mailing list archives
Re: Deny access to copy files
From: Jon Kibler <Jon.Kibler () aset com>
Date: Mon, 02 Jun 2008 13:48:12 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Ahmed Khalid wrote:
I am working for a software house, they are developing a software product
and their requirement is to restrict programmers to take the code out of
office premises due to company policy. I am trying to configure a windows
based machine which denies access to copy files to external storage devices
connected to USB. There is an NTFS permission ?Read + Execute? I guess this
could do the work but is there any other way to do it?
They also don?t need programmers to take the code with them in their email.
I can restrict SMTP and POP ports but when it comes to web based emails I am
clueless, How can I restrict web based emails like hotmail, gmail, yahoo
there are so many of these and if I somehow manage to block all web based
email sites someone can write a script to send emails, if not a script HTTP
tunneling would bypass any checks and bounds defined by my proxy/gateway
machine. How can I block such thing?
Any help would be highly appreciated.
The following may not be easy to implement, but if you are SERIOUS about
source code security, this about all you can do:
1) All software development activities should be done on a dedicated,
isolated, secure network that is fully encrypted. Any system that
touches the software or source code must be on this network and this
network only. This network must be TOTALLY isolated: no Internet access,
no access to other company networks, etc. All systems must have static
IPs and all switches must be configured to bind a single MAC address to
a single port. Also, it must NOT be a wireless network, and no dual-NIC
systems that can cross over to other networks, including wireless.
2) All computers on the secure development network must have all forms
of removable media disabled in the BIOS. The BIOS must be protected by a
strong password. BIOS flashing must be disabled. Full system and file
access logging must be enabled, and a central logging server used to
detect attempts to bypass access restrictions. All exceptions logged
must be investigated. Systems should also have alarms that alert on
opening the case, and cases should be bolted to the floor, desk, or some
other large fixed object. Each system must have a different BIOS
password and a different local admin password, and every password across
the network must be unique. HDDs removed from a system must be
3) Systems should have multi-factor authentication, such as smart-cards
that double as physical access badges, and systems must lock immediately
upon becoming unmanned or idle.
4) Servers storing source code must be in a controlled area that
requires a minimum of two persons present for all access. All backups
must be fully encrypted, and keys must be stored separate from backups.
All access to backup storage areas requires a minimum of two persons
present for all access. Keys must not be accessible by the same persons
that have access to the backups.
5) Do rigorous background checks on everyone who has access to any
sensitive information, and do quarterly credit checks and annual
polygraph checks on anyone with access to the source code or software,
I could go on, but these are the basics. (These are they types of
practices implemented at secure government and defense facilities.)
Not good news, but I hope this helps.
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.