Permissions Question: Allow Read but not Copy

Archived from groups: microsoft.public.win2000.security (More info?)

Hi, I’m new to this type of thing and I did a search and didn't find what I
needed so if this is the wrong place or a repeat please forgive me.

We are setting up a document folder for our users for standardized forms
that they are supposed to open, edit and email without changing the document,
i.e. no saves. However it took about 10 minutes for someone to figure out
they could copy the document to a different folder and edit it there.

I'm wondering if there is a way to set the permissions on the folder to
allow read but not copy, I'd like to avoid having to lock the individual
documents internally using Word or Excel protection.

Thanks
4 answers Last reply
More about permissions question read copy
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    There is no way to do that with standard file system ACLs. When you read
    a document from a share, a copy of that document now exists in the memory
    of your computer. It is impossible for an ACL on a file server to know what
    you are doing with the copy in your local computer's memory.

    You should investigate Windows Rights Management Services. It can give you
    this kind of control, because the document now asserts its own permissions
    and the application obeys whatever restrictions the creator imposed. See
    http://www.microsoft.com/rms for more information.

    Steve Riley
    steriley@microsoft.com


    > Hi, I'm new to this type of thing and I did a search and didn't find
    > what I needed so if this is the wrong place or a repeat please forgive
    > me.
    >
    > We are setting up a document folder for our users for standardized
    > forms that they are supposed to open, edit and email without changing
    > the document, i.e. no saves. However it took about 10 minutes for
    > someone to figure out they could copy the document to a different
    > folder and edit it there.
    >
    > I'm wondering if there is a way to set the permissions on the folder
    > to allow read but not copy, I'd like to avoid having to lock the
    > individual documents internally using Word or Excel protection.
    >
    > Thanks
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Steve is quite right, and the relatively new products for digital
    rights management are intended to address just these sorts of
    requirements (which by the way is not just a Windows issue).

    However, there is something I am not understanding in your post.

    The people get the standard form, edit it, and then email it.
    This seems to imply that they must save the editied version.
    So is it that you want them to be able to save the filled in form,
    but not one where the form is unedited and/or where the form
    structure has changed ??
    (I guess I am just curious what it matters if they save a copy
    of the form. I virtually never send in a complete edocument
    without keeping a copy of it.)

    If this is the case, you might be able to cook up a solution for
    your scenario based on either web forms presented in a browser
    (where their input might also be then merged into the "full paper"
    form file on the server-side for sending along), or, if you have
    full-featured Exchange/Outlook in use you might find a solution
    within its shared folders customizations.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Cory Blythe" <CoryBlythe@discussions.microsoft.com> wrote in message
    news:C7389D95-0B6F-4C70-A127-F1F3DC2F46C4@microsoft.com...
    > Hi, I'm new to this type of thing and I did a search and didn't find what
    I
    > needed so if this is the wrong place or a repeat please forgive me.
    >
    > We are setting up a document folder for our users for standardized forms
    > that they are supposed to open, edit and email without changing the
    document,
    > i.e. no saves. However it took about 10 minutes for someone to figure out
    > they could copy the document to a different folder and edit it there.
    >
    > I'm wondering if there is a way to set the permissions on the folder to
    > allow read but not copy, I'd like to avoid having to lock the individual
    > documents internally using Word or Excel protection.
    >
    > Thanks
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Thank you both for the responses, I had a feeling that was going to be the
    case but before I launched into a full document control system I thought I'd
    try.

    Roger to explain a little further.
    The documents they are emailing are merged forms from our database, at most
    they will add a note to the form the email it directly to the client. Our
    fear is that someone will copy one from our 'control folder' where changes
    are made and we will have a version being sent out that shouldn't be.

    Again thank you for the prompt responses.


