CA DataMinder can detect when a user tries to copy files to network locations such as shared folders.
Opening a file from a prohibited network location
(Optional) When the CFSA detects a user trying to open a file from a prohibited network folder, it displays an Access Denied message. This message typically warns users that they are barred from saving file changes. You configure the Access Denied message in the user policy.
Note: A prohibited source is any network location to which write access is denied. Write access may be denied by settings in the local machine policy or by Data In Motion triggers in the user's policy.
Copying a file to a network location
When CA DataMinder detects a user trying to save a file to a network location, it applies policy in the following sequence. The process is also summarized in the previous flow chart.
Settings in the machine policy identify 'trusted applications'. If the user is using:
Settings in the machine policy define the ‘handling’ for network locations. The available handling options are:
Users can always save files to this network location.
Users are blocked from saving files to this network location.
The CFSA checks whether the user is using a policy-enabled application to copy the file (that is, Windows Explorer or DOS).
You can also configure custom handling for ‘special locations’.
Note: When you specify the network locations that you want to monitor, always enter the UNC path. For example:
\\UX-FILESVR-01\New Project\Reports
If a path contains spaces, do not enclose it in quotes.
Policy-enabled applications are applications that the CFSA can integrate with to apply user policy. If a user copies a file using a policy-enabled application and the target handling is set to ‘Apply user policy’, the CFSA applies Data In Motion triggers to the file.
If the application is not policy-enabled, the CFSA blocks the file. From the user's viewpoint, the target network folder is set to Read Only.
Important! The only policy-enabled applications recognized by the CFSA in the current release are: Windows Explorer (including drag and drop copying); DOS commands such as copy and xcopy; Wordpad.exe; and Notepad.exe.
Data in Motion triggers can analyze the text content to detect key phrases or to check whether the file matches a particular document classification. They can use XML Attribute data lookup commands to detect file attributes such as size, date created, date last modified, and the file author.
If a trigger fires, you can configure control actions to block or allow the file operation, or to categorize the file.
If no control trigger fires, the user is allowed to copy the file.
Note: The CFSA cannot encrypt files being copied to network locations. Do not use Encryption control actions to prevent unencrypted files being copied to shared locations on your network.
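The sequence described above, from the handling check onward, modelled as an added example (this is not CA DataMinder code and not part of the original page). The trusted-application step is left out; the process image names, the handling labels, and the first-match trigger order are assumptions of the model.

```python
# Added illustration: a simplified model of the sequence described on this page.
# It is not CA DataMinder code; all names below are hypothetical.

# Process image names assumed for the policy-enabled applications the page lists
# (Windows Explorer, DOS copy/xcopy, Wordpad.exe, Notepad.exe).
POLICY_ENABLED = {"explorer.exe", "cmd.exe", "wordpad.exe", "notepad.exe"}

# Labels for the three handling options (only "Apply user policy" is named on the page).
ALWAYS_ALLOW, ALWAYS_BLOCK, APPLY_USER_POLICY = "allow", "block", "apply-user-policy"


def decide_copy(handling, process_name, file_text, triggers):
    """Return (outcome, reason) for a copy to a monitored network location.

    triggers: list of (key_phrase, action) pairs standing in for Data In Motion
    triggers; action is "block", "allow" or "categorize". The first trigger
    that fires wins (an assumption of this model).
    """
    if handling == ALWAYS_ALLOW:
        return "allow", "location handling always allows saves"
    if handling == ALWAYS_BLOCK:
        return "block", "location handling always blocks saves"
    if handling != APPLY_USER_POLICY:
        raise ValueError(f"unknown handling: {handling!r}")

    # Apply user policy: only policy-enabled applications can be evaluated.
    if process_name.lower() not in POLICY_ENABLED:
        return "block", "application is not policy-enabled (folder appears read-only)"

    text = file_text.lower()
    for phrase, action in triggers:
        if phrase.lower() in text:
            return action, f"trigger fired on key phrase {phrase!r}"
    return "allow", "no control trigger fired"


# Constructed sample policy and inputs.
SAMPLE_TRIGGERS = [("project falcon", "block"), ("press release", "allow")]

if __name__ == "__main__":
    cases = [
        (APPLY_USER_POLICY, "explorer.exe", "Project Falcon budget"),
        (APPLY_USER_POLICY, "explorer.exe", "Lunch menu"),
        (APPLY_USER_POLICY, "thirdparty-sync.exe", "Lunch menu"),
        (ALWAYS_BLOCK, "notepad.exe", "Lunch menu"),
    ]
    for handling, proc, text in cases:
        print(handling, proc, "->", decide_copy(handling, proc, text, SAMPLE_TRIGGERS))
```

The third case shows the outcome that most often surprises users: under ‘Apply user policy’, an application that is not policy-enabled is blocked even when the file content would trigger nothing.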
Copyright © 2014 CA.
All rights reserved.