Security Basics mailing list archives

RE: File Encryption - Laptop

From: "Nero, Nick" <Nick.Nero () disney com>
Date: Tue, 16 Sep 2003 17:41:49 -0400

I recently had to set a standard on this myself.  I would recommend
Windows XP with SP1 and then using Encrypting File System (EFS).  This
is a completely free solution and very tight security.  The algorithm is
256bit AES so it is practically impossible to break (you have to brute
force a huge key).  There is one tool out there that will break EFS on
2k (and I think recently XP SP1), but the hacks work by exploiting key
management.  

For extra sensitive laptops, like those of executives, you may want to
enable syskey in mode 3.  I have recently been experimenting with
storing the syskey instead of on a floppy, on a USB Jumpdrive mapped to
A:.  This provides paramount security - even if the laptop is stolen,
there is no access to the SAM account database to try to crack the EFS.
If the SAM is overwritten (new install of 2k) then all the certificate
info for the EFS is also destroyed leaving the files unrecoverable.
This is really a technique of last resort though.  If the key is lost
there is no chance of recovering that box - even from backup tape - so
be forewarned.

Nick Nero
CISSP 

-----Original Message-----
From: Ethan Harris [mailto:harris_ethan () hotmail com] 
Sent: Friday, September 12, 2003 10:53 AM
To: security-basics () securityfocus com
Subject: File Encryption - Laptop



Hi all,



I'm fairly new to the secuirty world, but have been recently asked by my
company to find a product that will be able encrypt files on a PC
(mostly Win98 and Win2k based), especially on laptops.  They want an
extra layer of security in case any of these machines get stolen.
Thanks in advance for the input.


------------------------------------------------------------------------
---
Captus Networks
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Precisely Define and Implement Network Security
 - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW -  FREE
Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
------------------------------------------------------------------------
----



---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Precisely Define and Implement Network Security
 - Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------

Current thread:

Re: File Encryption - Laptop, (continued)
- Re: File Encryption - Laptop Markus Rossi (Sep 15)
- RE: File Encryption - Laptop Marcel Janus (Sep 15)
- Re: File Encryption - Laptop Birl (Sep 15)
- RE: File Encryption - Laptop Oliver Rebollido (Sep 15)
- RE: File Encryption - Laptop Ross Wakelin (Sep 15)
  - RE: File Encryption - Laptop wbradd (Sep 16)
- RE: File Encryption - Laptop Ruiz Cifuentes, Rolando Matias (CL - Santiago) (Sep 15)
- RE: File Encryption - Laptop Bill_Roswell (Sep 15)
- Re: File Encryption - Laptop Chris Berry (Sep 15)
  - Re: File Encryption - Laptop Ansgar Wiechers (Sep 16)
- RE: File Encryption - Laptop Nero, Nick (Sep 16)
- RE: File Encryption - Laptop Pierre A. Cadieux (Sep 17)
- Re: File Encryption - Laptop Chris Berry (Sep 17)