g8rcub asked:
Best option for encryption, domain and remote computers

I have been asked to put encryption on all of our computers on the domain and other off-site laptops used by some of our partner agencies.  I wanted to see what the best options were.  BitLocker was my first choice since it is free; we run Windows 7 Enterprise here at our home office.  However, the other computers in the field are a mix of Vista and other versions of Windows that do not include BitLocker, so I'd have to include upgrading the licensing costs and the time associated with reloading these laptops.

Another encryption method I looked into was Symantec PGP, which can be costly per license, but then I don't have to worry about upgrading the OS on the older laptops.

Ideally, I'd like to have something where I could manage everything from a web console, something like LogMeIn management interface; I just don't know if that exists.  It looks like BitLocker can be integrated with Active Directory here on my domain but that leaves me with a bunch of computers that are not on the domain to deal with.  I am trying to keep things as simple and reliable as possible.

One concern I have is the users in the field not being careful with their encryption "key"... I find sticky notes with their passwords stuck to the laptops pretty often when they come in for updates... so I can imagine the pass key for encryption would also be on that sticky note thus rendering the encryption useless if it was stolen.  There is the USB key encryption but again, I am pretty sure the USB stick would either be left in the computer or in the computer bag... rendering the encryption useless again if stolen.  I am also concerned with ease of recovery should someone lose their key.

Are there any encryption software options out there which offer web management and easy recovery options?

Thanks!
Chuck Szymaszek:

We use Absolute LoJack to protect our laptops, as it offers a web interface and ways of tracking, purging and locking down your devices that are out of the office. Here is the link: http://lojack.absolute.com/en

And the cost is not that much the more you buy into the system... they even get the police involved if the unit goes astray!
Lee W, MVP:
I'm not familiar with absolute lojack but it doesn't look like they encrypt anything.  Which means anyone who wants the data simply has to remove the hard drive and connect it to another device.  That's not real protection in my opinion.

TrueCrypt would have been an option but the developers ceased development.

Windows 8.1 Pro alone now offers Bitlocker.  But if the devices don't have a TPM, then I'm not sure I'd use bitlocker myself.

I would probably say it's time to start a migration to BUSINESS CLASS systems with TPMs (if you're not already using them) and consider upgrading everything to Win10 ASAP as bitlocker should be a feature of that.  That means getting rid of Vista hardware (which *IS* old and generally it's time to replace in my opinion).

At the end of the day, I don't know if you have 10 machines or 1000 machines... but I strongly suggest you try to standardize on things as much as possible, hardware, OS, etc - it will just make things easier.  And if necessary, replace inappropriate equipment.
ASKER CERTIFIED SOLUTION
McKnife:

g8rcub (ASKER):

Thank you for the responses.  Bitlocker seems like the way to go even though there is no way to manage things remotely for the equipment that is not on the domain.  There are about 50 PC's on the domain and another 50-60 out in the field that I won't really see much but need to know that they are encrypted.

We are a nonprofit and don't always have the money for the newest and best so I have to make things last (which is why there are some vista computers out there still).  But most of the equipment I will need to encrypt now will not have TPM so I need to look at the other methods.  I feel it will become complicated when I have all those computers offsite that I will need to manage encryption keys/passwords for.  That is why I was hoping there was some sort of encryption that was able to use some sort of web management console but it doesn't appear that exists right now.
May I ask what is keeping you from joining all devices to the domain?
g8rcub (ASKER):

Well, many of the offsite computers are not technically my responsibility as far as support, purchasing, etc. goes.   I will never really see them aside from installing the encryption on them.  

The computers belong to other organizations that we work with and that are funded through my organization for certain data collection/entry projects.  Recently one was stolen from one of these partner organizations and the management wanted to know if the data on that laptop was protected and it was not... so this was handed to me since I am responsible for many of the computers in the group... they want to see what I come up with and make sure all the others out there are covered.
So when you see them to encrypt them, you will have physical access, so you can do whatever you like. You can script the encryption and creation of recovery keys, which you can save to some secured place. For non-TPM devices, they will need a password (win8 and higher) or a USB token (win7/vista) to start the device. If they should lose/forget these, they can phone you and you have the recovery passwords at hand, saved to files. A web management console will not make this any better.
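The scripted approach described in the reply above, written out as an added example that is not part of the thread: it enables BitLocker on a non-TPM Windows 7 laptop with a USB startup key and escrows the numerical recovery password to an access-restricted file share, so recovery does not depend on whatever the user wrote on a sticky note. It uses manage-bde.exe (shipped with Vista/7/8) rather than the Windows 8+ BitLocker PowerShell module, so it also runs on the older laptops discussed here. The USB drive letter and the share path are placeholders; run it from an elevated PowerShell prompt on the machine being encrypted.

```powershell
<#
  Added example, not from the thread: enable BitLocker on a non-TPM Windows 7
  machine with a USB startup key and escrow the 48-digit recovery password to
  a restricted file share. Uses manage-bde.exe, not the Win8+ BitLocker module.
  $StartupKeyDrive and $KeyStore are assumed placeholder values.
#>
param(
    [string]$Volume          = 'C:',
    [string]$StartupKeyDrive = 'F:\',                     # assumption: the user's USB stick
    [string]$KeyStore        = '\\fileserver\bitlocker$'  # assumption: share readable only by IT
)

$ErrorActionPreference = 'Stop'

function Invoke-ManageBde {
    # Run manage-bde with the given arguments and fail loudly on a non-zero exit code
    param([string[]]$Arguments)
    $output = & manage-bde.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed:`n$($output -join "`n")"
    }
    return $output
}

# 1. Refuse to start if the recovery password could not be escrowed anyway
if (-not (Test-Path $KeyStore)) {
    throw "Key store $KeyStore is not reachable; aborting before any change."
}

# 2. Local-policy equivalent of "Allow BitLocker without a compatible TPM"
#    (Computer Configuration > Administrative Templates > Windows Components >
#    BitLocker Drive Encryption > Operating System Drives >
#    Require additional authentication at startup)
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord

# 3. Recovery password first, so a recovery path exists before anything is encrypted
Invoke-ManageBde -Arguments @('-protectors', '-add', $Volume, '-RecoveryPassword') | Out-Null

# 4. USB startup key: writes a .BEK file to the stick, which must be present at boot
Invoke-ManageBde -Arguments @('-protectors', '-add', $Volume, '-StartupKey', $StartupKeyDrive) | Out-Null

# 5. Read the recovery password back from the protector list (8 groups of 6 digits)
$listing = Invoke-ManageBde -Arguments @('-protectors', '-get', $Volume, '-type', 'RecoveryPassword')
$match   = $listing | Select-String -Pattern '^\s*(\d{6}-){7}\d{6}\s*$' | Select-Object -First 1
if (-not $match) { throw 'No recovery password found in manage-bde output.' }
$recoveryPassword = $match.Matches[0].Value.Trim()

# 6. Escrow it on the share only (never on the machine being encrypted), one file per computer
$recordPath = Join-Path $KeyStore ("{0}.txt" -f $env:COMPUTERNAME)
$record = @(
    "Computer : $env:COMPUTERNAME"
    "Volume   : $Volume"
    "Date     : $(Get-Date -Format s)"
    "Recovery : $recoveryPassword"
) -join "`r`n"
Set-Content -Path $recordPath -Value $record

# 7. Only now turn encryption on; it continues in the background after this returns
Invoke-ManageBde -Arguments @('-on', $Volume) | Out-Null
Invoke-ManageBde -Arguments @('-status', $Volume)
```

The recovery password is written to the share before encryption starts and never to the laptop itself, so a lost or forgotten startup key is handled by a phone call and a lookup of the computer name, as the reply describes. For the machines that are on the domain, the recovery password can be backed up to Active Directory instead of a share; the off-domain laptops are the case this script covers. It does not change the caveat raised earlier in the thread: a USB startup key left in the laptop bag travels with the stolen laptop.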
g8rcub (ASKER):

I will estimate that over 80% of the computers will not have TPM so I would go with the password or USB method.  But now this was my concern initially since I am pretty sure the users will never remove the USB key from the computer or it will be in the bag with the computer if it were to be stolen.  And others will leave a sticky note on the keyboard with their passwords; happens quite a bit even when I urge people not to do this.

That is kind of the way I pictured this going down though; me just having an Excel doc matching up computers with encryption PW's/keys for the times when people do not remember.  It will just take some time to get everyone all set up.
Consider using some solution that offers single sign on. The symantec one does. That way, the users will be able to use their own windows password as encryption password and will also logon automatically afterwards. If they write down that password on a sticker attached to the computer however, well, then we can forget about security, I guess.
g8rcub (ASKER):

So the Symantec one just uses the local account password to unlock encryption and allow the user to logon?  That would be great to only worry about one PW like that.  There are a handful of these computers that have the same username and password which would keep it really easy.  But yes, if someone leaves the PW written out on a note, it all goes out the window.  I'm going to download a trial of the Symantec program and see how it works.  Thanks!
It was thorough coverage from McKnife that covered the issues.  The author thanked him for the info on single sign-on from Symantec.  It appears to me the points should go to McKnife as Best Solution.

The buttons in this thread for distributing points are not shown.  Since I couldn't find them, I tried deleting my first comment where I was allowed to click the "Object" button as required, but now the "Object" is gone also.  So now this just looks like a regular post on a regular thread.  Any help out there?