Securing access to PC

Flyboy (Ron Kinney)
My company is merging with another and I'll be taking on added responsibilities that will require access to sensitive information. :dance:

What is the best way to lock a pc so that when I am away from my desk no one can use it? I've seen several programs on the net that do this but have no idea if any are better than others. Also, I'm assuming this could be bypassed by someone using a boot diskette/CD and just accessing the drives that way.

Suggestions?
 
What operating system? What about your corporate network? What network o/s are you running?

One thing you can do that's very simple: Password protect your screensaver. Set it to a low value like 2 minutes and make it require a pw every time someone tries to clear it. The negative to that is, you'll be entering your password every time you get up for coffee or answer the phone.

In my case I set my screensaver to 10 minutes, and manually lock the workstation by hitting ctrl-alt-del followed by "Lock Computer" but that's an XP Pro/NT Pro/2k Pro thing and probably won't work on 98/Me.
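
The password-protected screen saver described in the post above is stored as per-user registry values, so it can be checked rather than assumed. The script below is an added example, not part of the original thread; it assumes a Windows version with PowerShell available, and the 120-second threshold is taken from the 2-minute suggestion.

```powershell
# Added example: audit the current user's screen saver lock settings.
# Assumption: 120 seconds mirrors the 2-minute timeout suggested in the thread.
$MaxTimeoutSeconds = 120

# A Group Policy value, when present, overrides the per-user setting.
$Paths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
    'HKCU:\Control Panel\Desktop'
)

function Get-EffectiveValue {
    param([string]$Name)
    foreach ($path in $Paths) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

function Test-ScreenSaverLock {
    $findings = @()
    $active  = Get-EffectiveValue 'ScreenSaveActive'
    $secure  = Get-EffectiveValue 'ScreenSaverIsSecure'
    $timeout = Get-EffectiveValue 'ScreenSaveTimeOut'
    $exe     = Get-EffectiveValue 'SCRNSAVE.EXE'

    if ($active -ne '1') { $findings += 'Screen saver is not enabled.' }
    if ([string]::IsNullOrEmpty($exe)) { $findings += 'No screen saver is selected.' }
    if ($secure -ne '1') { $findings += 'No password is required on resume.' }
    if ($null -eq $timeout -or [int]$timeout -le 0) {
        $findings += 'No idle timeout is set.'
    } elseif ([int]$timeout -gt $MaxTimeoutSeconds) {
        $findings += "Idle timeout is $timeout s; expected $MaxTimeoutSeconds s or less."
    }
    return $findings
}

# @() keeps the result an array even when there are zero or one findings.
$result = @(Test-ScreenSaverLock)
if ($result.Count -eq 0) {
    'OK: screen saver locks the session after the idle timeout.'
} else {
    $result | ForEach-Object { "FINDING: $_" }
}
```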
 
Chuck,

Thanks, I'd thought about the passworded screen saver idea and it will probably suffice but I'd like a little more protection if I can get it.

I'm running win3kpro. There will be 2 servers 1, our current server running SCO unix and the second is their server running win2k server. I can lock down the unix side tighter than a drum. :D

But the windows side will have holes in it. I also have a linux box set up as a network firewall, email server and spam filter plus antivirus so I feel fairly secure from outside hacks.
 
Ron Kinney said:
Chuck,

Thanks, I'd thought about the passworded screen saver idea and it will probably suffice but I'd like a little more protection if I can get it.

I'm running win3kpro. There will be 2 servers 1, our current server running SCO unix and the second is their server running win2k server.
I'm assuming it's Win2KPro?

Ctrl-Alt-Del, lock computer (usually just the Enter key) to lock your system when you walk away. The password screen saver is the same as login level security. Reauthentication to the local domain is required if you're in it (or locally if you're not).

Regarding bootdisks: if your hard drive is NTFS, it's fairly well protected since it will require a LOCAL password to access it. It's not foolproof, however, and can be hacked.

Are you concerned about someone accessing YOUR computer or making sure the new computers from the merged company are locked down? There are a lot of ways to access a workstation on a network, including some basic stuff that a lot of folks don't realize (but is widely available at hack sites).
 
At my last 2 previous clients, we were FDA compliant re: computer security and the screen saver passwords were sufficient. Policy and Procedures manual said lock the screen with CTL-ALT-DEL whenever you were away from your desk.
Greg
 
Yes, win2kpro. Sorry for the typo.

From what I've found out from the net, most of the extra security programs add too much overhead. Some even replace system files. I'm not real comfortable with that and it looks like the ctl-alt-delete lock will be good as well as a password on the screen saver.

I think I'll go that route.

Thanks!
 
Ron Kinney said:
Also, I'm assuming this could be bypassed by someone using a boot diskette/CD and just accessing the drives that way.

Suggestions?

Most computers allow you to disable the boot from CD/diskette in the BIOS, then you can password protect the BIOS to prevent changes to it. Doesn't make it foolproof, but adds a little more protection from booting up from a diskette/CD and browsing around the files on the hard drive. It's a pain if you boot from removable media a lot, but most people don't so it's not a big deal usually, just don't forget the BIOS password ;-)



Lisa
 
If you want real protection from an aggressive hack, encrypt the files themselves in addition to securing the computer. And if physical access is an issue then definitely lock out any alternative boot paths and add password protection to the BIOS. Also make sure any passwords and encryption keys are "hard" (check the internet) and put them in a physically secure place that someone you trust has access to (unless you want the files to be totally lost if you forget any of them (or pass away)).
 
Flyboy said:
My company is merging with another and I'll be taking on added responsibilities that will require access to sensitive information. :dance:

What is the best way to lock a pc so that when I am away from my desk no one can use it? I've seen several programs on the net that do this but have no idea if any are better than others. Also, I'm assuming this could be bypassed by someone using a boot diskette/CD and just accessing the drives that way.

Suggestions?

Ask for a laptop and take it with you. :D
 
Flyboy said:
Suggestions?

This may be kind of silly, or more likely too much of a hassle to mess with in your situation, but if you install a removable hard drive tray (some are supposedly hot swappable), well, they can't access your data if the hard drive is physically missing. Pull it out, stick it in a drawer, lock the drawer, walk away. Accessing a missing drive is usually extremely difficult to impossible. I recall at least one version that if you turn the keylock without a drive in the bay, you can't insert a drive into the bay until you unlock it (the latch lever is in the way). $20-50 a pop but you have to trust people to not steal stuff.

You asked and you got what you paid for... ;)
 
Chances are that the data does not reside on the local PC, but rather on some network server somewhere. Securing that is a whole different topic!

For local PC access, check out: http://www.ensuretech.com/ It's a badge that locks the PC once you are out of range (user definable). Works very well, and is a simple install. If you rely on hitting CTRL-ALT-DEL every time to lock it, you will soon give it up.

As for NTFS, breaking that is simple - Knoppix.

S.
 
sshekels said:
Chances are that the data does not reside on the local PC, but rather on some network server somewhere. Securing that is a whole different topic!

For local PC access, check out: http://www.ensuretech.com/ It's a badge that locks the PC once you are out of range (user definable). Works very well, and is a simple install. If you rely on hitting CTRL-ALT-DEL every time to lock it, you will soon give it up.

As for NTFS, breaking that is simple - Knoppix.

S.
Actually, the idea of hitting Ctrl-Alt-Delete every time I get up is so ingrained that I have no problems with it. I even do it at home. Just habit now.

I also trained the folks at my last employer to do the same thing. Walk away from your computer and I find it...very weird things will happen. Mysterious e-mails, redirected home pages, etc. People learn fast.

Regarding NTFS and Knoppix: easily defeated by password protecting the BIOS and setting boot order to network, hard drive, then any removable media. If the CD or floppy never gets accessed in the first place, it can't be booted.

Personally, given the tools and expertise available to the user who wants to do the research, I'd be more worried about network traffic and servers than anything else. Once data hits the wire (or wireless nowadays), I can pretty much take it anywhere I want if I'm plugged in somewhere.
 
Just be SURE to not forget the BIOS password. Or, you're screwed.
 
Keep all your secure data on a USB memory stick. They can hold a good deal of data now. Keep it in your pocket or on a loop around your neck.

- Richard
 
bbchien said:
Just be SURE to not forget the BIOS password. Or, you're screwed.
Not entirely. There is a technique for clearing the BIOS memory (CMOS) using either a jumper on the motherboard or popping the battery for a certain amount of time. You'll have to reset any custom BIOS settings, though.
 
Brian is correct, also many BIOS have backdoor passwords.
 
Could use a Mac or Linux OS :)

But this is a serious issue now. Sarbanes-Oxley Compliance is a really big deal. Even as a Macintosh administrator I have gone through two killer security audits in the last 6 months, not to mention what seems like nonstop software compliance audits. I ended up having to repurchase a half dozen copies of Photoshop because I couldn't provide proof we purchased under the correct license plan.
 
The only reason Macs aren't a security issue right now is because they are not a 'target rich' environment. Linux already has its own issues. It just gets fixed faster than most proprietary software due to its community involvement.
 