5

I have a software development machine that will be accessed remotely via RDP; it is a virtual machine running as a guest in Hyper-V.

A hardware firewall is in place to prevent internet access or files being transferred off the subnet.

Is it possible to restrict the file transfer and other mechanisms of copying data?

I'm running Windows 2008 R2 Enterprise and am open to all ideas, including third-party software.

morleyc
  • 3
    If the machine can be "accessed" then data can be copied off. It may require an obtuse method (taking screenshots, for example) but it can be transferred. – Evan Anderson Jul 18 '12 at 20:26
  • To add to what Evan's said, that applies to the type of access and type of data transfer as well. If it can be accessed remotely, the data can be transferred to a remote location, remotely. It may mean doing screen captures of one sort or another on the remote terminal window, but there's no way around that. Because ultimately, "accessing" data is the same as transferring it. It's being transferred from your server into the brain of the person accessing it. And once it's out of your control (such as by being in someone's brain), it's out of your control. – HopelessN00b Jul 18 '12 at 20:35
  • Agreed, I can't prevent people taking pictures with their phone, nor erase their memory MIB-style. I might have found a solution along the lines of my reply to Chopper3's answer, which meets my needs without interfering too much with usability. – morleyc Jul 19 '12 at 22:01

3 Answers

4

You can block port 3389 and/or go into Group Policy Editor, choose Computer Configuration, then Administrative Templates, Windows Components, Terminal Services, then Client/Server data redirection, and set 'Do not allow drive redirection' to Enabled.

Chopper3
  • Don't forget the clipboard too... – HopelessN00b Jul 18 '12 at 20:29
  • Can you cut'n'paste files that way? If so, then I've learnt something new today. – Chopper3 Jul 18 '12 at 20:37
  • No, no cut'n'paste of files. But there's nothing stopping someone from opening a file in a text editor, for example, and cut/pasting the content. Unless you disable clipboard redirection, that is. Preventing data leakage is really a losing fight once you give someone access to the data, but there is some value in making unauthorized data transfers non-trivial. I guess. – HopelessN00b Jul 18 '12 at 20:43
  • 1
    I used Remote Desktop Gateway and disabled all redirection there. The gateway sits inside a restricted subnet along with the workstation and servers, whose attempts to route data off are blocked by the hardware firewall. RDS GW controls all traffic; yes, not 100% secure, but good/secure enough for my requirements – morleyc Jul 19 '12 at 21:55
  • @HopelessN00b copy and paste of binary data is a standard feature of RDP. You have to explicitly disable it. – omni Mar 17 '19 at 12:09
  • @masi It is now. 7 years ago, RDP clients were less mature and the situation was more complicated. – HopelessN00b Mar 17 '19 at 19:30
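
One way to audit the redirection settings discussed in this answer and its comments (drive and clipboard, plus the other device channels), added here as an example and not part of the original thread. It assumes the policy-backed registry values under the Terminal Services policy key; the `Get-RedirectionState` function and the `-Enforce` switch are hypothetical names.

```powershell
# Added example: report which RDP redirection channels are blocked by policy
# on this session host. Run from an elevated prompt.
param([switch]$Enforce)   # hypothetical switch: also write the restrictive value

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy value name -> redirection channel it disables when set to 1
$channels = @{
    'fDisableCdm'      = 'Drive redirection'
    'fDisableClip'     = 'Clipboard redirection'
    'fDisableCpm'      = 'Printer redirection'
    'fDisableCcm'      = 'COM port redirection'
    'fDisableLPT'      = 'LPT port redirection'
    'fDisablePNPRedir' = 'Plug and Play device redirection'
}

function Get-RedirectionState {
    param([string]$Path, [hashtable]$Map)
    # A missing key or value means the policy is not configured, so the
    # channel is treated as not blocked.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in ($Map.Keys | Sort-Object)) {
        $prop  = if ($props) { $props.PSObject.Properties[$name] } else { $null }
        $value = if ($prop) { $prop.Value } else { $null }
        New-Object PSObject -Property @{
            Setting = $name
            Channel = $Map[$name]
            Value   = $value
            Blocked = ($value -eq 1)
        }
    }
}

$state = Get-RedirectionState -Path $key -Map $channels
$open  = @($state | Where-Object { -not $_.Blocked })

if ($Enforce -and $open.Count -gt 0) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($item in $open) {
        Set-ItemProperty -Path $key -Name $item.Setting -Value 1 -Type DWord
    }
    $state = Get-RedirectionState -Path $key -Map $channels
}

$state | Format-Table Setting, Channel, Value, Blocked -AutoSize
```

Values delivered by domain Group Policy are rewritten at policy refresh, so `-Enforce` is a local stopgap; the durable change belongs in the GPO itself.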
0

I'm not sure I got what you want to do, but if you want to prevent users from moving your documents and opening them on other systems, you can restrict your files with Microsoft RMS, so they could not open these files anywhere outside of your domain.

Dave M
0

For the record, you can actually copy and paste actual files to and from the terminal session and in between terminal sessions on this server version.

Turducken