Mark
Mon Nov 07 18:38:23 CST 2005
Your problem is unavoidable;
As suggested you can put a middle-man interface in, probably an ASP based
interface so they can only access restricted parts - but there would be
nothing to stop them just using those restricted queries to get every piece
of information associated with it. So if you have a restricted query that
brings back one user details, you simply run that query for every user and
copy the results.
Even for Access and IRM there is nothing to stop taking a screenshot and
using OCR to rip the data back, or even to copy it into a notepad or
unsecured medium. Secondly, there would be little to stop them from putting
in a external disk and copying it over, hell if they wanted to they could
fire up VBA and change its extension and send it out - You need to consider
that if they are deliberatly trying to steal the database that they have
access to - you have no way of particually stopping them..
- Keep your database back end seperate from the access portion of it.
- Ensure employees sign a NDA
- Educate the management that absolute digtal protection is not going to
happen
The last is probably the best thing.
--
- Mark Randall
http://zetech.swehli.com
"Those people that think they know everything are a great annoyance to those
of us who do"
Isaac Asimov
"Peter Hesselager" <PeterHesselager@discussions.microsoft.com> wrote in
message news:E05E0DD3-9241-461F-89E8-AB66564A5CDB@microsoft.com...
> Hi again
> First thank you for giving attention to the problem.
> Oh yes, I did get the idea - but I need to solve my problem.
> There was a management take over - and now not everybody is believed to
> stay
> in the company - but "they" ( the new management) certainly don't want to
> chase them out by means of suspicion -on the other hand if they ... you
> know !
> --------
> well
> If it was an EXCELL, we could indeed use Information Rigts Management,
> which
> would let users acces the spreadsheet, but restricting their use ( i.e
> printing, copying, mailing, and more).
> Unfortunately IRM - to my knowledge - does not apply to ACCESS databases.
> The databse is the heart of production planning - and so does not have to
> leave the plant ( The road warriors).
> All Foremen / mid range leaders have Laptops to access company mail from
> home / out in the world ( Software VPN-clients).
> In the company they connect to the domain as regular PC's.
> These Laptops are the problem, as they could copy to their local harddisk,
> and then later burn a copy
>
> If they were to use Terminal Services even when working on the plant, I as
> the domain-administrator, could easily prevent users from copying to your
> local computer.
>
>
> So I figured - I'm not hardcore at all into Group Policy - but wouldn' it
> be
> possible to set up som Policy, that rejects some specific filenames from
> being copied onto their local discs ??
> Yes, we don't want to make the Laptops "read only" !
>
> Regarding your last statement - I believe, that I can control their disc
> in
> this respect.
> Don't I ??
>
>
> Peter Hesselager
>
>
> "Alun Jones" wrote:
>
>> Peter Hesselager wrote:
>> > Hi Roger
>> > I agree - but I was wondering, if I in some way could apply a GPO, as
>> > all
>> > users are logged onto the domain, and the Access-base is way too big
>> > for
>> > them to mail ?
>>
>> I'm not sure you really got the idea.
>>
>> If they can read the database, they can copy it. It's rather like
>> someone
>> saying "I'd like to protect this book, so that people can read it as much
>> as
>> they like, but can't write down any information that is in it." The
>> difference between the two tasks is only the _writing_ part, which means
>> that the only place you could possibly apply such a protection is on the
>> _writing_ media - and I doubt that you're willing to turn the laptops
>> into
>> read-only devices.
>>
>> > Terminal Server could be a possibility - but there are to many users,
>> > and
>> > it would create to much "noise" among the users.
>>
>> Obviously you need to increase the depth of the description, so that the
>> problem becomes tractable.
>>
>> I'd suggest creating a web-based application that allows your users to do
>> restricted queries against the database, and ensure that the database
>> remains entirely at your main site. Of course, that's going to cause
>> problems if your users are mobile warriors and are separated from
>> Internet
>> access at the sites where they need the information, in which case you
>> will
>> simply have to decide how much information you will trust to send with
>> them,
>> and how much you will hold back.
>>
>> At the end of the day, you may find that this problem is best solved by
>> the
>> human touch - hire people you can trust.
>>
>> Always remember that the difference between "reading" and "copying" is in
>> the "writing", and so to prevent copying, the only answer is to prevent
>> all
>> reading, or to prevent writing. The former is generally not what's
>> wanted,
>> and the latter is generally not possible (especially if you are talking
>> about copying to media you do not control).
>>
>> Alun.
>> ~~~~
>> [Please don't email posters, if a Usenet response is appropriate.]
>> --
>> Texas Imperial Software | Find us at
http://www.wftpd.com or email
>> 23921 57th Ave SE | alun@wftpd.com.
>> Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
>> Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
>>
>>
>>