Last week, I wrote about Microsoft's Encrypting File System (EFS). A few readers pointed out that when you improperly configure EFS, an intruder can defeat EFS to expose a system's data. Other readers noted that I didn't offer any encryption suggestions for Windows NT 4.0 systems. This week, I fill in the gaps.
Kip Boyle wrote to point out that when using EFS, you must modify the Recovery Agent's default setup in which the Administrator account is the agent for locally encrypted data. You should reassign the Recovery Agent role to a separate domain account so that in the event of failure, the designated domain account-based Recovery Agent can recover the data. Also, if you send sensitive data over a network in clear text, the EFS security becomes less effective: A malicious user can capture your data as it travels over the network, so consider using IPSec to secure any network communications.
Frank Knobbe reminded me that NT 4.0 users need to protect their data too, but NT doesn't support EFS. NT users should consider a third-party add-on solution, such as PC Guardian's Encryption Plus for Hard Disks (EPHD). The product runs on NT and Windows 9x and uses Bruce Schneier's 160-bit Blowfish algorithm for encryption. In addition, the product supports a one-time password in case users get locked out of their data.
EPHD might offer some users advantages over EFS and virtual-drive type encryption products, such as PGPDisk, because EPHD encrypts the complete disk, including the registry and OS files. EFS encrypts only selected files and folders, not system files. Virtual-drive encryption systems create a large disk-based file that is subsequently mapped to a virtual drive letter, where only the virtual drive's contents are encrypted. Take a look at EPHD—it's good stuff.
Last week, I also mentioned the need for cable lock systems for your laptop, but I didn't name any vendors. PCGuardian has some great cable lock systems for various applications, as does Noble Security Systems.
If you want more than just a cable lock, be sure to look at bluVenom, "" which is an intelligent, portable alarm that locks directly into your disk drive—like a car alarm for your PC. The device has adjustable sensitivity for its built-in motion detector, which lets out a 120-decibel siren when someone moves the computer.
The bottom line is that you can't be overcautious when securing your data and hardware—especially when it comes to portable devices. Be certain you understand the complete scope of a security product before you decide which one to use; you'll save a lot of time and headaches. Until next time, have a great week.
