Securing a windows 7 laptop when out of the office. It's part of an SBS 2011 domain

What are the options for the way to 'secure' the data on a laptop in case it gets stolen?

I was thinking there's the drive bootup password in the bios of the laptop (Dell Latitude).  I guess I could take the drive out to see for myself, but does that actually keep the drive locked up even if removed from the laptop and connected to another PC?

We're not talking state secrets here.  So if the answer to the hard drive password lock is that they can swap out the board on the drive and get in, that's not a concern.

We're more concerned with keeping people from getting to the data going so far as taking the drive out of the laptop and putting in another PC using a USB to SATA cable or similar.

The OS is Windows 7 Pro and the server for the domain is SBS 2011.

Any recommendations?
BeGentleWithMe-INeedHelpAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

 
Pune TechCommented:
Right now your laptop data is unsafe any one can copy by connecting to usb but there are steps you can take to reduce the risk. Here are 10 simple things you can do to help keep your laptop secure when you are on the go

Check following article for details,

http://www.in.techradar.com/news/mobile-computing/laptops/10-steps-you-can-take-to-secure-a-laptop/articleshow/38835410.cms
0
 
McKnifeCommented:
What the bios "hard drive password" actually does depends on the model of laptop and model of drive. You can use self encrypting drives and if the bios supports it, you will really be using encryption and this (given we use a password that is not easy to brute force) is secure.
Other hard drive locking mechanisms are not that secure. To give you an idea: data recovery online services offer to unlock your drive for less than 100 US$ (but you'll have to send them the drive).

So look into the drive models and see if SED (self encrypting drives) is a feature and if the dell bios supports to use that on all models that you have.
0
 
skullnobrainsCommented:
the hard drive password most likely does not do encryption if the word crypt is not present somewhere in the bios. usually, you'd get both on separate lines, but there are exceptions. best way to know try it. it should work internally or as an usb external drive.

assuming the hardware does not support it, windows can work on completely encrypted drives but i would not recommend that approach : pain to setup, you'll have to reinstall or clone, and it is uselessly slow.

i'd recommend you create a separate partition. you can resize existing ones in computer management, and create new ones. i'm unsure about resizing the system partition while it is running. if you need to do that and windows won't, any bootable cd with gparted will let you do that easily.

once you're done, you can use the ms bitlocker tool ( should be under system in control panel ) to encrypt the drive

then format the partition and make sure any sensitive data is stored there. you can stick the user profile or his documents folders on the encrypted partition to make it easier. if you move the whole profile, try a dummy profile first. moving the profile is somehow better because most temp files would be stored there. ( and a few with the system but most apps that work on user data will use the profile's temp dirs )

this should be quite easy to setup without breaking the existing system, and won't encrypt the system itself which would slow down the system uselessly ( imagine the swapfile is encrypted and you swap even a little ... )

---

another way could be to use an encrypted usb key but you won't be able to set the user's profile on a removable drive afaik so your user would need to be educated. and temp files would be a problem.
0
On-Demand: Securing Your Wi-Fi for Summer Travel

Traveling this summer?Check out our on-demand webinar to learn about the importance of Wi-Fi security and 3 easy measures you can start taking immediately to protect your private data while using public Wi-Fi. Follow us today to learn more!

 
McKnifeCommented:
There's no bitlocker on win7 pro.
0
 
skullnobrainsCommented:
oops

many freeware equivalent such as this truecrypt successor https://veracrypt.codeplex.com/ or truecrypt itself

whichever you pick, you need one that prompts for passwords rather than use a self-contained password ( rather useless ) or a removable drive ( that will likely be stolen with the laptop ) and you probably should prefer something that encrypts the whole drive rather than individual files ( though there might be some out-of-the-shelf tools that can watch a directory and encrypt/decrypt files on the fly )
0

Experts Exchange Solution brought to you by ConnectWise

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
 
skullnobrainsCommented:
another way could also be to provide remote access through rdp, vnc, or whatever equivalent and leave the data at the office but that would require permanent internet access
0
 
Rob KnightConsultantCommented:
Hi,

Dell latitudes are business grade devices and thus have a TPM (trusted Platform Module) - this can be enabled in the BIOS (usually enabled by default) and since you have Windows 7 Pro, you can encrypt the in-built disk using BitLocker.

Several options are available for how the drive is unlocked - suggest a complex password of 8 characters and AES 128 (default) or AES 256 for the encryption.

During drive encryption, you will be asked to create a BitLocker recovery key - important that you keep this safe.

Hopefully this will help:

https://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx
0
 
McKnifeCommented:
7 pro has no bitlocker. We talked about that before, please read the other comments.
0
 
Rob KnightConsultantCommented:
Quite correct, it was introduced in Windows 8.0 Pro.

You could upgrade to Windows 8.1 Pro, via Windows 8.0 as it's cheaper (i.e. £45.00 in the UK) or 10 Pro or 7 Ultimate to get BitLocker.

Alternatively, if you or the user needs adaptions for some form of accessibility, then it'st still possible to upgrade to Windows 10 Pro for free:

https://www.microsoft.com/en-gb/accessibility/windows10upgrade - no proof is needed that assistive technology is used so there is no paperwork.

It might be difficult to trust OpenSource encryption solutions especially since the TrueCrypt issue and many won't leverage the TPM which will protect part of the keychain used to decrypt the drive.
0
 
skullnobrainsCommented:
It might be difficult to trust OpenSource encryption solutions

hmm... i'd never consider using any encryption software that's not opensource.
if you can't audit your solution, it's probably not as failsafe as the vendor claims.
0
 
BeGentleWithMe-INeedHelpAuthor Commented:
Re:  https://www.microsoft.com/en-gb/accessibility/windows10upgrade - no proof is needed that assistive technology is used so there is no paperwork.

I've been meaning to ask this question.  Feel free to check / comment on this page:

https://www.experts-exchange.com/questions/28985942/How-do-you-know-you-are-properly-activated-on-Windows-10-upgrades.html
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.