Disaster Recovery

Take steps to protect your data before it is too late

Operating systems and applications can always be reinstalled, but your data is unique, making it the most important thing on your computer or network.

When you think about it, the most valuable thing on your computer or network is the data you create. After all, that data is the reason for having the computer and network in the first place -- and it's the bits and bytes that make up that data that are your first priority when putting protective strategies in place. Operating systems and applications can always be reinstalled, but user-created data is unique and, if lost, may be irreplaceable.

Some data is also confidential; not only do you not want to lose it, but you don't want others to even view it without authorization. Exposure of your social security number, credit card number, and bank account information could subject you to identity theft. Company documents that contain trade secrets, personal information about employees or clients, or the organization's financial records are also highly confidential.

Let's look at some ways to protect your all-important user data from loss and/or unauthorized access.

Adapted from a 10 Things article published April 17, 2006.

Back up early and often

The single most important step in protecting your data from loss is to back it up regularly. How often should you back up? That depends -- how much data can you afford to lose if your system crashes completely? A week's work? A day's work? An hour's work?

You can use the backup utility built in to Windows (ntbackup.exe) to perform basic backups. You can use Wizard Mode to simplify the process of creating and restoring backups, or you can configure the backup settings manually and schedule backup jobs to be performed automatically.

There are also numerous third-party backup programs that can offer more sophisticated options. Whatever program you use, it's important to store a copy of your backup offsite in case of fire, tornado, or other natural disaster that can destroy your backup tapes or discs along with the original data.

Use file-level and share-level security

To keep others out of your data, the first step is to set permissions on the data files and folders. If you have data in network shares, you can set share permissions to control what user accounts can and cannot access the files across the network. With Windows 2000/XP, this is done by clicking the Permissions button on the Sharing tab of the file's or folder's properties sheet.

However, these share-level permissions won't apply to someone who is using the local computer on which the data is stored. If you share the computer with someone else, you'll have to use file-level permissions (also called NTFS permissions, because they're available only for files/folders stored on NTFS-formatted partitions). File-level permissions are set using the Security tab on the properties sheet and are much more granular than share-level permissions.

In both cases, you can set permissions for either user accounts or groups, and you can allow or deny various levels of access from read-only to full control.
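The difference between the two layers is easiest to see in a small model. The following Python sketch is an added example, not part of the original article and not Windows code: the account names, group names and ACLs are constructed, the permission levels are simplified to sets of rights, and it goes slightly beyond the text in applying the standard rule that network access is limited by both the share and the NTFS permissions.

```python
# Simplified model (an assumption for illustration, not the real Windows ACL engine).
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions"}

def granted(acl, user, groups):
    """Rights one ACL gives a user: every matching allow minus every matching deny."""
    principals = {user} | set(groups)
    allow, deny = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (allow if kind == "allow" else deny).update(rights)
    return allow - deny

def effective(share_acl, ntfs_acl, user, groups, over_network):
    """Effective rights on a file reached over the network or at the local console."""
    ntfs = granted(ntfs_acl, user, groups)
    if not over_network:
        return ntfs  # share permissions are never consulted for local access
    return ntfs & granted(share_acl, user, groups)  # both layers must agree

# Constructed sample: a read-only share on top of an overly generous NTFS ACL.
SHARE_ACL = [("Everyone", "allow", READ)]
NTFS_ACL = [("Users", "allow", FULL), ("Temps", "deny", FULL)]
ALICE = ("alice", ["Everyone", "Users"])
BOB = ("bob", ["Everyone", "Users", "Temps"])

if __name__ == "__main__":
    for name, groups in (ALICE, BOB):
        for over_network in (True, False):
            rights = effective(SHARE_ACL, NTFS_ACL, name, groups, over_network)
            where = "network" if over_network else "local"
            print(f"{name:5} {where:7} {sorted(rights)}")
```

In this sample the read-only share limits alice to reading across the network, but at the local console she has full control because only the NTFS ACL applies; bob is shut out either way because the deny entry on his group overrides the allow.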

Password-protect documents

Many productivity applications, such as Microsoft Office applications and Adobe Acrobat, will allow you to set passwords on individual documents. To open the document, you must enter the password. To password-protect a document in Microsoft Word 2003, go to Tools | Options and click the Security tab. You can require a password to open the file and/or to make changes to it. You can also set the type of encryption to be used.

Unfortunately, Microsoft's password protection is relatively easy to crack. There are programs on the market designed to recover Office passwords, such as Elcomsoft's Advanced Office Password Recovery (AOPR). This type of password protection, like a standard (non-deadbolt) lock on a door, will deter casual would-be intruders but can be fairly easily circumvented by a determined intruder with the right tools.

You can also use zipping software such as WinZip or PKZip to compress and encrypt documents.

Use EFS encryption

Windows 2000, XP Pro, and Server 2003 support the Encrypting File System (EFS). You can use this built-in certificate-based encryption method to protect individual files and folders stored on NTFS-formatted partitions. Encrypting a file or folder is as easy as selecting a check box; just click the Advanced button on the General tab of its properties sheet. Note that you can't use EFS encryption and NTFS compression at the same time.

EFS uses a combination of asymmetric and symmetric encryption, for both security and performance. To encrypt files with EFS, a user must have an EFS certificate, which can be issued by a Windows certification authority or self-signed if there is no CA on the network. EFS files can be opened by the user whose account encrypted them or by a designated recovery agent. With Windows XP/2003, but not Windows 2000, you can also designate other user accounts that are authorized to access your EFS-encrypted files.

Note that EFS is for protecting data on the disk. If you send an EFS file across the network and someone uses a sniffer to capture the data packets, they'll be able to read the data in the files.

Use disk encryption

There are many third-party products available that will allow you to encrypt an entire disk. Whole disk encryption locks down the entire contents of a disk drive/partition and is transparent to the user. Data is automatically encrypted when it's written to the hard disk and automatically decrypted before being loaded into memory. Some of these programs can create invisible containers inside a partition that act like a hidden disk within a disk. Other users see only the data in the "outer" disk.

Disk encryption products can be used to encrypt removable USB drives, flash drives, etc. Some allow creation of a master password along with secondary passwords with lower rights you can give to other users. Examples include PGP Whole Disk Encryption and DriveCrypt, among many others.

Make use of a public key infrastructure

A public key infrastructure (PKI) is a system for managing public/private key pairs and digital certificates. Because keys and certificates are issued by a trusted third party (a certification authority, either an internal one installed on a certificate server on your network or a public one, such as Verisign), certificate-based security is stronger.

You can protect data you want to share with someone else by encrypting it with the public key of its intended recipient, which is available to anyone. The only person who will be able to decrypt it is the holder of the private key that corresponds to that public key.

Hide data with steganography

You can use a steganography program to hide data inside other data. For example, you could hide a text message within a .JPG graphics file or an MP3 music file, or even inside another text file (although the latter is difficult because text files don't contain much redundant data that can be replaced with the hidden message). Steganography does not encrypt the message, so it's often used in conjunction with encryption software. The data is encrypted first and then hidden inside another file with the steganography software.

Some steganographic techniques require the exchange of a secret key and others use public/private key cryptography. A popular example of steganography software is StegoMagic, a freeware download that will encrypt messages and hide them in .TXT, .WAV, or .BMP files.
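To make "redundant data that can be replaced" concrete, here is an added Python example (not from the original article and not how StegoMagic or any particular product works) that hides a payload in the least significant bit of each pixel byte of a 24-bit .BMP file. The cover image and the payload are constructed in the script, and the payload stands in for data that has already been encrypted with separate software, as the text recommends.

```python
import struct

def make_bmp(width, height, fill=(200, 180, 160)):
    """Build a constructed 24-bit uncompressed BMP in memory to use as the cover file."""
    row = bytes(fill) * width
    row += b"\x00" * (-len(row) % 4)              # BMP rows are padded to 4 bytes
    pixels = row * height
    header = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24,
                       0, len(pixels), 2835, 2835, 0, 0)
    return header + info + pixels

def _pixel_offset(bmp):
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    return struct.unpack_from("<I", bmp, 10)[0]   # offset of the pixel data

def hide(bmp, payload):
    """Write a 4-byte length prefix plus payload into the low bit of each pixel byte."""
    start = _pixel_offset(bmp)
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]
    if len(bits) > len(bmp) - start:
        raise ValueError("cover image too small for payload")
    out = bytearray(bmp)
    for n, bit in enumerate(bits):
        out[start + n] = (out[start + n] & 0xFE) | bit
    return bytes(out)

def _read(bmp, offset, nbytes):
    """Reassemble nbytes from the low bits of the 8 * nbytes bytes starting at offset."""
    out = bytearray()
    for b in range(nbytes):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (bmp[offset + b * 8 + i] & 1)
        out.append(byte)
    return bytes(out)

def reveal(bmp):
    start = _pixel_offset(bmp)
    length = struct.unpack(">I", _read(bmp, start, 4))[0]
    if length * 8 > len(bmp) - start - 32:
        raise ValueError("no plausible hidden payload")
    return _read(bmp, start + 32, length)

def max_change(a, b):
    """Largest difference between corresponding bytes of two files."""
    return max(abs(x - y) for x, y in zip(a, b))

if __name__ == "__main__":
    cover = make_bmp(32, 32)
    ciphertext = bytes.fromhex("5a17c3e09b4d22f18e6a0c77d1b3f405")  # constructed sample
    stego = hide(cover, ciphertext)
    print(reveal(stego) == ciphertext, len(stego) == len(cover), max_change(cover, stego))
```

No byte of the image changes by more than 1 and the file size stays the same, which is why the altered picture looks identical to the eye; it is also why the hidden data offers no confidentiality of its own unless it was encrypted first.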

Protect data in transit with IP security

Your data can be captured while it's traveling over the network by a hacker with sniffer software (also called network monitoring or protocol analysis software). To protect your data when it's in transit, you can use Internet Protocol Security (IPsec), but both the sending and receiving systems have to support it. Windows 2000 and later Microsoft operating systems have built-in support for IPsec. Applications don't have to be aware of IPsec because it operates at a lower level of the networking model.

Encapsulating Security Payload (ESP) is the protocol IPsec uses to encrypt data for confidentiality. It can operate in tunnel mode, for gateway-to-gateway protection, or in transport mode, for end-to-end protection. To use IPsec in Windows, you have to create an IPsec policy and choose the authentication method and IP filters it will use. IPsec settings are configured through the properties sheet for the TCP/IP protocol, on the Options tab of Advanced TCP/IP Settings.

Secure wireless transmissions

Data that you send over a wireless network is even more subject to interception than that sent over an Ethernet network. Hackers don't need physical access to the network or its devices; anyone with a wireless-enabled portable computer and a high-gain antenna can capture data and/or get into the network and access data stored there if the wireless access point isn't configured securely.

You should send or store data only on wireless networks that use encryption, preferably Wi-Fi Protected Access (WPA), which is stronger than Wired Equivalent Privacy (WEP).

Use rights management to retain control

If you need to send data to others but are worried about protecting it once it leaves your own system, you can use Windows Rights Management Services (RMS) to control what the recipients are able to do with it. For instance, you can set rights so that the recipient can read the Word document you sent but can't change, copy, or save it. You can prevent recipients from forwarding e-mail messages you send them and you can even set documents or messages to expire on a certain date/time so that the recipient can no longer access them after that time.

To use RMS, you need a Windows Server 2003 server configured as an RMS server. Users need client software or an Internet Explorer add-in to access the RMS-protected documents. Users who are assigned rights also need to download a certificate from the RMS server.


About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

8 comments
Excelmann

From an earlier 2007 TR blog: "Office 2007 uses AES (Advanced Encryption Standard) with a 128-bit key and SHA-1 hashing. For stronger protection, you can increase the key length to 256 bits by editing the registry or using Group Policy. This improves the security of password-protected files, especially when long, complex passwords are used." There are commercial cracking services which state that depending on the length and complexity of a 2007 password it will take months, if not years, to crack the password.

staffordd

This is a good article, but to me, we are almost to the point of diminishing returns. For every new technique we develop to protect data, hackers and criminals are developing FIVE ways to break it. I am no longer sure how or if law abiding, decent citizens will be able to prevail. For example, the article recommends password protecting documents (but then notes that Microsoft's password protection is "relatively easy" to crack) - I disagree. It's INSANELY easy. We did a test at work, and I was one of the subjects. One of our technical people password protected a Word document, and then emailed it to two different people to test. One of those people was myself - I am reasonably technically astute, can install programs, etc. The second person was a Business Analyst, who by his own admission is NOT technical, can operate a computer and understands programs, etc. but certainly not highly technical. The test was - using only Google, break the password and reveal the contents of the document - how fast can you do it? The non-technical person, with NO assistance from anyone, did it in less than five minutes. I did it in about 50 seconds - well under a minute. FIFTY SECONDS. To break a "password protected" Microsoft Word file. And - I had **never** previously used any kind of crack (no jokes here) for any purpose EVER, I had no idea how it would work - and it was INSANELY EASY. I just went out, downloaded the first free program that offered to "recover" my "lost password" - ran it, pointed it at the document - it sent the encrypted info up to a server, that cracked it and sent it back to me unencrypted....ALL IN UNDER ONE MINUTE !!! Unbelievable! The reason I give this illustration, we have many employees here, who are "protecting" sensitive, personal information by "password protecting" it. We have had to undergo a radical reorientation here to demonstrate to these folk that this is NOT a valid way to protect ANYTHING. 
So we are trying to get users to STOP using Microsoft Password Protection (as it's basically useless) and instead, request a restricted access folder on the network, with permissions set for ONLY privileged employees who need to see the sensitive data. But it's not easy. People think their files are safe "oh, it's OK, I put a password on it". Send it to me. In less than a minute, I'll send back an unencrypted version of your document in no time! And I am no hacker. An expert could probably have decrypted that Word document in less than 30, or maybe even 15 seconds. All those sensitive, personal details - unsafe. Obviously, encryption has come a long way, and the advice given here is certainly expert. But unfortunately, what that also does, is that it just informs the criminals of exactly what they need to focus their next "cracking" efforts on - we bring out new encryption technology, they go to work immediately to crack it. Then we have to up our game again. They crack it again....and on and on it goes. I worry about who will "win". However - forget about Microsoft Password Protection - a COMPLETE waste of time from what we found. Have fun ! Dave :-)

Mark W. Kaelin

What steps do you take to protect your data? Do you encrypt your email?

staffordd

>>>>>>From an earlier 2007 TR blog: "Office 2007 uses AES (Advanced Encryption Standard) with a 128-bit key and SHA-1 hashing. For stronger protection, you can increase the key length to 256 bits by editing the registry or using Group Policy. This improves the security of password-protected files, especially when long, complex passwords are used."

>>>>>>There are commercial cracking services which state that depending on the length and complexity of a 2007 password it will take months, if not years, to crack the password.

Fair enough, well spoken. But, my crack time of less than one minute, with NO experience whatsoever, still stands too - it's real. Just so you know, it was Word 2000 that I cracked. But I would say, right off the bat, that to my mind, users of 2007, with whatever amazing functionality it has, are thin on the ground. Most large organisations cannot afford to immediately move to the latest version of Office. If you can, a) you are lucky and b) your documents are protected for months, not minutes and c) it won't be long before months becomes weeks, weeks becomes days, days become hours, and hours pare down to less than one minute. It's a temporary respite only; it's ONLY useful to 2007 users, and MILLIONS and MILLIONS of people are running Office 97, Office 2000, Office 2003. And will continue to do so for YEARS. I still run Office 2000 at home. I've seen a trial copy of Word 2003 and I think one of Word 2007, but I'm not particularly interested - don't need it. And personally, with software, or Operating Systems - I ALWAYS wait at least a year, if not more, before I think about upgrading. This stood me in good stead when I recently STAYED on XP at home and CLEVERLY MISSED the entire "Vista" fiasco. Windows 7 - well, maybe in a few years' time. XP runs well, it's so much better than 95 or any other predecessor - why do I want Vista OR Windows 7 yet??? Word 2000 runs beautifully - why do I need 2007? Certainly not for the improved password protection.
So notwithstanding the excellent news that for you 137 Word 2007 users, your documents are "safe" (maybe) I think my original assertion stands (which just reiterated something in the original article) - that "password protection" - for the bulk of Microsoft users, is about as much protection as a ... well, you fill in the blank. Got to go. Have fun! D. P.S. It's my observation, that the majority of users do not use, refuse to use, "long complex passwords" - in fact, you are lucky if you can get most of them to comply with even a simple password protocol like "use a combination of characters and numerals" so for 99% of people, a "long and complex password" means "mypetsname66", not "wapwap~~tHisP@ssw0rdiSr3allyC0MPYKAYTed24OURSaDaY17~~zeep". So let's say the password is "WifesName32" - how good does that one stack up under the "months to crack" scenario? Food for discussion....

Floop70

Out of curiosity, was this a Word 2007 document? or older?

ExNavyNuke

Password protection on files is like locks on most everything else. They only keep the honest people out. Professional thieves or unethical folk will do what it takes to see and perhaps take what's inside.

kevlar700

Quite right, it's called brute force and there may be other avenues of attack, not to mention whether it was safe whilst you were writing it or typing the password. Encryption's better than nothing though. You can get a free more secure alternative to Office 2007 which opens and saves .docs from http://www.openoffice.org You may want to use the export as PDF (with encryption options too) feature to GUARANTEE that viewers don't have ANY problems on complexly laid out docs though.

angelacat

I usually export documents to PDF files for a few reasons. The first is to make my files more accessible during distribution; the second is to secure the files, because PDF files are not easy to edit directly, and I can also add a password to a PDF file to protect it from copying, printing and editing. Even though there is software out there making Acrobat security completely illusory, in most cases it's a safe way to display files.
