The Road Warrior's Guide to Laptop Protection
January 31, 2006
If you've been traveling for a while, you've probably experienced the nightmare of boarding your plane without a key piece of luggage. If that piece is your laptop, you might consider taking that dream flight to Hawaii instead of returning to work. You might have just placed your corporation's key intellectual property directly into the hands of your competitor. As knowledge workers become more and more mobile, and as the computing and knowledge management tools we all depend on become more powerful, increasing volumes of data are floating around, largely unprotected, on laptops!
Large chunks of source code, financial data, corporate strategies and more can all easily fit on a laptop's hard drive along with a few days worth of music! As that laptop travels well beyond the bounds of the traditional corporate security realm, this data becomes much less secure. Without adequately protecting the data on board your mobile computer, you are virtually inviting the public inside your corporation's networks.
Secure Your File System
The file system of your computer controls how data and files are stored on disk and how access to those items is controlled. Windows XP and Windows 2000 Professional give you multiple choices for what file system your hard drive will be formatted with; you can use the FAT, FAT32 or NTFS file systems. FAT and FAT32 are provided for legacy and upgrade compatibility, because they were the standard filesystems for Windows 95/98/Millenium.
NTFS provides a number of welcome improvements, including access controls that let you specify which users can access which files. NTFS Access Control Lists (ACLs) grant or deny specific users and groups the permissions on files and folders that you want them to have. Individual users can be granted Read, Write, Change or Full Control to a given file or folder containing files. By default, permissions are hierarchical, with each folder inheriting permissions from the folder above all the way up to the root drive.
Action: If you're not using NTFS on your laptop, follow these instructions to convert your disks to NTFS.
Protect Your Laptop Against Theft
In the glaringly obvious department: if you keep good physical control over your laptop, it will be harder to steal. A few examples:
Use a cable lock. Cable locks easily make up for their added travel weight by deterring casual thefts in both hotels and at workplaces. As long as you pick something secure to lock your laptop to, you will not have to fret about it at work when you leave for lunch or back at the hotel when you head out to dinner. Be sure to lock up your laptop whenever you have to leave it unattended.
Don't leave your laptop unattended. For example, when you're going through security at the airport, and they make you put your laptop through the X-ray machine, stand there and wait for it so no one can grab it while you're taking off your shoes and so forth.
Label all of the laptop's components. This may not deter a determined thief, but it does make it more likely that you'll get back that battery, port replicator, or other piece that you accidentally leave somewhere.
Disable Auto-Logon
Of course, why do people need to take your laptop if you give them free access to the data inside it when your account automatically logs on? Both Windows 2000 and Windows XP give you the option to have the operating system automatically log on with specified user credentials upon boot. This is extremely convenient, but it gives unauthorized users a free ticket to your data—auto-logon isn't always a bad choice at home, but it is an ill-advised configuration when you are traveling with important corporate information on your laptop.
To disable auto-logon in a Windows XP computer:
1. Point to Start and then click Run.
2. In the Open box, type control userpasswords2.
3. In the dialog box that appears, make sure that the Users must enter a username and password to use this computer option is checked.
4. Click OK.
Encrypt Critical Files
Passwords and NTFS ACLs go a long way in keeping would be hackers away from your system. Unfortunately for mobile users, if the hacker has unlimited physical access to the machine, they will eventually find a way to the bits on the hard drive. (Remember, if a bad guy has unlimited physical access to your computer, it's not your computer anymore.)
Aside from chaining the laptop to your wrist while you are in the airport, you should consider that someday your laptop might not board with you on your flight back home. Besides from the potentially painful expense of replacing your laptop, you might have just handed over some very expensive corporate data (or personal information) that far outweighs the cost of the hardware.
The Encrypting File System (EFS), which runs on top of NTFS, allows you to encrypt selected files and folders on your hard drive, rendering them extremely difficult for a malicious user to decipher. EFS best practices dictate that you encrypt folders instead of files to ensure that all temporary files written to the folder while working with the data are also encrypted.
Of course, not everything on your hard drive needs to be encrypted; you can choose what to encrypt based on its value. As many people use the "My Documents" folder as a repository for their information, the EFS best practices recommends that it be encrypted as well.
Use Strong Passwords
The next worst thing to enabling auto-logon on a laptop is using your name, birthdate, favorite color, or something else easily guessable as a password. This simple rule would save a lot of administrative headaches and potentially your data as well: Don't use an easily guessable password. The stronger your password is, the less likely an attacker is to gain access to your machine.
Depending on its complexity, a password can be the weakest link in the line of defense between your data and attackers trying to log on to your computer. If a user can guess your password, or if you do not have one, he will have exactly the same access to your system and data that you do. To make matters worse, there are many programs out there that try to guess passwords by using dictionaries to programmatically generate passwords. Strong passwords, made up of a combination of numbers, letters and symbols make life much more difficult for malicious users and password guessing programs.
In addition to your password, you should confirm that every other account on your computer has a strong password as well. To ensure that all local user accounts have strong passwords, you can configure your computer's local policy to require them. To enforce strong passwords in Windows XP Professional:
1. Point to Start, Programs, Administrative Tools and click Local Security Policy
2. In the Local Security Settings window, under Account Policies, click on Password Policy to view the local password policies.
3. Double click the Password must meet complexity requirements policy and click Enabled.
About the Author
You May Also Like