
Secure passwords on Windows 2003 domain?

I was wondering if there is a way to secure passwords on Windows XP clients? I have a number of laptop users that travel with their machines and in the event of a theft or loss I don't want someone to be able to overwrite the password. There are many utilities that can do that as I am sure you all know. Besides a hardware key for login, is there anything I can do to prevent these passwords from being removed by a removal utility to gain access to the machine? I have a win2k3 domain with XP Pro clients.

Thanks!
Asked:
cbtech
 
tengage Commented:
No.  ERDCommander and hundreds of other utilities will still change the passwords.  It sounds like you may want to implement EFS (encrypted file system).
 
tengage Commented:
If you want to implement EFS, PLAN PLAN PLAN.  Using Group Policies, you can safely implement EFS.  A poorly planned EFS deployment will be your worst nightmare.  EFS renders data useless unless you have the keys to unencrypt it.  Losing a laptop that is not encrypted is like giving the thief CDs of all your data.

Here is a starting point
http://www.microsoft.com/technet/community/columns/5min/5min-202.mspx

If you want a good laugh, read this KBase article.  It falls under the "no SH!T category"
http://support.microsoft.com/default.aspx?scid=kb;en-us;818200
 
tengage Commented:
PS -

Even with SECURID or SMARTCARD, a thief could still piggyback a hard drive in another system, mount it and take ownership of the files to read them.
 
shahrial Commented:
You may wish to consider using a hard-disk encryption software like DRIVECRYPT.
http://www.securstar.com/products_drivecrypt.php

DRIVECRYPT allows both, the encryption of an entire Hard Disk partition, as well as the creation of a virtual container file that will store all the encrypted information.

Features:
- Strong cryptography
- Disk partition and file volume encryption
- Invisible containers
- Improved password security
- Password sniffing protection
- No-evidence encryption
- Administrator password control (keyfiles)
- Anti dictionary or brute force attack mechanism
- Easy and fast hotkey control
- Second user access
- Forgotten user password recovery
- Eliminate the danger of unattended computers
- Secure disk deletion (disk wiping)
- Encrypted volume resizing
- External hardware support
- Works on any storage medium
- Encrypted data is easily recovered
- Software works on any storage medium: HD, FDD, CD, DVD, Zip, Jazz, ....
- Easy to install, deploy & use
- Maximize your security, minimize your risk
- No backdoors present

...;-)
 
shahrial Commented:
Another good disk encryption software.
WinMagic HardDisk Encryption - SecureDoc
http://www.winmagic.com/product_info/securedoc/prod_info.asp

An evaluation copy is available here:
http://www.winmagic.com/product_info/securedoc/downloads.asp

FYI...;-)
 
rindi Commented:
Set a password for the hard disk. This can normally be set in the PC's BIOS setup routine. If the hard disk is password protected, you have to enter that password every time the PC is turned on. If you forget that PW, it won't help if you move the disk to another PC or change the PCB on the disk. There are no backdoor passwords provided by the disk's manufacturer. If you forget the PW, you have to send the disk to the manufacturer, along with proof that it is your data on that disk; they can then reset the password, but they ask for good pay when doing that (a lot more expensive than a new drive costs).
 
mrorange Commented:
I would have to agree with tengage here; EFS is the way to go.... no point in purchasing more software when you already have it... EFS is also transparent to the user, so no additional training required.

Summary of key strengths and types:
Windows 2000 pre-SP2: 40bit DESX
Windows 2000 SP2 or later: 120bit DESX
Windows XP pre-SP1: 120bit DESX
Windows XP SP1 or later: 256bit AES
Windows Server 2003: 256bit AES

It is worth bearing in mind however that the encryption key is protected by the user's password, so you need to ensure that you enforce strong password rules.
 
tengage Commented:
BIOS passwords are set in BIOS, and stored in BIOS.  Not only can you reset the BIOS and wipe out the password, the drive has no idea it is password protected.  If you pull a drive and piggyback it, one can definitely get to the files on it.

I am not opposed to 3rd party solutions and I would probably evaluate some if I needed EFS.  One example would be Quota software.  There are some things that MS doesn't do that 3rd party software does (quotas, backups, antivirus).  They are doing some things now that they didn't in the past like firewalls, remote desktops, encryption, CD burning.
 
rindi Commented:
tengage, the hard disk password is not a BIOS password and it isn't stored in the BIOS. In fact it is stored on the disk platters. The BIOS only acts as the interface to set this password. If you try to read a protected disk in another system you won't get to it. You can even change the PCB and not be able to reset the password. I do agree that the other passwords you can set from the BIOS are usually easily reset; that's why I didn't mention those.

The only problem with this password is that most people usually select a simple one with only a few characters, which makes it guessable by trial and error, but this problem you will encounter with most passwords.
 
ZeropointNRG Commented:
There is a way to lock the hdd disk so no one can access it, on your computer, or anyone else's.. not even if you open up the hdd, take out the disks, and use another drive... I'll be back to inform you how.. I haven't done this in a while..

But grab this program..

http://www.pcworld.com/downloads/file_description/0,fid,8082,00.asp

And I'll figure out how to do the other procedure properly so it can't be accessed on any computer.
 
mrorange Commented:
Hi ZeropointNRG, disk encryption has been recommended already.
 
ZeropointNRG Commented:
Yes, but I gave an alternate program, but that's not what I'm really trying to tell him. No one has told him it is possible, everyone has said it's not possible, "you can easily change computer and grab the info" this is what the guy needs, and what I'm trying to figure out, and I know it's possible to do, because I've done it years ago.

The program is only an alternate, like all the other alternates that are here....
 
GlennGilbert Commented:
Have a look at PGP's website http://www.pgp.com/products/index.html.  Their workgroup looks just what you need;  it encrypts the hard disc.


Glenn
 
Rich Rumble (Security Samurai) Commented:
The best thing is an encrypted folder or partition. With physical access ala theft, there is no other viable option, imho.

I do not recommend M$ EFS, I laugh with every recovery I do. If I can't recover with Elcomsoft's aEFSdr http://www.elcomsoft.com/aefsdr.html then I recover the .tmp file that is created when EFS is used to encrypt a doc or folder. The .tmp file has the plain-text version of the doc, or folder.
Ontrack has the best file recovery tools I've ever seen, and they make me lots o' money- I've used all the overwriters out there, formatted using Linux, BeOS, Unix, FAT16, FAT32, NTFS- I can still get the files back.
http://www.ontrack.com/

For more about the .tmp file read here:
http://www.securityfocus.com/archive/1/157262

Basically use someone else's encryption program if you're extremely worried about theft and what they might get. M$ EFS is ok... but far from good enough for us.
-rich
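For readers deploying the EFS route discussed in this thread, the plaintext .tmp remnant described in the post above is usually handled by encrypting at the folder level and then overwriting free space with the built-in cipher.exe. The batch file below is an added example, not part of any post in the thread; the folder C:\Data\Secure and the recovery file path are assumed placeholders.

```batch
@echo off
rem Added example, not from the thread. TARGET and DRA_FILE are placeholders.
setlocal
set "TARGET=C:\Data\Secure"
set "DRA_FILE=C:\Temp\efs-dra"

rem 1. Create a recovery agent certificate (.cer) and private key (.pfx).
rem    cipher prompts for a password that protects the .pfx. Add the .cer as
rem    a recovery agent in Group Policy and keep the .pfx offline, never on
rem    the laptop it is meant to recover.
cipher /r:"%DRA_FILE%"

rem 2. Mark the folder and its subfolders as encrypted (/s) and encrypt the
rem    files already inside them (/a). Files created in the folder after this
rem    point are encrypted as they are written.
cipher /e /a /s:"%TARGET%"

rem 3. Re-key existing encrypted files so they pick up the current user key
rem    and the current recovery agent from policy.
cipher /u

rem 4. Converting existing plaintext files can leave recoverable plaintext in
rem    deallocated clusters (the .tmp remnant). /w overwrites the unused
rem    space of the volume that holds the named directory; it can run long.
cipher /w:"%TARGET%"

rem 5. List the result: "E" marks encrypted items, "U" unencrypted ones.
cipher "%TARGET%\*"
endlocal
```

Step 4 only cleans space that is free at the time it runs, so it belongs after any bulk conversion of existing files rather than before it.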
 
shahrial Commented:
Excellent comment richrumble...(learnt something new, today). Thanks...:o)

