Security Basics mailing list archives

RE: Deny access to copy files


From: "Yahsodhan Deshpande" <yahsodhan.deshpande () nevisnetworks com>
Date: Mon, 2 Jun 2008 14:28:33 -0700

Hi Ahmed,
   How about creating a virtual machine (which is hardened enough), and
then allow the access to the code only via the virtual machine.

   Hardening the VM would be a task in itself, but it would solve many
of the issues related to USB and mass storage devices.

Regards,
Yashodhan


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Adam Pal
Sent: Monday, June 02, 2008 1:15 PM
To: Ahmed Khalid
Cc: focus-ms () securityfocus com; security-basics () lists securityfocus com
Subject: Re: Deny access to copy files

Hello Ahmed,

Sounds more like you try washing your hands without getting wet :)
I can hardly imagine that the programmers should be able to read but
not to copy, so if they need to program they need access to the code.
I think it's more frustrating for programmers to know that they have to
work with "handcuffs".
I think the problem lies much deeper:
do you trust your programmers?
If not, hire another, if yes, no such measures needed, or better
say not more than written agreements about security policy.
About blocking web access:
As I can remember that one of the core problems of security is that
you cannot protect your data efficiently from attackers within the
company.
I can remember about agreements which contain things like:
-not connecting mobile storage devices to the workstation (this can be
monitored)
-not connecting mobile devices to the internal network (this can also
be monitored)
-not taking parts of code out of the company (which can also be
monitored)

Of course, bad-intentioned people will be able to bypass such
agreements but I prefer to assume that in your staff are good people
only.
One more - what about using interfaces for programming? Doing so,
every one holds only a small, unusable piece of the "puzzle".


-- 
Best regards,
 Adam Pal   

Sunday, June 1, 2008, 8:20:25 PM, you wrote:

<==============Original message text===============
AK> I am working for a software house, they are developing a software product
AK> and their requirement is to restrict programmers to take the code out of
AK> office premises due to company policy. I am trying to configure a Windows
AK> based machine which denies access to copy files to external storage devices
AK> connected to USB. There is an NTFS permission "Read + Execute" I guess this
AK> could do the work but is there any other way to do it?

AK> They also don't need programmers to take the code with them in their email.
AK> I can restrict SMTP and POP ports but when it comes to web based emails I am
AK> clueless. How can I restrict web based emails like hotmail, gmail, yahoo
AK> there are so many of these and if I somehow manage to block all web based
AK> email sites someone can write a script to send emails, if not a script HTTP
AK> tunneling would bypass any checks and bounds defined by my proxy/gateway
AK> machine. How can I block such thing?

AK> Any help would be highly appreciated.

AK> Regards,
AK> Ahmed Khalid

<===========End of original message text===========


