  1. #1
    New Lounger

    GPO for Desktop restricted access

    Hi,
    I manage a small domain network and I have a tricky question about the way my clients work. In my domain there are some desktops and some laptops. The documents used by the clients are important and some of them classified. Desktop PC users are not a big concern since they work only at their office. The problem is with laptop owners. They sometimes wish to take their laptops home and work. I thought of maybe finding a way to prevent the users from saving documents somewhere on the Desktop (there are only 4 shortcuts on each user's Desktop that point to a server location), so they cannot put some confidential documents outside the server location and just retract them from the laptop when going home. The only way to take some files from work to home so far is through me at work, where I transfer the files they need, after writing down the names of the files transferred. Is there any way to track the changes or audit files, after a laptop is disconnected from the domain, when it reconnects with it?
    Any help appreciated.

  2. #2
    WS Lounge VIP
    I don't know of a way to manage that in Windows, but that doesn't mean there isn't one.
    The issue is they can copy anything they have permission to view, so you can't easily stop files turning up on the laptop.
    If you are concerned about losing the files, encrypt the disk with BitLocker and enforce require password on resume from lock.
    If you have Previous Versions running on the server, when the laptop syncs you will get a copy of the file, but no log.

    cheers, Paul

  3. The Following User Says Thank You to Paul T For This Useful Post:

    antros48 (2016-05-25)

  4. #3
    New Lounger
    Thanks for the response. I haven't considered the encryption and it's a valid idea. Can this apply in a way that the folder unlocks when the user enters the domain and locks again when he leaves?

  5. #4
    4 Star Lounger
    "Can this apply in a way that the folder unlocks when the user enters the domain and locks again when he leaves?"
    Well, the encryption itself cannot just "come and go". The files are either encrypted or they are not. There's no temporal or geographic or any other logical connection that way, and that includes domain membership.

    This is a crazy idea and I've no idea if it would work. Perhaps you could create a certificate key store on the domain? Perhaps based on Kerberos or something? While connected it would be available and the decrypted file contents would be available. When disconnected from the domain the key is unavailable and the files on the laptops are encrypted, even to otherwise authorized users.

    There's still a critical weakness though and that is Virtual Private Networks. If the users can connect in using a VPN, then they log on to the domain. The key store is then accessible to them just like a local connection. The file can be decrypted and the file contents are readable again.
    Last edited by BHarder; 2016-05-26 at 00:58. Reason: included -> includes

  6. #5
    WS Lounge VIP
    To defeat the "lock on leave" you only need to have the document open when you take the laptop away.

    cheers, Paul

  7. #6
    WS Lounge VIP
    To prevent the document leaving the laptop you need to lock down all external ports / CD and prevent email attachments - or email at all as you can copy / paste.
    Basically you have to trust your staff.

    cheers, Paul
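
A check for the two settings suggested in post #2 (BitLocker on the disk, password required on resume), as an added example that is not part of the original thread. It assumes an elevated PowerShell session on the laptop, and the mapping of "require password on resume from lock" to the Group Policy registry values below is an assumption.

```powershell
# Added example: report BitLocker state and "password on resume" policy on a laptop.
# Run elevated; Get-BitLockerVolume needs administrator rights.

# 1. BitLocker: each volume should be fully encrypted with protection switched on.
$volumes = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint   = $_.MountPoint
        VolumeType   = $_.VolumeType
        VolumeStatus = $_.VolumeStatus
        Protection   = $_.ProtectionStatus
        Protectors   = ($_.KeyProtector.KeyProtectorType -join ', ')
        Compliant    = ($_.VolumeStatus -eq 'FullyEncrypted' -and
                        $_.ProtectionStatus -eq 'On')
    }
}

# 2. Password on wake (assumed mapping): policy "Require a password when a
#    computer wakes", stored per power source under this machine policy key.
$wakeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\' +
           '0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
$wake = Get-ItemProperty -Path $wakeKey -ErrorAction SilentlyContinue

# 3. Password on screen saver resume (assumed mapping): per-user policy
#    "Password protect the screen saver".
$ssKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ss = Get-ItemProperty -Path $ssKey -ErrorAction SilentlyContinue

# A missing key or value means the policy is not enforced, so it reads as False.
$lockPolicy = [pscustomobject]@{
    PasswordOnWakeBattery   = ($wake.DCSettingIndex -eq 1)
    PasswordOnWakePluggedIn = ($wake.ACSettingIndex -eq 1)
    ScreenSaverIsSecure     = ($ss.ScreenSaverIsSecure -eq '1')
}

$volumes    | Format-Table -AutoSize
$lockPolicy | Format-List

# Summarise so the result can be collected by a logon script or inventory job.
$failed = @($volumes | Where-Object { -not $_.Compliant })
$unlocked = @($lockPolicy.PSObject.Properties | Where-Object { -not $_.Value })
if ($failed.Count -or $unlocked.Count) {
    Write-Warning ("Not compliant: {0} volume(s), {1} lock setting(s)" -f
                   $failed.Count, $unlocked.Count)
}
```

As posts #5 and #6 point out, this protects a lost or stolen laptop; it does not stop an authorized user from copying what they are allowed to read.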
