Securing Portable Computers

Because portable computers are vulnerable to theft, it is important that you provide security for portable computers and the data that is stored on them. You can do this by formatting hard disks to use NTFS so that permissions can be set and encryption can be enabled on files and folders by means of Encrypting File System. You can also add portable computer users to the Power Users group so that they have maximum control of the portable computer without having full control of the system. Ensuring that users use strong passwords to log on to their portable computers and that administrators use strong passwords for the local administrator account is another important security measure. Also, Group Policy settings can be used to restrict access to the computer and any data that is stored on it. For more information about these security features, see Logon and Authentication, Managing Files and Folders, and Encrypting File System in this book.

Securely Undocking Portable Computers

Portable computers can be undocked in two ways, depending on the type of docking station, the type of portable computer, and the permissions and Group Policy settings that have been implemented on the computer. A portable computer can be undocked in the following circumstances:

• While the portable computer is shut down and the power is off, a user physically ejects it or removes it from the docking station (a cold undock).

• While the portable computer is running, a user uses the Eject PC command in Windows XP Professional to eject the computer from the docking station, before physically removing the computer (a hot undock).

To prevent an unauthorized user from undocking a portable computer from a docking station, the portable computer or docking station must include some type of physical lock. Portable computers might simply use a keyed lock that must be manually unlocked to prevent undocking by unauthorized users. Docking stations can include a lock as well, some of which can be programmatically controlled.

For example, some docking stations allow administrators to require that an authorized user log on and select Eject PC before freeing the lock and allowing physical removal of the portable computer from the docking station.

You can choose a local Group Policy setting that controls who has undocking privileges on a portable computer. If a user has undocking privileges, he or she is able to use the Eject PC command. If the user does not have undocking privileges, the Eject PC command is not available. However, any program can call the application programming interface (API) that controls the Eject PC command, which means that any program can have its own button or menu item that tries to eject a portable computer. If a user tries to use such a button or menu item and does not have undocking privileges, the command fails.

By default, undocking permissions are granted to a user during a clean installation of Windows XP Professional and during an upgrade from Windows 95, Windows 98, or Windows NT 4.0. To prevent a user from undocking, you must use Group Policy to set undocking privileges.

To set undocking privileges by using Group Policy

1. In the Run dialog box, type gpedit.msc.

2. In the details pane of Group Policy, under Computer Configuration, open Windows Settings, Security Settings, and the Local Policies, and open the User Rights Assignment folder.

3. In the details pane, right-click Remove computer from docking station, and then click Properties.

4. In the Properties dialog box, click Add to add users and groups to the list.

   or

   Click Remove to remove users and groups from the list.