Hi Bill,
Thanks for your reply.
I'll take this stuff into account. Suprisingly all the FDE products I've
reviewed do not mention in their blurb any performance issues/ vulnerabilities.
The group I'm trying to protect barely know how to login now so the solution
has to take this into account from the start. Any data loss woud be a disaster.
Thanks again Bill,
Cheers,
S
----- Original Message ----
From: Bill Stout <billbrietstout@yahoo.com>
To: fac51 <fac51@yahoo.com>; security-basics@securityfocus.com
Sent: Tuesday, October 23, 2007 6:34:01 PM
Subject: Re: Laptop - Full Disk Encryption? (Booting defeats FDE)
S,
How to defeat full disk encryption: Boot up
A workmate reminded me that the disk is decrypted during startup by the
decryption drivers. It's an all or nothing deal. Once the computer has booted
you have a normal; logon prompt, network services (\\notebook\c$), USB devices,
etc. Check if the product protects against safeboot (F8) interruption. A
startup password could add security depending on how strongly that is
implemented, but most users/companies want transparent operation.
Disk errors and failures are common on laptops, and FDE vendors are very
cautious about checking for existing disk errors before installation so
research the impact FDE has on disk reliablity. I believe things like
defragmentation are no longer possible afterwards either (I may be wrong on
this).
Also keep in mind that you're loading more file system filter drivers, and the
Windows kernel (2003, XP) has only three slots available. Combining things
like AV, DFS, Backup agents, and FDE may cause data corruption. Any two
security products loaded may not show an incompatibilty, but three or more
could be a problem. There is a special request MS patch to increase the number
of kernel slots for file system filters, btw.
- File system filter drivers
http://www.microsoft.com/whdc/driver/filterdrv/default.mspx
- Three file system filter limit patch http://support.microsoft.com/kb/906866
For protection of data on the computer _after_ it's running, you may consider
products that offer more granular file-level encryption like Credant
Technologies or Information Security Corp. These products encrypt what's
important (user files and temp files), but allow for standard support, backup
and recovery practices.
Bill Stout
----- Original Message ----
From: fac51 <fac51@yahoo.com>
To: security-basics@securityfocus.com
Sent: Wednesday, October 17, 2007 2:04:30 AM
Subject: Laptop - Full Disk Encryption?
Does anyone know of a good full disk encryption product.
It will be used for senior management so it must be easy to use and recover if
the password is forgotten.
Assumptions are that laptop information security is strongest if data is not
saved locally but an audit has revealed otherwise.
Technical Controls (proposed)
1. BIOS password. (currently not enforced)
2. Full disk or partition encryption. (currently not enforced)
Is there anything else I should take into account?
I have read that encryption is useless if the password that is used is not
strong is this true?
Thanks in advance for any help, greatly appreciated.
S
____________________________________________________________________________________
Don't let your dream ride pass you by. Make it a reality with Yahoo! Autos.
http://autos.yahoo.com/index.html
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
