Jan 15

I recently sat in a meeting to discuss our company’s laptop security practices. Now, we aren’t a publicly traded company but we should be protecting our data to the best of our abilities without impacting the user too much. There were many topics discussed in this meeting — everything from encryption of the HDs to using encrypted thumb drives to CMOS passwords/HD passwords via the CMOS. It was a fun time and explaining why certain processes would be helpful and others wouldn’t was quite a challenge.

I think we finally came to the realization that encrypting all of our hard drives was not going to be a viable option. The major issue we face is we have too many older laptops that do not offer hardware encryption on the drives. Software encryption is an option but in my experience it’s a slow and painful process that usually requires some work on the user’s end to make it function properly.

Next we talked about thumb drives or remote devices. Something with built-in encryption and possibly a fingerprint scanner on the drive itself. While this seems like a great idea we run into two different issues. First, we would need to get the users to start saving all of their data to the thumb drive — those who have worked in an IT department (which is probably quite a number of you) know that getting someone to do something different, no matter what it is, is never a walk in the park. In fact, it’s downright horrible to have to explain time and time again that we have this process to protect them, their data and the future of their company. Seems like a simple argument but it’s usually right over their head.

We came up with a third option which was protecting the user’s computer and hard drive with a password out of the BIOS. Let’s stop people in their tracks before they even get the POST from the machine. That way the data on the drive is protected and the computer is useless to the person if they stole it or “found” it somewhere (interestingly enough, seeing it in someone’s locked car, breaking the window and taking it off the back seat is sometimes still referred to as “finding” it.) In our shop we run with Dell, HP and Lenovo primarily but we always have a few other machines here or there that don’t match spec of the company. The next step was figuring out how to protect the user’s machine while still giving us the ability to get into it later on. This posed a challenge. There is an administrative function on the machine but then how do we A) choose the password for the machine and B) make sure that we can get into it later on even if the user changes their own password.

I came up with 3 options and I’m hoping to get some input to find out what you think would be the best option:

  1. Generate the administrative password for each machine randomly and record it in some sort of protected document.
  2. Choose a single admin password for all of the laptops.
  3. Create a unique password per machine that can be revealed at a later date (almost like MD5 hashing)

I know what my preference is but I wanted to find out what the community thought. So, thoughts?
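Option 3 above can be built as a keyed derivation rather than a plain hash. The following is an added example, not part of the original post: it uses HMAC-SHA256 (swapped in for the MD5 the post mentions) keyed with a master secret held by IT, and the function names, asset-tag format, alphabet and password length are assumptions.

```python
import hashlib
import hmac

# Characters that are hard to confuse when typed at a pre-boot prompt
# (no 0/O, 1/l/I). Alphabet and length are assumptions; check them against
# each vendor's firmware password limits.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789"


def normalize_tag(asset_tag: str) -> str:
    """Canonical form of the service/asset tag so lookups are repeatable."""
    tag = asset_tag.strip().upper()
    if not tag:
        raise ValueError("asset tag is empty")
    return tag


def derive_admin_password(master_secret: bytes, asset_tag: str,
                          length: int = 12, version: int = 1) -> str:
    """Derive a per-machine admin password from one master secret.

    HMAC-SHA256 is keyed with the master secret, so a password read off one
    laptop does not reveal the secret or any other laptop's password.
    Bump `version` to rotate every password without changing the secret.
    """
    if len(master_secret) < 32:
        raise ValueError("master secret must be at least 32 random bytes")
    label = f"bios-admin|v{version}|{normalize_tag(asset_tag)}".encode()
    # Rejection sampling: discard bytes that would bias the modulo.
    limit = 256 - (256 % len(ALPHABET))
    chars, counter = [], 0
    while len(chars) < length:
        block = hmac.new(master_secret, label + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        chars.extend(ALPHABET[b % len(ALPHABET)] for b in block if b < limit)
        counter += 1
    return "".join(chars[:length])


if __name__ == "__main__":
    # Constructed sample values; a real secret comes from os.urandom(32)
    # and lives in a vault, not in the script.
    secret = bytes(range(32))
    for tag in ("ABC1234", "XYZ9876"):
        print(tag, derive_admin_password(secret, tag))
```

Anyone holding the master secret can regenerate every machine's password, so it needs the same protection the protected document in option 1 would get.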