    "Roger Abell" wrote:

    > Steve is quite right, and the relatively new products for digital
    > rights management are intended to address just these sorts of
    > requirements (which by the way is not just a Windows issue).
    >
    > However, there is something I am not understanding in your post.
    >
    > The people get the standard form, edit it, and then email it.
    > This seems to imply that they must save the editied version.
    > So is it that you want them to be able to save the filled in form,
    > but not one where the form is unedited and/or where the form
    > structure has changed ??
    > (I guess I am just curious what it matters if they save a copy
    > of the form. I virtually never send in a complete edocument
    > without keeping a copy of it.)
    >
    > If this is the case, you might be able to cook up a solution for
    > your scenario based on either web forms presented in a browser
    > (where their input might also be then merged into the "full paper"
    > form file on the server-side for sending along), or, if you have
    > full-featured Exchange/Outlook in use you might find a solution
    > within its shared folders customizations.
    >
    > --
    > Roger Abell
    > Microsoft MVP (Windows Security)
    > MCSE (W2k3,W2k,Nt4) MCDBA
    > "Cory Blythe" <CoryBlythe@discussions.microsoft.com> wrote in message
    > news:C7389D95-0B6F-4C70-A127-F1F3DC2F46C4@microsoft.com...
    > > Hi, I'm new to this type of thing and I did a search and didn't find what
    > I
    > > needed so if this is the wrong place or a repeat please forgive me.
    > >
    > > We are setting up a document folder for our users for standardized forms
    > > that they are supposed to open, edit and email without changing the
    > document,
    > > i.e. no saves. However it took about 10 minutes for someone to figure out
    > > they could copy the document to a different folder and edit it there.
    > >
    > > I'm wondering if there is a way to set the permissions on the folder to
    > > allow read but not copy, I'd like to avoid having to lock the individual
    > > documents internally using Word or Excel protection.
    > >
    > > Thanks
    > >
    >
    >
    >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    Perhaps you could look into alt NTFS ACLing so that it is
    impossible for someone to read a copy that someone else
    has already tacked notes upon. Granted, this would not
    stop the same person from making the mistake, but it would
    minimize your exposure to this sort of error.

    --
    Roger
    "Cory Blythe" <CoryBlythe@discussions.microsoft.com> wrote in message
    news:7AF342FE-94A3-46D7-8216-44585C705EDB@microsoft.com...
    > Thank you both for the responses, I had a feeling that was going to be the
    > case but before I launched into a full document control system I thought
    I'd
    > try.
    >
    > Roger to explain a little further.
    > The documents they are emailing are merged forms from our database, at
    most
    > they will add a note to the form the email it directly to the client. Our
    > fear is that someone will copy one from our 'control folder' where changes
    > are made and we will have a version being sent out that shouldn't be.
    >
    > Again thank you for the prompt responses.
    >
    >
    >
    > "Roger Abell" wrote:
    >
    > > Steve is quite right, and the relatively new products for digital
    > > rights management are intended to address just these sorts of
    > > requirements (which by the way is not just a Windows issue).
    > >
    > > However, there is something I am not understanding in your post.
    > >
    > > The people get the standard form, edit it, and then email it.
    > > This seems to imply that they must save the editied version.
    > > So is it that you want them to be able to save the filled in form,
    > > but not one where the form is unedited and/or where the form
    > > structure has changed ??
    > > (I guess I am just curious what it matters if they save a copy
    > > of the form. I virtually never send in a complete edocument
    > > without keeping a copy of it.)
    > >
    > > If this is the case, you might be able to cook up a solution for
    > > your scenario based on either web forms presented in a browser
    > > (where their input might also be then merged into the "full paper"
    > > form file on the server-side for sending along), or, if you have
    > > full-featured Exchange/Outlook in use you might find a solution
    > > within its shared folders customizations.
    > >
    > > --
    > > Roger Abell
    > > Microsoft MVP (Windows Security)
    > > MCSE (W2k3,W2k,Nt4) MCDBA
    > > "Cory Blythe" <CoryBlythe@discussions.microsoft.com> wrote in message
    > > news:C7389D95-0B6F-4C70-A127-F1F3DC2F46C4@microsoft.com...
    > > > Hi, I'm new to this type of thing and I did a search and didn't find
    what
    > > I
    > > > needed so if this is the wrong place or a repeat please forgive me.
    > > >
    > > > We are setting up a document folder for our users for standardized
    forms
    > > > that they are supposed to open, edit and email without changing the
    > > document,
    > > > i.e. no saves. However it took about 10 minutes for someone to figure
    out
    > > > they could copy the document to a different folder and edit it there.
    > > >
    > > > I'm wondering if there is a way to set the permissions on the folder
    to
    > > > allow read but not copy, I'd like to avoid having to lock the
    individual
    > > > documents internally using Word or Excel protection.
    > > >
    > > > Thanks
    > > >
    > >
    > >
    > >
Ask a new question

Read More

Document Permissions Windows