Solved

Beyond CMOS Password Security?

Posted on 2006-06-13
Last Modified: 2010-04-11
I'm looking for a more secure solution to protect selected workstations (primarily XP Pro) on a network. I know about the CMOS password, but it is too easy to get around. I'm looking for something stronger than that or OS-dependent passwords. Any ideas?
Question by:mapalaska2003
13 Comments
 
LVL 17

Expert Comment

by:jburgaard
ID: 16898458
If you are to buy new hw, finger scanning may interest you.
 
LVL 17

Expert Comment

by:jburgaard
ID: 16898574
Encryption of the content of HD is discussed in:
http://www.experts-exchange.com/Security/Q_21769182.html
 
LVL 24

Accepted Solution

by:
SunBow earned 125 total points
ID: 16898827
How much money? OTPs are good, there are several ways to add boards or special hard drives to harden units.

An alternative being developed is having the security on a small device loaded with linux that'll plug into about any interface you have. These are getting additional SW for configuring and detecting of SW upgrades to ensure some modicum of compliance.

I am generally a foe of encryption, it being abused enough to be more support problem than protection.

Ever hear of diskless workstation? Since security breakdown is higher at points of physical access, you can also do things like set the system to boot off the network, add keylocks, remove drives, etc.

It is just that eventually we secure so much that about the only way to get anything done is to get out some paper and a good pencil.
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 125 total points
ID: 16901448
For Windows you can use the syskey boot password; currently I know of no tool to bypass this. This only prevents someone from booting into Windows from that HD; if the HD was removed it could be read with no other special steps.
If you want the data protected even if the HD is removed, then you need full disk encryption, and the only reliable way to get that is to use a HD like the Seagate offerings.
http://www.wavesys.com/news/press_archive/06/060213_Seagate.html not for sale yet. Even though they are "notebook" or laptop drives, there are conversion cables that allow them to function as regular IDE/SATA drives for PCs.
I take that back, perhaps they are on sale...
http://www.newegg.com/Product/Product.asp?Item=N82E16822148073&ATT=22-148-073&CMP=OTC-d3alt1me
http://www.xbitlabs.com/articles/storage/display/seagate-momentus-54003.html

The syskey password to boot: type "syskey" on the run line; in the options you'll see a place to put the password to boot.
-rich
 
LVL 1

Expert Comment

by:Hyppy
ID: 16902165
We use hard drives that require a very complicated looking key to be inserted in order to function, as well as a password associated with only that key.  5 failed attempts, and the hard drive wipes itself.

No idea where this was purchased, ask Uncle Sam.
 
LVL 15

Expert Comment

by:bpmurray
ID: 16903033
Just a point on HD password: if your HD allows password protection, it is very important to use it. There have been exploits where unencrypted HDs have had a password added by a trojan, and the password is then sold - a form of extortion.
 
LVL 7

Assisted Solution

by:Okigire
Okigire earned 125 total points
ID: 16913754
How are CMOS passwords easy to get around, exactly?  It would be true that it's simple if you have access to the computer/jumper... but why not just put a lock on the computer and physically lock them out?  Most computers have hinges/lock loop now.

Nonetheless, to answer your question there are somewhat two ways to encrypt/secure the hard drive - hardware and software.
 * Hardware: You can use a device with a unique encryption key that will handle the encryption/decryption process.  For example, take a look at "HDLock" from Authenex (http://www.authenex.com/).  Basically, you start up the computer, and you need this "key" plugged in, or else the data will be complete garbage to the system.
 * Software: You can get a program to encrypt part of your hard drive (either an entire drive, or a file on a drive, or a hidden file inside another file, etc) so that the data is encrypted as well.  TrueCrypt (http://www.truecrypt.org/) is a free and excellent piece of software that will do this... fire up the program, and all the encrypted/"junk" data will suddenly become useful data.

On top of this, you can combine this with any number of additional security measures:
 - biometrics (fingerprint/retinal scanning/voice recognition)
 - two-factor authentication (external device that gives a second-password, such as SecurID)
 - user-level access rights/permissions to the filesystem

We have no idea what you're actually doing, so some of the suggestions provided by everybody here may work better in some situations than others.  I've heard of people having some sort of striped RAID array and removing some of the drives.  Without those drives, the system fails with missing data... it's a little weird and not recommended, but your imagination (and time and money) is the limit!
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 125 total points
ID: 17067437
Just a remark: you can try http://www.securstar.com/products_drivecryptpp.php

DriveCrypt Plus Pack
Encrypts the whole operating system

- Full Disk Encryption (Encrypts parts or 100% of your HardDisk including the operating System)
- Pre-Boot authentication (BEFORE the machines boots, a password is requested to decrypt the disk and start your machine)
- Allows secure hiding of an entire operating system inside the free space of another operating system.
- Strong 256bit AES encryption
- USB-Token authentication at pre-boot level
 
LVL 7

Expert Comment

by:Okigire
ID: 17070493
It appears SunBow, Rich Rumble, yourself (Tolomir), and my comment all appear to have a very good thought into the answer, providing reasons and resources for further research... all of these questions seemed to answer the original question as well.  I would suggest a point split here.
 

Author Comment

by:mapalaska2003
ID: 17132564
Thanks everyone for your suggestions.