Microsoft

Notebook computer security for the user on the go

When users carry notebooks outside the safe confines of the office, they become a security risk waiting to happen. However, by instructing users on how to protect their data, you can help keep intruders at bay. Brien Posey offers a few quick tips.


There is little you can do to guard your employees against laptop theft or loss. While the chances of having data stolen and used against the company are slim, it can happen. So it’s critical to prevent just anyone from picking up a laptop and gaining any useful information from it. Here are some techniques you can use to enhance notebook computers' security in case they are ever lost or stolen.

Notebook hard disk security tips
I first recommend securing the hard disk by dividing it into two partitions. Store OS files and programs on the first partition and store data on the other. Why use dual partition configuration? Windows offers file-level encryption, but one of the limitations of the encryption algorithm is that you can’t encrypt the partition that contains Windows. So if you use separate partitions for your OS and your data, you’re free to encrypt the data partition.

However, even with this encrypted partition, the only thing that stands between the encrypted data and the world is a password. Many believe that to prevent unauthorized access, a user should employ strong passwords that are difficult to crack or guess. However, an unscrupulous person doesn’t have to figure out a password to gain access to files. Utilities such as ERD Commander 2000 from Winternals Software can be used to change a password without having to know the original password. ERD Commander 2000 works by booting the system to a command prompt outside of the Windows OS and then allowing the user to run a suite of recovery utilities to gain access to the system. Basically, you boot the program and then use the REGISTRY command followed by the PASSWORD command. For example, if you wanted to reset the Administrator's password, you could enter these commands:
REGISTRY
PASSWORD Administrator newpassword


So how can you prevent someone from using such a utility? Well, you can’t stop them from doing it, but you can slow them down. I recommend using the system’s BIOS to set a power on password. When you boot the laptop, enter the appropriate key combination—each laptop model is different—to open the BIOS setup program. From there, you can change or create a power on password. Then, a person will actually have to open the notebook case and remove the CMOS battery or set a jumper before he or she will be able to get the computer to boot up without the power on password.

Also, since utilities such as ERD Commander 2000 usually load from a boot disk, why not have your users leave the laptop’s floppy drive at home? If someone steals a laptop with the intention of hacking it with a boot-disk-based utility, not having a floppy drive installed will definitely slow him or her down.

Password security
I’ve seen several cases where laptop users tell Windows to save various passwords, such as those used to access e-mail or to log in to an HTTP server. Having passwords stored locally on a laptop is a bad idea. If someone cracks the primary Windows password, he or she will instantly gain access to all cached passwords. While they may not be able to tell what the password actually is, they will be able to use them to gain access to your company’s network. So the general rule for users should be not to accept the Save Passwords feature when Windows asks.

Use smart cards
One other way of protecting your system against a password breach is to use smart card technology. Once a system has been configured to require a smart card, a user can’t simply enter a password to log in. Instead, he or she will have to insert a smart card into a card reader. As further protection, the smart card requires the user to enter a PIN number before it will allow access to the system.

If you do decide to use smart card technology on your notebook computers, remember to tell users not to store their smart cards and notebooks in the same place. If someone steals or finds a notebook and the required smart card is in the bag, the person only has to figure out the PIN to access the data inside the computer.

Hide valuable data
One of my first IT jobs was a second-shift job at an insurance company. Usually, after 5:00 P.M., there was no one in the office and nothing to do. After a few weeks of boredom, I decided to come up with a way to hide video games on my system’s hard drive. Of course, at that time, sophisticated software detection programs simply didn’t exist. Instead, the company’s policy was enforced through random spot checks.

While it's pointless these days to try to hide entire programs, it's easy to hide sensitive document files. One of the most effective techniques is to disguise a document as a part of Windows. After all, Windows is a really bloated OS, so why not use Windows’ size and complexity to your advantage in a game of hide-and-seek?

For example, suppose that you had a Microsoft Word document named Importantstuff.doc. Instead of leaving this file in you’re My Documents folder, move the file to the \%SYSTEMROOT%\SYSTEM folder and disguise the document as a system file by renaming it to something like 3C5X9.DLL, which would normally be a DLL file associated with a specific type of 3COM network card. The idea is to use a filename that could potentially exist on your system, but doesn’t.

In all Microsoft Windows OSs except 9.x or NT, you can create a directory that uses a null as the directory name. I would do this by entering the MD command at the command prompt followed by a space and then pressing 255 while holding down the [Alt] key. The result of pressing [Alt] 255 is a null character. By using this technique, you'll create a directory that no one can figure out how to access. To prevent anyone from using a GUI interface to point-and-click into such a directory, you can use Norton’s Disk Editor to hide the directory.

As I mentioned, you can’t create a directory with a null name in the 9.x or NT OSs; however, if you’re using the FAT file system, you can boot from an old DOS disk, create a directory, move files into it, and then later take the files out when you need to use them.

Prevent someone from loading a second copy of the OS
A few years ago, I heard about a data-theft technique that was extremely simple and effective. The job was performed on a machine running Windows NT Workstation. The person who was attempting to steal data simply installed a new copy of Windows NT into a different directory. Because the person installed a clean copy of Windows NT, he or she knew the administrative password for that copy of Windows. Therefore, he or she was able to boot to the new copy of Windows NT and then freely browse the contents of the system's hard disk.

Unfortunately, there are very few ways of protecting your system against this type of security breach. The best that you can do is to make it as difficult as possible for someone to install a new copy of Windows. For example, some support techs are in the habit of copying the Windows installation CD to a directory on the hard drive called WINNTCD. Don’t place such a directory on your laptop unless it exists on an encryption-enabled partition.

Another way to prevent someone from loading a second copy of Windows is to make the system partition large enough to contain Windows and your applications but too small to hold anything else. Begin with an ample size NTFS partition. When everything has been installed and you’re happy with the way that the system is running, adjust the size of the pagefile so that it will fill up all but a few MBs of space on the partition. It’s important to leave a few MBs for temporary files. The method for adjusting the pagefile size varies between the different versions of Windows, although the process isn't all that different between versions. In XP, you open Control Panel, click Performance And Maintenance, and click System. When the System Properties sheet appears, select the Advanced tab and then click the Settings button in the Performance section. When the Performance Options properties sheet appears, select the Advanced tab and use the Change button to manipulate the pagefile.

If the partition that contains Windows is the only partition on the system that isn’t encrypted, it will be the only location where a hacker could install a second copy of Windows. Remember, you can’t encrypt the partition that contains Windows, and you can’t install Windows onto an encrypted partition. If you still aren’t convinced, you could always fill in any leftover space on the encrypted partition with meaningless junk, such as a copy of a very large pagefile.

Conclusion
If a laptop is stolen or lost, all of the data on the hard drive is at risk of being compromised. By using one or several techniques I've described, you can help safeguard user and company data. However, the best way to prevent such data from falling into the wrong hands is for users not to allow a laptop to be lost or stolen in the first place.

What's your favorite laptop theft story?
Do you have a favorite story of a user reporting a lost or stolen laptop? If so, send us your comments on how you or your company handled the situation.

 

Editor's Picks