Laptop Security


tech

Hi Guys

I carry a lot of important private files on my laptop. What can I do to prevent people accessing it? I have a Windows password and also a BIOS boot-up password.

Is there more I can do to prevent this?

Thanks


You can set NTFS rights to prevent accessing data from the network.

You can encrypt data using EFS (right-click on the folder, Properties, Advanced Attributes and check Encrypt). If you don't log in with the user that encrypted the data, you can't read the data.

Keep same user profile & password to keep data safe.


To secure your files you need to use some type of encryption, as it is just too easy to get around passwords if you have physical access.

You can encrypt your files using TrueCrypt. Vista had BitLocker technology and there is also a program called SafeGuard Easy which allows you to encrypt the complete hard drive. I would use TrueCrypt as it is free and works well.

I have some issues with EFS. It changes the date/time stamp on files. We used to use this and I needed to get access to a user's encrypted files who left the company. All I had to do was reset their password and log in as them.

SafeGuard Easy has its own set of problems. First, once a computer is booted into Windows an administrator can still access your files from the network.


TrueCrypt works great. I use it too.

FranckE9999: Do you mean data can be read if the password is different from the password used to encrypt the data? Have you used EFS in a domain?


Some Laptops offer hardware encryption of files, notably some HP business-line laptops - in conjunction with fingerprint authentication, even, and possibly some Stinkpads, too. If it's really important you might consider changing your laptop. Do look at the individual configuration though.


TrueCrypt works great. I use it too.

FranckE9999: Do you mean data can be read if the password is different from the password used to encrypt the data? Have you used EFS in a domain?

I know that normally if you change a user's password they won't be able to access their encrypted files. However, in our configuration users downloaded a certificate/key the first time they logged on and that was used to encrypt their files (there was also a process for recovering a key). In this configuration it was possible for an administrator to reset a user's password and not affect their ability to access their encrypted files. We don't use this anymore or I wouldn't have said anything about it. I'm not sure if this was done by design or just configured incorrectly.

The only issue I can have with TrueCrypt is you better not forget your password, as there doesn't seem to be any way to recover your information. As a side note, if anyone is looking for a good/free password manager I recommend KeePass Password Safe.


You can set NTFS rights to prevent accessing data from the network.

You can encrypt data using EFS (right-click on the folder, Properties, Advanced Attributes and check Encrypt). If you don't log in with the user that encrypted the data, you can't read the data.

Keep same user profile & password to keep data safe.

Can't agree more, BUT if you wanna use the NTFS encryption system DON'T FORGET to back up your user certification. You find the steps to do this in Windows Help. Type NTFS ENCRYPTION in Windows Help.

If you don't get this backup and somehow your Windows gets destroyed (like by a virus), then you will lose all the encrypted data and it'll be useless.

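The certificate backup recommended in the post above can be scripted. This is an added example, not part of the original thread; the destination `E:\efs-backup` and the function names are hypothetical, and it assumes a Windows version that ships the `Export-PfxCertificate` cmdlet.

```powershell
# Added example: back up the current user's EFS certificates with their private keys.
# $BackupDir is a hypothetical path; use removable media that is stored apart from the laptop.
$BackupDir = 'E:\efs-backup'
$EfsOid    = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for Encrypting File System

function Get-EfsCertificate {
    # Certificates in the user's personal store whose EKU list includes EFS.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid }
}

function Backup-EfsCertificate {
    param([string]$Destination, [securestring]$Password)

    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) {
        Write-Warning 'No EFS certificate found for this user; nothing to back up.'
        return
    }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    foreach ($cert in $certs) {
        if (-not $cert.HasPrivateKey) {
            # Without the private key the certificate cannot decrypt anything.
            Write-Warning "$($cert.Thumbprint): no private key in this profile, skipped."
            continue
        }
        $file = Join-Path $Destination "efs-$($cert.Thumbprint).pfx"
        try {
            Export-PfxCertificate -Cert $cert -FilePath $file -Password $Password -ErrorAction Stop |
                Out-Null
            Write-Output "Exported $($cert.Subject) (expires $($cert.NotAfter)) to $file"
        } catch {
            # Typical cause: the key was created as non-exportable.
            Write-Warning "$($cert.Thumbprint): export failed: $($_.Exception.Message)"
        }
    }
}

$pw = Read-Host -AsSecureString 'Password to protect the PFX files'
Backup-EfsCertificate -Destination $BackupDir -Password $pw
```

The resulting PFX file holds the private key, so it needs the same care as the data it protects. Importing it into a rebuilt Windows profile is what makes the encrypted files readable again.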

OK, you probably know this, but I'm just going to throw it out there, since some people just seem to forget this:

It doesn't matter how darn much security you put on your laptop if someone can get it. Because if they want to, they will eventually get in. If someone has your computer in their hands, they have all the time in the world to get in. Sure, you can make it really, really hard, but in the long run, it doesn't matter. So I'd say, if you haven't already, get yourself a good cable lock and always lock it up, even when it's just sitting on your desk. Better yet, stick it in a filing cabinet or something like that, that you can lock. Physical security is a huge part.

Another thing regarding software security, which you probably also know, but hey, it can't hurt to mention. I know you said you have a bios password and logon password, but beyond those, what's your setup? I always recommend to people that they use the Windows 2000-style logon instead of the welcome screen, and that they hide the last username from being shown, since this makes it that much harder to log on without permission. Both of those settings can be accessed from secpol.msc, or through Group Policy.

PS: I'm back! :hello:


Hi, thanks for the advice.

Yeah, I have a laptop lock and also use the Ctrl Alt Del login and have modified the GPO so it doesn't show the last user logged in :)

Thanks

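A quick way to confirm that the two logon settings discussed in the posts above are actually in effect. This is an added example, not part of the original thread; it reads the registry values behind the "Do not display last user name" and "Do not require CTRL+ALT+DEL" security options, and the function name is hypothetical.

```powershell
# Added example: audit the two interactive-logon policy values discussed in the thread.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name -> value that matches the advice in the thread.
$Expected = [ordered]@{
    DontDisplayLastUserName = 1   # 1 = last signed-in user name is hidden
    DisableCAD              = 0   # 0 = Ctrl+Alt+Del is required before logon
}

function Test-LogonPolicy {
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = $null
        if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
            $actual = $props.$name
        }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            # An absent value counts as a mismatch: the OS default applies instead.
            Matches  = ($null -ne $actual) -and ($actual -eq $Expected[$name])
        }
    }
}

Test-LogonPolicy | Format-Table -AutoSize
```

A row showing `(not set)` means the policy has never been configured on that machine; set it through secpol.msc or Group Policy, as the post describes, rather than by editing the registry directly.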

It doesn't matter how darn much security you put on your laptop if someone can get it. Because if they want to, they will eventually get in. If someone has your computer in their hands, they have all the time in the world to get in.

Yes, that is correct, but what length of time do you want to spend getting into a system encrypted with SafeGuard Easy? For each incorrectly entered password the length of time until the login appears again is exponential. Enter the user ID or password incorrectly and you will wait an hour after the 4th missed attempt. Now if you want to try and crack AES-256 you could access it directly. If you put the drive in another machine, Windows will recognize it as a RAW partition. Read it with a disk editor and you get the encrypted data from end to end.

Now if it is incorrectly configured it could be made easier by giving you one piece of the puzzle (login ID) or using XOR encryption instead.

So yes, while it would eventually be possible to get the data from the drive, could you do it in a reasonably practical length of time?
