Talk to me about securing a work laptop.

DoubleCheese · 12 Sep 2010 at 21:27

Two of my colleagues will be working remotely and using laptops. What software should I install on the machines to secure them in case they are stolen? The machines will be running Win XP Pro and will have VPN connections to connect to the office Server.

Any recommendations and tips?

Thanks.

tntcoder · 12 Sep 2010 at 21:31

Full disk encryption with TrueCrypt.

Then if lost/stolen, your data is rendered effectively useless to a thief.

Also ensure that any removable storage devices (aka usb flash) are secured as well.

theheyes · 12 Sep 2010 at 21:41

In addition to the above take administrator rights away if they don't need them. Also go into the local policy editor and enable automatic install of updates.

If you have some corporate antivirus you might as well stick that on too.

DoubleCheese · 12 Sep 2010 at 22:01

tntcoder said:
Full disk encryption with TrueCrypt.

Then if lost/stolen, your data is rendered effectively useless to a thief.

Also ensure that any removable storage devices (aka usb flash) are secured as well.

Is there a separate log-in for TruCrypt or is it just the normal XP Pro log-in? i.e just one the one XP Pro username and password prompt to gain access to the machine?

dave-lew99 · 12 Sep 2010 at 22:01

Depending on the laptop, it may also have some sort of anti-theft/call home features built into the hardware, my company Dell E6500 does for example, it would be work looking into.

tom_e · 12 Sep 2010 at 22:06

DoubleCheese said:
Is there a separate log-in for TruCrypt or is it just the normal XP Pro log-in? i.e just one the one XP Pro username and password prompt to gain access to the machine?

You enter a separate password on start up much like you would do if you had the start up password enabled in BIOS

DoubleCheese · 12 Sep 2010 at 23:08

tom_e said:
You enter a separate password on start up much like you would do if you had the start up password enabled in BIOS

Ok, got you. Thanks!

Roland0 · 15 Sep 2010 at 14:54

This is good for WDE. you can set it up with a single sign on with windows as well

.Simon · 15 Sep 2010 at 17:12

A very good alternative to TrueCrypt is DiskCryptor.

# Support for encryption algorithm AES, Twofish, Serpent, including their combinations.

* Transparent encryption of disk partitions.
* Full support for dynamic disks.
* Support for disk devices with large sector size (important for hardware RAID operation).

# High performance, comparable to efficiency of a non-encrypted system.

* Support for hardware AES acceleration:
o AES-NI instruction set on new Intel CPU;
o PadLock extensions on VIA processors.

# Broad choice in configuration of booting an encrypted OS. Support for various multi-boot options.

* Full compatibility with third party boot loaders (LILO, GRUB, etc.).
* Encryption of system and bootable partitions with pre-boot authentication.
* Option to place boot loader on external medium and to authenticate using the key medium.
* Support for key files.

# Full support for external storage devices.

* Option to create encrypted CD and DVD disks.
* Full support for encryption of external USB storage devices.
* Automatic mounting of disk partitions and external storage devices.

# Support for hotkeys and optional command-line interface (CLI).
# Open license GNU GPL v3

SiriusB · 15 Sep 2010 at 17:30

If you use TruCrypt you can save a copy of the Header file to say a USB disk, then store it in a safe place [a company safe/strong box]. Then if the employees ever forget their password you can effectively reset it and change it to something new.

Whatever encryption you use, you should make sure the password is nice and strong and do NOT let anyone write it down!

CaptainCrash · 15 Sep 2010 at 18:34

SiriusB said:
If you use TruCrypt you can save a copy of the Header file to say a USB disk, then store it in a safe place [a company safe/strong box]. Then if the employees ever forget their password you can effectively reset it and change it to something new.

Just to clarify - you need to first set a password, then back up the header, *then* reset the volume with a "user" password (once this is done, they can change it themselves as much and as often as they like). If any of these later passwords get lost or forgotten, restoring the header will reset the encrypted volume with the *original* password.

I'm sure that's what you meant, but it's rather a crucial point... if you only back up the header *after* the user has changed the password, and then they forget it, you're shafted.

SiriusB · 15 Sep 2010 at 22:59

Well I was keeping it brief on the assumption the OP would read all the documentation!

Nanobot · 17 Sep 2010 at 11:10

Is it for business purposes and how secure and sensitive is the data?
If you want serious industrial strength protection, you could try Dead Man's Handle.