How to secure Windows logon?

[webmal]

There's no encryption utility in XP Home edition. Anyway, encrypting certain files is not much help if you lose your PC because the Windows logon password is useless: http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20348448.html

The PC leaves too many trails e.g. images you have viewed, credit card and password information you have entered and files you used and are interested in. It would be nice if there's a way to secure the Windows logon. Any advice or tips appreciated.



------------------
Shuttle SB61G2
P4 3.4 GHz Northwood
1024 MB Corsair TwinX
MSI 5900XT
74 GB WD Raptor
Sony DRU-530A
Sony SDM-X73B
Windows XP Home

 

[n0cmonkey]

Use a good password. Use a password to "secure" your bios. Don't allow booting from anything but the hard drive. Use removable disks, keep them on you in a safe with a very tough (128 characters or more) combination that will self destruct if the combination entered is not correct.

 

[webmal]

Originally posted by: n0cmonkey
Use a good password. Use a password to "secure" your bios. Don't allow booting from anything but the hard drive. Use removable disks, keep them on you in a safe with a very tough (128 characters or more) combination that will self destruct if the combination entered is not correct.

FYI I can reset my BIOS (via jumper on mb) in less than 1 min that renders the BIOS password useless. I don't think I can lug around an external HD for too long



Shuttle SB61G2
P4 3.4 GHz Northwood
1024 MB Corsair TwinX
MSI 5900XT
74 GB WD Raptor
Sony DRU-530A
Sony SDM-X73B
Windows XP Home

 

[apriest]

Unplug the damn thing and never use it?!

 

[cyberphant0m]

I recently read an article (forgot exactly where) about "Quantum Cryptology." Theoretically, it uses 512-bit encryption, and if the password entered to decrypt the file is wrong, the encryption key is changed, in order to prevent brute-force hacking... Dunno exactly how effective it will be, it seems like whenever a new type of security method is used, some hacker comes along and cracks it...

 

[NogginBoink]

I would like to know what the solution is on this page so that I can address it. But I don't need any more spam so I don't want to sign up. Care to summarize for us?

 

[webmal]

For those of you who are unable to read the experts-exchange.com thread, please click here (then scroll down) to view Google's cache version. Hope this helps.



------------------
Shuttle SB61G2
P4 3.4 GHz Northwood
1024 MB Corsair TwinX
MSI 5900XT
74 GB WD Raptor
Sony DRU-530A
Sony SDM-X73B
Windows XP Home

 

[webmal]

What do you think of DriveCrypt Plus Pack ?

Some of its features:
- Full Disk Encryption (Encrypts parts or 100% of your HardDisk including the operating System)
- Pre-Boot authentication (BEFORE the machines boots, a password is requested to decrypt the disk and start your machine)
- Strong 256bit AES encryption
- USB-Token authentication at pre-boot level

 

[bsobel]

The PC leaves too many trails e.g. images you have viewed, credit card and password information you have entered and files you used and are interested in. It would be nice if there's a way to secure the Windows logon. Any advice or tips appreciated.

The Windows login is secure, your mixing attack modes and trying to secure a box against physical access. While that can be done, are you sure thats the attack your worried about?
Bill

 

[daniel1113]

What on earth do you guys need to protect with this level of encryption? The average user (aka, non-buisness user or hacker) needs little more than a good password, firewall, and anti-virus program. Calm down. Seriously.

 

[n0cmonkey]

Originally posted by: webmal

Originally posted by: n0cmonkey
Use a good password. Use a password to "secure" your bios. Don't allow booting from anything but the hard drive. Use removable disks, keep them on you in a safe with a very tough (128 characters or more) combination that will self destruct if the combination entered is not correct.

FYI I can reset my BIOS (via jumper on mb) in less than 1 min that renders the BIOS password useless. I don't think I can lug around an external HD for too long

LARGE gorillas trained to maul anyone but you approaching your computer!

 

[n0cmonkey]

Originally posted by: daniel1113
What on earth do you guys need to protect with this level of encryption? The average user (aka, non-buisness user or hacker) needs little more than a good password, firewall, and anti-virus program. Calm down. Seriously.

And your point is what?

 

[CQuinn]

I think the point is many of the same exploits he is complaining about having on Windows XP can
be applied to Linux, and most likely also Unix, Mac OSX, BeOS, etc... if you have physical access
to the system.

There are ways to secure data so even if someone else gets to the machine and changes the
admin password, that doesn''t let them at the data.

The way webmal seems to be approaching this makes me wonder who is after him, that he would
be so concerned about securing the system.

 

[n0cmonkey]

Originally posted by: CQuinn
I think the point is many of the same exploits he is complaining about having on Windows XP can

be applied to Linux, and most likely also Unix, Mac OSX, BeOS, etc... if you have physical access

to the system.



There are ways to secure data so even if someone else gets to the machine and changes the

admin password, that doesn''t let them at the data.



The way webmal seems to be approaching this makes me wonder who is after him, that he would

be so concerned about securing the system.

Exploits? I don't think I'm aware of any exploits that can only happen if you are physically at the machine. Especially if you have gorillas.

I also posted in the cross-post about a couple of encryption packages that will help protect data from unwanted eyes.

 

[drag]

Bah.

If anybody has physical access to your computer, you lose by default. Encrypting drives isn't worth the hassle.

IMHO the only software/hardware based security worth paying attention to is protection from network attacks, that will keep anybody more then occupied for life.

For physical access I prefer to do the same thing that serious gun collectors do. (if I worried about it, which I don't).

Pick a nice smallish room in the basement. Tear out the inside walls of the room, put weilded/bolted steel plate in there instead of drywall. Maybe reinforce that with concrete.

Don't forget the ceiling and the floors. Don't want to spend all that time and effort and have somebody go in thru the kitchen floor or your bosses office with a crowbar, do you?

Put a safe door in place. Several inches thick steel. something like this

Make it so mind boggling difficult to break into that nobody will even want to try. That's the goal.

If you need to access your restricted data from a remote location do it thru the internet or lan. That's what it's there for.

Keep your final server inside the reinforced room, keep the logon server in their too. With the firewall.

Have the internet go in, go thru a firewall and into the logon server. The only way to access the information is to establish a encrypted tunnel thru the firewall and into the logon server. Logon thru that and establish a second tunnel into your secure data server. Make it so a hacker would have to break your firewall, your logon server and then your final secure server in order to gain access to it. Print out a copy of your logs to hardcopy so that they can't be altered after the fact.

And whala, your data is secure and nobody will ever find your gay nun porno stash.

The main advantage this has over encrypted files is that if (when) your computer F-s up, then you still have access to your data. If you have encrypted harddrive then your data can be gone forever, which is most of the time worse then getting a copy stolen.

There is a reason that Windows/Linux/OS X/etc etc allow you to reset passwords and stuff. It's not because of a flaw in design, it is out of nessecity.

Ever see what happens to a high end server that is built on 100% secure hardware defenses.

Forget our mistype your root password in a password change-over and you can kiss you high dollar server goodbye. It's happened to more then a few people, and it's very costly to have a guy come out a resolder a new chip to reset it into your motherboard.

 

[n0cmonkey]

Originally posted by: drag
Bah.



If anybody has physical access to your computer, you lose by default. Encrypting drives isn't worth the hassle.

It isn't much of a hassle really. OpenBSD has the necessary tools built in, and it takes about 2 minutes.

Pick a nice smallish room in the basement. Tear out the inside walls of the room, put weilded/bolted steel plate in there instead of drywall. Maybe reinforce that with concrete.

Don't forget the ceiling and the floors. Don't want to spend all that time and effort and have somebody go in thru the kitchen floor or your bosses office with a crowbar, do you?

Put a safe door in place. Several inches thick steel.

Make it so mind boggling difficult to break into that nobody will even want to try. That's the goal.

Or just rely on really big trained gorillas.

And whala, your data is secure and nobody will ever find your gay nun porno stash.

The main advantage this has over encrypted files is that if (when) your computer F-s up, then you still have access to your data.

If you are smart about things, you will have access to your data after you've screwed up your computer. Exporting keys and keeping them in a safe place is an easy step.

If you have encrypted harddrive then your data can be gone forever, which is most of the time worse then getting a copy stolen.

Tell that to the tens of thousands of people that have gotten their credit card numbers stolen because a database was compromised. Or to the British government, whose special agents have a habit of losing laptops. Or to Los Alamos National Laboritories who have trouble keeping track of hard drives.

Most people don't need it, but what does it hurt? If you're smart about things, the risks are minimal, the extra work is minimal, and the benefits are amazing.

 

[drag]

Originally posted by: n0cmonkey

Originally posted by: drag

If you have encrypted harddrive then your data can be gone forever, which is most of the time worse then getting a copy stolen.

Tell that to the tens of thousands of people that have gotten their credit card numbers stolen because a database was compromised. Or to the British government, whose special agents have a habit of losing laptops. Or to Los Alamos National Laboritories who have trouble keeping track of hard drives.

Most people don't need it, but what does it hurt? If you're smart about things, the risks are minimal, the extra work is minimal, and the benefits are amazing.

Well that's why you don't keep anything important on Laptops. And you don't let people get ahold of harddrives. You keep that someplace were you have control over it. (and harddrive encryption isn't going to stop a database compromised, unless it was a physical breakin, of course)

It just depends how important your stuff is. People do build rooms to protect 10-20 thousand dollars of collectables or guns or whatever. How important is your information to you?

To me, it's not a big deal. If I need something I just SSH into my home computer and get it. The bigest physical defense I have is a pane of window glass (a chain is only as strong as the weakest link), but I don't do financial crap on my laptop or keep anything important on it. Then if I loose it or it gets stolen, all I have to worry about is the laptop. (or any gorillas)

 

[n0cmonkey]

Originally posted by: dragWell that's why you don't keep anything important on Laptops. And you don't let people get ahold of harddrives. You keep that someplace were you have control over it. (and harddrive encryption isn't going to stop a database compromised, unless it was a physical breakin, of course)

The hard drive was supposedly kept in a safe place. And I know my database point was a little off. But for some people, keeping important data off the laptops is near impossible.

And just because a story I'm working on isn't really critical data, I don't want people reading it if I lose my laptop (RIP ). Hence, encrypted drive.

It just depends how important your stuff is. People do build rooms to protect 10-20 thousand dollars of collectables or guns or whatever. How important is your information to you?

To me, it's not a big deal. If I need something I just SSH into my home computer and get it. The bigest physical defense I have is a pane of window glass (a chain is only as strong as the weakest link), but I don't do financial crap on my laptop or keep anything important on it. Then if I loose it or it gets stolen, all I have to worry about is the laptop. (or any gorillas)

I don't have access to SSH from everywhere.

 

[drag]

Originally posted by: n0cmonkey

Originally posted by: dragWell that's why you don't keep anything important on Laptops. And you don't let people get ahold of harddrives. You keep that someplace were you have control over it. (and harddrive encryption isn't going to stop a database compromised, unless it was a physical breakin, of course)

The hard drive was supposedly kept in a safe place. And I know my database point was a little off. But for some people, keeping important data off the laptops is near impossible.

Maybe, but is that mostly because of nessicity or laziness? If it's from nessicity then I can definately see the benifits, but it's nothing that I would want to do unless I realy had to.

I don't have access to SSH from everywhere.

What? You got something better? Or is it you just can't get to the internet.. cell phone modems are pretty cheap things to set up nowadays.

 

[n0cmonkey]

Originally posted by: drag

Originally posted by: n0cmonkey

Originally posted by: dragWell that's why you don't keep anything important on Laptops. And you don't let people get ahold of harddrives. You keep that someplace were you have control over it. (and harddrive encryption isn't going to stop a database compromised, unless it was a physical breakin, of course)

The hard drive was supposedly kept in a safe place. And I know my database point was a little off. But for some people, keeping important data off the laptops is near impossible.

Maybe, but is that mostly because of nessicity or laziness? If it's from nessicity then I can definately see the benifits, but it's nothing that I would want to do unless I realy had to.

In my case, it's mostly laziness. I like to work in wierd places. Every where from coffee shops and book stores to dirty diners or the park.

I don't have access to SSH from everywhere.[/q ]

What? You got something better? Or is it you just can't get to the internet.. cell phone modems are pretty cheap things to set up nowadays.

SSH is blocked at work. And so are cell phone signals

EDIT: Screwy err quoting.

 

[drag]

Originally posted by: n0cmonkey
SSH is blocked at work. And so are cell phone signals

That sucks. At my work they have putty installed on my machine for me.


Are they paranoid about people downloading stuff from remote servers or something?

 

[n0cmonkey]

Originally posted by: drag

Originally posted by: n0cmonkey

SSH is blocked at work. And so are cell phone signals

That sucks. At my work they have putty installed on my machine for me.

I've got putty installed on mine too. But it can't get outside of our network.

Are they paranoid about people downloading stuff from remote servers or something?

We're just paranoid.

It's part of the job description, I think. At my orientation (filling out reams of paper work) I got a calculator, a pen, a calendar, and a tin foil hat.