
What to do in the event of theft, network attacks, or virus infection

Do you realize how important laptops have become to the security of corporate information and assets? Stolen laptops can compromise confidential employee, customer, and trade-secret information. Because of the difficulty of keeping laptops backed up, you can also lose information if a laptop's hard disk becomes corrupted. In addition, laptops are more vulnerable to data loss from network attack and viruses than firewall-sheltered desktop systems. If you have mobile users, you need to take steps to prevent data loss from laptops and minimize your risk if loss occurs.

You can start by teaching your employees some simple low-tech measures to prevent laptop theft. The sidebar "Physical Prevention Measures," page 3, discusses common risks and provides information about proximity alarms and cable locks. However, both Windows 2000 and Windows NT are vulnerable if an attacker does manage to gain physical access to a system, and any hard disk can become corrupted or irretrievably damaged. You need to go further to minimize loss of confidential information and ensure that you can recover it should all your protective measures fail.

Protecting Laptop Data
For anyone with physical access to an NT laptop, reading its files is a piece of cake. A thief needs only to boot a DOS floppy disk and run Winternals Software's NTFSDOS Professional utility, which reads NTFS volumes without any regard for NT's file permissions. An inexpensive way to complicate a thief's job is to disable floppy-disk and CD-ROM boot in the BIOS and password-protect the BIOS setup. However, a determined thief, armed with a little Internet research, can reset your BIOS (typically by opening the case and moving a jumper) or can simply remove the hard disk and install it in an unsecured laptop. Some laptops, such as IBM's ThinkPads, use the ATA (IDE) drive-password command, part of the ATA SECURITY feature set, to assign a password that the drive firmware itself enforces, so the password stays with the disk even if the thief moves the disk to another computer.

Often, intruders aren't content with accessing the laptop's files; they want to reach the company's VPN or RAS servers. Unfortunately, many companies configure VPN and RAS connections to store passwords so that users needn't enter them each time they connect. In such a case, the attacker will try to use your name and password to log on to the network. If you use local user accounts instead of domain accounts, the intruder needs only to boot the laptop from an Offline NT Password & Registry Editor (i.e., Ntpasswd) boot disk. The utility mounts the computer's NTFS or FAT volumes, locates the SAM, and displays a list of usernames. The attacker selects the desired username, and the utility prompts for a new password. Ntpasswd edits the SAM and replaces the account's current password hash with the hash of the new password. The attacker then reboots into NT and logs on as that user, with the stored VPN or RAS password ready to use.

You might think that the Syskey tool would provide protection because Syskey encrypts the password hashes in the SAM. However, Ntpasswd can disable Syskey regardless of the key-storage mode you use, so configuring Syskey to require a startup password or floppy disk isn't much help. Because the password hashes for domain accounts reside on the domain controllers rather than in your workstation's SAM, Ntpasswd has nothing to rewrite if users log on to their computers with domain accounts. I highly recommend that you avoid using local user accounts on NT and Win2K laptops. Domains provide much better security in this scenario.

Attackers who want to log on to an NT computer with administrative authority don't even need Ntpasswd or a cracker tool such as L0pht Heavy Industries' L0phtCrack. They can simply load NTFSDOS Pro and delete the SAM from %systemroot%\system32\config. After a reboot, NT graciously creates a new SAM and gives the Administrator account a blank password. Consequently, the only way to protect information on an NT laptop is to use a third-party disk-encryption or file-encryption program. Both have pros and cons.
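The two attacks above both come down to the contents of the SAM: Ntpasswd writes a replacement NT hash, and deleting the SAM leaves Administrator with the hash of an empty password. The following is an added example, not code from the original article or from the Ntpasswd project. It computes the NT hash the way NT does (MD4 over the password encoded as UTF-16LE, implemented here in pure Python because many current hashlib builds omit MD4) and then audits a SAM dump for accounts a thief could use without cracking anything. The dump lines are constructed in pwdump format (user:RID:LMhash:NThash:::); the usernames and the service-account password are assumptions.

```python
"""NT password hashes as Ntpasswd rewrites them, plus a blank-password audit."""
import struct

MASK32 = 0xFFFFFFFF
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4 of the empty string
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: three rounds of 16 steps over each 64-byte block."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]

        def step(fn, i, k, s, const):
            t = (-i) % 4                      # update a, d, c, b in turn
            y, z, w = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
            v[t] = _rotl((v[t] + fn(y, z, w) + X[k] + const) & MASK32, s)

        for i in range(16):                   # round 1: X[0..15] in order
            step(F, i, i, (3, 7, 11, 19)[i % 4], 0)
        for i in range(16):                   # round 2: X[0,4,8,12,1,5,...]
            step(G, i, (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4], 0x5A827999)
        order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):                   # round 3
            step(H, i, order3[i], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1)
        a, b, c, d = ((a + v[0]) & MASK32, (b + v[1]) & MASK32,
                      (c + v[2]) & MASK32, (d + v[3]) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """The value Ntpasswd stores in the SAM for the password you type."""
    return md4(password.encode("utf-16-le")).hex()


def audit_sam_dump(lines, wordlist=()):
    """Flag accounts a thief could log on to with no cracking: blank passwords
    (the state of Administrator after the SAM-deletion trick) and passwords
    that appear in a short wordlist."""
    guesses = {nt_hash(w): w for w in wordlist}
    findings = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, nt = parts[0], parts[3].lower()
        if nt == EMPTY_NT_HASH:
            findings.append((user, "blank password"))
        elif nt in guesses:
            findings.append((user, f"password is '{guesses[nt]}'"))
    return findings


# Constructed SAM dump (pwdump format); the accounts are assumptions.
SAMPLE_DUMP = [
    f"Administrator:500:{EMPTY_LM_HASH}:{EMPTY_NT_HASH}:::",
    f"jsmith:1001:{EMPTY_LM_HASH}:{nt_hash('password')}:::",
    f"svc_backup:1002:{EMPTY_LM_HASH}:{nt_hash('S3cret!Laptop')}:::",
]

if __name__ == "__main__":
    for user, reason in audit_sam_dump(SAMPLE_DUMP, ["password", "letmein"]):
        print(f"{user}: {reason}")
```

Two things to note: the hash of the empty password, 31d6cfe0d16ae931b73c59d7e0c089c0, is a constant worth memorizing, because it is what you will see for Administrator after the SAM-deletion attack and for any local account someone "temporarily" left blank; and the MD4 step has no salt and no work factor, which is why a thief who copies the SAM instead of editing it can run a dictionary through nt_hash at full speed.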

Disk-encryption programs (e.g., PC Dynamics's SafeHouse, SoftWinter's SeNTry, Jetico's BestCrypt) let you encrypt data at the disk level so that the encryption is transparent to applications and requires little user interaction (other than entering a password at startup). Some of these tools run between NT and the hard disk, encrypting the entire hard disk. Virtual volume-encryption programs, such as BestCrypt, run as a device driver that creates one large file on an NTFS volume and presents that file to the system as another volume. I prefer the latter type of tool because it's less intrusive and yields more stable results. Because of disk-encryption products' low-level nature, as well as the inherent stability and speed concerns that arise, few companies have implemented these products without angering users. Before you implement such a tool, be sure to evaluate several products in limited rollouts.

A less practical option is a file-based encryption tool, such as Network Associates' PGP. This type of product demands that users consciously encrypt files after using them in applications and decrypt them before. File-encryption programs are much more stable than disk-encryption tools, but users soon tire of encrypting and decrypting files all the time and often stop using the tool. Also, file-encryption programs leak unencrypted information: when the user deletes the clear-text version of a file after encrypting it, NT merely marks the file's clusters as free, and the plain text remains in those unused sectors until something else happens to overwrite them, where a thief with a sector editor can read it. On laptops that run NT, I recommend that you use a virtual volume-encryption product and perform regular backups in case the encrypted volume becomes corrupted.
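To make the free-space leak concrete, here is an added example that is not code from the original article or from any product it names. It builds a toy cluster-allocating disk, writes a memo, writes its encrypted copy the way a file-encryption tool would, deletes the clear-text copy with an ordinary delete, and then scans the unallocated clusters the way a thief's sector editor would. The disk, the allocator, the memo text and the stand-in cipher are all constructed here so that the demonstration runs offline; the secure_delete routine shows what an overwrite-before-delete step has to do to close the hole.

```python
"""Why file-level encryption leaks plaintext into free space."""
import hashlib
import os

CLUSTER = 16  # bytes per allocation unit in the toy disk


class ToyDisk:
    def __init__(self, clusters=64):
        self.media = bytearray(clusters * CLUSTER)  # raw sectors, as a sector editor sees them
        self.free = list(range(clusters))           # unallocated clusters
        self.files = {}                             # name -> cluster chain

    def write(self, name, data: bytes):
        need = max(1, (len(data) + CLUSTER - 1) // CLUSTER)
        if need > len(self.free):
            raise OSError("toy disk full")
        chain = [self.free.pop(0) for _ in range(need)]
        for i, cl in enumerate(chain):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.media[cl * CLUSTER:cl * CLUSTER + len(chunk)] = chunk
        self.files[name] = chain

    def delete(self, name):
        """Ordinary delete: the directory entry goes, the data stays on the media."""
        self.free.extend(self.files.pop(name))

    def secure_delete(self, name, passes=3):
        """Overwrite every cluster of the file before releasing it."""
        for cl in self.files[name]:
            for _ in range(passes):
                self.media[cl * CLUSTER:(cl + 1) * CLUSTER] = os.urandom(CLUSTER)
            self.media[cl * CLUSTER:(cl + 1) * CLUSTER] = bytes(CLUSTER)
        self.delete(name)

    def free_space_contains(self, needle: bytes) -> bool:
        """Raw scan of the unallocated clusters, in media order, for a fragment."""
        blob = b"".join(self.media[cl * CLUSTER:(cl + 1) * CLUSTER]
                        for cl in sorted(self.free))
        return needle in blob


def stand_in_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the PGP output: a SHA-256 keystream XOR. Not a real cipher;
    only the property that no plaintext substring survives in the output matters."""
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(plaintext, stream))


SECRET = b"Constructed memo: Q3 target is Widget Inc, offer 42M"  # constructed sample
FRAGMENT = b"Widget Inc"


def plaintext_leaks(secure: bool) -> bool:
    """Encrypt a file the way a file-encryption tool does (write the ciphertext,
    then remove the clear copy) and report whether a free-space scan finds it."""
    disk = ToyDisk()
    disk.write("memo.txt", SECRET)
    disk.write("memo.txt.pgp", stand_in_encrypt(b"toy key", SECRET))
    if secure:
        disk.secure_delete("memo.txt")
    else:
        disk.delete("memo.txt")
    return disk.free_space_contains(FRAGMENT)


if __name__ == "__main__":
    print("fragment readable after ordinary delete:", plaintext_leaks(False))
    print("fragment readable after secure delete:  ", plaintext_leaks(True))
```

The overwrite step is the whole difference between the two runs. It also shows why the virtual-volume approach is easier to live with: when every write already lands inside an encrypted container, nothing needs to be wiped afterwards, and the user never has to remember to do it.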

A Note About Win2K's EFS
If you've migrated your laptops to Win2K Professional, you're probably excited about the OS's Encrypting File System (EFS) feature. But be wary of two EFS gotchas: clear-text leakage and EFS certificate management. First, follow the recommendations in the Win2K Help document "Best Practices for Encrypting File System" (http://support.microsoft.com/support/kb/articles/q223/3/16.asp). Second, to prevent attackers from scavenging the pagefile for clear-text fragments of encrypted files, configure your laptops to clear the pagefile at shutdown. To set this option for every computer in your domain, go to Administrative Tools and open Active Directory Users and Computers. Right-click the domain root and open the Properties dialog box. On the Group Policy tab, highlight Default Domain Policy and click Edit. In the Group Policy tree, drill down to \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, and enable the Clear virtual memory pagefile when system shuts down option. This policy sets the REG_DWORD value ClearPageFileAtShutdown to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, so you can confirm on any individual laptop that the setting actually arrived by checking that value. Third, be aware that attackers can defeat EFS if your laptop isn't a member of an Active Directory (AD) domain: on a standalone Win2K system, the local Administrator account is the default EFS recovery agent, and as described above, an attacker with physical access can take that account over. (For information about this vulnerability, see my Windows 2000 Magazine article "Controlling Group Policy, Part 1," http://www.win2000mag.com, InstantDoc ID 15704.)





Reader Comments

Interesting article, but it misses one point: Users don't shut down the laptop or even log off before leaving the office. Rather, they put the computer in standby or hibernation mode, in order to restore the desktop instantly at some temporary workplace (home, airport, train, etc.).

Thus, the administrator cannot rely on policies such as clearing the pagefile on shutdown or updating virus signatures on logon. Those events simply don't happen very often.

An attacker (e.g. a thief) would have to provide the user's or an administrator's password to wake up the machine. Evidently, the passwords are checked locally. Can they be easily cracked in that situation?

Lars Staurset