?
Solved

Securing Windows Xp - 7 laptops data against theft / loss

Posted on 2012-09-08
8
Medium Priority
?
853 Views
Last Modified: 2012-09-17
Hi

Am in search of a comprehensive solution to protect company's laptops against accidental loss or deliberate theft. As most of the laptops have Windows 7 Ultimate / Enterprise version on them, Bitlocker and EFS deployment comes to mind but doesn't cut a very clean manageable picture. Queries are:

1. Most of the laptops have HDD protection built in these days which can be controlled via BIOS level password. Is this password mechanism subject to hacking via rainbow tables?
2. If I do not have HDD protection password configured, Bitlocker is not AD domain integrated. If the AD or local admin password is compromised, Bitlocker becomes a moot point.
3. Windows 7 EFS seems a bit promising. But is this adequate protection against loss especially is emails are lying in a pst file outside of the EFS protected folder?

Tracking of the lost / stolen laptop is not so much of an issue as to guard against pilferge of information on the disk.

Thanks.
0
Comment
Question by:fahim
8 Comments
 
LVL 99

Expert Comment

by:John Hurst
ID: 38379810
If your laptop has a Hard Drive password (in addition to a BIOS or power on password), then the hard drive is very well protected. Rainbow tables are useless against hard drive passwords. I use the hard drive password on my business thinkpad computer.

.... Thinkpads_User
0
 
LVL 17

Accepted Solution

by:
selvol earned 1200 total points
ID: 38379867
PGP Whole disk encryption..


 With out a doubt I will, do and have put my life on it and it did not let me down....

Crack time PGP Billions of years.   (at least it states that in the manual.)

MY Real time attempts
11 months @ 23 million passphrases / sec........


Selvol
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 38380482
To keep administration cost low, hello support, I lost my password... you need some kind of managed service.

apart from pgp you can give drivecypt plus enterprise edition a try.

http://www.securstar.com/products_drivecryptpp_MC.php

This solution gives you a centralized management console you can use to reset passwords or log access attempts.

--
truecrypt is for free but you have to perform more manual tasks like saving the first 1 MB of the harddisk to recover passwords from each laptop.

http://www.cgsecurity.org/wiki/Recover_a_TrueCrypt_Volume

Tolomir
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 800 total points
ID: 38381238
Hi.

Bitlocker and EFS deployment comes to mind but doesn't cut a very clean manageable picture
You need to clarify what management options you need. Of course bitlocker is somewhat manageable.
You also wrote
If the AD or local admin password is compromised, Bitlocker becomes a moot point.
What does the local admin pw have to do with bitlocker? As long as you setup bitlocker to use preboot authentication (that's TPM + a PIN), having that password does not enable you to boot the pc.
0
 
LVL 17

Expert Comment

by:selvol
ID: 38381450
If you really DO NOT WANT unauthorized access and are very serious about it.
You can TRY what ever is thrown your way.

Or you can cut the chase and just get it done using PGP.
I give you my recommendation  from actual experience as do some others.

Here is actual 11 month Forensic attempt on a CLOSED case to penetrate a certain unnamed owners hard-rive by an official GOV
agency.

PGP

PGP Does it well and has no real noticeable  system resource issues.
I have used it for a decade and it is the first thing I install after the OS.
Selvol
0
 
LVL 57

Expert Comment

by:McKnife
ID: 38393875
Fahim, any feedback?
0
 

Author Closing Comment

by:fahim
ID: 38394336
In terms of manageability, I believe Bitlocker's dependency on local TPM chip for creating keys makes it a bit unmanageable in scenarios where establishments do not have SCCM otherwise there is a cool MMC snapin out there.

PGP is a bit costly over the other contenders within MDM gartner's leaders quadrant.

Though closing this question, but will relate to users on the way, I have chosen.

Regards
0
 
LVL 57

Expert Comment

by:McKnife
ID: 38407584
Bitlocker can be scripted and is not dependent on a TPM, you can also use startup keys from usb sticks or diskettes. But anyway, that's not applicable to xp.
0

Featured Post

Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
The Internet has made sending and receiving information online a breeze. But there is also the threat of unauthorized viewing, data tampering, and phoney messages. Surprisingly, a lot of business owners do not fully understand how to use security t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question