[Question] How to limit the file access to certain applications?

[oklafut]

Hi,

Is there any way that I can limit file access to certain applications?
We've got some sensitive documents on our server that users can view through remote connection. However, in order to prevent the documents from being copied, we shut down the FTP service. The loss of FTP service is quite a pain. I think if we can prevent the documents from being accessed by unauthorized applications, we should be able to restore the FTP service. Does anyone know how to do that?

[Rubberman]

We've got some sensitive documents on our server that users can view through remote connection. However, in order to prevent the documents from being copied, we shut down the FTP service. The loss of FTP service is quite a pain. I think if we can prevent the documents from being accessed by unauthorized applications, we should be able to restore the FTP service. Does anyone know how to do that?

This is not so easy. After all, users that are intent upon "sharing" this data can, at worst, capture their screens easily enough, or mark/paste text with a simple swipe of their mouse. In many cases, what you want to accomplish can only be done with some sort of deep packet inspection on the edge of your network so that all data leaving your LAN to the WAN or Internet will be scanned and verified as "sharable" outside the network. This means that all such documents are "fingerprinted" so the DPI appliance can determine if the data it sees is on the prohibited list.

That said, what you want to do wrt. some means of disallowing access to certain files by anything other than approved applications may be possible. Have you investigated SELinux (extensions to Linux to make a secure OS) to see it has some of that capability? It certainly supports ACLs (Access Control Lists) which limits what people can do with a file, or files on the system. I'm not personally familiar with it enough to say that what you want is possible, but it's someplace to start.

[rituraj.goswami]

well exactly i'm a bit puzzeled by your question. you can put the ftp server on with a login accout and make it accessable to only some of the ip's you choose. well i would be glad to help if you could detail me on the question in a more detailway please.

[oklafut]

well exactly i'm a bit puzzeled by your question. you can put the ftp server on with a login accout and make it accessable to only some of the ip's you choose. well i would be glad to help if you could detail me on the question in a more detailway please.

Hi rituraji,

If I lock by IP, then people from the IP can still take the files away. I'm wondering if I can authorize by application so that the protected documents are only accessible to the viewer and hidden from any other applications like FTP daemon.

Thanks for all your gracious help!