View Full Version : Computer security...what is the BEST solution
goldenfleece 21-01-2006, 09:18 Reviewing PC security, and have a few PCs that are self contained and not networked, all running XP pro. Currently we have standard windows XP user accounts but I am not sure how secure these are? Machines contain a lot of personal data about customers and orders etc, credit card numbers for regular buyers, addresses, bank details, etc not just in secure Access databases, but also spread over various older software user management programs, some of which don't have password control access.
To make such machines 100% secure in case of theft, what should I be looking at to protect all data on the hard drives? I did think about encrypting all the contents using XP encrypting services, but is this very secure if the hard drives get into wrong hands? Will this allow the disks to be read on any other machine? Will we be able to use the disks in other machines ourselves? Any advice without getting in expensive 3rd party software?
I have heard Windows XP login is easy to crack, which is not good news. And if machines are stolen and hard drives put into other machines, how can I still protect the sensitive data on the disks?
Windows XP login is easy to get around... in fact you'd just take the HD out and mount it and access the files without even having to boot the PC...
as for access files being password protected... again... easy to crack, so don't assume they're particularly safe...
you might want to look into PGP encrypting files or something... to be honest I don't know that much about on the fly encrypting files which is probably what you're after...
although, if someone was stealing your systems they're probably just after the hardware and not the details on them... but you never know I guess
I'll let someone who knows more about the subject tell you what is good, but I can tell you that the things you've suggested aren't... Windows itself offers absolutely no serious protection or security, so I'm afraid it will need some third party solutions. I guess you need something that will encrypt/decrypt the whole drive (or partition) on the fly...
Some computers have built in encryption at the BIOS level which will basically prevent access to the machine AND leave the data encrypted if stolen.
However, I'd say that any hard disc will give up its secrets (certainly civilian ones) if someone wants to pay the data recovery companies for the privilege.
I'd go for physical security. Put the files on ONE PC, and secure that - lock it away, bolt it to the floor if you want, and access it via an encrypted wireless network link from another PC that doesn't keep the data on it. If you like, use a wired link. The machine with the data on it is effectively a server and so you can shut it away and only access it when you need to reboot or similar. It's not convenient in some ways, but physical security is hard to beat.
An alternative is a removable or external disc containing the files that you put in the safe every night.
Joe
As a follow on....
Encrypting files with PGP is only useful if you can GUARANTEE that the files are re-encrypted AFTER they've been used. You'll need to decrypt the files for most applications to read them, unless you have bespoke applications that do PGP encryption and decryption on the fly, which aren't going to be cheap.
Such applications using hard encrypted data are also slow - if you have older PCs you may find the performance hit is unacceptable.
Joe
goldenfleece 21-01-2006, 09:48 I like the idea of a remote PC acting as a wireless server..certainly this could be done here and it could be locked away very securely and run 24/7.
Also considered the idea of removing all key data files from the machines and storing them on portable plug in USB hard drives all of which were removed from the premises at night. Too much info to use memory sticks so it would have to be portable HDDs.
Don't use wireless unless you know what you are doing or have no other choice - the standard methods of encryption aren't totally secure, and it's not that hard to run a cable (if it is hard, your wireless signal might not work so well anyway! :)). I guess it depends whether you think the risk is someone targeting your data, or if you just want to secure it from opportunistic thieves.
If you're going to take the data away on removable drives, where is it going? It would be unfortunate to go through all this to have the data stolen from home...
goldenfleece 21-01-2006, 10:10 just want to secure it from opportunistic thieves.
If you're going to take the data away on removable drives, where is it going? It would be unfortunate to go through all this to have the data stolen from home...
yes just in case of random thieves in general really. The USB drives could be locked away very securely on the premises where no one could find them. Quite a few nooks and crannies.
as above, you're more likely to have the physical PCs stolen than the data off them, so make them as impractical to move as possible, anything over 128bit encryption is going to be very difficult to break - thousands of computing hours, 512bit is getting on for military encryption. Make sure that the machines are free of any spyware and viri before encrypting though - possible issues with keylogging... The most secure PC is one that is not connected to the internet though... Then no remote access is possible. It is possible to arrange a network so the 'server' has no internet access, and the 'terminals' can.... I've been advised that buying a linksys wifi router WAG54G is a good option - they won't connect to the internet at the best of times, and enabling the internet will completely shaft the connection!!!!! ;)
Martin_s 24-01-2006, 09:44 I'd need to check this to be sure but I'm pretty sure that you can encrypt windows files in WinXP so that only that user can access them.
- Right click the relevant areas,
- choose "properties" -> "General" tab
- Click the "Advanced" button
- You can then set the "Advanced Attributes" for those files including encrypting them.
No idea how secure that is but I'm pretty sure it deals with the "pull out a hard drive and read it on another PC" side of things.
At university we use the Cryptoloop functionality built into more recent versions of Linux (i.e. ones based on the 2.6 kernel - Cryptoloop is part of the CryptoAPI). We also use encrypted communication via ssh to ensure that even internally communications cannot be intercepted, as the data we handle is confidential. This is a very good way to ensure data is safe. The server we use also has a very minimal amount of software (i.e. no graphical interface with web browser and other software that can be exploited). It was also quite easy to set up (took about 30 mins including installing it, and hasn't crashed or mis-functioned in three years or so of heavy use).
Even if the hard disk was stolen there's no way the data could be read unless they had a few decades of time to spare!
Can I just ask why you're worrying about this?
If it's to comply with data protection laws then you are only obliged to take "reasonable precautions" to secure the data. Which probably doesn't include any extreme physical measures or expensive bespoke software.
If it's mainly to secure the data against casual perusal after a more normal hardware theft issue, then the standard windows protections will likely be enough. A thief isn't generally bothered about hacking windows, or brute forcing the encryption, they'll just format the drive, install windows again and sell the pc at a car boot.