secure our data

Ish · 19 Mar 2009 at 18:09

Hi

We are based in quite a unique market sector so our database of contacts is VERY improtant to us.

We have started using Sage ACT for all our contact management.

We have a person who will carry out an admin role which will include importing data in to ACT.

We have all the security settings turned on in ACT.

Apart from the following ideas is there any other steps we could take to protect our data from being taken offsite by the admin person:-

1) Unable to install ANY software

2) Unable to add printers and only have access to the ones we choose

3) Unable to use a memory stick or any USB removable storage device

4) Unable to print to 'PDF' printers

We are using SBS 2003

Thanks

Ev0 · 19 Mar 2009 at 18:46

*edited as just realised you said anything else as well as these things

*

I'd implement software restriction policies from within group policy, and make sure their user account is sufficiently locked down

Make sure you block or at least control access to removable media, you can buy software for this (not too cheap though) or fudge it yourself

oddjob62 · 19 Mar 2009 at 19:16

Ev0 said:
Make sure you block or at least control access to removable media, you can buy software for this (not too cheap though) or fudge it yourself

An easy way would be to disable the USB in the BIOS and set a BIOS password.

atomiser · 19 Mar 2009 at 20:14

i'm sure you probably already have this base covered, but in addition to the technical aspects of this, do you also have a non-disclosure agreement in this persons contract?

PCDave · 19 Mar 2009 at 20:26

oddjob62 said:
An easy way would be to disable the USB in the BIOS and set a BIOS password.

only if there are no other peripherals using usb though other than mouse/keyboard which can easily be converted

why not look into encrypting the data as well. this will give you an extra level of protection. e.g. if disgruntled employee X finds a way to copy the data then he will find it useless as its encrypted.

disable email attachments sent or make a policy to which email attachments have to be authorised first?

obviously you will have logs on who does what and when i assume.

secure password protection on all critical files maybe even biometric?

sorry if some of these may be unrealistic due to budgets etc but im just brain storming

oddjob62 · 19 Mar 2009 at 22:47

PCDave said:
only if there are no other peripherals using usb though other than mouse/keyboard which can easily be converted

Don't think the admin guy needs more than a KB+M, and i'm pretty sure there's non USB ways of attaching these

Little_Crow · 19 Mar 2009 at 22:49

As has previously been said, GPO's will cover most of these.

The only one that can't easily be done is the memory stick blocking, but there are plenty of 3rd party applications that will do it.

There is GFI EndPointSecurity, which we use and sounds like it will be fine for your situation.

However, the best product I've seen is Sanctuary. We have an audit company that uses it, and it is very, very powerful.

It will allow you to do the standard stuff like blacklisting and whitelisting devices, but can also go so far as to automatically take a copy of any files put to a USB device. So if people do have a trusted device, you can still keep an eye on what they are taking away.
Quis custodiet ipsos custodes, and all that.

Or there's the old standby, the hot glue gun!

It honestly depends upon how much value your company places on the data, and how many people you need to protect against.

As an aside, this is probably my favourite article on USB security, and just shows how insecure systems can be.

Ev0 · 19 Mar 2009 at 23:55

Little_Crow said:
However, the best product I've seen is Sanctuary. We have an audit company that uses it, and it is very, very powerful.

This is what I use, works well.

slylittlefox · 20 Mar 2009 at 01:06

As has been mentioned, having an audit trail is the way to go. The old addage "physical access is root access" still rings true, in most cases. So always remember that when planning. The question is how valuable is the data, and as a result, what lengths would the person be prepared to go to to circumvent your measures. There is no 'uncrackable' method of security.

Encrypt the drives with BitLocker, enforce strict Group Policies (software restrictions, no taskbar or any other apps allowed to be opened (i.e. kiosk mode, with just his one app open)) and there's plenty of free tools for disabling USB/Removable Drives. In addition to that, enforce an account schedule, ensure only his account can login at that PC. Enforce firewall rules, on or off the box, to be as tight as they possibly can.

Disable:
- Desktop
- Taskbar/Start Menu
- Keyboard Shortcuts
- Task Manager
- Access to any drive other than C:\
- Any access to any folder outside of C:\Windows
- Any permissions to run any file, of any extension, other than the program you want him to use

Enforce
- IE zones so that no website can be viewed
- Firewall rules so nothing other than the app in question can talk in or out on the box
- Turn logging on to full, so there's always an audit trail

All of the above can be enforced by group policy (and maybe a little tweaking with other apps to make it easier).

To take it to ultra-paranoid levels, don't give him the password. Log in to his account for him, this with the account schedule to match your work hours would be pretty tight.

Take it even further, install a remote viewer on his PC, and have whatever he is doing displayed on a monitor next to yours throughout the day.

Hundred and one different ways, just depends on how valuable the data is.

Ish · 20 Mar 2009 at 08:45

Thanks for all the ideas

With a combination of these ideas I think our data will be pretty safe.