
How to monitor data going from file servers to systems without DLP agents?

Created: 10 Apr 2013 • Updated: 28 May 2013 | 4 comments
This issue has been solved. See solution.

If a user has a laptop that is not part of our domain and therefore has no DLP agent or is using an OS like Windows 8 on our domain that has no DLP agent support, what tool will create incidents against the user mapping a drive to the file server and then copying sensitive data?

The user will have a domain account so they can access the file share by mapping a drive, but since the user does not have a DLP agent installed on the computer they are using, there is no way for them to see any warning message about it.

Would an endpoint agent need to be installed on the file server?  Even if there were an agent on the file server, the user would not be able to see any DLP messages since they do not have an agent on their PC.



John_Gruhn:

Data Insight will help you determine who is trying to get at what, but it will not block them from copying the data. It's still worth doing, since it sounds like at this point you are aware of the risk but not really able to quantify how much of a risk that is to your security.

In the first case you mentioned, where you have domain users using non-domain equipment, the question you need to ask is why they do not have domain-joined equipment. I can see guests to your network and subcontractors; however, this sounds more like a reason to use SharePoint instead of shared folders if the risk is high enough for DLP but you can't add them to your domain. Under the SharePoint scenario you could then use Web Prevent to block the data transfer if you put guests and systems without an agent on them into a separate subnet that would have your proxy in between. This would probably be advisable anyway even without the DLP component, because non-domain implies unmanaged assets, which in theory have a higher risk of non-compliance with a security policy (AV, patching, etc.).

For your second case of unsupported agents such as Windows 8, there isn't much you can do to stop things with shares. Using SharePoint you could use Web Prevent, assuming your proxies were in place as per above, or you can wait it out until Win8 is supported.

SOLUTION
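The answer above leaves the agent-less hosts (non-domain laptops, Windows 8 machines) on their own subnet so that file-share access from them can at least be seen and quantified, even where it cannot be blocked. The following is an added example, not code from the original thread or from Symantec, of the kind of detection a defender could run over file server audit records to do exactly that: it flags reads and writes on sensitive shares that originate from the agent-less subnets or from unknown networks, and skips hosts on the managed subnet where the endpoint agent already applies. The subnet ranges, share names, account names and the event field names are all constructed assumptions for this example (the records are loosely modelled on Windows detailed file share audit events, Event ID 5145, but are not real exports).

```python
"""Flag sensitive file-share access from hosts that have no DLP agent coverage.

Added example; all network ranges, share names and sample events are constructed.
"""
import ipaddress
from collections import Counter

# Network zones, following the layout in the answer above: hosts that cannot run
# the DLP agent are placed on their own subnets. Ranges are assumptions.
MANAGED_SUBNETS = [ipaddress.ip_network("10.1.0.0/16")]        # domain-joined, agent present
UNMANAGED_SUBNETS = {
    "guest-contractor": ipaddress.ip_network("10.50.0.0/24"),  # non-domain laptops
    "win8-no-agent": ipaddress.ip_network("10.60.0.0/24"),     # domain hosts, no agent support
}

# Shares the DLP policy cares about (constructed names).
SENSITIVE_SHARES = {r"\\FS01\Finance", r"\\FS01\HR"}

# Access types that mean file content was actually read or written, as opposed
# to directory listing or attribute reads, which would only add noise.
DATA_ACCESS = {"ReadData", "WriteData"}

# Constructed sample audit records. Field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"account": "CORP\\alice", "src_ip": "10.1.20.15", "share": r"\\FS01\Finance",
     "path": r"\Q1\payroll.xlsx", "access": "ReadData"},        # managed host: covered by agent
    {"account": "CORP\\bob", "src_ip": "10.50.0.23", "share": r"\\FS01\Finance",
     "path": r"\Q1\payroll.xlsx", "access": "ReadData"},        # contractor subnet: alert
    {"account": "CORP\\bob", "src_ip": "10.50.0.23", "share": r"\\FS01\Public",
     "path": r"\readme.txt", "access": "ReadData"},             # non-sensitive share: ignore
    {"account": "CORP\\carol", "src_ip": "192.168.77.5", "share": r"\\FS01\HR",
     "path": r"\reviews.docx", "access": "ReadData"},           # unknown network: alert
    {"account": "CORP\\bob", "src_ip": "10.50.0.23", "share": r"\\FS01\HR",
     "path": r"\salaries.csv", "access": "WriteData"},          # contractor subnet: alert
    {"account": "CORP\\bob", "src_ip": "10.50.0.23", "share": r"\\FS01\Finance",
     "path": r"\Q1", "access": "ReadAttributes"},               # listing only: ignore
]


def classify_source(src_ip: str) -> str:
    """Return 'managed', the name of an unmanaged zone, or 'unknown'."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in MANAGED_SUBNETS):
        return "managed"
    for zone, net in UNMANAGED_SUBNETS.items():
        if ip in net:
            return zone
    return "unknown"


def detect(events):
    """Return one alert per data access to a sensitive share from an agent-less source."""
    alerts = []
    for ev in events:
        if ev["access"] not in DATA_ACCESS or ev["share"] not in SENSITIVE_SHARES:
            continue
        zone = classify_source(ev["src_ip"])
        if zone == "managed":
            continue  # the endpoint agent on this host already enforces policy
        alerts.append({
            "account": ev["account"],
            "src_ip": ev["src_ip"],
            "zone": zone,
            "share": ev["share"],
            "path": ev["path"],
            "access": ev["access"],
            "reason": f"sensitive share {ev['access']} from {zone} network (no DLP agent coverage)",
        })
    return alerts


def summarize_by_account(alerts):
    """Count alerts per account, which is the 'how much risk' figure the answer asks for."""
    return dict(Counter(a["account"] for a in alerts))


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['account']:<12} {a['src_ip']:<14} {a['share']}{a['path']}  {a['reason']}")
    print("per-account totals:", summarize_by_account(found))
```

Hosts in the managed range produce no alert here on purpose: the endpoint agent on them is the enforcement point, and duplicating its incidents would hide the rows that matter. The "unknown" zone catches addresses outside every known range, which is the case worth reviewing first, since a source that is not in the agent-less subnets and not managed was never placed behind the proxy the answer describes.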
NetUser:

The computers for subcontractors cannot be joined to our domain because they already belong to other domains that they need to remain on.

If we required the subcontractors to install the DLP endpoint agent, would it even function on computers that are not joined to our domain?

The Windows 8 computers are computers we control and are joined to our domain, but the issue is the lack of Windows 8 support for the DLP agent, so all our Windows 8 computers have no DLP agents running.

John_Gruhn:

The agent would work on multiple domains assuming that the DNS names or IPs of the servers were addressable and the proper port was open in the firewall (8000 by default). The only potential issue would be lookups; however, if you had a service account in the other domain (or used a domain trust) you could implement AD lookups for them rather easily. I'm assuming the info you would want to look up to make contact is in AD.