Implementing Additional Security for Laptop Computers


Mobile computers are one of the most difficult IT assets to secure because network administrators must rely on users to be responsible for the security of their computers on a daily basis. To secure mobile computers, you not only must implement technology-based security, you must ensure that users understand the threats to their mobile computers and can make appropriate judgments about using their machines so that they do not jeopardize the security of information on their mobile computers or the network itself.

When implementing security for laptop computers beyond the baseline configuration, you should have two goals in mind: to secure the information on the laptop, and to prevent a compromise of the laptop from leading to the compromise of the network. To accomplish these goals you must address the following areas:

  • Hardware protection

  • Boot protection

  • Data protection

  • User education

Hardware Protection

The first area of additional security for laptop computers is protecting the laptop itself. To help prevent a laptop from being stolen when left unattended, you can use hardware locks. Several types of hardware locks exist, and they vary in cost and degree of protection. The most basic type of lock is a passive cable lock. Passive cable locks use a cable connected to the security slot on a laptop that wraps around an unmovable object. For example, a user storing a laptop in the trunk of a car could wrap the cable around the frame of the car. Typically, these locks use a key or combination lock and have cables that cannot be easily cut with handheld cable cutters. To circumvent a passive hardware lock, an attacker must pick the lock, cut the cable, or figure out a way to move the object the laptop is attached to. Some passive cable locks have alarms built into them. When the cable is looped around an object and reattached to the cable lock base, the lock creates a weak electric circuit that passes through the cable. If the circuit is broken because the cable is cut, the alarm sounds. These alarms are typically loud enough to be heard clearly from 100 yards or more. The alarm will continue to sound until the lock is unlocked or the internal battery runs out.

The effectiveness of a cable lock is dependent on the laptop user using the lock properly. Two common mistakes that users make with cable locks are leaving the key to the lock in an obvious location and attaching the cable to an object that is not secure. For example, users might leave the key to the lock in their laptop carrying case and place the case on the floor near the locked laptop, or they might loop the cable around the leg of a table, which could easily be picked up. Thus, if you implement hardware locks, you must train users in how to properly use them; otherwise, the locks can be ineffective. Hardware locks are by no means undefeatable, but if properly used, they can deter would-be thieves. The addition of an alarm to such a lock increases the likelihood of capturing the thief immediately after he steals the laptop.

Instead of (or in addition to) using passive cable locks, you can use active security systems. The most common types of active security systems use a hardware token that detects unusual motion of the laptop and sounds an alarm. If an unusual amount of motion is detected, the security system will activate. In the event of unusual motion, and depending on the computer you are protecting, the security system might prevent the computer from being booted without the deactivation code, encrypt sensitive information (including data already encrypted by the OS, such as passwords), and sound an alarm. Some active security systems use proximity switches instead of motion detectors. These hardware protection systems prevent computers from leaving a confined area, such as an office building or a particular floor in the building. Active security systems typically cost two to three times more than passive cable locks.

In addition to using locks, alarms, and countermeasures to protect laptops that have highly confidential information, you might consider using a hardware tracking system. Such a system enables you to locate the laptop after it has been stolen and thereby catch the thief (and have her arrested). Hardware tracking systems for laptops or desktops typically rely on one of two mechanisms: an Internet tracking system, or a Global Positioning System (GPS). The client-side tracking agent is installed in protected areas on the computer's hard drive or in hardware tokens installed inside the laptop's case. The agent contacts the tracking service periodically with information about where the computer is located, on the Internet or physically. If the computer is reported stolen, the tracking service can wait for the device to contact it. When contacted by the agent running on the device, the tracking service can retrieve the information about the location of the device. You can then give this information to law enforcement officials to attempt to track the stolen computer. Obviously, not all laptops need this degree of protection. This type of protection is very expensive. You might want to consider hardware tracking services on laptops that you know could hold information that, if compromised, might result in the loss of human life. For example, such hardware tracking services might be more appropriate for laptops that are used by government agencies, law enforcement agencies, or mission-critical assets, such as offline root Certification Authorities (CAs).

One other type of hardware protection for computers that you should consider is to remove removable media drives from the laptop. One of the most common methods of breaking into a computer running Microsoft Windows NT 4.0 or later is to boot the computer by using a bootable floppy disk or CD. Although this is by no means a foolproof security measure, by removing these drives, you make compromising the laptop computer much more difficult and time-consuming. If you remove the floppy disk and CD-ROM drives from a computer, you should also disable the use of USB ports in the BIOS. Otherwise, the attacker might be able to attach a USB floppy or CD-ROM drive to the computer and use it as a boot device.

Boot Protection

One way to protect the information contained on a laptop, and to keep account information stored on the laptop from being used to attack your organization's network if the computer is stolen, is to prevent the OS from loading. You can do this by using BIOS passwords or the Windows System Key feature (Syskey).

Although different BIOS versions have different names for passwords, most BIOS versions on laptop computers have two types of passwords that you can install: boot passwords and setup passwords. Both password types are configured in the BIOS. A boot password prevents the BIOS from transferring control to the OS installed on the hard drive or any other type of media, including bootable floppy disks and CDs, without entering the password. A boot password does not prevent a user or attacker from entering the BIOS configuration; however, in newer BIOS versions, you must enter the existing password to change the boot password. BIOS setup passwords prevent a user or attacker from entering the BIOS configuration and changing information stored in the BIOS, such as the boot password or the order of precedence for boot devices.

There are only two ways to reset the BIOS setup password and boot password: by entering the existing password, or by clearing the CMOS. To clear the CMOS memory on a laptop, you must disassemble the laptop and remove the CMOS battery, which completely clears the BIOS settings. Although BIOS passwords will not completely prevent an attacker from booting the computer, under most conditions, these passwords will buy network administrators enough time to disable the user's user account and any other accounts that need to be disabled. The use of BIOS passwords also gives the user enough time to change any Web site account passwords that have been persistently stored on the laptop.

You can also use the Windows System Key utility to prevent the OS from being loaded by unauthorized people. To do so, set System Key to use Mode 2 or Mode 3 (explained in the following list). You can configure System Key by typing syskey at the command prompt. Only members of the Administrators group can initialize or change the system key level. The system key is the master key used to protect the password database encryption key. System keys have three modes:

  • Mode 1: Uses a machine-generated random key as the system key and stores the key on the local system. Because the key is stored on the OS, it allows for unattended system restart. By default, System Key Mode 1 is enabled during installation on all computers running Microsoft Windows 2000 and Windows XP.

  • Mode 2: Uses a machine-generated random key and stores the key on a floppy disk. The floppy disk with the system key is required for the system to start before the system is available for users to log on. The OS will not load unless the floppy disk is in the floppy drive. When System Key is enabled in Mode 2, the OS will never be able to be loaded if the floppy disk is damaged or lost, unless you have previously created a repair disk.

  • Mode 3: Uses a password chosen by the administrator to derive the system key. The OS will prompt for the system key password when the system begins the initial startup sequence, before the system is available for users to log on. The system key password is not stored anywhere on the system; instead, an MD5 hash of the password is used as the master key to protect the password encryption key. If the password is forgotten, the OS will be rendered unbootable.

Setting the System Key to Mode 2 or Mode 3 will greatly increase the security of the OS and the password-based keys it contains, such as the contents of the Security Accounts Manager (SAM) database and local security authority (LSA) secrets.

Caution 

Because there is no way to recover from a damaged or lost floppy disk or a forgotten System Key password, you should implement System Key Mode 2 or Mode 3 with great caution. Develop a secure method of archiving system keys if you decide to implement System Key Mode 2 or Mode 3 on your network.

Data Protection

Regardless of whether you use hardware alarms or boot protection mechanisms, you should implement protection for data that is stored on a laptop computer. On network servers, discretionary access control lists (DACLs) are the primary method of protecting files. Unfortunately, access control lists (ACLs) are of little use when a computer is in the possession of an attacker. Unlike network servers, whose physical security can be protected by network administrators, laptop computers can be easily stolen. An attacker can remove the hard drive from a laptop and install it in a computer that they are the administrator of. The attacker can take ownership of the files and folders on the laptop computer's hard drive and read the files and folders.

To lessen this risk, you can use the Encrypting File System (EFS) to secure the information on a laptop. When you use EFS properly, the only way to retrieve the information contained in the files is by performing a brute force attack on the encryption algorithm. In Windows 2000 and Windows XP, EFS uses the 56-bit DESX algorithm. Although computationally feasible, this algorithm is difficult to break. Windows XP also allows you to use the 3DES algorithm, which is computationally infeasible and thereby makes performing a brute force attack virtually impossible, given current hardware constraints.

The other data protection issue to address with laptop computers is the logical security of the laptop. Unlike desktop computers, which are protected from untrusted networks by firewalls and routers, laptop computers might be connected to untrusted networks on a regular basis. For example, a user might use the high-speed connection in her hotel room to create a virtual private network (VPN) connection to the corporate network. By doing this, the user creates a relatively unprotected, authenticated route to the corporate network from the Internet, not to mention placing the data stored locally on her laptop in danger. To prevent this situation, users can use personal firewall applications, such as Internet Connection Firewall, or ICF, in Windows XP.

Note 

ICF is covered in detail in Chapter 18, "Implementing TCP/IP Security," of this book.

You might have certain users in your organization who have especially high security requirements, such as those needed to safeguard information that, if disclosed, could lead to the loss of life. You should avoid storing any important information persistently on the laptops of these users. You should also require these users to create a VPN connection to the corporate network and then use Terminal Services to connect to a computer on the network to access information. Furthermore, you should disable the option of storing cached credentials by setting the number of cached credentials to 0 in Group Policy or in the local Group Policy object (GPO) if the laptop is not a member of a domain. When you prevent credentials from being cached on the laptop, the user will not be able to log on to his laptop when a domain controller cannot be located to authenticate his credentials. You also should not install any applications locally on the laptop. This means the laptop will have little functionality other than acting as a remote access point to the network, but it will not place precious data or the network in danger.
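One way to verify the cached-credentials setting described above on laptops you manage, as an added example that is not part of the original text: the Python below parses the `[Registry Values]` section of a `secedit /export` security template and reports whether `CachedLogonsCount` is 0. The sample templates are constructed for illustration, and the function names are hypothetical.

```python
import re

# Registry value behind "number of cached credentials", as it is written in
# the [Registry Values] section of a `secedit /export` template.
CACHED_KEY = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount"

# Constructed sample exports (not taken from real machines).
SAMPLE_DEFAULT = r'''[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
[Version]
Revision=1
'''
SAMPLE_HARDENED = SAMPLE_DEFAULT.replace('=1,"10"', '=1,"0"')
SAMPLE_MISSING = "[Unicode]\nUnicode=yes\n[Registry Values]\n[Version]\nRevision=1\n"

def registry_values(inf_text):
    """Return {lowercased value name: value string} from [Registry Values]."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        name, data = line.split("=", 1)
        # data is "<type>,<value>", e.g. 1,"10" (REG_SZ) or 4,1 (REG_DWORD)
        _type, _, value = data.partition(",")
        values[name.strip().lower()] = value.strip().strip('"')
    return values

def cached_logons(inf_text):
    """Cached logon count as an int, or None if the template does not set it."""
    value = registry_values(inf_text).get(CACHED_KEY.lower())
    return int(value) if value is not None and value.isdigit() else None

def audit(inf_text):
    """Classify one laptop's export against the 'no cached credentials' rule."""
    count = cached_logons(inf_text)
    if count is None:
        return "NOT SET: cached logon count is not defined in this export"
    if count == 0:
        return "OK: no domain credentials are cached"
    return f"FAIL: up to {count} logons cached; set CachedLogonsCount to 0"
```

Real exports are typically written as UTF-16, so open them with `encoding="utf-16"` before passing the text to `audit`.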

Securing Mobile Devices

Securing mobile devices, such as Pocket PCs and Pocket PC Phone Edition devices, is similar to securing laptop computers. Mobile devices should have user passwords to prevent unauthorized users and attackers from accessing them. For example, Pocket PC 2002 supports both four-digit passwords and alphanumeric passwords for protecting access to the device. Each time an incorrect password is attempted, a time delay is activated before the logon screen will reappear. The delay increases exponentially upon each successive incorrect attempt.

In addition, if the mobile device will be connecting to the Internet or untrusted networks, such as public 802.11b wireless networks, you should ensure that the computer securely transmits authentication packets and data. For example, Pocket PC 2002 supports connecting to Web sites that have Secure Sockets Layer (SSL) connections enabled and wireless networks that use WEP.

Although no viruses or Trojan horses that specifically attack the Pocket PC platform or other types of mobile devices have been reported, as with laptop computers, you must install and maintain antivirus software on mobile devices and ensure that all security updates are applied as soon as they are released.


User Education

All the security measures discussed so far are completely dependent on the user properly protecting his laptop. Consequently, you must train users in the potential threats to their laptops and the measures they must take to secure their computers. Although most of the measures users must take to protect their laptops might seem obvious to you (such as not leaving a laptop in the car while buying groceries, or at least using a hardware lock to secure the laptop inside the trunk), they might not be obvious to your users. As with any type of training, it's best to be creative in how you get your message across to users in a way that they will understand. For example, when explaining to users the level of attention they should give to protecting their laptops, you can use this analogy: tell them to secure their laptops as though they were $2000 bundles of cash. Few people would ever consider locking $2000 in a car or leaving it on a table in a restaurant while they used the restroom. Posters, wallet cards, and e-mail reminders containing laptop security tips are also particularly effective in helping train users.




Microsoft Windows XP Professional Resource Kit 2003
Year: 2005
Pages: 338