What are the best practices for securing data on a laptop?

This question does not include a perfect world

The people I'm concerned with use laptops with either XP Home or XP Professional, they do not belong to a Domain and their laptops are their file servers as well.

I've had them do the following, but I am still trying to figure out if this is the best I can do.

- Ghost the machine daily
- Strong password
- Compress files that contain sensitive data
- Encrypt files that contain sensitive data
- Install software that finds the laptop if it's been stolen

Is this the best I can do? Trying to get them to upgrade from XP Home to Professional works in only a small number of cases.

thanks for the help

Turn off file sharing for starters, have a firewall, keep antivirus definitions up to date. Depending on what the value of the data is, encryption and a tracking service in case of theft are musts (most places, data isn't considered that valuable and therefore skip those two things).

Strong passwords are always a must. 8+ characters with complexity. You can also go through some of the steps for OS hardening like having a dummy Administrator account that's disabled and has no access to anything after you've renamed the real one.

If they have wireless cards, have a policy in place requiring that they take steps to use those networks securely. Either via encryption at home or using a secure proxy in a public hotspot.

Ghosting a laptop daily is not a feasible proposition.
Set a BIOS password (for both the administrator and user section of the BIOS.)  Configure laptops so boot order cannot be changed, and can't be booted from CD or floppy.  User boot password will be a requirement for starting up the PC.
BIOS password is not a good solution (but it helps), because you can
find on the internet how-tos and remove the password.
I've done it dozens of times..

Anyway, file encryption is a good start, also, I would recommend you
to use some utilities that physically erase the data on the hdd, because
you know, when you delete a file in Windows (or DOS, or etc.) you
don't actually delete the file data, but rather the flag saying that the
sectors occupied by the data of that file, are from now on, free.
So, anybody can get some data recovery software, and get all of the
data back easily.

One hint about the passwords.. The one REALLY good way to create
very strong passwords is this: find one song that you like, and if you
know the words of that song, take the first letters of the words from
the lyrics of that song. That way you can get an easy to remember
password, that is about 20-30 characters long :))

for example: Like A Virgin, Touch For A Very First Time (LAVTFAVFT)
you get the point ;)

and also, when you compress/encrypt data, also compress the
filenames listed in that archive, so it won't display as a plain text
when first opened.
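The point above about deleted files, as an added example that is not part of the original post: a Python sketch that overwrites a file's bytes in place before removing it. The file name and marker are constructed, and it assumes a filesystem that rewrites blocks in place (FAT or uncompressed NTFS on a spinning disk); SSDs, compressed or EFS files, and older copies elsewhere on the disk are not covered.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # overwrite in 64 KiB pieces so large files do not sit in memory


def overwrite_in_place(path, passes=1):
    """Replace every byte of the file with random data, keeping its length."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:          # r+b: update existing blocks, no truncate
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())          # push the new bytes out of the OS cache
    return size


def wipe_and_delete(path, passes=1):
    """Overwrite the contents, rename to a random name, then delete."""
    overwrite_in_place(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)             # the original file name leaves the directory entry
    os.remove(anonymous)


def demo():
    """Constructed sample: write a marker, overwrite, confirm the marker is gone."""
    marker = b"ACCOUNT 0000-CONSTRUCTED-SAMPLE"
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "customer.txt")
    with open(path, "wb") as fh:
        fh.write(marker * 100)
    size_before = os.path.getsize(path)

    overwrite_in_place(path)
    with open(path, "rb") as fh:
        data = fh.read()
    marker_survived = marker in data

    wipe_and_delete(path)
    still_exists = os.path.exists(path)
    os.rmdir(workdir)
    return size_before, len(data), marker_survived, still_exists


if __name__ == "__main__":
    print(demo())
```
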

One very nice thing to do is to add hard disk lock passwords from within CMOS setup. Of course I'm not talking about normal CMOS passwords, but rather some technology called DriveLock on Compaq/HP laptops (don't know if it's called the same by other vendors). This feature comes with most relatively new laptops (probably 1 or 2 years old). The DriveLock technology causes a hard disk to deny all read/write requests sent to the hard disk unless the DriveLock password that you have specified is entered at startup (as in the case with CMOS passwords). Even if the hard disk is moved to another PC/laptop, it will still not work.
In other words, you cannot read/write/format a hard disk protected with DriveLock. You can only physically damage it (if it really makes a difference) :-)

As far as I know, there is no known method to read/remove/bypass the password without having to type the correct one. Even the hard disk manufacturer claims that he won't be able to help!!

If you are trying to protect your data against physical theft, then this is the perfect solution. A CMOS password can be easily cleared (or even read using some hardware), and encrypting the whole filesystem or just some of your files affects performance and is not secure enough (see the internet for different archive password crackers). Just take care of the following (VERY IMPORTANT):

1. Use strong passwords (created by mixing uppercase and lowercase letters and digits).
2. NEVER use the same password for CMOS and DriveLock!!! CMOS passwords *can* be read using special hardware.


  Nayer Naguib
Too much of your system depends on the user to do these tasks. Also, laptops receive the most abuse; consequently, their drives fail more often than other form factors of computers. Simple methodology for all of this is:

Determine if the data is important
Determine if the company can withstand data loss, or theft.
If not, don't worry about it. If the data is important, and you are responsible for the data integrity, I would find another job as you are being set up for failure and it is only a matter of time until something critical is lost or stolen.

The obvious solution here is to invest in a domain, strong authentication and automated data backups. There are products out there that will back up the laptops if they are off the network, as long as they have a data connection. Put a policy in place whereby all data will be stored on encrypted disks and require biometric authentication to access the PC and data therein, as it sounds like people travel w/ the laptops and physical security is a concern.
Rich Rumble (Security Samurai) commented:
Everything, except the daily ghosting, is very good... You may invite more trouble by having them reimage the PC daily; hopefully the re-image contains the updated docs and files that they need, perhaps on a second partition...
Rather than ghosting daily, I assume to keep only approved software, and eliminate spyware etc... you may have a look at DeepFreeze, or Norton's GoBack utilities. Not as cheap as ghosting... but more of an enterprise solution.

Encryption is your best bet at securing the data your users need to keep secret; naturally a strong pass is necessary also. I'd avoid M$ EFS at all costs, use a product like TrueCrypt, PGP or Steganos Security Suite. You can set hard-drive passes and BIOS passwords until you're blue in the face if you wish; security involves trade-offs, typically money and ease-of-use. In this case you can basically make it easy to use, and not spend much if any money in the process. I vote for using just the encryption (compression and encryption can often be mutually exclusive).

Data wiping is important; if you use a data wiping utility, I'd suggest one that implements the Gutmann method (Steganos does this) http://en.wikipedia.org/wiki/Gutmann_method
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html (get out your electron microscope)

With physical access to the laptop, such as in the case of it being stolen... "fake admin" accounts, bios passwords, and "hard-drive" locks are all very by-passable. Encryption is a much harder hurdle, AES, BlowFish, SHA-2 with 128-256 bit should be fine, even if you rented a SUN cluster for a few days http://www.sun.com/service/grid/

Also abandon hope for "dial-home" laptop devices; their successes are few and far between. Your laptops won't be able to tell you where they are, and if they did, they won't be there any longer when the authorities do arrive.
Other best-practices also apply. Firewall, Backups, KISS, Security isn't a Program it's a Process... etc... http://xinn.org/win_bestpractices.html http://www.schneier.com/blog/archives/2004/12/safe_personal_c.html
Without "U" there is no SECURITY!!

Is one of the many slogans I have heard, and truly, without the aid of security-minded users, all of your security plans may be laid to waste.  If you have users that are using unsecured, unauthorized hardware and software you are inviting problems at an extreme but plausible case.  You do not know what viruses, spyware, trojans may be unwittingly unleashed upon your network if there are no controls on how the equipment interacts.  If you are serious about security you have to get those "rogue" users to play by either your rules or the security officer's rules.  Then of course, make sure you have seriously considered rules for them to follow.  Also make sure you have HR impacting resolutions if the security protocol is breached.

After that, it will be an issue of how to layer your security.  Most of the ideas above seem pretty decent or novel. Key fob security seems especially interesting.

But FYI all of the financials I've worked for only didn't have anything that was considered "NATIONAL SECURITY" or anything like that.  Everyone used bank authorized equipment, so everyone had a standard PC or laptop with a standard build (anti-virus and passwords were the most in security); any important docs were required to be stored on network drives.  Any data on the laptops was the responsibility of the user.  I've had broken laptops, but never stolen ones.
If you need to control information going out of your company, it will definitely be a massive effort.

Download a trial beta copy of Vista.  You will find the ONE strong point of the new OS is built-in data security and encryption.  Most of what you say here is great, but will be eclipsed by VISTA features.  Check it out NOW, so you are ahead of the game, and ready to institute strategy when it becomes public in 6 months.
Vista? Is that EVER going to come out? :-)
openbsd rules :)
Any system where the encrypted files and encryption keys or key data are stored locally is foolish; store users' encryption keys on a USB drive. If someone steals the laptop they will need massive computing power to break anything, but if you have the keys right on there you may as well not encrypt anything.

For god's sake DON'T use an unsupported, beta version of an operating system! There will be many bugs on it that will make it much LESS secure.

Installing software that will find the laptop is a waste of time. If a laptop gets stolen it's either going to get wiped anyway, or it won't be put on the internet where the "finder" can see it.

Some ways to protect them:
- don't allow access to unencrypted wireless networks
- make it mandatory to have a good antivirus program
- install all security patches for all software
- don't allow filesharing or connecting to IRC channels

Teach users good sense. You'd think that intelligent and educated people wouldn't open unsolicited email, fall for phishing scams, or IM to anyone who wants to talk to them, but they do routinely. Training, training, training.
Apart from all excellent practices mentioned above?

I store all customer related data on my laptop using http://www.truecrypt.org. Yes - it's a dot-org domain. Free download, people.

It does on-the-fly hard drive encryption using very strong crypto-algorithms (AES-256, Blowfish (448-bit key), CAST5, Serpent, Triple DES, Twofish, and many CASCADING combinations of those), completely transparent to the operating system. Do you know another free tool that does that?

Basically, when the filesystem is not mounted (using a password, program nags if the password is < 12 characters) then all raw data, the ENTIRE partition, including file system tables, is encrypted. Just a bunch of random data, you couldn't even tell what file system it is.

It even handles situations where somebody uses violence to force you to mount the volume: it has "plausible deniability" and it mounts a file system with "interesting looking files". Read all about that in the documentation. All of that for free.

It supports both partition-based and file-based containers: meaning you can also create a, say, 200 MB file and use that as an encrypted hard drive (you can even scandisk and defrag it).

I love it. Did I mention it is free?
Rich Rumble (Security Samurai) commented:
c7c4c7 (Author) commented:
When I originally asked this question I didn't include firewall or anti virus in the list, but all machines have both installed.

I do like the idea of using the CMOS password. I understand that there is software that will break them, but I wonder about the intelligence of the folks that are stealing the laptops.  Also, the software to break user passwords is also readily available on the internet, so even secure passwords are really a waste of time.

Combining the 2 as well as encrypting the hard drives just makes it very difficult to use the machine if it is stolen and makes it very hard for the person to make use of the data stored on the hard drive.

I've been using encryption provided by the OS rather than finding a 3rd party program.  What is the performance impact of using things like Truecrypt?
Rich Rumble (Security Samurai) commented:
Not much with modern hardware. M$ EFS however has several recovery vectors: number one is it writing a plain-text temp file and "deleting" it, and number two, as pointed out above, storing the private key and public key on the HD makes recovery very easy (elcomsoft AEFSDR); resetting the admin password also gives you the ability to recover the files, on non-domain PCs.

Again, the cmos is simple, remove the battery, short this pin to that pin, bios is reset, no more password. You can take a PC to a local repair man, or best-buy and they will reset them. It's also easy to get replacement motherboards, and cheap too...(nowadays)

http://support.microsoft.com/kb/315672 (excerpt)
If you create files in plain text and then encrypt them, Encrypting File System (EFS) makes a backup copy of the file so that, if an error occurs during the encryption process, the data is not lost. After the encryption is complete, the backup copy is deleted. As with other deleted files, the data is not completely removed until it has been overwritten. The new version of the Cipher utility is designed to prevent unauthorized recovery of such data.

With physical access, your best bet is encryption that you can't brute-force or hack in a reasonable amount of time. TrueCrypt uses AES-256 by default, which is plenty of protection; never say never, but if the password is sufficient the data will remain secured for a long time. Keyloggers make BF null; however, if the LT is stolen, and you've got AV and a firewall on it, you shouldn't have to worry too much about keyloggers.
Well, when I was talking about setting a password from the CMOS setup, I was talking about a DriveLock password, which has nothing to do with CMOS contents. Removing the battery means nothing here! Actually, if you forget this password, the hard disk becomes ***useless***.

The only method I can think of for accessing data on the hard disk is brute force attack. And here's where strong passwords come in handy. Check this out:

Being able to use uppercase/lowercase/numeric characters for the password gives you 26+26+10=62 possibilities for each character.
Having 8 characters to type gives 62^8=218,340,105,584,896 possibilities for different passwords (over 200 trillion possibilities)!!!!

I'd be more than happy if you can tell me how to crack such a password in a couple of years (or decades??) ;-)

By the way, you type this password before booting into *anything*. So your password will **never** be logged by any kind of software. Attaching hardware keyloggers to laptops is not an easy thing to do. :-)

One more thing: since accessing data on hard disk becomes quite a "difficult" task (after all, nothing is impossible!), I can see no reason for encrypting the whole filesystem! It just adds some overhead to read/write operations, and I think this overhead *is* significant.

Finally, take a look at this "war":


This question has been receiving posts for about 2.5 years!!! The accepted answer was "Points refunded" :-)


  Nayer Naguib
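The keyspace arithmetic in the post above, carried through as an added example (not part of the original thread). It also applies the same count to the lyrics-initials password `LAVTFAVFT` quoted earlier in the thread; the guess rate is an assumed figure for illustration, not a measured one for DriveLock or any other product.

```python
import math
import string

# Character classes a password may draw from.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password):
    """Total size of the character classes the password actually uses.

    Characters outside the four classes above are ignored.
    """
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def keyspace(alphabet, length):
    """Number of distinct passwords of exactly this length."""
    return alphabet ** length


def entropy_bits(alphabet, length):
    """Bits of entropy if every character is chosen uniformly at random."""
    return length * math.log2(alphabet)


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate; the average is half of this."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare(passwords, guesses_per_second):
    """One row per password: alphabet, keyspace, entropy, worst-case years."""
    rows = []
    for pw in passwords:
        a = alphabet_size(pw)
        space = keyspace(a, len(pw))
        rows.append({
            "password": pw,
            "alphabet": a,
            "keyspace": space,
            "bits": round(entropy_bits(a, len(pw)), 1),
            "years": years_to_exhaust(space, guesses_per_second),
        })
    return rows


if __name__ == "__main__":
    ASSUMED_RATE = 1_000_000  # guesses per second, an assumption for illustration
    # "aB3dE6gH" is a constructed 8-character upper/lower/digit password.
    for row in compare(["aB3dE6gH", "LAVTFAVFT"], ASSUMED_RATE):
        print(row)
```

The result depends on the alphabet as much as the length: nine uppercase-only letters give a smaller keyspace than eight characters drawn from all 62, and initials taken from a known song are not chosen at random, so the figure for them is an upper bound.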
On the other hand, having some software encrypt your file system *implies* that some software should run first when you start your computer and ask about your password. This, in turn, means that this software can be patched by some malicious software. If you pay me enough to write this malicious software (joking), I'll just write a couple of lines that will modify the keyboard interrupt handler so that each key typed gets logged somewhere on the hard disk (not in the form of a file under the encrypted file system, of course!!).


  Nayer Naguib
Saw it mentioned briefly, but to elaborate, you need to check what's being shared.  Go to Command Prompt and type Net Share.  If they have a $ after the file name, they are hidden. If your user has some files in their "My Documents" section or elsewhere and they are shared by default, you will want to remove the share or at least hide it.  To remove file and print sharing, go to the Control Panel, Network Connections, select File and Print Sharing and uninstall it.
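The `net share` check described above, as an added example that is not part of the original post: a Python parser that sorts each share into default administrative, hidden, or visible. The sample output is constructed, and the parser assumes share names contain no spaces.

```python
import re

# Constructed sample of `net share` output from a standalone XP laptop.
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
SharedDocs   C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS
Clients$     C:\Work\Clients
PatDocs      C:\Documents and Settings\Pat\My Documents
The command completed successfully.
"""

# Shares Windows creates on its own: drive roots (C$, D$ ...), ADMIN$, IPC$, PRINT$.
DEFAULT_ADMIN = re.compile(r"^(?:[A-Z]\$|ADMIN\$|IPC\$|PRINT\$)$", re.IGNORECASE)
# A drive-letter path, ending at a run of 2+ spaces (the Remark column) or end of line.
PATH = re.compile(r"([A-Za-z]:\\.*?)(?:\s{2,}|$)")


def parse_net_share(text):
    """Return [(share_name, local_path)] from `net share` output."""
    shares = []
    in_table = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("---"):        # the dashed rule ends the header
            in_table = True
            continue
        if line.startswith("The command"):
            break
        if not in_table or not line or line[0].isspace():
            continue                      # header, blank or wrapped continuation line
        name, _, rest = line.partition(" ")
        match = PATH.search(rest)
        shares.append((name, match.group(1) if match else ""))
    return shares


def classify(name):
    if DEFAULT_ADMIN.match(name):
        return "default-admin"
    if name.endswith("$"):
        # Hidden from network browsing only; still reachable by anyone who knows the name.
        return "hidden"
    return "visible"


def audit(text):
    """Return [(share_name, local_path, kind)] for every share listed."""
    return [(n, p, classify(n)) for n, p in parse_net_share(text)]


def needs_review(text):
    """Names of shares that show up when the machine is browsed on the network."""
    return [n for n, _path, kind in audit(text) if kind == "visible"]


if __name__ == "__main__":
    for row in audit(SAMPLE_NET_SHARE):
        print(row)
    print("review:", needs_review(SAMPLE_NET_SHARE))
```
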
Rich Rumble (Security Samurai) commented:
If someone was really determined enough, typically replacing the PCB board on the bottom (as the manufacturer will do when you need the HD unlocked) of the HD... not many will go to that length. If you have a nice LT stolen, and the HD is encrypted, or locked, the effort/time/money aren't worth it. Most likely the HD would be removed and replaced, or if they don't seem to know what to do the LT may just be a loss, still the data remains. TrueCrypt is free, secure and easy to use, very little training needs to be done (does everyone know how to right-click?). The locking HD will likely be just as good at protecting the data from being retrieved for a "casual thief". SeaGate was the first I've seen to actually have the HD encrypted, where replacing the PCB board (controller) on the bottom does no good, as the actual data is encrypted. Prior to that, most hard drive "locks" simply disabled the read/write heads on the HD until the proper pass was supplied.

And to be sure, Security is a Process, not a Product. It's also a balancing act between money/usability and risk of exposure. If key-loggers and rootkits don't seem like likely vectors for your users, then why not use TrueCrypt, Steganos Security Suite etc... if they do, purchase yourself some new HDs for the LTs so the HD can be encrypted/locked.
c7c4c7 (Author) commented:
First off thanks for all of the response I've learned a lot.

Originally I said that my current practices were
Ghost the machine daily
Strong password
compress files that contain sensitive data
encrypt files that contain sensitive data
Install software that find the laptop if it's been stolen
I did not mention that a firewall and Anti Virus were also automatically installed on all machines.

After following all of the posts it seems that I am already doing everything that everyone would suggest that I do other than applying a CMOS password or loading something like DRIVELOCK.  These suggestions are open for debate as to whether they are worth the time to implement.

Did I miss anything here?

Rich Rumble (Security Samurai) commented:
Yes, I think your current practices are sufficient as well. I'm looking forward to the release of the SeaGate FDE drives later this year.
I don't see any glaring issues with your approach. Big thing is what value you're applying to the data vs. the amount you're spending to secure that same data.
Rich Rumble (Security Samurai) commented:
no problem
Given that the DriveLock feature takes about 1 minute to activate on each computer, and that the password cannot be logged (using Trojans, key-loggers, etc...), and that replacing a circuit board of a drive is not fun at all (first you need to find an identical unlocked board, and then you will most probably destroy both drives) :-), I think it *is* worth spending some time to protect computers with DriveLock.


  Nayer Naguib
Closed, 500 points refunded.
The Experts Exchange
Community Support Moderator of all Ages
