Securing laptops with WinXP Pro.

InlineFive

Hi all,

Lately I have become more and more concerned with the laptops that some of our staff take with them on trips and job related activities. One of my fears is that (even though they are competent people) the laptops will be misplaced or stolen, along with the accompanying information.

So far the best I have done is assign passwords to all accounts, change the systemkey to a password that the users know, and use EFS on the user's directory.

Do you have any other "best practice" suggestions?

Thanks in advance for your time and experience.

I5
 
Are they joined to a domain? EFS is significantly stronger when joined to a domain. You may also want to investigate third party full volume encryption products, similar to Vista's BitLocker.
 
What you propose makes sense. I travel a lot, and much of it abroad. I have my laptop secured with a Sony FIU-800 (Puppy) fingerprint device. It must be inserted in a USB port and correctly responded to or it doesn't boot. If the travel is mainly in CONUS, then a Lojack chip might be another useful item to assist in recovery of a "lost" or stolen laptop.
 
Originally posted by: corkyg
What you propose makes sense. I travel a lot, and much of it abroad. I have my laptop secured with a Sony FIU-800 (Puppy) fingerprint device. It must be inserted in a USB port and correctly responded to or it doesn't boot. If the travel is mainly in CONUS, then a Lojack chip might be another useful item to assist in recovery of a "lost" or stolen laptop.

So if it doesn't boot, what's to prevent someone from taking the hard drive out and accessing it on another machine?

Encryption is required.
 
Encryption really is needed - check out this product: http://www.winmagic.com/

The machine won't even boot without the correct hardware token/biometrics, and the drive is encrypted in case someone wants to just try it in another machine.

It really slows the system down but that is the price of mobile computing safely.
 
Originally posted by: xfile
TrueCrypt is great....been using it with 0 problems on my data.

Wow, would you regard that as a business class product?

I was thinking about immediately upgrading my laptops to Vista because of the better network management and BitLocker especially. Although at this point I'm not sure if that is premature.
 
Originally posted by: dclive
So if it doesn't boot, what's to prevent someone from taking the hard drive out and accessing it on another machine? Encryption is required.

The fingerprint requirement is in the hard drive. It would do the same thing in another machine. I've tried it. I'm not saying that it is better than encryption. It is not. If the security of the data is very important, then by all means, encrypt. But . . . that can also have its own set of problems.

Always think of security in layers - defense in depth.

 
Fingerprint scanners are usually pretty easily spoofed. Myth Busters had an episode a few weeks ago where they spoofed an 'unbreakable' fingerprint lock.
 
Originally posted by: stash
Fingerprint scanners are usually pretty easily spoofed. Myth Busters had an episode a few weeks ago where they spoofed an 'unbreakable' fingerprint lock.

That was a pretty cool episode; and now I would use either passwords or smart cards.
 
If you want to use smartcards, I would definitely wait for Vista. With Vista, you get BitLocker, but you also will get the ability to store EFS keys on a smartcard. No more need to remember to back up your key, and it is far more secure than any of the current methods, including syskey.

BitLocker works with a compatible TPM chip (TPM 1.2) or a USB key. If you use TPM, the boot up will be transparent, which may or may not be what you want (since anyone can boot up the machine when it is in the machine with the TPM). If you use the USB key, you need to insert the USB key every time you boot.
 
Also remember that BitLocker and EFS are complementary technologies. Using one does not exclude the use of the other.
 
Originally posted by: stash
Fingerprint scanners are usually pretty easily spoofed. Myth Busters had an episode a few weeks ago where they spoofed an 'unbreakable' fingerprint lock.

Can you provide a link to that? It's very interesting. I have found many that can be spoofed, but not the Sony. It doesn't use imagery - it uses capacitance and is very sensitive. Even the correct finger gets a "No" unless placed exactly at the proper angle. And, if it is cold (below about 60 F) it won't do a thing until the finger has warmed it up. 🙂

 