How to allow a user to view a file over a network share, but at the same time stop him from copying this file?
Recently we had a strange support request that had never occurred to me before:
“Is there any combination of NTFS and share permissions that would allow a user to view a video file over a network share, but at the same time stop this user from copying this video?”
Research and experimentation and research showed that there is no built-in Windows functionality to get the desired result.
When a client wants to copy a file from a server share, there are access checks made at two different levels:
1. Share permission
2. NTFS permission (provided that the content is located on an NTFS formatted partition). So anyone with Read Share permission, and Read NTFS permission will be able to copy the file to his/her own machine.
In summary, it looks like the desired result could only be achieved by using content management software.
For example:
1. Windows Rights Management Software or similar solutions might be able to prevent this:
a. What this kind of software does differently is that the content (the videos) is kept in encrypted format on the file shares.
b. So even if a user is able to copy the file via Read permissions, he wouldn't be able to open the content without using the RMS enabled client software and without adding him in the allowed viewers list.
Windows Rights Management Services
http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
2. There are also some 3rd party content management software tools that can help, like GigaTrust, who is a Gold Certified Partner of Microsoft:
GigaTrust Dynamic File Folders
http://www.gigatrust.com/dynamic-file-folders.shtml
To summarize:
- There is no builtin Windows functionality to prevent users from copying a file, on which they have Read access.
- You will need to setup a Windows RMS infrastructure or use similar software.
