Laptop Security…

Access control
Application security
Current threats
Digital certificates
Disaster Recovery
human factors
Identity & Access Management
Incident response
Instant Messaging
Intrusion management
Microsoft Exchange
Network security
PEN testing
Platform Security
Risk management
Secure Coding
Security Program Management
Security tokens
Single sign-on
vulnerability management
Web security
Hi, I am the head of my department and by the nature of the job I hold some confidential information on my laptop. How do I ensure that 1. Nobody can access any files on my laptop from the LAN or the internet (not even sys admins) 2. If somebody tries to access, can I find out /trace who it is or which computer is trying to access my stuff? cheers Blackmagic

Answer Wiki

Thanks. We'll let you know when a new response is added.

You can minimize your risks. The following suggestion are not enough for the truly paranoid, but I believe them to be good for normal yet wary people.

1. Get disk encryption tools like SafeGuard. Encrypted disks cannot be read by removing the physical disk.

2. Install a personal firewall on your laptop that is fully managed by you – ZoneAlarm is a good candidate.
Block all shared folders, shared printers nad remote management tools.

3. Create encrypted volumes where you store your sensitive material. Windows has EFS which may be good enough, but commercial solutions also exist, like pgp disk.


Discuss This Question: 12  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • Mistoffeles
    One thing you should consider - if you have reason to distrust your SysAdmins, there is a problem. Their job involves access to sensitive data, and if you can't trust them, there is something wrong either on their end or on yours. Just food for thought, nothing more. Cheers
    0 pointsBadges:
  • Bobkberg
    Mistoffeles makes an excellent point, but I'd like to expand on it - based on my own experience. There are two factors here - One, which he mentioned is whether or not you can trust your "official" admins. The other is whether or not your organization has tight controls on WHO can be an admin. I recall one place where the director level manager was VERY tight on who could be an admin - until his 14 year old son visited for the summer - and he made his teenager a domain admin. Geez!!!!! Another possibility will give you more control, but may not be allowed - which is to never have your laptop become a member of the domain. This has its own disadvantages and difficulties, but is worth considering. Also - visit and get the appropriate lockdown benchmark standard for your laptop O/S. This will eliminate many potential entry points into your system to begin with. It's a consensus-based tool, so there are many points of view incorporated, which allows for awareness of weak points that any one person might not have thought of. And follow the other recommendations above about encryption too. Bob
    1,070 pointsBadges:
  • LuisHernandez
    From my point of view to avoid that someone else access your laptop that is connected to internet (or network) requires software but mainly to follows some rules or political. The best software that fix your needs and the guidelines, rules or political to be implemented should be consulted to their administrator. If you don?t trust in this person, as well has mentioned it previously, the solution requires of more depth. In such a case perhaps you need to respond yourself the question: "What I have to do to trust in my administrator and what the administrator has to do to be trusty"?. Maybe you would ask some help from your security suppliers in a reserved way. Going to the bottom of the topic, I believe the most appropriate question is "What I have to do if someone else access to my laptop to avoid he/she can see my critical information?. To use encryption software would be the answer. And this software should be used because even using the best security software always exist the possibility that someone is able to break the firewall (it would be necessary to also consider what happens if someone steal your laptop) The encryption software usually has mechanism to get a logging of who, when and that data was visualized. But remember that the security software and the encryption software even have limitations and it depends on how you follow basic guides/rules to minimize the risk: -If you don't activate your laptop for 5 minutes the system has to ask a password. -Your password must be at least 8 characters length as a combination of lower-cases, capitals and numbers. -Connect your laptop to internet outside your office using VPN. -And several more rules that I sure you must be familiar. Good Luck Luis Hernandez
    0 pointsBadges:
  • JohnBF
    There are some very good points above! I'm assuming the files you wish to protect are "work" files and not "Private" ones in which case I wouldn't want you to use anything other than the built in Windows EPS. This will protect them from casual access but should something disasterous happen to you, your company will with a bit of work be able to recover them. Any security on your machine if it's a work one should be set up and administered by your sysadmins, ask them to enable file and object access auditing on your Laptop and the file system should be set to NTFS. If it's not a work one or you are keeping private files on it, it shouldn't be anywhere near the work domain. As noted above a Sysadmin must have access to anything on the Domain and be responsible for security, including auditing what you are storing on your machine, so this must be a position of ultimate trust within the company.
    60 pointsBadges:
  • BadFinger
    As far as your files... ever think of an encrypted thumb drive? This way they would never be on your laptop in the 1st place.
    0 pointsBadges:
  • Preytell
    All the above replies state one very important point. You admins must be trusted, if they are not, fire them and hire someone you do trust. That said there is one exception to the above rules. You company must have a clearly defined data proctection policy, to protect your files and more important, to protect thier intrest. The files on your laptop are not yours, you a a trustee for the company, and if you leave, get hit by a bus, or just plain up a die the company must have access to your files for your replacement. I would never suggest to anyone in a corporate invironment to install any encryption software, or personal firewall without consent of management and IS backing. Encrytion software must have third party key escrow so when you disappear the keys can be recovered and the files passed to your successor. To stop the poking around in your data you must consider all the other places that the files exist, I assume you are backing up these files, and that those backups are somewhere on the network or on tapes that IS controls? Do you gather this data via some plain text or standard protocol from a network source that can be "sniffed" by a network administrator? Once again, you must trust in your admins. To repeat a famous quote, "There is no such thing as security, there is only your understanding of reality."
