Securing Windows XP - 7 laptops data against theft / loss

Posted on 2012-09-08
Last Modified: 2012-09-17

Am in search of a comprehensive solution to protect company's laptops against accidental loss or deliberate theft. As most of the laptops have Windows 7 Ultimate / Enterprise version on them, Bitlocker and EFS deployment comes to mind but doesn't cut a very clean manageable picture. Queries are:

1. Most of the laptops have HDD protection built in these days which can be controlled via BIOS level password. Is this password mechanism subject to hacking via rainbow tables?
2. If I do not have HDD protection password configured, Bitlocker is not AD domain integrated. If the AD or local admin password is compromised, Bitlocker becomes a moot point.
3. Windows 7 EFS seems a bit promising. But is this adequate protection against loss, especially if emails are lying in a pst file outside of the EFS protected folder?

Tracking of the lost / stolen laptop is not so much of an issue as to guard against pilferage of information on the disk.

Question by:fahim
    LVL 89

    Expert Comment

    by:John Hurst
    If your laptop has a Hard Drive password (in addition to a BIOS or power on password), then the hard drive is very well protected. Rainbow tables are useless against hard drive passwords. I use the hard drive password on my business ThinkPad computer.

    .... Thinkpads_User
    LVL 17

    Accepted Solution

    PGP Whole disk encryption..

    Without a doubt I will, do and have put my life on it and it did not let me down....

    Crack time PGP Billions of years. (at least it states that in the manual.)

    MY Real time attempts
    11 months @ 23 million passphrases / sec........

    LVL 27

    Expert Comment

    To keep administration cost low, hello support, I lost my password... you need some kind of managed service.

    Apart from PGP you can give DriveCrypt Plus enterprise edition a try.

    This solution gives you a centralized management console you can use to reset passwords or log access attempts.

    TrueCrypt is free but you have to perform more manual tasks like saving the first 1 MB of the hard disk to recover passwords from each laptop.

    LVL 52

    Assisted Solution


    "Bitlocker and EFS deployment comes to mind but doesn't cut a very clean manageable picture"
    You need to clarify what management options you need. Of course bitlocker is somewhat manageable.
    You also wrote:
    "If the AD or local admin password is compromised, Bitlocker becomes a moot point."
    What does the local admin pw have to do with bitlocker? As long as you set up bitlocker to use preboot authentication (that's TPM + a PIN), having that password does not enable you to boot the PC.
    LVL 17

    Expert Comment

    If you really DO NOT WANT unauthorized access and are very serious about it.
    You can TRY whatever is thrown your way.

    Or you can cut to the chase and just get it done using PGP.
    I give you my recommendation from actual experience as do some others.

    Here is actual 11 month Forensic attempt on a CLOSED case to penetrate a certain unnamed owner's hard drive by an official GOV


    PGP does it well and has no real noticeable system resource issues.
    I have used it for a decade and it is the first thing I install after the OS.
    LVL 52

    Expert Comment

    Fahim, any feedback?

    Author Closing Comment

    In terms of manageability, I believe Bitlocker's dependency on local TPM chip for creating keys makes it a bit unmanageable in scenarios where establishments do not have SCCM; otherwise there is a cool MMC snap-in out there.

    PGP is a bit costly over the other contenders within MDM Gartner's leaders quadrant.

    Though closing this question, I will relate to users on the way I have chosen.

    LVL 52

    Expert Comment

    Bitlocker can be scripted and is not dependent on a TPM; you can also use startup keys from USB sticks or diskettes. But anyway, that's not applicable to XP.
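
As an added example (not part of the original thread and not Microsoft's code): a Python check for the point made in the comments above, that BitLocker protects a lost laptop only when the OS volume requires pre-boot authentication (TPM + PIN or a startup key). It parses text in the layout of `manage-bde -status`; the sample output is constructed, and the protector names in `PREBOOT` are assumed to match what the tool prints on your build.

```python
import re

# Constructed sample modelled on `manage-bde -status`; not captured from a real machine.
SAMPLE_TPM_ONLY = """\
Volume C: [OSDisk]
[OS Volume]

    Size:                 237.87 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password
"""
SAMPLE_TPM_PIN = SAMPLE_TPM_ONLY.replace("        TPM\n", "        TPM And PIN\n")

# Assumed protector names that demand a PIN or key at boot.
PREBOOT = {"TPM And PIN", "TPM And Startup Key",
           "TPM And PIN And Startup Key", "External Key"}

def parse_status(text):
    """Return {volume: {"fields": {...}, "protectors": [...]}}."""
    volumes, current, in_protectors = {}, None, False
    for line in text.splitlines():
        m = re.match(r"Volume (\w:)", line)
        if m:
            current = volumes.setdefault(m.group(1), {"fields": {}, "protectors": []})
            in_protectors = False
            continue
        stripped = line.strip()
        if current is None or not stripped or stripped.startswith("["):
            continue
        if stripped == "Key Protectors:":
            in_protectors = True
        elif in_protectors:
            current["protectors"].append(stripped)
        elif ":" in stripped:
            key, value = stripped.split(":", 1)
            current["fields"][key.strip()] = value.strip()
    return volumes

def audit(text):
    """Return {volume: [findings]}; an empty list means the volume passes."""
    report = {}
    for vol, info in parse_status(text).items():
        fields, prot, findings = info["fields"], set(info["protectors"]), []
        if fields.get("Conversion Status") != "Fully Encrypted":
            findings.append("not fully encrypted")
        if fields.get("Protection Status") != "Protection On":
            findings.append("protection off or suspended")
        if "TPM" in prot:  # bare TPM unlocks with no user input at boot
            findings.append("TPM-only protector: no pre-boot authentication")
        elif not prot & PREBOOT:
            findings.append("no pre-boot authentication protector")
        report[vol] = findings
    return report
```

On a laptop, feed `audit()` the captured output of `manage-bde -status` run from an elevated prompt and collect the findings centrally.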
