12

Is it possible to prevent regular users from accessing the C drive via Windows Explorer? They should be allowed to execute certain programs. This is to ensure that employees cannot steal or copy out proprietary software even though they should be able to execute it.

One way would be to change the option in Windows Group Policy and set the "shell" to something other than "explorer.exe". I'm looking for a similar Windows setting that just hides the C drive or otherwise prevents trivial access.

AviD
Robin Rodricks
  • What about restricting their account? Could you not reduce the privileges on their login account to not let them install certain applications? Disabling CD/DVD Write and USB Write would also help. – Casey Jan 05 '11 at 15:46
  • You can't give someone Execute permissions without giving them Read permissions, and if they have Read permissions then they can read the file and save it elsewhere. – Matthew Read Jan 05 '11 at 18:43
  • @Casey, why not post that comment as an answer? – AviD Jan 05 '11 at 22:10
  • @Matthew, that's correct, but you CAN remove "Traverse Directory" permission - not totally blocking access, but it *kinda* helps trivial copying... – AviD Jan 05 '11 at 22:11
  • @Avid True enough. But often annoying-but-bypassable blocks like that just make people try harder to get around them (and thus waste more time on the company's dollar). – Matthew Read Jan 05 '11 at 22:13
  • @Matthew also true. See @Rory's answer, about how you can't really stop them once they have the information anyway - all you can do is put up roadblocks. – AviD Jan 05 '11 at 22:16

3 Answers

12

It's possible to use Group Policies to hide specific drives in My Computer, Windows Explorer and similar file browsing mechanisms (Microsoft article on it here).

It's been a while since I've seen this implemented, but back then there was usually a way around the restriction, so this kind of control would prevent casual access, but wouldn't stop a determined attacker.

Ultimately it's pretty difficult to stop someone who has legitimate access to execute a file from being able to read it, especially if they have access to the hardware that's executing the file.

Rory McCune
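
The drive-hiding Group Policy settings mentioned in the answer above are stored as two per-user bitmask registry values. The PowerShell below is an added example, not part of the original answer; its function names are hypothetical, and it sets and audits the values for the current user only (in a domain they would be delivered by the GPO itself).

```powershell
# Added example. Explorer drive policies are per-user DWORD bitmasks:
# bit 0 = A:, bit 1 = B:, bit 2 = C:, ... bit 25 = Z:
#   NoDrives      = "Hide these specified drives in My Computer"
#   NoViewOnDrive = "Prevent access to drives from My Computer"
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function ConvertTo-DriveMask {          # hypothetical helper: 'CD' -> 12
    param([Parameter(Mandatory)][string]$Letters)
    $mask = 0
    foreach ($c in $Letters.ToUpperInvariant().ToCharArray()) {
        $bit = [int]$c - 65                      # 'A' is 65
        if ($bit -lt 0 -or $bit -gt 25) { throw "Not a drive letter: $c" }
        $mask = $mask -bor (1 -shl $bit)
    }
    $mask
}

function ConvertFrom-DriveMask {        # hypothetical helper: 12 -> C, D
    param([Parameter(Mandatory)][int]$Mask)
    0..25 | Where-Object { $Mask -band (1 -shl $_) } |
        ForEach-Object { [char](65 + $_) }
}

function Set-ExplorerDrivePolicy {      # write the same mask to both values
    param([Parameter(Mandatory)][string]$Letters)
    $mask = ConvertTo-DriveMask -Letters $Letters
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in 'NoDrives', 'NoViewOnDrive') {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $mask `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-ExplorerDrivePolicy {      # audit: decode whatever is currently set
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in 'NoDrives', 'NoViewOnDrive') {
        $value = if ($props -and $null -ne $props.$name) { [int]$props.$name } else { 0 }
        [pscustomobject]@{
            Policy = $name
            Mask   = $value
            Drives = (ConvertFrom-DriveMask -Mask $value) -join ','
        }
    }
}

Set-ExplorerDrivePolicy -Letters 'C'   # writes 4 to both values
Get-ExplorerDrivePolicy                # read back and decode the masks
```

These values restrict only Explorer and the common file dialogs and leave NTFS permissions unchanged, which fits the answer's point that the control stops casual access only. The change takes effect once Explorer restarts, and deleting the two values reverses it.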
9

A solution, which may be outwith scope here but could be useful if the code is that valuable, is to only allow the user a thin client (I'm thinking Citrix or similar) so they never actually run the code locally, only see screen views and output.

It has a range of other useful benefits as well, not just limiting the movement of sensitive information, but allowing strong control over access, patching, capacity management etc.

Rory Alsop
6

I agree with the Rorys. It's very difficult to allow someone to execute or read data without at the same time giving them the ability (either inherently or through user-implemented means) to copy it out. Physical access especially breaks most security measures short of at-rest encryption.

That said, the suggestions of using Group Policies and/or Thin Clients are both good ideas - especially the latter. In any case, you should not seek to lock down a whole drive - especially one so critical as C:\ - if it is only certain data on that drive that needs protection. Locking down the C:\ drive as a whole will likely cause more problems and headaches than it will solve.

If you do prefer to lock an entire drive, create a separate partition specifically for the proprietary software and install it there. Then, you can lock the second partition down as much as you want without interfering with the user's access to critical OS or non-sensitive program files.

Iszi