    0 pointsBadges:
  • Preytell
    Wow, and I spell checked that. I apologize for the complete massacre of the English language in my previous post.
    0 pointsBadges:
  • INeedHelp61
    Sounds like you are more concerned with internal threats than external. This may be valid, but I would not ignore the external threat - such as theft of your laptop. Until you a good encryption solution set up, I would store confidential data on your network (with appropriate access controls) rather than on the laptop.
    0 pointsBadges:
  • Josephs
    Methods described are good. If the data to be protected is your company's data than it ultimately belongs to the company. In that case, somebody has to be trusted to access the data in case you are unavailabe to access the data yourself. This has to remembered specially when encription is to be used. A safe copy of the 'key' has to be left with someone for an emergency alternate access.
    0 pointsBadges:
    I have to go with the flow and say that if you don't trust your sysadmin than a)fire him (if you can, you are only a dept head if I read right) b)keep the information on an encrypted (moreso password protected) external drive (such as a thumb drive). Password protect the needed files (easily done in MSOffice and using windows security (are we talking windows here? sometimes I assume)) you can usually trace it through event log files NOW LET LOOK @ THE DOWNFALL OF THIS NOBODY CAN ACCESS THING 1) you must update your own computer to keep it safe and secure (your sysadnin probably takes care of this right now) This includes Likely canidates such as your Operating System and Virus protection but also Quicktime, Adobe, Realplayer, Web applications Yahoo mail, gmail ( . . .ok ok I'll stop because the list is inexhaustable.) 2) You must be responseable enough to watch against all malware known and unknown 3)if you forget the password or code to these files you might be up **** creek w/o a paddle) this happened to us with quickbooks the ED had it passcoded and did not remember the code to get in (luckly I "bashed" my way in.) 4)backing up will be your responsibilty too cause in the sysadmin can't get in via any account including the backup operator account than that stuff only exisits @ your whim. Finally if the sysadmin is at all versed, he may be able to get in no matter what you do to the laptop (see suggustions a) and b) above :-) Blackmagic if you're asking sysamdmins if we think a dept head should stop all file access I think we're mostly going to answer no. If you want a few files inaccessable it is easy and many of us would love to point you in the correct direction
    0 pointsBadges:
  • Maclanachu
    If u r concerned about the LAN admins. 1 remove ur computer from the domain to it is it's own local workgroup. 2 double check the local admins group and remove anyone bar urself and the local admin account. 3 Change the local admin account to something only u know. If u do forget pwds and that u can always use a bootable cd with a pwd cracking tool to reset the local admin account. 4 Ur local admins may now be a bit miffed at u and u r now on ur own in terms of backups. If that laptop gets stolen or HD broken, how do u plan to recover? Make regular backups to dvdcd and don't leave the backups in the laptop bag or ur car. 5 set up auditing on ur sensitive folders so u can keep a track of any attempted access: from XP help: To apply or modify auditing policy settings for a local file or folder Open Windows Explorer. Right-click the file or folder that you want to audit, click Properties, and then click the Security tab. Click Advanced, and then click the Auditing tab. Do one of the following: To set up auditing for a new user or group, click Add. In Enter the object name to select, type the name of the user or group that you want, and then click OK. To remove auditing for an existing group or user, click the group or user name, click Remove, click OK, and then skip the rest of this procedure. To view or change auditing for an existing group or user, click its name, and then click Edit. In the Apply onto box, click the location where you want auditing to take place. In the Access box, indicate what actions you want to audit by selecting the appropriate check boxes: To audit successful events, select the Successful check box. To stop auditing successful events, clear the Successful check box. To audit unsuccessful events, select the Failed check box. To stop auditing unsuccessful events, clear the Failed check box. To stop auditing all events, click Clear All. If you want to prevent subsequent files and subfolders of the original object from inheriting these audit entries, select the Apply these auditing entries to objects and/or containers within this container only check box. Important Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited. For more information about how to enable object access auditing, see "Define or modify auditing policy settings for an event category" in Related Topics. Notes You must be logged on as a member of the Administrators group or you must have been granted the Manage auditing and security log right in Group Policy to perform this procedure. To open Windows Explorer, click Start, point to All Programs, point to Accessories, and then click Windows Explorer. For information about how to audit local registry keys, see "Audit activity on a registry key" in Related Topics. After object access auditing is enabled, view the security log in Event Viewer to review the results of your changes. You can set up file and folder auditing only on NTFS drives. If you see the following: In the Auditing Entry for File or Folder dialog box, in the Access box, the check boxes are unavailable ? In the Advanced Security Settings for File or Folder dialog box, the Remove button is unavailable ? auditing has been inherited from the parent folder. Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer. 6 If u can get the budget hang tough for Vista. It has some super duper encryption and stuff that supposedly will make it impossible to get data even if they have physical access. Allegedly.
    0 pointsBadges:
  • DarkCornerBoy
    Stop being so childish. As a SysAdmin I can see whatever I want - no matter what you try and do. But we dont. It's just as good as saying you want to go see a therapist, but you want to kill him when you leave - just incase he tells someone. Just quit and go find something else to do where you dont have confidential data to deal with. Also, distrust stems from within - if you dont trust them you are most likely a devious person yourself. Aah - I feel better now !
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: