Printer Warning Dialogbox

Hi all,

We are trying to develop a security product, where by certain documents
should not be printed by certain users. However instead of disabling the
printing functionality of the machine, what we want is, that if the user
tries to get a hard copy of a protected document, a custom message should
pop up to warn him of this deed.

I am new to printers, do I really need to write a driver for this ? Or is
there a better, cleaner, easier solution for the same?

I should mention here, that the documetns are procted using a FS Filter
driver, which tracks the OPEN, CLOSE, COPY etc operations on it.

–

• Developer

User will copy-paste the whole document and print the copy.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: Developer
To: Windows System Software Devs Interest List
Sent: Monday, October 31, 2005 9:28 PM
Subject: [ntdev] Printer Warning Dialogbox

Hi all,

We are trying to develop a security product, where by certain documents should not be printed by certain users. However instead of disabling the printing functionality of the machine, what we want is, that if the user tries to get a hard copy of a protected document, a custom message should pop up to warn him of this deed.

I am new to printers, do I really need to write a driver for this ? Or is there a better, cleaner, easier solution for the same?

I should mention here, that the documetns are procted using a FS Filter driver, which tracks the OPEN, CLOSE, COPY etc operations on it.

–

• Developer — Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256 You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’ To unsubscribe send a blank email to xxxxx@lists.osr.com

There was a thread something like this a few months ago where someone
wanted to prevent users from copying files to removable media, but they
could still look at them.

From a security class I took a short while ago,
-IF- a user can see data,
-THEN- there is nothing you can do to prevent them from taking / copying
/ etc. that data.

My favorite method which keeps the “information” and completely
sanitizes the source of that data, <print_screen>, “New Bitmap - edit”,
, .

Worst case, they use a pen and paper. Yes, pen and paper won’t work for
stealing 100GB databases, but it will work for stealing company
algorithms, customer lists, SSNs, etc.

Anyway, good luck!

Developer wrote:
> Hi all,
>
> We are trying to develop a security product, where by certain documents
> should not be printed by certain users. However instead of disabling the
> printing functionality of the machine, what we want is, that if the user
> tries to get a hard copy of a protected document, a custom message
> should pop up to warn him of this deed.
>
> I am new to printers, do I really need to write a driver for this ? Or
> is there a better, cleaner, easier solution for the same?
>
> I should mention here, that the documetns are procted using a FS Filter
> driver, which tracks the OPEN, CLOSE, COPY etc operations on it.
>
> –
>
> - Developer

–

We used filter drivers to block read/write access to
devices like USBs and floppy disks. You might be able to
do the same sort of thing with printers, or it might be
easier to API hook the Win32 printer functions.

Scott

— Windows System Software Devs Interest List digest

$B$+$i$N%a%C%;!<%8!'(B
> NTDEV Digest for Tuesday, November 01, 2005.
>
> 1. RE: ntdev digest: Nov 01, 2005
> 2. NT4 driver programming model
> 3. Re: surprised vxd smartcard driver problem on
> windows98
> 4. Audio playback & capture synchronization
> 5. Re: Does xp64 require WDM drivers for parallel
> port devices?
> 6. BSOD debugging help needed
> 7. Re: Does xp64 require WDM drivers for parallel
> port devices?
> 8. Re: Printer Warning Dialogbox
> 9. Re: Audio playback & capture synchronization
> 10. Re: Does xp64 require WDM drivers for parallel
> port devices?
> 11. Re: NT4 driver programming model
> 12. Re: Re:NT4 driver programming model
>
>
----------------------------------------------------------------------
>
> Subject: RE: ntdev digest: Nov 01, 2005
> From: “gowtam karanth”
> Date: Tue, 1 Nov 2005 10:53:19 +0530
> X-Message-Number: 1
>
> Has any one installed filter driver in Windows PE
> OS?
> I am trying to do that, but no success, looks like
> Windows PE does not
> accept filter driver, Is there something that I need
> to do to get this
> working?
> Note:I have made the filter driver registry entries
> permanent i.e. changes
> in setupreg.hiv
> - Gowtam
>
>
>
>
>
----------------------------------------------------------------------
>
> Subject: NT4 driver programming model
> From: “poltrone”
> Date: Tue, 1 Nov 2005 09:54:33 +0100
> X-Message-Number: 2
>
> I am investigating a problem with an NT4 legacy
> driver running
> on XPSP2. While looking at the code, i began
> wondering what the
> correct way of handling DMA adapters was in that
> driver model.
>
> During DriverEntry the driver allocates two adapters
> per device
> by calling HalGetAdapter, since the device supports
> two DMA
> transfers simultaneously. As far as i know this is
> standard
> processing.
> But i could not find any information on what a
> driver is supposed
> to do with those adapters during Unload. How are the
> adapters to be
> freed? The driver i am analyzing does a
> ObDereferenceObject on the
> adapters. Is that OK???
>
> Kind regards,
> poltrone
>
>
>
>
----------------------------------------------------------------------
>
> Subject: Re: surprised vxd smartcard driver problem
> on windows98
> From:
> Date: Tue, 1 Nov 2005 17:22:40 +0800
> X-Message-Number: 3
>
> Thanks for your reply. The ATR content is “3B E9 00
> 00 81 31 B7 45 32 02 40
> 14 09 55 2D 02 0B B7”,and when I call scardconnect,
> it returns a successful
> reply. What can cause smclib for win98 to look for a
> different ATR? In
> addition, I have no VC++ 5.0, I use VC++ 6.0 to
> compile my ddk source code
> instead of VC++5.0(which is required by microsoft),
> is it the reason of
> current problem?
>
>
> Gary G. Little wrote in message
> news:xxxxx@ntdev…
> > I’ve only written readers for XP and Server 2003,
> but I would look at how
> > the ATR is being handled and the contents of the
> ATR. Perhaps the smclib
> for
> > 98 is looking for a different ATR content?
> >
> > –
> > The personal opinion of
> > Gary G. Little
> >
> > wrote in message
> news:xxxxx@ntdev…
> > > Hi,
> > > I encounter a surprised problem for my serial
> smartcard driver. I am not
> > > sure if it’s a bug of smclib in win98 or a
> mistake of mine.
> > > I have writed a wdm smart card reader driver for
> windows 2000&xp, and it
> > > works very well. For windows 98, I rewrite a vxd
> driver.I install the
> > > microsoft smart card base component and update
> the smclib to version
> 951.
> > > When I use the winscard dll to access the smart
> card reader. most of it
> > > works very well,but it seems SCardDisconnect
> dosen’t support parameter
> > > “SCARD_EJECT_CARD” and “SCARD_UNPOWER_CARD” on
> windows 98. After I call
> > > SCardDisconnect with “SCARD_EJECT_CARD”, I trace
> my driver and find the
> > > “IOCTL_SMARTCARD_EJECT” has never reached the
> lower driver ioctrl
> > > interface.
> > > I also try to intialize the reader extension
> MechProperties to
> > > “SCARD_READER_EJECTS | SCARD_READER_SWALLOWS”,
> and fill the callback
> > > functions “RDF_CARD_EJECT” and
> “RDF_READER_SWALLOW”, the
> > > RDF_READER_SWALLOW
> > > callback function can be called normally, but
> “RDF_CARD_EJECT” still can
> > > never be called. The SCardDisconnect called with
> parameter
> > > “SCARD_EJECT_CARD” always result as a power down
> and cold reset
> procedure
> > > following.In this case, the smart card will go
> back to power on state
> > > immediately. so my customers have to unplug the
> smart card with power
> on.
> > >
> > > Is this a smclib problem on windows 98 or a
> mistake of my driver? Can
> > > anyone
> > > help me? thank you!
> > >
> > >
> > >
> >
> >
> >
>
>
>
>
----------------------------------------------------------------------
>
> Subject: Audio playback & capture synchronization
> From: Chi Truc Dinh
> Date: Tue, 01 Nov 2005 08:21:39 -0500
> X-Message-Number: 4
>
> Hi,
>
> I’m developping a driver (developed from MSVAD) that
> passes audio data from a
> player application to a DirectSound application and
> I’m thinking about a way to
> synchronize the reads and writes operations
> performed by my driver. In addition
> to the playback and capture streams included in
> MSVAD, I have created a third
> buffer located in the miniport, called
> “pTransitBuffer”, which receives
> datafrom the player app and is read by the DS app.
> After implementing the R/W
> operations on that buffer, I noticed that the
> DirectSound app requests two
> times more data than the player app can feed in the
> driver.
>
> Since these two functions are called at
> DISPATCH_LEVEL, i can’t block their
> execution so what are the available mecanisms for
> matching the read speed and
> the write speed?
>
> Thanks!
>
>
=== message truncated ===

--------------------------------------
Yahoo! Mail - supported by 10million people
http://pr.mail.yahoo.co.jp/10m/

Dear Michael, Maxim, and Scott,

Thanks for the replies.

Well here is what we intend to do to prevent protected docs from being
stolen…

1. The docs would be in a server, and only the secure client can access it
   and retrieve it.
2. Once the doc arrives to the client, we track operations on it using MS
   WinAPI hooking, and other techniques like filter drivers for the FS.
3. USB and other removable media are prevented from being used.
4. Print Screen and other screen capture disabled.
5. Email tracked.

Well for the printer I need a good method, I don’t know whether a filter
driver is necessary for it or not, that is the reason for asking for
suggestions. Is API hooking is good enough, or do we needa filter?

Ofcourse I know that nothing and nobody can prevent *A theif*. Yes, he can
write the damn doc down, he can take a picture of the doc using his camera,
he can open a word doc in another word reader and our MSAA code hooks will
break down (most probably), we are still in the design phase and are trying
to do a feasability study of the project.

Thanks,

Amitrajit

Bad idea from the beginning. If the user has admin rights - then he/she will throw your hookers away by registry tweaks and then reboot.

And, if he/she has no admin rights - you can limit them by putting ACLs on files and printers.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: Developer
To: Windows System Software Devs Interest List
Sent: Thursday, November 03, 2005 8:51 AM
Subject: Re: [ntdev] Printer Warning Dialogbox

Dear Michael, Maxim, and Scott,

Thanks for the replies.

Well here is what we intend to do to prevent protected docs from being stolen…

1. The docs would be in a server, and only the secure client can access it and retrieve it.
2. Once the doc arrives to the client, we track operations on it using MS WinAPI hooking, and other techniques like filter drivers for the FS.
3. USB and other removable media are prevented from being used.
4. Print Screen and other screen capture disabled.
5. Email tracked.

Well for the printer I need a good method, I don’t know whether a filter driver is necessary for it or not, that is the reason for asking for suggestions. Is API hooking is good enough, or do we needa filter?

Ofcourse I know that nothing and nobody can prevent *A theif*. Yes, he can write the damn doc down, he can take a picture of the doc using his camera, he can open a word doc in another word reader and our MSAA code hooks will break down (most probably), we are still in the design phase and are trying to do a feasability study of the project.

Thanks,

Amitrajit
— Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256 You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’ To unsubscribe send a blank email to xxxxx@lists.osr.com

>Bad idea from the beginning. If the user has admin rights - then he/she
will throw your hookers >away by registry tweaks and then reboot.

Well, that is what we are trying to achieve, transition of a bad idea into a
good one. But it is not quite that bad, Maxim, there will ofcourse be no
admin rights given to the users of a corporate domain.
> And, if he/she has no admin rights - you can limit them by putting ACLs
on files and printers.

Can I, through ACL, restrict the user from printing protected documents
through a printer, while the same device refuses the dommand if it is a
protected document? I don’t think so, but if you know of a way, please
enlighten me, makes my life easier.

>Can I, through ACL, restrict the user from printing protected documents
through

a printer, while the same device refuses the dommand if it is a protected
document? I don’t think so, but if you know of a way, please enlighten me,
makes

Oh, this one… I see. IIRC the recent versions of MS Office has some
architecture. This is surely the app’s thing and not the OS’s one.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

>the recent versions of MS Office has some

architecture. This is surely the app’s thing and not the OS’s one.

Can’t be sure that it is going to be *just* a word doc only, could be a
plain text file also, the app can mark any doc as protected, format doesn’t
matter.

also, it should be “office version” independent, so I think we need to go
deeper…

It’s hopeless. The only way you can achieve what you want is by: 1)
applying sledgehammers to the printers, 2) gouging out the eyes of the
employees. There will always be a way around this sort of protection.
Essentially, you’re asking for a way to allow people to know something, but
preventing them from using what they know. Humans don’t work that way.

– arlie

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Developer
Sent: Thursday, November 03, 2005 4:30 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Printer Warning Dialogbox

Bad idea from the beginning. If the user has admin rights - then he/she
will throw your hookers >away by registry tweaks and then reboot.

Well, that is what we are trying to achieve, transition of a bad idea into a
good one. But it is not quite that bad, Maxim, there will ofcourse be no
admin rights given to the users of a corporate domain.

And, if he/she has no admin rights - you can limit them by putting ACLs
on files and printers.

Can I, through ACL, restrict the user from printing protected documents
through a printer, while the same device refuses the dommand if it is a
protected document? I don’t think so, but if you know of a way, please
enlighten me, makes my life easier.

— Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256 You are currently subscribed to
ntdev as: unknown lmsubst tag argument: ‘’ To unsubscribe send a blank email
to xxxxx@lists.osr.com

Systems that implement information labeling and mandatory security can
provide such functionality. However, that requires a rather different
architecture than Windows provides. In addition, such systems are
extremely complicated to design, implement and verify and there are very
few customers willing to pay for this level of security.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Arlie Davis
Sent: Thursday, November 03, 2005 11:15 AM
To: ntdev redirect
Subject: RE: [ntdev] Printer Warning Dialogbox

It’s hopeless. The only way you can achieve what you want is by: 1)
applying sledgehammers to the printers, 2) gouging out the eyes of the
employees. There will always be a way around this sort of protection.
Essentially, you’re asking for a way to allow people to know something,
but
preventing them from using what they know. Humans don’t work that way.

– arlie

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Developer
Sent: Thursday, November 03, 2005 4:30 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Printer Warning Dialogbox

Bad idea from the beginning. If the user has admin rights - then he/she
will throw your hookers >away by registry tweaks and then reboot.

Well, that is what we are trying to achieve, transition of a bad idea
into a
good one. But it is not quite that bad, Maxim, there will ofcourse be
no
admin rights given to the users of a corporate domain.

And, if he/she has no admin rights - you can limit them by putting
ACLs
on files and printers.

Can I, through ACL, restrict the user from printing protected documents
through a printer, while the same device refuses the dommand if it is a
protected document? I don’t think so, but if you know of a way, please
enlighten me, makes my life easier.

— Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256 You are currently subscribed
to
ntdev as: unknown lmsubst tag argument: ‘’ To unsubscribe send a blank
email
to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

i respect all of you experts here, your opinion and experience is
irreplaceable.

but…

there is also a factor called client demands, they just want us to try and
give the best possible, these people know that “there is no lock in this
universe that cannot be picked, no system that cannot be hacked and no man
who cannot be broken”…but what matter is the time here, all we want to do
is make the thieves life more difficult.

Okay, here is what I think of as a solution, experts and gurus, please beat
this design black and blue (if you have time, and if you think it is even
worth commenting on)…

We are implementing an FS filter driver to track the file while it is on the
client side ( apart from API hooking and MSAA ). This filter can be used to
communicate with the printer as well ( I don’t know about printer drivers at
all, whether they can be filtered, etc. this is just a thought ), if it is a
protected file, can’t we then block it’s printing, or any other thing we
want, like signalling the admin, or the security department etc, writing a
log, blah blah blah?

Please, I know there are other ways of bypassing security and getting the
damn document out of office, after all what can I do if hte guy has a
photographic memory

Just tell me whether the design I gave stands a chance or not, and whether I
acutally need to make the developers life this difficult jsut to achieve a
small thing?

Thanks in advance,

Amitrajit

Tony, just read this mail of yours, after answering arlie.

Systems that implement information labeling and mandatory security can
provide such functionality. However, that requires a rather different
architecture than Windows provides. In addition, such systems are
extremely complicated to design, implement and verify and there are very
few customers willing to pay for this level of security.

Is there a place whee I can find more information about the same?

amitrajit

These concepts are generally part of any consideration of a “secure”
operating system. I could point to the (now obsolete) Rainbow series
(the “orange book” is the reference source for the A/B/C/D security
ratings for systems that were traditionally used.) A quick Google
search found a nice NIST article on information labels (and talks about
combining them with MAC labels):

http://csrc.nist.gov/publications/nistpubs/800-7/node38.html

The basic concept is that one can apply an information label to the
information; when you try to print (for example) the printer path must
examine that label and ensure that it is consistent with the security
settings of the printer. In a multi-level domain, you might have
printers that are capable of accepting information with very high
sensitivity ratings (kept in secure locations) and other printers
capable of printing only the most non-sensitive documents. That is (in
essence) what you are describing.

The NIST article points to POSIX.6 (security) and you might want to
investigate it from that angle as well. While conceptually simple, the
implementation of a system like this to ensure it is secure is a
substantial project.

Hopefully the NIST and POSIX pointers will get you going in the right
direction to categorize the problem.

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in Los
Angeles, CA October 24-27, 2005.

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Developer
Sent: Thursday, November 03, 2005 12:16 PM
To: ntdev redirect
Subject: Re: [ntdev] Printer Warning Dialogbox

Tony, just read this mail of yours, after answering arlie.

Systems that implement information labeling and mandatory security can
provide such functionality. However, that requires a rather different
architecture than Windows provides. In addition, such systems are
extremely complicated to design, implement and verify and there are
very
few customers willing to pay for this level of security.

Is there a place whee I can find more information about the same?

amitrajit
— Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256 You are currently subscribed
to ntdev as: unknown lmsubst tag argument: ‘’ To unsubscribe send a
blank email to xxxxx@lists.osr.com

Thanks tony.

You cannot associate the document file with a print job. At all. This is all in the hands of the app, which can do all kinds of weird things.

Printing subsystem in Windows knows nothing about the document files. It only knows on jobs, and the job name - though usually derived from the document file name - can be any.

Your best luck is to add hooks to all apps like Word and, for instance, disable the File/Print menu items or dialog boxes.

In mid-90ies there was a product called PC DOCS (now it is Hummingbird IIRC) which was a database to keep the documents. They applied hooks to lots of apps (from MS Office to Corel and Autocad) to replace the File/Open and File/Save As boxes to their database-related stuff. So, this is doable.

But the security will be weak anyway. How many email clients are there in the world? Lots of. So, the guy will just add the document as email attachment and send the email out. And so on. You can also, say, ZIP the sensitive documents and carry away the ZIP file. And so on.

As Tony said, Windows is not designed for this. In Windows, you can only limit whether the document is accessible for the user, but you cannot limit what kinds of access the user can do with it.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: Developer
To: Windows System Software Devs Interest List
Sent: Thursday, November 03, 2005 8:13 PM
Subject: Re: [ntdev] Printer Warning Dialogbox

i respect all of you experts here, your opinion and experience is irreplaceable.

but…

there is also a factor called client demands, they just want us to try and give the best possible, these people know that “there is no lock in this universe that cannot be picked, no system that cannot be hacked and no man who cannot be broken”…but what matter is the time here, all we want to do is make the thieves life more difficult.

Okay, here is what I think of as a solution, experts and gurus, please beat this design black and blue (if you have time, and if you think it is even worth commenting on)…

We are implementing an FS filter driver to track the file while it is on the client side ( apart from API hooking and MSAA ). This filter can be used to communicate with the printer as well ( I don’t know about printer drivers at all, whether they can be filtered, etc. this is just a thought ), if it is a protected file, can’t we then block it’s printing, or any other thing we want, like signalling the admin, or the security department etc, writing a log, blah blah blah?

Please, I know there are other ways of bypassing security and getting the damn document out of office, after all what can I do if hte guy has a photographic memory

Just tell me whether the design I gave stands a chance or not, and whether I acutally need to make the developers life this difficult jsut to achieve a small thing?

Thanks in advance,

Amitrajit

— Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256 You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’ To unsubscribe send a blank email to xxxxx@lists.osr.com

Maxim,

Thnaks a ton for taking out time to write such a long explanation.

You cannot associate the document file with a print job. At all. This is
all in the hands of the app, >which can do all kinds of weird things.
> Printing subsystem in Windows knows nothing about the document files. It
only knows on >jobs, and the job name - though usually derived from the
document file name - can be any.
> Your best luck is to add hooks to all apps like Word and, for instance,
disable the File/Print >menu items or dialog boxes.

I admit, hooking is an ugly way of doing things, and is never ever fail
safe. After all, what can I do if some one is using a different word reader
to read MS-WORD files, well, I think, at that level we need to have an admin
level domain policy regarding software installation, with users not being
able to install things at their will and not having admin rights at all, god
might just be kind enough.
> In mid-90ies there was a product called PC DOCS (now it is Hummingbird
IIRC) which was a >database to keep the documents. They applied hooks to
lots of apps (from MS Office to Corel >and Autocad) to replace the File/Open
and File/Save As boxes to their database-related stuff. >So, this is doable.
> But the security will be weak anyway. How many email clients are there in
the world? Lots of. >So, the guy will just add the document as email
attachment and send the email out. And so on.

Yes, I did know of this threat, and as I told you, administrative policies
might help the system. It is for large corporate domains, and these places
usually have certain policies running.

You can also, say, ZIP the sensitive documents and carry away the ZIP
file. And so on.
I thought of this also, and and trying to find a solution to it as well.
Maybe a virus like scanner might help, better could be that when eever
winzip/winrar etc. requests for a protected document ( i belive I can
retrieve this info, after all filemon can tell us which app has generated
the IRP ), simply deny the request. As with all other third party fancy
ziup/arc viewers, just block them from getting installed.

