Not Allow Download from Windows Server Network Share

Question

I have a network share (SMB) on our file server (Windows 2012 R2) that will be holding sensitive data. I am trying to figure out how I can limit access to not allow anyone accessing the share to download the files/folders. Is this possible?

Answer 1

You can specify who has the rights to read and write files. But if you give users the right to read files, the can read the files. That is the point of allowing them read access. You can set the rights so nobody can read the files, but then why place them in a network share?

Answer 2

This is a problem that's generally solved with an administrative policy rather than via technical means. For example, you could force users to sign something saying that if they download the files off the network share onto any other device it's a termination-level offense before granting them permissions to access the share.

You might also want to turn on auditing on the share to see who's accessing which files, but I don't believe it'll alert you if they copy the files elsewhere. (Auditing would tell you that they accessed the file if they read or copy it. Writing the file to another device would require auditing on the other device for writes. Also, you would need to read the event viewer to see the audit information.) While you're at it, you probably want to disable USB devices, block access to cloud services on workstations used to access the files, etc., and none of that is a guarantee.

So, to answer your question, it's probably not possible to prevent it via technical means. This is why most people create an administrative policy instead.