Monday, April 20, 2009

How to prevent file copying, deletion and renaming?

On a computer with multiple users some kind of access restriction and sharing permission is essential. The nature of the security permission can vary depending upon who has access to the computer and their experience level. Generally, system administrators or owners like to implement any of the 3 kinds of security restrictions – file copying, deletion and modification. The latter two types of protection is easy to enforce in NTFS formatted drives, but preventing copying can be a little tricky.

Hundreds of articles has been written on NTFS permissions and many of you readers might already know it, but for the sake of completeness I will have to include the basics.

Preventing file reading or execution, modification and deletion

Update: Detailed instructions are available herehttp://www.instantfundas.com/2010/12/how-to-protect-files-from-deletion-in.html

These permissions can be set on NTFS formatted drives. Open Windows explorer and go to Tools >Folder Options, click on the View tab and uncheck the box “Use simple file sharing (Recommended)”.

ntfs-file-permissions

Right click on the folders or files you want to set restrictions to and click on Properties. Under the Security tab you can now set Allow or Deny permissions on a number of files operations like:

  • Full Control: Users can modify, add, move, and delete files, as well as their associated properties and directories. In addition, users can change permissions settings for all files and subdirectories.
  • Modify: Users can view and modify files and file properties, including deleting and adding files to a directory or file properties to a file.
  • Read & Execute: Users can run executable files, including scripts.
  • Read: Users can view files and file properties.
  • Write: Users can write to a file.

More permissions are available under the Advanced tab.

Preventing file copying

Preventing copying of files is a bit difficult. The most effective way to prevent unauthorized copying of files from your computer is disabling access to takeaway devices, in other words removable drives. Locking optical drives and disabling USB ports or preventing write access to USB devices is the most fool proof way to restrict file copying, provided the user cannot connect to the Internet. Otherwise they can simply upload files to a remote server and download it later from their own computers. Another way to prevent file copying is to use anti-file copy software. We will look at both methods.

1. Preventing file copying by disabling access to optical drives and USB ports

Optical Drives:
Windows does not provide an easy way to disable access to optical drives. The only way to do it is disabling them in the BIOS and then locking the BIOS with a password. Of course you wouldn’t be able to access them either, so it isn’t the most smartest thing to do. The alternative approach is to use an optical drive locker such as the CD/DVD Drive Locker. It lets you disable selected optical drives so that they become unresponsive to the open/close button. CD/DVD Drive Locker is actually intended to prevent kids from playing with the drive tray and provides very feeble protection as it can be easily overridden.

cd-dvd-locker

USB ports:
USB ports can be disabled quite easily using the registry editor. There are two kinds of restrictions you can put on a USB port – a) disable write privileges to USB port or b) completely disable USB ports

A. Disabling write access to USB ports: Open Windows registry editor and navigate to the following key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Control\StorageDevicePolicies

Create a new DWORD, name it WriteProtect and put the value as 0. To allow write access change the value to 1.

B. Disabling access to USB ports: Open Windows registry editor and navigate to the following key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Services\UsbStor

Double click on the entry Start on the right pane and set it’s value to 4 (Hexadecimal). To enable USB ports again change the value back to 3.

2. Preventing file copying using anti-file copy software

There are a few anti-file copy software in the market, most of them are commercial. I managed to find one freeware among the lot - M File Anti-Copy

M File Anti-Copy prevents copying of files by disabling the Windows clipboard. With the clipboard disabled, you cannot copy and paste files not only to removable drives but even within partitions and folders. And because the clipboard is disabled you cannot even copy text. The protection feature can be activated or deactivated only by providing the correct password.

mfile-anti-copy

When the application is active you are allowed to copy and move files via the built-in file-copier. The software also protects against file deletion and renaming, but this is in a separate section and you have to apply this setting to individual files and folders, which isn’t very helpful.

The program however suffers from a serious flaw – it can’t prevent copying using drag and drop. This is because M File Anti-Copy prevents file copy by disabling the clipboard. Since drag and drop does not use the clipboard, the program fails. You can still use it and just hope the users don’t discover the loophole.

M File Anti-Copy also provides some additional protection like disabling the Task Manager and regedit.

Prevent file copying is never fool proof, there always be some workaround. The best kind of protection will be to disable all removable drives through either the BIOS or the registry editor, and disconnect the computer from the network to prevent file transfer. Or simply deny physical access to the computer when you are not around.

14 comments:

  1. Thanks for your tutorial, and I have a question: How to prevent user to copying from folders that I do not allow. User can read only and can not copy files into another folder. Using NTFS permission, please guide me.

    ReplyDelete
  2. That is not possible using only NTFS permission. Only possible solutions are discussed in this article.

    ReplyDelete
  3. Is it possible to prevent somebody from downloading/copying material from a website. Can we allow material only to be read and not copied? Thanks.

    ReplyDelete
  4. If it's on the web, it can be copied. No way to prevent it.

    ReplyDelete
  5. it is very intresting NOT!!!!!!!!!!!!!

    ReplyDelete
  6. lolololololol ROFL i'll still steal your files and copyright.

    ReplyDelete
  7. i want my user can create file folders and rename it but can't delete what should i do .. not getting help to rename access..please help me my email id is vikasmymail@gmail.com

    ReplyDelete
  8. imogen major is cool :)

    ReplyDelete
  9. how do companies prevent unauthorised transfer or copying?

    ReplyDelete
  10. i agree lol all fail

    ReplyDelete
  11. This is now outdated. My Vista system does not have a "Security" Tab available for modification.

    ReplyDelete
  12. I should have said the "View" tab does have a selection “Use simple file sharing (Recommended)”. It has "Use Sharing Wizard (Recommended)".

    ReplyDelete
  13. wonder ful software...it's working...thanks...admin

    ReplyDelete