Win 7 Intrusion Security

[deustroop]

What is the preferred method of physically securing the OS ?
I know there is a password system but I assume that a half wit could circumvent it--likely with an app freely available--but am i correct ?

If so, what do pros do to ensure eg the lawyer for the ex cannot easily see what the actual expenses are ?

Or is a password sufficient ? Whose password and how difficult is it to bypass ?

How do I enable the best os security MS provides ?

Preciate any pointers here.

 

[lxskllr]

I'd say encrypting the whole disk using something like TrueCrypt. That's the only real way, and if setup properly it would be unbreakable.

 

[deustroop]

Ok-thx-have you used the application ? Are there any pitfalls ? The web description looks clear but the thing is free--I wonder if you get what you pay for ?

 

[lxskllr]

Ok-thx-have you used the application ? Are there any pitfalls ? The web description looks clear but the thing is free--I wonder if you get what you pay for ?

No, I haven't used it, but it's one of the best, if not the best application of it's type. The biggest pitfall would be forgetting your password. If that happened your data would be history. It's pretty much unrecoverable by any means. you /might/ get lucky brute forcing it, but then you might get lucky winning Lotto also :^D

 

[deustroop]

thx

 

[Gamingphreek]

Kind of a shady example, but I'll give you the benefit of the doubt and answer.

First and foremost it is important to keep in mind arguably the single greatest rule in IT Security: If someone has physical access to the system, they WILL be able to compromise it in someway.

Using Full Disk Encryption with Bit-Locker or Truecrypt will help if the machine is starting from a reboot; however, if you are logged in and the computer is locked, the drive is already decrypted.

Additionally, in line with very first point, outside of using AES-256 and a password with very good entropy, if someone (or a group of someones) wants in bad enough, they can get in.

-GP

 

[Zargon]

yeah

bitlocker/trucrypt do help in teh case of them stealing a machine and taking it offsite to try and break in

 

[lxskllr]

Using Full Disk Encryption with Bit-Locker or Truecrypt will help if the machine is starting from a reboot; however, if you are logged in and the computer is locked, the drive is already decrypted.

It's a fine point, but TrueCrypt decrypts/encrypts on the fly. Data is always encrypted. Your point still remains though. What I would do is enable locking on idle at a very short interval; ~1 minute or so. That isn't foolproof, and it can get irritating if you let it sit a lot, but that'll cut down the chances of someone getting your data.

 

[Gamingphreek]

It's a fine point, but TrueCrypt decrypts/encrypts on the fly. Data is always encrypted. Your point still remains though. What I would do is enable locking on idle at a very short interval; ~1 minute or so. That isn't foolproof, and it can get irritating if you let it sit a lot, but that'll cut down the chances of someone getting your data.

Good point - I completely forgot about that.

We are really getting into a lot of protection for a system though haha. 1 minute locking with full disk encryption is pretty hardcore (Though this doesn't defend against user error in the slightest ).

Entropy on the password might end up being sacrificed since it is locking so often

 

[JackMDS]

There are few levels to security. Ensuring the Data is one thing.

However if someone can boot with a Boot disk and sabotage the system, you will end up with Nothing to Decrypted.

As said above beside encryption, when security is an absolute must, you should configure the computer No to boot from Floppy/USB/DVD/CD/eSATA etc.

 

[Gamingphreek]

There are few levels to security. Ensuring the Data is one thing.

However if someone can boot with a Boot disk and sabotage the system, you will end up with Nothing to Decrypted.

As said above beside encryption, when security is an absolute must, you should configure the computer No to boot from Floppy/USB/DVD/CD/eSATA etc.

Excellent point. If you do that, make sure to password protect the BIOS too or otherwise they could just go in and change it

 

[gsaldivar]

Keep in mind that full disk encryption with any software scheme like BitLocker or TrueCrypt will degrade performance, as data must be encrypted and decrypted in real-time as your users read and write to the system drive.

This can be mitigated several ways: If you choose to use AES encryption and have a CPU capable of hardware acceleration (Intel Processors with "AES-NI") then this will speed the process up significantly. Also you can purchase a hard drive with an onboard chipset to handle encryption such as Seagate Momentus FDE, to reduce the load on your CPU.

Both methods are not foolproof, as the system can still be compromised while its running. Disk encryption helps mainly to ensure that the stored data is unusable in the event the computer is lost or stolen. Without the correct password or trusted hardware module, the encrypted data is completely scrambled and not readable.

 

[postmortemIA]

Excellent point. If you do that, make sure to password protect the BIOS too or otherwise they could just go in and change it

It works great if you have laptop. For desktop, CMOS reset will blank out the password ( I hope it doesn't, but not sure anymore).

The another idea is to save sensitive data on network that is physically hidden or offsite.

 

[Gamingphreek]

It works great if you have laptop. For desktop, CMOS reset will blank out the password ( I hope it doesn't, but not sure anymore).

The another idea is to save sensitive data on network that is physically hidden or offsite.

The jumper alone wont reset a BIOS password. You have to physically remove the CMOS battery and let all the capacitors discharge before it is gone. We are getting into physical security now, but this is why some chasis have "Chasis Intrusion Alarms" and whatnot.

It really brings back my very first point. If you have physical access to a system, you WILL (no "ifs" "ands" or "buts" about it) be able to compromise a system.

Good suggestion regarding the network-- especially with the increasing popularity of Cloud Computing there is an abundance of places to store data.

-GP

 

[deustroop]

Thx for all the effort here.
The security I need is to prevent data disclosure in the event of laptop theft or loss. From your comments, I think the best approach is the first one --disk encryption, suffering performance loss as noted.