Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Beyond CMOS Password Security?

Posted on 2006-06-13
13
Medium Priority
?
546 Views
Last Modified: 2010-04-11
I'm looking for a more secure solution to protect selected workstations (primarily XP Pro) on a nework. I know about the CMOS password, but it is to easy to get around. I'm looking for something stronger then that or OS dependent passwords.  Any ideas?
0
Comment
Question by:mapalaska2003
13 Comments
 
LVL 17

Expert Comment

by:jburgaard
ID: 16898458
If you are to buy new hw. Fingerscanning may interest you.
0
 
LVL 17

Expert Comment

by:jburgaard
ID: 16898574
Encryption of the content of HD is discussed in:
http://www.experts-exchange.com/Security/Q_21769182.html
0
 
LVL 24

Accepted Solution

by:
SunBow earned 500 total points
ID: 16898827
How much money? OTPs are good, there are several ways to add boards or special hard drives to harden units.

An alternative being developed is having the security on a small device loaded with linux that'll plug into about any interface you have. These are getting additional SW for configuring and detecting of SW upgrades to ensure some modicum of compliance.

I am generally a foe of encryption, it being abused enough to be more support problem than protection.

Ever hear of diskless workstation? Since security breakdown is higher at points of physical access, you can also do things like set the system to boot off the network, add keylocks, remove drives, etc.

It is just that eventually we secure so much that about the only way to get anything done is to get out some paper and a good pencil.
0
Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 16901448
For windows you can use the syskey boot password, currently I know of no tool to by-pass this. This only prevents someone from booting into windows from that HD, if the HD was removed it could be read with no other special steps.
If you want the data protected even if the HD is removed, then you need full disk encryption and the only reliable way to get that is to use a HD like the seagate offerings.
http://www.wavesys.com/news/press_archive/06/060213_Seagate.html not for sale yet, even though they are "notebook" or laptop drives, there are conversion cables that allow them to function as regular IDE/SATA drives for PC's.
I take that back, perhaps they are on sale...
http://www.newegg.com/Product/Product.asp?Item=N82E16822148073&ATT=22-148-073&CMP=OTC-d3alt1me
http://www.xbitlabs.com/articles/storage/display/seagate-momentus-54003.html

The syskey password to boot: typs "syskey" on the run line, in the options you'll see a place to put the password to boot
-rich
0
 
LVL 1

Expert Comment

by:Hyppy
ID: 16902165
We use hard drives that require a very complicated looking key to be inserted in order to function, as well as a password associated with only that key.  5 failed attempts, and the hard drive wipes itself.

No idea where this was purchased, ask Uncle Sam.
0
 
LVL 15

Expert Comment

by:bpmurray
ID: 16903033
Just a point on HD password: if your HD allows password protection, it is very important to use it. There have been exploits where unencrypted HDs have had a password added by a trojan, and the password is then sold - a form or extortion.
0
 
LVL 7

Assisted Solution

by:Okigire
Okigire earned 500 total points
ID: 16913754
How are CMOS passwords easy to get around, exactly?  It would be true that it's simple if you have access to the computer/jumper... but why not just put a lock on the computer and physically lock them out?  Most computers have hinges/lock loop now.

Nonetheless, to answer your question there are somewhat two ways to encrypt/secure the hard drive - hardware and software.
 * Hardware: You can use a device with a unique encryption key that will handle the encryption/decryption process.  For example, take a look at "HDLock" from Authenex (http://www.authenex.com/).  Basically, you start up the computer, and you need this "key" plugged in, or else the data will be complete garbage to the system.
 * Software: You can get a program to encrypt part of your hard drive (either an entire drive, or a file on a drive, or a hidden file inside another file, etc) so that the data is encrypted as well.  TrueCrypt (http://www.truecrypt.org/) is a free and excellent piece of software that will do this... fire up the program, and all the encrypted/"junk" data will suddenly become useful data.

On top of this, you can combine this with any number additional security measures:
 - biometrics (fingerprint/retinal scanning/voice recognition)
 - two-factor authentication (external device that gives a second-password, such as SecurID)
 - user-level access rights/permissions to the filesystem

We have no idea what you're actually doing, so some of the suggestions provided by everybody here may work better in some situations than others.  I've heard of people having some sort of striped RAID array and removing some of the drives.  Without those drives, the system fails with missing data... it's a little weird and not recommended, but your imagination (and time and money) is the limit!
0
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 500 total points
ID: 17067437
Just a remark: you can try http://www.securstar.com/products_drivecryptpp.php

DriveCrypt Plus Pack
Encrypts the whole operating system

- Full Disk Encryption (Encrypts parts or 100% of your HardDisk including the operating System)
- Pre-Boot authentication (BEFORE the machines boots, a password is requested to decrypt the disk and start your machine)
- Allows secure hiding of an entire operating system inside the free space of another operating system.
- Strong 256bit AES encryption
- USB-Token authentication at pre-boot level
0
 
LVL 7

Expert Comment

by:Okigire
ID: 17070493
It appears SunBow, Richcrumble, yourself (Tolomir), and my comment all appear to have a very good thought into the answer, providing reasons and resources for further research... all of these questions seemed to answer the original question as well.  I would suggest a point split here.
0
 

Author Comment

by:mapalaska2003
ID: 17132564
Thanks everyone for your suggestions.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Considering today’s continual security threats, which affect Information technology networks and systems worldwide, it is very important to practice basic security awareness. A normal system user can secure himself or herself by following these simp…
An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question