gateway NOT CHEAP however] Cheers -J -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Thursday, May 12, 2011 7:51 AM To: NT System Admin Issues Subject: Re: BLOCKING end-users from ATTACHING and EMAILING... I'm sure you've also ensured that the users can't install alternate software for reading and printing the document... Kurt On Wed, May 11, 2011 at 13:24, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote: SOLUTION FOUND VIPRE Email Security has what's called Attachment Filter [was right under our noses]. We are *now* able to prevent specific documents from being attached and emailed by specific users [or department]. All Policy features in the Attachment Filter tabs worked quite well, with minor exceptions [*see below]. Our custom rule, *(CLASSIFIED).PDF, stops PDF docs that end with CLASSIFIED in parenthesis. 
All classified documents were placed Read Only in a shared folder for all users. These documents will be given names for the above rule to catch, i.e., Standards for Dakota (CLASSIFIED).pdf. The PDF documents are converted using Adobe security, whereby the users cannot modify, copy /paste, or print. Using Sophos we activated Device Control preventing the end-users from copying to Storage, Network, or Short Range devices. The last step is to prevent these PDF [Read Only] documents from being copied locally and renamed. We are searching for a good Anti-copy software. It appears that there are some choices. programs like M File Anti-Copy http://mini-products.net/ ...so far untested. It appears we have a DLP solution to look forward to. Cheers -J Thank you all for the replies [contributions] including: Justin Thomas: jat...@gmail.com Martin Blackstone: mblackst...@gmail.com Angus Scott-Fleming: angu...@geoapps.com Jim Kennedy: kennedy...@elyriaschools.org Jeff Steward: jstew...@gmail.com James Rankin: kz2...@googlemail.com Andrew S. Baker: asbz...@gmail.com *The syntax %FILENAME% used under the Notifications tab oddly returned the subject of the email rather than the filename (GFI case is pending) *Earlier on, the Attachment Filter failing entirely. the result of our Digital signature in emails. Resolution came by changing the statement from false to true in <ScanDigitallySignedMessages>true</ScanDigitallySignedMessages> found in the directory \VIPRE Email Security\globalsettings.xml file The latter issue dragged on for what seemed like forever [5-days]. After several techs [3-4] it was finally resolved by Matthew D. (Nice Job!) From: Jeff S. Gottlieb [mailto:jeff.s.gottl...@gmail.com] Sent: Friday, May 06, 2011 4:32 PM To: NT System Admin Issues Subject: RE: BLOCKING end-users from ATTACHING and EMAILING... Agreed! ...and thank you for your worthy replies.
We recently discovered Vipre Email Security has what's called Attachment Filter ...albeit it doesn't quite work AS OF YET, and no one [including Vipre Support] is able to say why. For the Vipre Security users out there...check out the Rules tab. Now this looks like something with tremendous DLP potential. Now if we can just get it to work. Cheers -J From: Jeff Steward [mailto:jstew...@gmail.com] Sent: Friday, May 06, 2011 4:24 AM To: NT System Admin Issues Subject: Re: BLOCKING end-users from ATTACHING and EMAILING... I asked that question as I have been involved in stolen/leaked Intellectual Property issues where someone was faxing CAD drawings to a competitor. If this data is truly considered 'the secret sauce' then as others have suggested, get a real DLP solution in place. There is no perfect security in business since you have to let the pesky end users, customers and sales folks interact. Good
RE: BLOCKING end-users from ATTACHING and EMAILING...
SOLUTION FOUND VIPRE Email Security has what's called Attachment Filter [was right under our noses]. We are *now* able to prevent specific documents from being attached and emailed by specific users [or department]. All Policy features in the Attachment Filter tabs worked quite well, with minor exceptions [*see below]. Our custom rule, *(CLASSIFIED).PDF, stops PDF docs that end with CLASSIFIED in parenthesis. All classified documents were placed Read Only in a shared folder for all users. These documents will be given names for the above rule to catch, i.e., Standards for Dakota (CLASSIFIED).pdf. The PDF documents are converted using Adobe security, whereby the users cannot modify, copy /paste, or print. Using Sophos we activated Device Control preventing the end-users from copying to Storage, Network, or Short Range devices. The last step is to prevent these PDF [Read Only] documents from being copied locally and renamed. We are searching for a good Anti-copy software. It appears that there are some choices. programs like M File Anti-Copy http://mini-products.net/ ...so far untested. It appears we have a DLP solution to look forward to. Cheers -J Thank you all for the replies [contributions] including: Justin Thomas: jat...@gmail.com Martin Blackstone: mblackst...@gmail.com Angus Scott-Fleming: angu...@geoapps.com Jim Kennedy: kennedy...@elyriaschools.org Jeff Steward: jstew...@gmail.com James Rankin: kz2...@googlemail.com Andrew S. Baker: asbz...@gmail.com *The syntax %FILENAME% used under the Notifications tab oddly returned the subject of the email rather than the filename (GFI case is pending) *Earlier on, the Attachment Filter failing entirely. the result of our Digital signature in emails. Resolution came by changing the statement from false to true in <ScanDigitallySignedMessages>true</ScanDigitallySignedMessages> found in the directory \VIPRE Email Security\globalsettings.xml file The latter issue dragged on for what seemed like forever [5-days].
After several techs [3-4] it was finally resolved by Matthew D. (Nice Job!) From: Jeff S. Gottlieb [mailto:jeff.s.gottl...@gmail.com] Sent: Friday, May 06, 2011 4:32 PM To: NT System Admin Issues Subject: RE: BLOCKING end-users from ATTACHING and EMAILING... Agreed! ...and thank you for your worthy replies. We recently discovered Vipre Email Security has what's called Attachment Filter ...albeit it doesn't quite work AS OF YET, and no one [including Vipre Support] is able to say why. For the Vipre Security users out there...check out the Rules tab. Now this looks like something with tremendous DLP potential. Now if we can just get it to work. Cheers -J From: Jeff Steward [mailto:jstew...@gmail.com] Sent: Friday, May 06, 2011 4:24 AM To: NT System Admin Issues Subject: Re: BLOCKING end-users from ATTACHING and EMAILING... I asked that question as I have been involved in stolen/leaked Intellectual Property issues where someone was faxing CAD drawings to a competitor. If this data is truly considered 'the secret sauce' then as others have suggested, get a real DLP solution in place. There is no perfect security in business since you have to let the pesky end users, customers and sales folks interact. Good luck! -Jeff Steward On Thu, May 5, 2011 at 12:51 AM, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote: Thank you Jeff. The CAD operators cannot print the items of sensitivity [again we need to prevent the possibility to email only]. Many of these items [documents] represent Standards or dimensions which the engineers use for all projects, and are located in one folder. These docs are large, including roughly 130 pages each, and would easily allow other manufacturing firms to replicate the same exact pieces. This is VERY Similar to the secret recipes for the odors of Crayola crayons, or Papa John's Pizza garlic sauce, etc., etc. Ps. The latter is something I would LOVE getting my hands on. I would make a HUGE batch for home use to dip the crust of *any* pizza!!
From: Jeff Steward [mailto:jstew...@gmail.com] Sent: Wednesday, May 04, 2011 8:14 PM To: NT System Admin Issues Subject: Re: BLOCKING end-users from ATTACHING and EMAILING... Can the CAD operators print? Seriously, if the owners need to protect their intellectual property at that level, have the engineers upload the docs to a directory for review and approval and let a 3rd party review them prior to sending them to an external destination. -Jeff Steward On Wed, May 4, 2011 at 7:49 PM, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote: Thanks Martin We too were thinking that might be a viable option. It seems NOT good for two reasons. 1) That is a Global setting, whereby the entire company would be affected by the one Exchange server 2) This department needs to transfer large files MOSTLY internally, but on rare occasions outside Sorry I forgot to mention this in our original post
RE: BLOCKING end-users from ATTACHING and EMAILING...
Agreed! ...and thank you for your worthy replies. We recently discovered Vipre Email Security has what's called Attachment Filter ...albeit it doesn't quite work AS OF YET, and no one [including Vipre Support] is able to say why. For the Vipre Security users out there...check out the Rules tab. Now this looks like something with tremendous DLP potential. Now if we can just get it to work. Cheers -J From: Jeff Steward [mailto:jstew...@gmail.com] Sent: Friday, May 06, 2011 4:24 AM To: NT System Admin Issues Subject: Re: BLOCKING end-users from ATTACHING and EMAILING... I asked that question as I have been involved in stolen/leaked Intellectual Property issues where someone was faxing CAD drawings to a competitor. If this data is truly considered 'the secret sauce' then as others have suggested, get a real DLP solution in place. There is no perfect security in business since you have to let the pesky end users, customers and sales folks interact. Good luck! -Jeff Steward On Thu, May 5, 2011 at 12:51 AM, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote: Thank you Jeff. The CAD operators cannot print the items of sensitivity [again we need to prevent the possibility to email only]. Many of these items [documents] represent Standards or dimensions which the engineers use for all projects, and are located in one folder. These docs are large, including roughly 130 pages each, and would easily allow other manufacturing firms to replicate the same exact pieces. This is VERY Similar to the secret recipes for the odors of Crayola crayons, or Papa John's Pizza garlic sauce, etc., etc. Ps. The latter is something I would LOVE getting my hands on. I would make a HUGE batch for home use to dip the crust of *any* pizza!! From: Jeff Steward [mailto:jstew...@gmail.com] Sent: Wednesday, May 04, 2011 8:14 PM To: NT System Admin Issues Subject: Re: BLOCKING end-users from ATTACHING and EMAILING... Can the CAD operators print?
Seriously, if the owners need to protect their intellectual property at that level, have the engineers upload the docs to a directory for review and approval and let a 3rd party review them prior to sending them to an external destination. -Jeff Steward On Wed, May 4, 2011 at 7:49 PM, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote: Thanks Martin We too were thinking that might be a viable option. It seems NOT good for two reasons. 1) That is a Global setting, whereby the entire company would be affected by the one Exchange server 2) This department needs to transfer large files MOSTLY internally, but on rare occasions outside Sorry I forgot to mention this in our original post. -J From: Martin Blackstone [mailto:mblackst...@gmail.com] Sent: Wednesday, May 04, 2011 2:50 PM To: NT System Admin Issues Subject: RE: BLOCKING end-users from ATTACHING and EMAILING... You could just put such a small attachment size restriction on them that nothing would go. Say 1K. From: Jeff S. Gottlieb [mailto:jeff.s.gottl...@gmail.com] Sent: Wednesday, May 04, 2011 1:47 PM To: NT System Admin Issues Subject: BLOCKING end-users from ATTACHING and EMAILING... We are searching for a method to BLOCK end-users from ATTACHING and EMAILING [sensitive] docs located on a SPECIFIC FOLDER of the share. What we have accomplished thus far: 1) Using Sophos we activated Device Control preventing end-user from copying to Storage, Network, or Short Range devices 2) Using Sophos we also activated Data Control... thus creating email alerts detailing the sender /recipient, time /date, and name /location of attachment 3) All documents are converted to PDF with security options that prevent copy /paste, and printing 4) End-users are NOT allowed Internet access Owners are left *totally* unsatisfied with all the above, as these measures are not preventative enough. Leaving any of the end-users without ability to email is NOT an option.
Leaving a [public] workstation open, available with access to this SPECIFIC FOLDER, and then having no email /Internet is NOT an option. These end-users are all in the CAD design department. Given the nature of the business, suffice-it-to-say, one drawing in email could represent a significant loss. Sadly, the owners feel they cannot entirely rely on the loyalty of generously paid employees [with great benefits], company policies, and or legalese. Thanks in advance for any suggestions... comments. Cheers, -J EMPLOYEE Supposition: Surely in created the level of sophistication placed in Sophos with Device Data Control suggests that a greater need exists to protect the employer's intellectual property. Along with these concepts, the end-users themselves have become more sophisticated and perhaps unfortunately [these days] more-willing to place their positions on the line. I guess if we've done our IT job... then the end-users' ONLY option is to snap a photo using a cell-phone. What
Re: BLOCKING end-users from ATTACHING and EMAILING...
How do you stop the use of the Print Screen function? Seriously, trying to lock down users to this level is a real minefield. If you are determined to do it, why not have a look at a product like AppSense (specifically Environment Manager)? It can lock out parts of the user interface, keystrokes, text entry into fields, applications, drives and removable drives, prevent Registry keys and processes from existing, and a vast array of other things. It is now available on a more sensible per-user basis as well. On 5 May 2011 05:51, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote: Thank you Jeff. The CAD operators cannot print the items of sensitivity [again we need to prevent the possibility to email only]. Many of these items [documents] represent “Standards” or dimensions which the engineers use for all projects, and are located in one folder. These docs are large, including roughly 130 pages each, and would easily allow other manufacturing firms to replicate the same exact pieces. This is VERY Similar to the secret recipes for the odors of Crayola crayons, or Papa John’s Pizza garlic sauce, etc., etc. Ps. The latter is something I would LOVE getting my hands on. I would make a HUGE batch for home use to dip the crust of **any** pizza!! *From:* Jeff Steward [mailto:jstew...@gmail.com] *Sent:* Wednesday, May 04, 2011 8:14 PM *To:* NT System Admin Issues *Subject:* Re: BLOCKING end-users from ATTACHING and EMAILING... Can the CAD operators print? Seriously, if the owners need to protect their intellectually property at that level, have the engineers upload the docs to a directory for review and approval and let a 3rd party review them prior to sending them to an external destination. -Jeff Steward On Wed, May 4, 2011 at 7:49 PM, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote: Thanks Martin We too were thinking that might be a viable option. If seems NOT good for two reasons. 
1) That is a Global setting, whereby the entire company would be effected by the one Exchange server 2) This department needs to transfer large files MOSTLY internally, but on rare occasions outside Sorry I forgot to mention this in our original post. –J *From:* Martin Blackstone [mailto:mblackst...@gmail.com] *Sent:* Wednesday, May 04, 2011 2:50 PM *To:* NT System Admin Issues *Subject:* RE: BLOCKING end-users from ATTACHING and EMAILING... You could just put such a small attachment size restriction on them that nothing would go. Say 1K. *From:* Jeff S. Gottlieb [mailto:jeff.s.gottl...@gmail.com] *Sent:* Wednesday, May 04, 2011 1:47 PM *To:* NT System Admin Issues *Subject:* BLOCKING end-users from ATTACHING and EMAILING... We are searching for a method to BLOCK end-users from ATTACHING and EMAILING [sensitive] docs located on a SPECIFIC FOLDER of the share. *What we have accomplished thus far:* 1) Using Sophos we activated “*Device* Control” preventing end-user from coping to Storage, Network, or Short Range devices 2) Using Sophos we also activated “*Data* Control”… thus creating email alerts detailing the sender /recipient, time /date, and name /location of attachment 3) All documents are converted to PDF with security options that prevent copy /paste, and printing 4) End-users are NOT allowed Internet access Owners are left **totally** unsatisfied with all the above, as these measures are not preventative enough. Leaving any of the end-users without ability to email is NOT an option. Leaving a [public] workstation open, available with access to this SPECIFIC FOLDER, and then having no email /Internet is NOT an option. These end-users are all in the CAD design department. Given the nature of the business, suffice-it-to-say, one drawing in email could represent a significant loss. Sadly, the owners feel they cannot entirely rely on the loyalty of generously paid employees [with great benefits], company policies, and or legalese. 
Thanks in advance for any suggestions… comments. Cheers, -J *EMPLOYEE Supposition:* Surely in created the level of sophistication placed in Sophos with *Device Data* Control suggests that a greater need exists to protect the employer’s intellectual property. Along with these concepts, the end-users themselves have become more sophisticated and perhaps unfortunately [these days] more-willing to place their positions on the line. I guess if we’ve done our IT job… than the end-users ONLY option is to snap a photo using a cell-phone. What then will the employer do?? Add company policy to include NO CELL PHONES?? Imagine a world AT WORK without texting, tweeting, and the occasional personal call??? Ouch! *EMPLOYER Supposition [slave-master]:* Add video surveillance too :--/ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage
Re: BLOCKING end-users from ATTACHING and EMAILING...
If you did use AppSense to do this, you could either remove the *Attach* functions from the menus and command bars in their email client, or you could simply prevent the *Attach A File* dialog box from being able to browse to a pre-defined list of restricted locations. On 4 May 2011 21:47, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote: We are searching for a method to BLOCK end-users from ATTACHING and EMAILING [sensitive] docs located on a SPECIFIC FOLDER of the share. *What we have accomplished thus far:* 1) Using Sophos we activated “*Device* Control” preventing end-user from copying to Storage, Network, or Short Range devices 2) Using Sophos we also activated “*Data* Control”… thus creating email alerts detailing the sender /recipient, time /date, and name /location of attachment 3) All documents are converted to PDF with security options that prevent copy /paste, and printing 4) End-users are NOT allowed Internet access Owners are left **totally** unsatisfied with all the above, as these measures are not preventative enough. Leaving any of the end-users without ability to email is NOT an option. Leaving a [public] workstation open, available with access to this SPECIFIC FOLDER, and then having no email /Internet is NOT an option. These end-users are all in the CAD design department. Given the nature of the business, suffice-it-to-say, one drawing in email could represent a significant loss. Sadly, the owners feel they cannot entirely rely on the loyalty of generously paid employees [with great benefits], company policies, and or legalese. Thanks in advance for any suggestions… comments. Cheers, -J *EMPLOYEE Supposition:* Surely in created the level of sophistication placed in Sophos with *Device Data* Control suggests that a greater need exists to protect the employer’s intellectual property.
Along with these concepts, the end-users themselves have become more sophisticated and perhaps unfortunately [these days] more-willing to place their positions on the line. I guess if we’ve done our IT job… than the end-users ONLY option is to snap a photo using a cell-phone. What then will the employer do?? Add company policy to include NO CELL PHONES?? Imagine a world AT WORK without texting, tweeting, and the occasional personal call??? Ouch! *EMPLOYER Supposition [slave-master]:* Add video surveillance too :--/ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin -- On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question. *IMPORTANT: The information in this email is CONFIDENTIAL. If its contents are disclosed in any way my lawyers will swoop down from black helicopters like Seal Team Six and drag you away with a black bag over your head. They will then take you to a secret prison and make you fight to the death with other people who dared to share this email. You will be given a large bowie knife and a supply of methamphetamines while I watch the said deathmatch and wager vast sums of money on who will be the winner. If the fight becomes boring or there is a stalemate, I will release rabid dogs and my two-stone cat into the arena to liven things up a bit. If these animals become in any way docile, I will squirt them with water pistols until they become a bit more temperamental.* ~ Finally, powerful endpoint security that ISN'T a resource hog! 
~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
RE: BLOCKING end-users from ATTACHING and EMAILING...
You're using an entry level pretend DLP feature of an AV product to try and do enterprise style DLP. You get what you pay for. However, something like MIMEsweeper in your email flow would easily achieve what you desire and could sandbox for approval rather than forbid, which is a far better business enabler. If you want granular control over things like this and other actions with files, then you may want to look at the full DLP suites (deep breath for costs though!).

a
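Added example, not part of the thread or of any product named in it: a mail-gateway check that matches attachments on content rather than filename and holds a match for approval instead of discarding it. The folder paths, addresses, mail domain and file bytes are constructed for illustration, and exact SHA-256 matching is an assumption standing in for the fingerprinting that commercial DLP products perform.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed stand-in for the protected share folder (path -> file bytes).
# A real deployment would build the inventory by hashing the actual folder.
PROTECTED_FILES = {
    r"\\fileserver\standards\Flange dimensions (CLASSIFIED).PDF":
        b"%PDF-1.4 constructed sample: flange dimensions",
    r"\\fileserver\standards\Weld standard (CLASSIFIED).PDF":
        b"%PDF-1.4 constructed sample: weld standard",
}
INTERNAL_DOMAIN = "example.com"  # assumed company mail domain


def fingerprint(data):
    """SHA-256 of the raw content; the filename plays no part in the match."""
    return hashlib.sha256(data).hexdigest()


def build_inventory(protected_files):
    """Map content hash -> original path for every protected file."""
    return {fingerprint(data): path for path, data in protected_files.items()}


def check_outbound(raw_message, inventory, internal_domain):
    """Return a verdict for one outbound message.

    HOLD means "quarantine for approval", not "discard". Exact hashes only
    match byte-identical copies, so this is the simplest form of content
    matching and one layer among several.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)

    # Collect recipients so the approver can see whether the mail leaves the company.
    headers = [str(h) for name in ("To", "Cc", "Bcc") for h in msg.get_all(name, [])]
    recipients = [addr.lower() for _, addr in getaddresses(headers) if addr]
    suffix = "@" + internal_domain.lower()
    external = [r for r in recipients if not r.endswith(suffix)]

    # Hash every leaf MIME part, whatever name or content type it declares.
    matches = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if not payload:
            continue
        path = inventory.get(fingerprint(payload))
        if path is not None:
            matches.append({
                "sent_as": part.get_filename() or "(inline)",
                "protected_file": path,
            })

    return {
        "verdict": "HOLD" if matches else "DELIVER",
        "matches": matches,
        "external_recipients": external,
    }


def build_message(recipient, filename, data):
    """Construct a sample outbound message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "cad.user@example.com"
    msg["To"] = recipient
    msg["Subject"] = "files"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application", subtype="pdf", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    inventory = build_inventory(PROTECTED_FILES)
    path, data = next(iter(PROTECTED_FILES.items()))
    # Same bytes as a protected file, sent under an unrelated name.
    print(check_outbound(build_message("someone@example.net", "holiday.pdf", data),
                         inventory, INTERNAL_DOMAIN))
    # Unrelated content passes.
    print(check_outbound(build_message("colleague@example.com", "notes.pdf",
                                       b"%PDF-1.4 unrelated"),
                         inventory, INTERNAL_DOMAIN))
```
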
Re: BLOCKING end-users from ATTACHING and EMAILING...
Alan makes some extremely good points...

The one question I would ask, which many have already alluded to is this: Are you trying to prevent accidental data leak prevention or deliberate? The answer will necessarily affect your approach to solving this problem.

*Sadly, the owners feel they cannot entirely rely on the loyalty of generously paid employees [with great benefits], company policies, and or legalese.*

Then they are doomed. There are very few organizations that can be successful in any way by deliberately hiring people they clearly don't trust on some level. This is not to suggest that owners and organizations should not care about intellectual property theft/loss/exposure, but that they are looking to address it in the wrong fashion, and at the wrong location. They're going to need to use a proper DLP solution with excellent auditing, combined with better HR practices, from candidate selection through onboarding through ongoing training.

*ASB* (Professional Bio http://about.me/Andrew.S.Baker/bio) *Harnessing the Advantages of Technology for the SMB market...*
Re: BLOCKING end-users from ATTACHING and EMAILING...
Here, computers with access to that type of data are in a separate locked room, no network access, no working USB ports, no writeable optical disk... Not really sure if there is a rule against cameras in that room...

-- Probable Contrarian
RE: BLOCKING end-users from ATTACHING and EMAILING...
I have a pencil and paper.
RE: BLOCKING end-users from ATTACHING and EMAILING...
You could just put such a small attachment size restriction on them that nothing would go. Say 1K.
Re: BLOCKING end-users from ATTACHING and EMAILING...
On 4 May 2011 at 13:47, Jeff S. Gottlieb wrote:

We are searching for a method to BLOCK end-users from ATTACHING and EMAILING [sensitive] docs located on a SPECIFIC FOLDER of the share.

No personal experience with this but this *_might_* have what you need:

Secured eControl Key Features http://www.cryptzone.com/products/econtrol/keyfeatures.aspx

Document Classification

Easily restrict access to sensitive business documents by setting document classifications. The classification controls the distribution of documents by email and will alert you to the potentially sensitive nature of the document you are attempting to email and can prevent documents from being emailed to specific internal or external users.
RE: BLOCKING end-users from ATTACHING and EMAILING...
I bet you got a cell phone with a camera too.
Re: BLOCKING end-users from ATTACHING and EMAILING...
Can the CAD operators print?

Seriously, if the owners need to protect their intellectual property at that level, have the engineers upload the docs to a directory for review and approval and let a 3rd party review them prior to sending them to an external destination.

-Jeff Steward

On Wed, May 4, 2011 at 7:49 PM, Jeff S. Gottlieb jeff.s.gottl...@gmail.com wrote:

Thanks Martin

We too were thinking that might be a viable option. It seems NOT good for two reasons.

1) That is a Global setting, whereby the entire company would be affected by the one Exchange server
2) This department needs to transfer large files MOSTLY internally, but on rare occasions outside

Sorry I forgot to mention this in our original post.

–J
RE: BLOCKING end-users from ATTACHING and EMAILING...
Thank you Jeff.

The CAD operators cannot print the items of sensitivity [again we need to prevent the possibility to email only]. Many of these items [documents] represent Standards or dimensions which the engineers use for all projects, and are located in one folder. These docs are large, including roughly 130 pages each, and would easily allow other manufacturing firms to replicate the same exact pieces. This is VERY Similar to the secret recipes for the odors of Crayola crayons, or Papa John's Pizza garlic sauce, etc., etc.

Ps. The latter is something I would LOVE getting my hands on. I would make a HUGE batch for home use to dip the crust of *any* pizza!!