Security Basics: Re: Re: Deny access to copy files

["Breno BF" <breno () lagosnet com br>]

Hi,
    I recommend webalizer[1]. IMHO that's a good log file analysis 
tool. Available for IIS, Apache, et cetera.

1. http://www.mrunix.net/webalizer/

Regards,
    Breno BF
----- Original Message ----- 
From: <cgmicro () gmail com>
To: <security-basics () securityfocus com>
Sent: Monday, June 02, 2008 4:38 PM
Subject: Re: Re: Deny access to copy files


| These are definitely legitimate concerns, and every problem does 
have a solution.
|
| First, my goal wouldn't be to cover 100% of all bases on this, 
whether it's possible or not, it's just not feasible.  I'd go with 
best effort on this one and try to cover as much as possible.  IT 
folks are always going to try to circumvent policy, but if they go to 
extraordinary lengths to do so, it's a whole lot easier to prosecute.
|
| You could use group policy to limit external storage, but that's a 
little restrictive and not very flexible.  There are some packages out 
there that will limit what types of external storage are permitted. 
So, if you issue external USB drives, USB sticks, etc, you can exempt 
them.  I can't recall any of the manufacturers off the top of my head, 
but they're out there.  They can get as granular as a 256Mb USB drive 
in a particular model, block iPods, allow digital cameras, etc.
|
| On the webmail issue, just about every content filtering solution 
will allow you to block major webmail hosts via a central database 
that's updated routinely.  Depends on your budget, but well worth it 
in my opinion.  Websense, Sentian, Surf Control, to name a few.  If 
you're low on budget, look at iPrism from St. Bernard software, a 
pretty cool little inexpensive solution in comparison.  The drawback 
to these is that they're only as good as the database of sites. 
They'll block the hotmails and yahoos of the world, but they won't 
block the mail server in my basement.
|
| ____________________________________
| Greg Gammino
| CISSP, CCNA, CCDA, MCSE, CHA