Share via


Why am I able to capture the Screenshot of a Right Protected document when opening it through a browser ?

 

So it all started as a discussion with one of my colleague who had an issue, where we were able to take screenshot’s of Right Protected Word Document when opening it through Word Online. The rights are being applied by uploading the document to SharePoint online. To get an actual answer, we have to first understand in depth on how a Screen Capture does work. And how does Windows stop the Screen Capture when it does. Normally when opening it through a Thick office client.

I came across this wonderful explanation by Raymond Chen. Would advise you to go through it before continuing as this holds all the answer’s we need.

Windows Confidential: What You See Is What You See

Windows Confidential The Case of the Disappearing Cursor

The purpose of this feature is not to protect information from an attacker who can run code on the system. It's to defend against users who take a screen shot without realizing that the confidential budget data is visible in the background.

Reference: https://blogs.msdn.com/b/oldnewthing/archive/2013/06/03/10422964.aspx

When using screen capture tools like Snipping Tool or PrintScn function, the pixel arrays for the protected content window are inaccessible so it is blacked out in the capture. The segment of the screen that has the Rights Protected Document opened on blacks out, as we can see in the figure below.

clip_image001[6]

An advanced application like OneNote will automatically detect that a Right Protected Document is open and would let you know that. We will not go in how it does that.

So, to recap:

1. Client application opens IRM protected content.

2. Client application reads the ‘Do Not Print’ permission attached to the document(if any).

3. Client calls the Desktop Window Manager service (ensure that the service is running) to enforce this right.

4. The pixels of the window overlay are marked as protected/inaccessible to PrintScn function calls.

User could easily get around this by “viewing the document via a Web site (for example, put it on your Exchange mailbox and use Outlook Web Access) and PrtSc the Web page. The Web browser certainly doesn’t know which pixels are IRM-protected or not”.

So far, I have not come across on how we can control this behaviour through a web browser. At the time of writing this post, the best way around this is to force the User to use the thick client, which is installed on your machine.

In case of SharePoint Online, we can choose the right combination of Permission and force the user to open the document using the Office application that is installed on the machine. Here’s how we can implement this.

1) Create a new Group and under the section “Give Group Permission to this Site”, checked the option “Read - Can view pages and list items and download documents”.

https://support.office.com/en-us/article/Manage-permissions-for-a-list-library-folder-document-or-list-item-9d13e7df-a770-4646-91ab-e3c117fcef45

2) Add the member’s to this group according to my scenario, in general we would follow the company policy.

3) I am assuming we have the IRM already configured, if not please visit the following link.

https://support.office.com/en-us/article/Set-up-Information-Rights-Management-IRM-in-SharePoint-admin-center-239ce6eb-4e81-42db-bf86-a01362fed65c

4) Now only pointing out the option which will force the Word Document to open using the Desktop Client.

Check the option “Prevent opening documents in the browser for this Document Library

After steps 1-4, I was able to get the Document open through Word 2013(in my case) and verified that I was not able to take a Screen Capture.

Hope this post has been informative and helps address Print scenarios while dealing with confidential data

Note: This weblog does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my opinion.