Sign in with
Sign up | Sign in
Your question

Permissions Question: Allow Read but not Copy

Last response: in Windows 2000/NT
Share
Anonymous
January 14, 2005 12:15:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi, I’m new to this type of thing and I did a search and didn't find what I
needed so if this is the wrong place or a repeat please forgive me.

We are setting up a document folder for our users for standardized forms
that they are supposed to open, edit and email without changing the document,
i.e. no saves. However it took about 10 minutes for someone to figure out
they could copy the document to a different folder and edit it there.

I'm wondering if there is a way to set the permissions on the folder to
allow read but not copy, I'd like to avoid having to lock the individual
documents internally using Word or Excel protection.

Thanks
Anonymous
January 14, 2005 1:39:15 PM

Archived from groups: microsoft.public.win2000.security (More info?)

There is no way to do that with standard file system ACLs. When you read
a document from a share, a copy of that document now exists in the memory
of your computer. It is impossible for an ACL on a file server to know what
you are doing with the copy in your local computer's memory.

You should investigate Windows Rights Management Services. It can give you
this kind of control, because the document now asserts its own permissions
and the application obeys whatever restrictions the creator imposed. See
http://www.microsoft.com/rms for more information.

Steve Riley
steriley@microsoft.com



> Hi, I'm new to this type of thing and I did a search and didn't find
> what I needed so if this is the wrong place or a repeat please forgive
> me.
>
> We are setting up a document folder for our users for standardized
> forms that they are supposed to open, edit and email without changing
> the document, i.e. no saves. However it took about 10 minutes for
> someone to figure out they could copy the document to a different
> folder and edit it there.
>
> I'm wondering if there is a way to set the permissions on the folder
> to allow read but not copy, I'd like to avoid having to lock the
> individual documents internally using Word or Excel protection.
>
> Thanks
>
Anonymous
January 15, 2005 3:10:10 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Steve is quite right, and the relatively new products for digital
rights management are intended to address just these sorts of
requirements (which by the way is not just a Windows issue).

However, there is something I am not understanding in your post.

The people get the standard form, edit it, and then email it.
This seems to imply that they must save the editied version.
So is it that you want them to be able to save the filled in form,
but not one where the form is unedited and/or where the form
structure has changed ??
(I guess I am just curious what it matters if they save a copy
of the form. I virtually never send in a complete edocument
without keeping a copy of it.)

If this is the case, you might be able to cook up a solution for
your scenario based on either web forms presented in a browser
(where their input might also be then merged into the "full paper"
form file on the server-side for sending along), or, if you have
full-featured Exchange/Outlook in use you might find a solution
within its shared folders customizations.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Cory Blythe" <CoryBlythe@discussions.microsoft.com> wrote in message
news:C7389D95-0B6F-4C70-A127-F1F3DC2F46C4@microsoft.com...
> Hi, I'm new to this type of thing and I did a search and didn't find what
I
> needed so if this is the wrong place or a repeat please forgive me.
>
> We are setting up a document folder for our users for standardized forms
> that they are supposed to open, edit and email without changing the
document,
> i.e. no saves. However it took about 10 minutes for someone to figure out
> they could copy the document to a different folder and edit it there.
>
> I'm wondering if there is a way to set the permissions on the folder to
> allow read but not copy, I'd like to avoid having to lock the individual
> documents internally using Word or Excel protection.
>
> Thanks
>
Related resources
Anonymous
January 17, 2005 9:43:04 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Thank you both for the responses, I had a feeling that was going to be the
case but before I launched into a full document control system I thought I'd
try.

Roger to explain a little further.
The documents they are emailing are merged forms from our database, at most
they will add a note to the form the email it directly to the client. Our
fear is that someone will copy one from our 'control folder' where changes
are made and we will have a version being sent out that shouldn't be.

Again thank you for the prompt responses.



