• Status: Solved
  • Priority: Medium

Securing Windows XP - 7 laptops data against theft / loss

Hi

Am in search of a comprehensive solution to protect the company's laptops against accidental loss or deliberate theft. As most of the laptops have Windows 7 Ultimate / Enterprise version on them, BitLocker and EFS deployment comes to mind but doesn't cut a very clean manageable picture. Queries are:

1. Most of the laptops have HDD protection built in these days which can be controlled via BIOS level password. Is this password mechanism subject to hacking via rainbow tables?
2. If I do not have HDD protection password configured, BitLocker is not AD domain integrated. If the AD or local admin password is compromised, BitLocker becomes a moot point.
3. Windows 7 EFS seems a bit promising. But is this adequate protection against loss, especially if emails are lying in a PST file outside of the EFS protected folder?

Tracking of the lost / stolen laptop is not so much of an issue as to guard against pilferage of information on the disk.

Thanks.
fahim
John (Business Consultant, Owner) Commented:
If your laptop has a Hard Drive password (in addition to a BIOS or power on password), then the hard drive is very well protected. Rainbow tables are useless against hard drive passwords. I use the hard drive password on my business ThinkPad computer.

.... Thinkpads_User
selvol Commented:
PGP Whole Disk Encryption..

Without a doubt I will, do, and have put my life on it, and it did not let me down....

Crack time PGP Billions of years.   (at least it states that in the manual.)

MY Real time attempts
11 months @ 23 million passphrases / sec........


Selvol
Tolomir (Administrator) Commented:
To keep administration cost low ("hello support, I lost my password...") you need some kind of managed service.

Apart from PGP, you can give DriveCrypt Plus Enterprise Edition a try.

http://www.securstar.com/products_drivecryptpp_MC.php

This solution gives you a centralized management console you can use to reset passwords or log access attempts.

--
TrueCrypt is free, but you have to perform more manual tasks, like saving the first 1 MB of the hard disk to recover passwords from each laptop.

http://www.cgsecurity.org/wiki/Recover_a_TrueCrypt_Volume

Tolomir
McKnife Commented:
Hi.

"Bitlocker and EFS deployment comes to mind but doesn't cut a very clean manageable picture"
You need to clarify what management options you need. Of course BitLocker is somewhat manageable.
You also wrote
"If the AD or local admin password is compromised, Bitlocker becomes a moot point."
What does the local admin pw have to do with BitLocker? As long as you set up BitLocker to use preboot authentication (that's TPM + a PIN), having that password does not enable you to boot the PC.
selvol Commented:
If you really DO NOT WANT unauthorized access and are very serious about it.
You can TRY whatever is thrown your way.

Or you can cut to the chase and just get it done using PGP.
I give you my recommendation from actual experience, as do some others.

Here is an actual 11-month forensic attempt on a CLOSED case to penetrate a certain unnamed owner's hard drive by an official GOV agency.

PGP

PGP does it well and has no real noticeable system resource issues.
I have used it for a decade and it is the first thing I install after the OS.
Selvol
McKnife Commented:
Fahim, any feedback?
fahim (Author) Commented:
In terms of manageability, I believe BitLocker's dependency on the local TPM chip for creating keys makes it a bit unmanageable in scenarios where establishments do not have SCCM; otherwise there is a cool MMC snap-in out there.

PGP is a bit costly over the other contenders within Gartner's MDM leaders quadrant.

I am closing this question, but will relate to users on the way I have chosen.

Regards
McKnife Commented:
BitLocker can be scripted and is not dependent on a TPM; you can also use startup keys from USB sticks or diskettes. But anyway, that's not applicable to XP.
Question has a verified solution.