RE: Laptop Encryption
From: Stephane Moulec (smoulec@cuisinesolutions.com)
Date: 07/30/02
- Previous message: Dominick Baier: "AW: hfnetchk reporting"
- In reply to: sightblinder@ntlworld.com: "Laptop Encryption"
- Next in thread: Sebastien_Talha@NAI.com: "RE: Laptop Encryption"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Stephane Moulec" <smoulec@cuisinesolutions.com>
To: <focus-ms@securityfocus.com>
Date: Tue, 30 Jul 2002 09:19:32 -0400

I can't really recommend a specific product (PGPDisk is my personal
choice for whatever it's worth) but give just a few recommendations
depending on the level of security you are after:
- If you are worried about data being lost or stolen if the laptop
itself is lost or stolen, I would look into a full disk encryption
product (maybe Safeboot or maybe just EFS). It is easy to use and
convenient (one password at boot time, done!)
- If you are worried that someone "takes a peek" while the user leaves
his PC unattended, it is another matter:
1) don't trust your execs to lock their laptop while they are
away. Maybe set up a screensaver with a short idle time and ask for
password when the user ends the screensaver.
2) if you use full disk encryption or EFS-like security, once
the user is logged on, it becomes useless. All data is readily
available. I would prefer a virtual disk that the user has to manually
mount and that unmounts automatically after x minutes of inactivity. You
always want to minimize the time when the data is at risk.
3) test your product to make sure that all temp files are either
created on the encrypted virtual hard disk or deleted (not a bad idea to
erase (or better wipe) all temp file directories when the PC shuts down).
Unfortunately, MS seems to multiply those locations: C:\TEMP,
C:\WINDOWS\TEMP, C:\Documents and Settings\<username>\Local
Settings\Temp...
4) run a "free space" disk wipe as a scheduled task once in a
while (timing depends on how "secure" you want to be; it can be daily,
weekly).
5) I personally choose a product that generates a key (vs using
password only) and I store the key on removable media (compact card in
my case because my laptop has a reader). When I travel, I remove the
card from the laptop and keep it in my pocket. It just makes it harder
to break the encryption. Note: if you go for this method, keep a copy of
the keys handy because your execs WILL lose their card.
This solution is probably not perfect, but it is definitely better than
average.
Just my $.02.
-----Original Message-----
From: sightblinder@ntlworld.com [mailto:sightblinder@ntlworld.com]
Sent: Friday, July 26, 2002 10:14 AM
To:
Subject: Laptop Encryption
Well it depends on how secure you want to be. If it's just a case of
securing it against opportunists then W2K and XP both provide an
encrypted file system natively. Check EFS / NTFS on the MS website.
IIRC it's accessed via the file or directory properties for the items you
want to encrypt.
I have idea as to how strong the encryption is, but if you're only
worried about opportunist access or the laptop being stolen by a regular
thief as opposed to someone specifically after your company info then it
should do the job.
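
Item 3 of the reply above (checking that temp files end up on the encrypted volume or get deleted) can be tested with a small audit script. This is an added example, not part of the original thread; the function names and the `E:\` mount point for the encrypted virtual disk are assumptions, and the temp locations are the three named in the message.

```python
import os
from pathlib import Path, PureWindowsPath


def windows_temp_dirs(usernames, drive="C:\\"):
    """Expand the temp locations named in the message for each user profile."""
    root = PureWindowsPath(drive)
    dirs = [root / "TEMP", root / "WINDOWS" / "TEMP"]
    for user in usernames:
        dirs.append(root / "Documents and Settings" / user / "Local Settings" / "Temp")
    return [str(d) for d in dirs]


def find_plaintext_residue(temp_dirs, encrypted_root):
    """Return (path, size) for files in temp_dirs stored outside encrypted_root."""
    enc = Path(encrypted_root).resolve()
    findings = []
    for temp_dir in temp_dirs:
        base = Path(temp_dir)
        if not base.is_dir():
            continue  # this location does not exist on this machine
        for root, _dirs, files in os.walk(base):
            for name in files:
                path = Path(root, name)
                try:
                    real = path.resolve()
                    size = path.stat().st_size
                except OSError:
                    continue  # file locked or removed while scanning
                if real == enc or enc in real.parents:
                    continue  # temp dir is redirected onto the encrypted volume
                findings.append((str(path), size))
    return sorted(findings)


if __name__ == "__main__":
    # Assumption: the encrypted virtual disk is mounted as E:\ when in use.
    user = os.environ.get("USERNAME", "user")
    for path, size in find_plaintext_residue(windows_temp_dirs([user]), "E:\\"):
        print(f"{size:>10}  {path}")
```

Run it after closing the applications that handle sensitive documents: anything it lists is a file sitting on the unencrypted part of the disk and a candidate for the shutdown wipe.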