"Roger Abell" wrote:

> Steve is quite right, and the relatively new products for digital
> rights management are intended to address just these sorts of
> requirements (which by the way is not just a Windows issue).
>
> However, there is something I am not understanding in your post.
>
> The people get the standard form, edit it, and then email it.
> This seems to imply that they must save the editied version.
> So is it that you want them to be able to save the filled in form,
> but not one where the form is unedited and/or where the form
> structure has changed ??
> (I guess I am just curious what it matters if they save a copy
> of the form. I virtually never send in a complete edocument
> without keeping a copy of it.)
>
> If this is the case, you might be able to cook up a solution for
> your scenario based on either web forms presented in a browser
> (where their input might also be then merged into the "full paper"
> form file on the server-side for sending along), or, if you have
> full-featured Exchange/Outlook in use you might find a solution
> within its shared folders customizations.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Cory Blythe" <CoryBlythe@discussions.microsoft.com> wrote in message
> news:C7389D95-0B6F-4C70-A127-F1F3DC2F46C4@microsoft.com...
> > Hi, I'm new to this type of thing and I did a search and didn't find what
> I
> > needed so if this is the wrong place or a repeat please forgive me.
> >
> > We are setting up a document folder for our users for standardized forms
> > that they are supposed to open, edit and email without changing the
> document,
> > i.e. no saves. However it took about 10 minutes for someone to figure out
> > they could copy the document to a different folder and edit it there.
> >
> > I'm wondering if there is a way to set the permissions on the folder to
> > allow read but not copy, I'd like to avoid having to lock the individual
> > documents internally using Word or Excel protection.
> >
> > Thanks
> >
>
>
>
Anonymous
January 17, 2005 4:13:32 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Perhaps you could look into alt NTFS ACLing so that it is
impossible for someone to read a copy that someone else
has already tacked notes upon. Granted, this would not
stop the same person from making the mistake, but it would
minimize your exposure to this sort of error.

--
Roger
"Cory Blythe" <CoryBlythe@discussions.microsoft.com> wrote in message
news:7AF342FE-94A3-46D7-8216-44585C705EDB@microsoft.com...
> Thank you both for the responses, I had a feeling that was going to be the
> case but before I launched into a full document control system I thought
I'd
> try.
>
> Roger to explain a little further.
> The documents they are emailing are merged forms from our database, at
most
> they will add a note to the form the email it directly to the client. Our
> fear is that someone will copy one from our 'control folder' where changes
> are made and we will have a version being sent out that shouldn't be.
>
> Again thank you for the prompt responses.
>
>
>
> "Roger Abell" wrote:
>
> > Steve is quite right, and the relatively new products for digital
> > rights management are intended to address just these sorts of
> > requirements (which by the way is not just a Windows issue).
> >
> > However, there is something I am not understanding in your post.
> >
> > The people get the standard form, edit it, and then email it.
> > This seems to imply that they must save the editied version.
> > So is it that you want them to be able to save the filled in form,
> > but not one where the form is unedited and/or where the form
> > structure has changed ??
> > (I guess I am just curious what it matters if they save a copy
> > of the form. I virtually never send in a complete edocument
> > without keeping a copy of it.)
> >
> > If this is the case, you might be able to cook up a solution for
> > your scenario based on either web forms presented in a browser
> > (where their input might also be then merged into the "full paper"
> > form file on the server-side for sending along), or, if you have
> > full-featured Exchange/Outlook in use you might find a solution
> > within its shared folders customizations.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Cory Blythe" <CoryBlythe@discussions.microsoft.com> wrote in message
> > news:C7389D95-0B6F-4C70-A127-F1F3DC2F46C4@microsoft.com...
> > > Hi, I'm new to this type of thing and I did a search and didn't find
what
> > I
> > > needed so if this is the wrong place or a repeat please forgive me.
> > >
> > > We are setting up a document folder for our users for standardized
forms
> > > that they are supposed to open, edit and email without changing the
> > document,
> > > i.e. no saves. However it took about 10 minutes for someone to figure
out
> > > they could copy the document to a different folder and edit it there.
> > >
> > > I'm wondering if there is a way to set the permissions on the folder
to
> > > allow read but not copy, I'd like to avoid having to lock the
individual
> > > documents internally using Word or Excel protection.
> > >
> > > Thanks
> > >
> >
> >
> >
!