How to protect your computer?

I have three machines that I have on 24x7.  I log into these machines using Remote Connection.  

I am concerned about security of files and the fact that at present anyone who restarts the machine has full access to everything.

Can anyone suggest a good method of security?  I cannot have anything on boot up as these machines are restarted remotely.  In a sense I am looking for the best Server Security plan.

Who is Participating?
Rich RumbleSecurity SamuraiCommented:
There are quite a few different approches one can take to secure their data, encryption being the main one. As your aware, with physical access, most methods of protection can be twarted with realitve ease. Encryption is a great form of protection and depending on which application you use, your data may be more secure than with another application. With current hardware encryption isn't much of a strain on the CPU and or memory. M$ EFS for example is decent at protecting data, but there are a few holes in it's design that make recovery moderatly easy, such as if someone reset the local admin password they are very likely to be able to recover, as well as the fact that EFS creates a Plain-Text version of files/folders when encrypting, then deletes this temp file/folder- but that plain-text version is easily recovered using even the free "undelete" utilities available. M$'s EFS is also "transparent" encryption/decryption, there is no prompt for a password, it's using a user account (not the password of the account) as the credintials for encryption/decryption- this is why I said that with a password reset of the local admin pass the data is likely to be recoverable. You can export your encryption keys to floppy or cd etc... but there are still tools that can recover them.

PGP is probably one of the strongest choices for data encryption, it encrypt's in memory and never writes data in plain-text to the HD as M$ EFS does, as well as using some of the strongest crypto around. Recovery is near impossible, even in an unrealistic time frame. There are also plenty of free and pay encryption utilities that do not suffer the same flaws as M$'s EFS that can work, and most are also very difficult to recover the data with, as there are not automated tools to help with the recovery for most.

Again, with modern hardware, encryption isn't much of a preformance hit, at least not a noticable one in my experience. I also recommend Steganos Security Suite, it's cheap, like 40-50 bucks, and offers a varity of encryption options, and the preformance of your machine will not suffer.

The protable safe feature may be of interest to you, you can encrypt data on USB drives/memory CD or DVD.
If your looking to protect data, I'd advise you to back it up encrypted regularly. While the self-destruct method you've devised would work for the most part, the data is still there, trust me, it's just been "deleted" from the File Allocation Table, and the sectors that contained the data are still there with the data, there are just no convient pointers to the data. A free undelete util, or even better a pay version of say OnTrack's programs, would find and recover the data in no time. Enctrypted data is much safer, and even if "undelted" would still have to be cracked, and that would take far too much effort for even the NSA. So again, encrypt the valuable data, and back it up if possible. Lot's of people are taking advantage of the free space the hotmail and Gmail are providing for free to back up data. Gmail is now 2gig's of space and will accept an attachment of 20megs. There is also a program called 7Zip that has great compression and encryption protection, so you can get more files in an attachment by compressing it, and even encrypting it a second time.

Rich RumbleSecurity SamuraiCommented:
A firewall is by far the best first step. XP's firewall is very good at blocking new traffic- if not using xp then you can DL the free version of ZoneAlarm, however you can't make many exceptions, rather there aren't many ports you can open on the free version. Sometimes DSL and Cable provider's modem's have firewall settings also that you can use and they are also effective at blocking traffic.

If your unable/unwilling to use a firewall, then you may consider turning off certain services and portocols to secure your pc's. If your PC's do not need to access network shares, printers, or other PC's then you can turn off the "Server" service on them. This will keep anyone from connecting to the typical M$ port's of 135/139/445 and gaining possible access to the pc's HD and or registry. You should also turn off the "Remote Registry" service. To keep the services off, set them to Disable in the Services control panel in computer managment. RemoteDesktop will still function with these services turned off. You can also turn off the "Client for microsoft windows" protocol in the NIC properties, as well as the file and print sharing protocol IF your pc's do not connect to shared printers, or a windows lan, or other windows pc's. FTP and HTTP etc... will all work, but you will not be able to connect to other windows boxen, or shared printers. Directly connected printers (via usb or serial port) will still function but cannot be shared with others.
amacfarlAuthor Commented:
Hi Rich,

Thanks for your thorough answer - it is much appreciated.

Concerning my issue re security, I think I was not clear enough in my question.  I have no issue with protecting the system from online attacks and so forth.  My main concern is around protecting the machine via physical attacks.  For example, if the machine is stolen?

Now, I am aware that if a machine is stolen any person with half a brain cell can overcome screensaver, boot up, power on, windows passwords etc.. through plugging a HD drive into another machine.  Hence I am looking for a better way to protect the data.

The issue I see is concerning encryption.  If I encrpty everything on my server HD, it will have an impact on performance, but be open door if machine is stolen (and visa-versa) - Catch 22 really.

I have even thought of leaving the server unlocked and writing a program that deletes all files if the user does not enter in a password within 2 minutes of boot up. The issue is that it only takes one person to forget and you  have lost a whole pile of data!!!

amacfarlAuthor Commented:

Wow - What extremely thorough and complete answer.  I cant thank you enough.

Awarding you 500 points seems small token of thanks.  More is diserved

Rich RumbleSecurity SamuraiCommented:
Np, thank you and GL!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.