Physical security is something that doesn’t get enough attention. I don’t mean that it doesn’t get enough attention in the Microsoft security literature or among Windows security admins. What I mean to say is that in practice, people don’t pay enough attention to physical security. It never ceases to amaze me how often people visiting a client or partner site will leave their laptops sitting out in the middle of a conference room while going out for lunch or just a cup of coffee. Or how many people I’ve seen leave their laptops in a hotel room, trusting that the hotel staff will not steal the computer or that someone using a very light amount of social engineering wouldn’t be able to get into the room to steal the laptop.
Its for this reason that hundreds of thousands of laptops are stolen each year. These laptops contain valuable data, either personal data or your company’s data. Think about the information you store on your laptop and then think about what if someone were able to steal your laptop and gain access to the information on your hard disk. Also, think about what the intruder would be able to do with applications. Many of you have Outlook configured to not ask for a password on start-up. What will the intruder do with complete access to your email account?
While you might think that losing a laptop is something that happens to other people, the fact is that it’s not true. Many of the brightest minds in the industry have lost their laptops and sometimes with painful results. So what you can you do protect yourself against the results of a lost laptop? Encryption. Encryption will reduce your loss to only lost productivity and the price of the hardware and software.
Windows gives you two powerful encryption options:
- Encrypting File System
The Encrypting File System or EFS has been around since Windows 2000. Using EFS, you can encrypt individual files or folders on your computer. For example, you can encrypt your entire “My Documents” folder using EFS or your user profile folder.
The problem with EFS is that there may be sensitive information located on other parts of the hard disk that you’re not even aware of. In that case, you need something more comprehensive than EFS. This is where BitLocker comes into play. With Windows Vista SP1 and Windows Server 2008, you will be able to encrypt entire disk volumes. It can be the system volume, or any other volume on the machine. Vista prior to SP1 supported encrypting only the boot volume (containing the system files).
If these options sound attractive to you (and they should), then you can get up to speed quickly on how to encrypt information on your hard disk using EFS or BitLocker by using the Data Encryption Toolkit for Mobile PCs put out by Microsoft.
You can download this kit over at http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/default.mspx?SA_SC=ContentSpotlight
Let me know what you think of the kit and if you have any questions.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP – Microsoft Firewalls (ISA)