Transparent DRM
April 17, 2012 10:33 AM   Subscribe

I'd like to make certain documents at work (mostly PDFs) only openable to logged-in domain members based on group membership. Watermarking with account credentials would be a plus.

I'm looking for the cheapest option that will prevent accidental leakage of some docs (e.g. Reply-All bombs), PDFs for the most part. I know we could accomplish this with PDF passwords, but they will be a pain to maintain in the long run. Ideally this would be integrated with Active Directory so group membership would determine accessibility. Commercial options from a brief google are LockLizard, FileOpen, and a few other plugin vendors, many of which are overbuilt for DRM ebook distribution, not a SMB situation. We've got a mixed WinXP/7 domain with 2008 DCs. Watermarking with accountname etc. is a nice-to-have. Is there anything built into Adobe or Windows that will do this? This only has to work at a single site.

Please no lectures on how DRM doesn't work. I know it's impossible to fully control documents. We're only trying to deter casual/accidental leakage.
posted by benzenedream to Computers & Internet (5 answers total) 1 user marked this as a favorite
Since the users are logged in, can't you just share PDFs as links to shares (which you can easily set permissions on) instead of attaching files?
posted by wongcorgi at 11:05 AM on April 17, 2012

Or link to a internal web site that checks for appropriate permissions using NTLM and displays the PDF in browser window?
posted by wongcorgi at 11:06 AM on April 17, 2012

Best answer: I'd hide the PDFs on a server and allow access through a web viewer that checks permissions.

If you use a web viewer that rasterizes on the host, you're never shipping the actual PDF to the clients. Memail me and I can offer you some options (and I'd rather avoid pimping my company).
posted by plinth at 11:46 AM on April 17, 2012

Response by poster: And to make it even more complicated, you are likely to need these services to be cached locally for network-disconnected clients

As I noted, this is for a single site. Remote viewing isn't required (no field people). Unlocking on the fly is not required, a single admin user with unlock rights is ok.

Since the users are logged in, can't you just share PDFs as links to shares

Yes, but this doesn't prevent saving to other locations, which is what the encryption would be for.

This is kinda what SharePoint is for.

I know Sharepoint will do the tracking, ACL, and logging bit out of the box. Sharepoint IRM seems to be dependent on MS Right Management Service (RMS) and Client Access Licenses (CALs) which doesn't look cheap, and would require a PDF RMS wrapper.

If you use a web viewer that rasterizes on the host, you're never shipping the actual PDF to the clients.

These may be rather voluminous docs that are semi-randomly accessed, so slow page rendering when scrolling would be moderately painful. I've used hosted solutions before with rendering that caused grumbling when dealing with 1000 page docs, but that could just have been a bad implementation.
posted by benzenedream at 1:56 PM on April 17, 2012

You have Active Directory, and the files will be accessed by people who are logging in with appropriate domain credentials?

How about this. If you have a NAS box, create appropriately named folders on it, and in the security settings, only the appropriate AD group gets any access (whether that's modify rights or just read & execute).

For example

\\server\share\folder 1
The folder 1 group within AD gets modify rights, nobody else (except for domain admins, of course) gets any access.

Repeat as necessary:
\\server\share\folder 2
\\server\share\folder 3
posted by AMSBoethius at 3:12 PM on April 17, 2012

« Older Finding a crinoline in DC on short notice   |   Buying a furnished home Newer »
This thread is closed to new comments.