Solved

Beyond CMOS Password Security?

Posted on 2006-06-13
503 Views
Last Modified: 2010-04-11
I'm looking for a more secure solution to protect selected workstations (primarily XP Pro) on a network. I know about the CMOS password, but it is too easy to get around. I'm looking for something stronger than that or OS-dependent passwords.  Any ideas?
0
Question by:mapalaska2003
13 Comments
 
LVL 17

Expert Comment

by:jburgaard
ID: 16898458
If you are to buy new hw, finger scanning may interest you.
0
 
LVL 17

Expert Comment

by:jburgaard
ID: 16898574
Encryption of the content of HD is discussed in:
http://www.experts-exchange.com/Security/Q_21769182.html
0
 
LVL 24

Accepted Solution

by:
SunBow earned 125 total points
ID: 16898827
How much money? OTPs are good, there are several ways to add boards or special hard drives to harden units.

An alternative being developed is having the security on a small device loaded with Linux that'll plug into about any interface you have. These are getting additional SW for configuring and detecting SW upgrades to ensure some modicum of compliance.

I am generally a foe of encryption, it being abused enough to be more support problem than protection.

Ever hear of a diskless workstation? Since security breakdown is higher at points of physical access, you can also do things like set the system to boot off the network, add keylocks, remove drives, etc.

It is just that eventually we secure so much that about the only way to get anything done is to get out some paper and a good pencil.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 125 total points
ID: 16901448
For Windows you can use the syskey boot password; currently I know of no tool to bypass this. This only prevents someone from booting into Windows from that HD; if the HD were removed it could be read with no other special steps.
If you want the data protected even if the HD is removed, then you need full disk encryption, and the only reliable way to get that is to use a HD like the Seagate offerings.
http://www.wavesys.com/news/press_archive/06/060213_Seagate.html (not for sale yet). Even though they are "notebook" or laptop drives, there are conversion cables that allow them to function as regular IDE/SATA drives for PCs.
I take that back, perhaps they are on sale...
http://www.newegg.com/Product/Product.asp?Item=N82E16822148073&ATT=22-148-073&CMP=OTC-d3alt1me
http://www.xbitlabs.com/articles/storage/display/seagate-momentus-54003.html

The syskey password to boot: type "syskey" on the Run line; in the options you'll see a place to put the password to boot.
-rich
0
 
LVL 1

Expert Comment

by:Hyppy
ID: 16902165
We use hard drives that require a very complicated looking key to be inserted in order to function, as well as a password associated with only that key.  5 failed attempts, and the hard drive wipes itself.

No idea where this was purchased, ask Uncle Sam.
0
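An added illustration, not code from syskey, Seagate, or any product named in this thread, of the distinction Rich Rumble draws above (a boot password gates start-up but leaves the platters readable once the drive is pulled into another machine, while encryption keyed from a pre-boot passphrase does not) together with the self-wiping behaviour Hyppy describes. The class names, the attempt limit of 5, the PBKDF2 round count and the use of HMAC-SHA256 in counter mode as a stand-in for a real disk cipher such as AES-XTS are all assumptions of this example:

```python
"""Toy model of a boot-time password check versus encryption at rest.

Constructed example for this discussion, not vendor code. HMAC-SHA256 in
counter mode stands in for a real disk cipher; do not reuse it as one.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # assumed for the demo; tune to the hardware in practice


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               PBKDF2_ROUNDS, dklen=32)


def keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """PRF keystream bound to the sector number, so identical plaintext in
    two sectors does not produce identical ciphertext."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class BootGateDisk:
    """Boot password only (syskey-style): the OS will not start without the
    password, but the sectors themselves hold plaintext."""

    def __init__(self, passphrase: str):
        self.salt = os.urandom(16)
        self.check = derive_key(passphrase, self.salt)
        self.sectors = {}

    def write(self, n: int, data: bytes) -> None:
        self.sectors[n] = data          # stored exactly as given

    def boot(self, passphrase: str) -> bool:
        return hmac.compare_digest(derive_key(passphrase, self.salt), self.check)

    def raw_read(self, n: int):
        """What a second machine sees after the drive is pulled: the data."""
        return self.sectors.get(n)


class EncryptedDisk:
    """Pre-boot authentication plus encryption at rest, with a constructed
    5-strikes self-wipe like the drives Hyppy mentions."""
    MAX_ATTEMPTS = 5  # assumed value

    def __init__(self, passphrase: str):
        self.salt = os.urandom(16)
        key = derive_key(passphrase, self.salt)
        # Key check value: lets the firmware tell a wrong passphrase apart
        # from a right one without storing the key itself.
        self.kcv = hmac.new(key, b"key-check", hashlib.sha256).digest()
        self.sectors = {}
        self.failures = 0
        self.wiped = False
        self._key = key                 # lives in RAM only while powered on

    def write(self, n: int, data: bytes) -> None:
        if self._key is None:
            raise PermissionError("disk is locked")
        self.sectors[n] = xor_bytes(data, keystream(self._key, n, len(data)))

    def read(self, n: int) -> bytes:
        if self._key is None:
            raise PermissionError("disk is locked")
        ct = self.sectors[n]
        return xor_bytes(ct, keystream(self._key, n, len(ct)))

    def power_off(self) -> None:
        self._key = None                # key gone; only ciphertext remains

    def unlock(self, passphrase: str) -> bool:
        """Pre-boot prompt. Wrong answers count toward the wipe threshold."""
        if self.wiped:
            return False
        key = derive_key(passphrase, self.salt)
        probe = hmac.new(key, b"key-check", hashlib.sha256).digest()
        if hmac.compare_digest(probe, self.kcv):
            self._key, self.failures = key, 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_ATTEMPTS:
            self.sectors.clear()        # the drive destroys its contents
            self.wiped = True
        return False

    def raw_read(self, n: int):
        """What a second machine sees after the drive is pulled: ciphertext."""
        return self.sectors.get(n)


if __name__ == "__main__":
    secret = b"quarterly payroll - do not distribute"   # constructed sample
    gate = BootGateDisk("correct horse")
    gate.write(7, secret)
    print("boot gate, drive pulled:", gate.raw_read(7))
    enc = EncryptedDisk("correct horse")
    enc.write(7, secret)
    enc.power_off()
    print("encrypted, drive pulled:", enc.raw_read(7).hex())
```

Running the block shows the boot-gated drive handing back the payroll line verbatim while the encrypted drive returns only sector-sized noise until the correct passphrase is entered at the pre-boot prompt.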
 
LVL 15

Expert Comment

by:bpmurray
ID: 16903033
Just a point on HD passwords: if your HD allows password protection, it is very important to use it. There have been exploits where unencrypted HDs have had a password added by a trojan, and the password is then sold - a form of extortion.
0
 
LVL 7

Assisted Solution

by:Okigire
Okigire earned 125 total points
ID: 16913754
How are CMOS passwords easy to get around, exactly?  It would be true that it's simple if you have access to the computer/jumper... but why not just put a lock on the computer and physically lock them out?  Most computers have hinges/lock loop now.

Nonetheless, to answer your question there are somewhat two ways to encrypt/secure the hard drive - hardware and software.
 * Hardware: You can use a device with a unique encryption key that will handle the encryption/decryption process.  For example, take a look at "HDLock" from Authenex (http://www.authenex.com/).  Basically, you start up the computer, and you need this "key" plugged in, or else the data will be complete garbage to the system.
 * Software: You can get a program to encrypt part of your hard drive (either an entire drive, or a file on a drive, or a hidden file inside another file, etc) so that the data is encrypted as well.  TrueCrypt (http://www.truecrypt.org/) is a free and excellent piece of software that will do this... fire up the program, and all the encrypted/"junk" data will suddenly become useful data.

On top of this, you can combine this with any number of additional security measures:
 - biometrics (fingerprint/retinal scanning/voice recognition)
 - two-factor authentication (external device that gives a second-password, such as SecurID)
 - user-level access rights/permissions to the filesystem

We have no idea what you're actually doing, so some of the suggestions provided by everybody here may work better in some situations than others.  I've heard of people having some sort of striped RAID array and removing some of the drives.  Without those drives, the system fails with missing data... it's a little weird and not recommended, but your imagination (and time and money) is the limit!
0
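An added example, not code from SecurID or any vendor named in this thread, of how the "external device that gives a second password" Okigire lists (and the OTPs SunBow mentions) work: an HOTP token and its verifier per RFC 4226. The class names, the look-ahead window of 5 and the demo secret are assumptions of this example; the secret `12345678901234567890` and its expected codes are the published RFC 4226 test vectors.

```python
"""HOTP (RFC 4226) event-based one-time password: token side and server side.

Constructed example. RFC 4226 Appendix D gives the expected codes for the
20-byte ASCII secret "12345678901234567890", used here to check the code.
"""
import hashlib
import hmac

RFC4226_SECRET = b"12345678901234567890"
RFC4226_CODES = ["755224", "287082", "359152", "969429", "338314",
                 "254676", "287922", "162583", "399871", "520489"]


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value: HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    reduced mod 10^digits and zero-padded."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """The fob in the user's hand: shares a secret with the server and
    advances its counter each time a code is shown."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self._secret, self.counter)
        self.counter += 1
        return code


class Verifier:
    """Server side. Accepts a code from a small look-ahead window so a few
    unused button presses do not lock the user out, then moves its counter
    past the matched value so the same code can never be replayed."""

    def __init__(self, secret: bytes, window: int = 5):
        self._secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self.counter = c + 1     # resynchronise and burn the counter
                return True
        return False


def rfc4226_vectors_match() -> bool:
    """Self-check against the published test vectors."""
    return [hotp(RFC4226_SECRET, c) for c in range(10)] == RFC4226_CODES


if __name__ == "__main__":
    print("RFC 4226 vectors:", "ok" if rfc4226_vectors_match() else "MISMATCH")
    fob, server = Token(RFC4226_SECRET), Verifier(RFC4226_SECRET)
    first = fob.press()
    print("first login:", server.verify(first))
    print("replay of same code:", server.verify(first))
```

The replay rejection is the property that makes the second factor worth having: a code observed on the wire or on the user's screen is dead the moment the server has consumed it, which a static CMOS or syskey password cannot offer.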
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 125 total points
ID: 17067437
Just a remark: you can try http://www.securstar.com/products_drivecryptpp.php

DriveCrypt Plus Pack
Encrypts the whole operating system

- Full Disk Encryption (Encrypts parts or 100% of your hard disk including the operating system)
- Pre-Boot authentication (BEFORE the machine boots, a password is requested to decrypt the disk and start your machine)
- Allows secure hiding of an entire operating system inside the free space of another operating system.
- Strong 256bit AES encryption
- USB-Token authentication at pre-boot level
0
 
LVL 7

Expert Comment

by:Okigire
ID: 17070493
It appears that SunBow, Rich Rumble, yourself (Tolomir), and I all put very good thought into the answer, providing reasons and resources for further research... all of these comments seemed to answer the original question as well.  I would suggest a point split here.
0
 

Author Comment

by:mapalaska2003
ID: 17132564
Thanks everyone for your suggestions.
0