Beyond CMOS Password Security?

I'm looking for a more secure solution to protect selected workstations (primarily XP Pro) on a network. I know about the CMOS password, but it is too easy to get around. I'm looking for something stronger than that or OS dependent passwords.  Any ideas?
mapalaska2003 Asked:
 
SunBow Commented:
How much money? OTPs are good, there are several ways to add boards or special hard drives to harden units.

An alternative being developed is having the security on a small device loaded with linux that'll plug into about any interface you have. These are getting additional SW for configuring and detecting of SW upgrades to ensure some modicum of compliance.

I am generally a foe of encryption, it being abused enough to be more support problem than protection.

Ever hear of a diskless workstation? Since security breakdown is higher at points of physical access, you can also do things like set the system to boot off the network, add keylocks, remove drives, etc.

It is just that eventually we secure so much that about the only way to get anything done is to get out some paper and a good pencil.
0
 
jburgaard Commented:
If you are to buy new hw, finger scanning may interest you.
0
 
jburgaard Commented:
Encryption of the content of HD is discussed in:
http://www.experts-exchange.com/Security/Q_21769182.html
0
 
Rich Rumble (Security Samurai) Commented:
For Windows you can use the syskey boot password; currently I know of no tool to bypass this. This only prevents someone from booting into Windows from that HD; if the HD was removed it could be read with no other special steps.
If you want the data protected even if the HD is removed, then you need full disk encryption and the only reliable way to get that is to use a HD like the Seagate offerings.
http://www.wavesys.com/news/press_archive/06/060213_Seagate.html not for sale yet. Even though they are "notebook" or laptop drives, there are conversion cables that allow them to function as regular IDE/SATA drives for PCs.
I take that back, perhaps they are on sale...
http://www.newegg.com/Product/Product.asp?Item=N82E16822148073&ATT=22-148-073&CMP=OTC-d3alt1me
http://www.xbitlabs.com/articles/storage/display/seagate-momentus-54003.html

The syskey password to boot: type "syskey" on the run line; in the options you'll see a place to put the password to boot
-rich
0
 
Hyppy Commented:
We use hard drives that require a very complicated looking key to be inserted in order to function, as well as a password associated with only that key.  5 failed attempts, and the hard drive wipes itself.

No idea where this was purchased, ask Uncle Sam.
0
 
bpmurray Commented:
Just a point on HD password: if your HD allows password protection, it is very important to use it. There have been exploits where unencrypted HDs have had a password added by a trojan, and the password is then sold - a form of extortion.
0
 
Okigire Commented:
How are CMOS passwords easy to get around, exactly?  It would be true that it's simple if you have access to the computer/jumper... but why not just put a lock on the computer and physically lock them out?  Most computers have hinges/lock loop now.

Nonetheless, to answer your question there are somewhat two ways to encrypt/secure the hard drive - hardware and software.
 * Hardware: You can use a device with a unique encryption key that will handle the encryption/decryption process.  For example, take a look at "HDLock" from Authenex (http://www.authenex.com/).  Basically, you start up the computer, and you need this "key" plugged in, or else the data will be complete garbage to the system.
 * Software: You can get a program to encrypt part of your hard drive (either an entire drive, or a file on a drive, or a hidden file inside another file, etc) so that the data is encrypted as well.  TrueCrypt (http://www.truecrypt.org/) is a free and excellent piece of software that will do this... fire up the program, and all the encrypted/"junk" data will suddenly become useful data.

On top of this, you can combine this with any number of additional security measures:
 - biometrics (fingerprint/retinal scanning/voice recognition)
 - two-factor authentication (external device that gives a second-password, such as SecurID)
 - user-level access rights/permissions to the filesystem

We have no idea what you're actually doing, so some of the suggestions provided by everybody here may work better in some situations than others.  I've heard of people having some sort of striped RAID array and removing some of the drives.  Without those drives, the system fails with missing data... it's a little weird and not recommended, but your imagination (and time and money) is the limit!
0
 
Tolomir (Administrator) Commented:
Just a remark: you can try http://www.securstar.com/products_drivecryptpp.php

DriveCrypt Plus Pack
Encrypts the whole operating system

- Full Disk Encryption (Encrypts parts or 100% of your HardDisk including the operating System)
- Pre-Boot authentication (BEFORE the machine boots, a password is requested to decrypt the disk and start your machine)
- Allows secure hiding of an entire operating system inside the free space of another operating system.
- Strong 256bit AES encryption
- USB-Token authentication at pre-boot level
0
 
Okigire Commented:
It appears SunBow, Richcrumble, yourself (Tolomir), and my comment all appear to have a very good thought into the answer, providing reasons and resources for further research... all of these questions seemed to answer the original question as well.  I would suggest a point split here.
0
 
mapalaska2003 (Author) Commented:
Thanks everyone for your suggestions.
0
Question has a verified solution.
