Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Beyond CMOS Password Security?

Posted on 2006-06-13
13
517 Views
Last Modified: 2010-04-11
I'm looking for a more secure solution to protect selected workstations (primarily XP Pro) on a nework. I know about the CMOS password, but it is to easy to get around. I'm looking for something stronger then that or OS dependent passwords.  Any ideas?
0
Comment
Question by:mapalaska2003
13 Comments
 
LVL 17

Expert Comment

by:jburgaard
ID: 16898458
If you are to buy new hw. Fingerscanning may interest you.
0
 
LVL 17

Expert Comment

by:jburgaard
ID: 16898574
Encryption of the content of HD is discussed in:
http://www.experts-exchange.com/Security/Q_21769182.html
0
 
LVL 24

Accepted Solution

by:
SunBow earned 125 total points
ID: 16898827
How much money? OTPs are good, there are several ways to add boards or special hard drives to harden units.

An alternative being developed is having the security on a small device loaded with linux that'll plug into about any interface you have. These are getting additional SW for configuring and detecting of SW upgrades to ensure some modicum of compliance.

I am generally a foe of encryption, it being abused enough to be more support problem than protection.

Ever hear of diskless workstation? Since security breakdown is higher at points of physical access, you can also do things like set the system to boot off the network, add keylocks, remove drives, etc.

It is just that eventually we secure so much that about the only way to get anything done is to get out some paper and a good pencil.
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 125 total points
ID: 16901448
For windows you can use the syskey boot password, currently I know of no tool to by-pass this. This only prevents someone from booting into windows from that HD, if the HD was removed it could be read with no other special steps.
If you want the data protected even if the HD is removed, then you need full disk encryption and the only reliable way to get that is to use a HD like the seagate offerings.
http://www.wavesys.com/news/press_archive/06/060213_Seagate.html not for sale yet, even though they are "notebook" or laptop drives, there are conversion cables that allow them to function as regular IDE/SATA drives for PC's.
I take that back, perhaps they are on sale...
http://www.newegg.com/Product/Product.asp?Item=N82E16822148073&ATT=22-148-073&CMP=OTC-d3alt1me
http://www.xbitlabs.com/articles/storage/display/seagate-momentus-54003.html

The syskey password to boot: typs "syskey" on the run line, in the options you'll see a place to put the password to boot
-rich
0
 
LVL 1

Expert Comment

by:Hyppy
ID: 16902165
We use hard drives that require a very complicated looking key to be inserted in order to function, as well as a password associated with only that key.  5 failed attempts, and the hard drive wipes itself.

No idea where this was purchased, ask Uncle Sam.
0
 
LVL 15

Expert Comment

by:bpmurray
ID: 16903033
Just a point on HD password: if your HD allows password protection, it is very important to use it. There have been exploits where unencrypted HDs have had a password added by a trojan, and the password is then sold - a form or extortion.
0
 
LVL 7

Assisted Solution

by:Okigire
Okigire earned 125 total points
ID: 16913754
How are CMOS passwords easy to get around, exactly?  It would be true that it's simple if you have access to the computer/jumper... but why not just put a lock on the computer and physically lock them out?  Most computers have hinges/lock loop now.

Nonetheless, to answer your question there are somewhat two ways to encrypt/secure the hard drive - hardware and software.
 * Hardware: You can use a device with a unique encryption key that will handle the encryption/decryption process.  For example, take a look at "HDLock" from Authenex (http://www.authenex.com/).  Basically, you start up the computer, and you need this "key" plugged in, or else the data will be complete garbage to the system.
 * Software: You can get a program to encrypt part of your hard drive (either an entire drive, or a file on a drive, or a hidden file inside another file, etc) so that the data is encrypted as well.  TrueCrypt (http://www.truecrypt.org/) is a free and excellent piece of software that will do this... fire up the program, and all the encrypted/"junk" data will suddenly become useful data.

On top of this, you can combine this with any number additional security measures:
 - biometrics (fingerprint/retinal scanning/voice recognition)
 - two-factor authentication (external device that gives a second-password, such as SecurID)
 - user-level access rights/permissions to the filesystem

We have no idea what you're actually doing, so some of the suggestions provided by everybody here may work better in some situations than others.  I've heard of people having some sort of striped RAID array and removing some of the drives.  Without those drives, the system fails with missing data... it's a little weird and not recommended, but your imagination (and time and money) is the limit!
0
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 125 total points
ID: 17067437
Just a remark: you can try http://www.securstar.com/products_drivecryptpp.php

DriveCrypt Plus Pack
Encrypts the whole operating system

- Full Disk Encryption (Encrypts parts or 100% of your HardDisk including the operating System)
- Pre-Boot authentication (BEFORE the machines boots, a password is requested to decrypt the disk and start your machine)
- Allows secure hiding of an entire operating system inside the free space of another operating system.
- Strong 256bit AES encryption
- USB-Token authentication at pre-boot level
0
 
LVL 7

Expert Comment

by:Okigire
ID: 17070493
It appears SunBow, Richcrumble, yourself (Tolomir), and my comment all appear to have a very good thought into the answer, providing reasons and resources for further research... all of these questions seemed to answer the original question as well.  I would suggest a point split here.
0
 

Author Comment

by:mapalaska2003
ID: 17132564
Thanks everyone for your suggestions.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). This paper is a compare and contrast of Russian and Chinese APT's.
It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question