As Tony said, Windows is not designed for this. In Windows, you can only
limit whether the >document is accessible for the user, but you cannot limit
what kinds of access the user can >do with it.

Sir, can you tell me of an OS that has such a great miultitier security
functionality ( I still haven’t gone through Tony’s link, please excuse me,
if the answer lies in that page itself )

Regards and lots of appreciation for the invaluable advices

Amitrajit

IBM OS/390 supports RACF
(http://www-03.ibm.com/servers/eserver/zseries/zos/racf) which provides
very good security, with a long track record of usage (a good thing when
it comes to security.)

Also, you might wish to check out the NSA extensions to Linux
(http://www.nsa.gov/selinux/info/docs.cfm) to enhance security on that
platform.

The documents to which I pointed talk about security, but do not provide
implementations of such (since I don’t know of such hardening components
available for Windows.) Since I thought you were interested in Windows,
I didn’t bother to point to alternative OS platforms.

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http://www.osr.com

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Developer
Sent: Thursday, November 03, 2005 2:21 PM
To: ntdev redirect
Subject: Re: [ntdev] Printer Warning Dialogbox

Maxim,

Thnaks a ton for taking out time to write such a long explanation.

You cannot associate the document file with a print job. At all. This
is all in the hands of the app, >which can do all kinds of weird things.

Printing subsystem in Windows knows nothing about the document
files. It only knows on >jobs, and the job name - though usually derived
from the document file name - can be any.

Your best luck is to add hooks to all apps like Word and, for
instance, disable the File/Print >menu items or dialog boxes.

I admit, hooking is an ugly way of doing things, and is never ever fail
safe. After all, what can I do if some one is using a different word
reader to read MS-WORD files, well, I think, at that level we need to
have an admin level domain policy regarding software installation, with
users not being able to install things at their will and not having
admin rights at all, god might just be kind enough.

In mid-90ies there was a product called PC DOCS (now it is
Hummingbird IIRC) which was a >database to keep the documents. They
applied hooks to lots of apps (from MS Office to Corel >and Autocad) to
replace the File/Open and File/Save As boxes to their database-related
stuff. >So, this is doable.

But the security will be weak anyway. How many email clients are
there in the world? Lots of. >So, the guy will just add the document as
email attachment and send the email out. And so on.

Yes, I did know of this threat, and as I told you, administrative
policies might help the system. It is for large corporate domains, and
these places usually have certain policies running.

You can also, say, ZIP the sensitive documents and carry away the ZIP
file. And so on.
I thought of this also, and and trying to find a solution to it as well.
Maybe a virus like scanner might help, better could be that when eever
winzip/winrar etc. requests for a protected document ( i belive I can
retrieve this info, after all filemon can tell us which app has
generated the IRP ), simply deny the request. As with all other third
party fancy ziup/arc viewers, just block them from getting installed.

As Tony said, Windows is not designed for this. In Windows, you can
only limit whether the >document is accessible for the user, but you
cannot limit what kinds of access the user can >do with it.

Sir, can you tell me of an OS that has such a great miultitier security
functionality ( I still haven’t gone through Tony’s link, please excuse
me, if the answer lies in that page itself )

Regards and lots of appreciation for the invaluable advices

Amitrajit

— Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256 You are currently subscribed
to ntdev as: unknown lmsubst tag argument: ‘’ To unsubscribe send a
blank email to xxxxx@lists.osr.com

Tony,

thanks again for the pointers.

No, you were correct, I am only interested in windows implementation, but I
would like to evaluate those other platforms (if possible) to see how things
are done.

Thanks a ton,

amitrajit

Developer wrote:

> As Tony said, Windows is not designed for this. In Windows, you
can only limit whether the >document is accessible for the user, but
you cannot limit what kinds of access the user can >do with it.

Sir, can you tell me of an OS that has such a great miultitier
security functionality ( I still haven’t gone through Tony’s link,
please excuse me, if the answer lies in that page itself )

SELinux (“security-enhanced Linux”) is a version of the Linux kernel,
modified by the US National Security Agency, which implements and
enforces the same kind of role-based security that was described in the
“rainbow books” mentioned earlier in this thread. You are only allowed
to perform the specific functions that are allowed to people in your
role. The concept of superuser goes away. Each role can have
“administrators” who assign the permissions for the users and documents
in their role.

The NSA is the butt of a lot of jokes, but they have a host of very
smart people who have thought about these kinds of issues for a long
time. It may not solve your problem, but it’s worth a look.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.