What to do in the event of theft, network attacks, or virus infection

Do you realize how important laptops have become to the security of corporate information and assets? Stolen laptops can compromise confidential employee, customer, and trade-secret information. Because of the difficulty of keeping laptops backed up, you can also lose information if a laptop's hard disk becomes corrupted. In addition, laptops are more vulnerable to data loss from network attack and viruses than firewall-sheltered desktop systems. If you have mobile users, you need to take steps to prevent data loss from laptops and minimize your risk if loss occurs.

You can start by teaching your employees some simple low-tech measures to prevent laptop theft. The sidebar "Physical Prevention Measures," page 3, discusses common risks and provides information about proximity alarms and cable locks. However, both Windows 2000 and Windows NT are vulnerable if an attacker does manage to gain physical access to a system, and any hard disk can become corrupted or irretrievably damaged. You need to go further to minimize loss of confidential information and ensure that you can recover it should all your protective measures fail.

Protecting Laptop Data
For anyone with physical access to an NT laptop, reading its files is a piece of cake. NTFS permissions are enforced by the running OS, not by the disk, so a thief needs only to boot a DOS floppy disk and run Winternals Software's NTFSDOS Professional utility, which reads NTFS volumes without ever consulting their ACLs. An inexpensive way to complicate a thief's job is to disable floppy-disk and CD-ROM boot in the BIOS and password-secure the BIOS. However, a determined thief, armed with a little Internet research, can reset your BIOS (typically by opening the case and shorting a jumper) or can simply remove the hard disk and insert it into an unsecured laptop. Some laptops, such as IBM's ThinkPads, use the ATA (IDE) drive password command to assign a password that the drive's own firmware enforces, so it stays with the disk even if the thief moves the disk to another computer. Keep in mind that a drive password locks access to the disk but doesn't encrypt its contents; treat it as a deterrent, not as a substitute for the encryption discussed below.

Often, intruders aren't content with accessing the laptop's files. They want to access the company's VPN or RAS servers. Unfortunately, many companies configure VPN and RAS connections to store passwords so that users needn't enter them each time they connect. In such a case, the attacker will seek to use your name and password to log on to the network. If you use local user accounts instead of domain accounts, the intruder needs simply to boot the laptop with an Offline NT Password & Registry Editor (i.e., Ntpasswd) boot disk, which mounts the computer's NTFS or FAT volumes, locates the SAM, and displays a list of usernames. The attacker then selects the desired username, and the utility prompts for a new password. Ntpasswd edits the SAM and replaces the current password hash with the new password's hash. The attacker reboots into NT and logs on as that user.

You might think that the Syskey tool would provide protection because Syskey encrypts the password hashes in the SAM. However, Ntpasswd can disable Syskey regardless of the key-storage mode you use, so configuring Syskey to require a startup password or floppy disk isn't much help. Because the password hash for domain accounts doesn't reside in your workstation's SAM, Ntpasswd doesn't work if users access their computers through domain accounts. I highly recommend that you avoid using local user accounts on NT—and Win2K—laptops. Domains provide much better security. One caveat: a laptop that logs on to a domain while disconnected does so from cached domain credentials stored on its own disk, so those credentials are one more secret that the disk-level protection discussed below must cover.

Attackers who want to log on to an NT computer with administrative authority don't need to use Ntpasswd or a cracker tool such as L0pht Heavy Industries' L0phtCrack. They can simply load NTFSDOS Pro and delete the SAM from %systemroot%\system32\config. After a reboot, NT graciously creates a new SAM and gives the Administrator account a blank password. Consequently, the only way to protect information on an NT laptop is to use a third-party disk-encryption or file-encryption program. Both have pros and cons.

Disk-encryption programs (e.g., PC Dynamics's SafeHouse, SoftWinter's SeNTry, Jetico's BestCrypt) let you encrypt data at the disk level so that the encryption is transparent to applications and requires little user interaction (other than entering a password at startup). Some of these tools run as a driver between NT and the hard disk, encrypting the entire hard disk. Virtual volume-encryption programs, such as BestCrypt, run as a device driver that creates one large file on an NTFS volume and presents that file to the system as another volume. I prefer the latter type of tool because it's less intrusive and yields more stable results. The trade-off is that a virtual volume protects only what users store inside it; the pagefile, temporary files, and any document saved outside the volume remain in clear text, whereas whole-disk encryption covers them all. Because of disk-encryption products' low-level nature, as well as the inherent stability and speed concerns that arise, few companies have implemented these products without angering users. Before you implement such a tool, be sure to evaluate several products in limited rollouts.

A less practical option is to choose a file-based encryption tool, such as Network Associates' PGP. This type of product demands that users consciously encrypt and decrypt files before and after using them in applications. File-encryption programs are much more stable than disk-encryption tools, but users soon tire of encrypting and decrypting files all the time and often stop using the tool. Also, file-encryption programs leak clear text: deleting the unencrypted copy of a file merely frees its clusters, so the plain text remains in unused disk sectors until something overwrites them, and applications' temporary files and the pagefile hold fragments as well. On laptops that run NT, I recommend that you use a virtual volume-encryption product and perform regular backups in case the encrypted volume becomes corrupted.

A Note About Win2K's EFS
If you've migrated your laptops to Win2K Professional, you're probably excited about the OS's Encrypting File System (EFS) feature. But be wary of EFS gotchas in the form of clear-text leakage and EFS certificate management. First, be sure to follow the recommendations of the Win2K Help text document "Best Practices for Encrypting File System" (http://support.microsoft.com/support/kb/articles/q223/3/16.asp). Second, to prevent attackers from scavenging your pagefile for clear-text fragments of encrypted files, configure your laptops to clear the pagefile at shutdown. To set this option for every computer in your domain, go to Administrative Tools and select Active Directory Users and Computers. Right-click the domain root and open the Properties dialog box. On the Group Policy tab, highlight Default Domain Policy and click Edit. In the Group Policy tree, drill down to \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, and enable the Clear virtual memory pagefile when system shuts down option. (This policy sets the REG_DWORD value ClearPageFileAtShutdown to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, which is what to check on a laptop that you suspect isn't receiving the policy.) Note that the pagefile is cleared only on an orderly shutdown, not when the battery dies or the user pulls the plug. Third, be aware that attackers can defeat EFS if your laptop isn't a member of an Active Directory (AD) domain: on a standalone Win2K machine the local Administrator account is the default EFS recovery agent, and its keys live on the same disk that the SAM attacks described above hand over. (For information about this vulnerability, see my Windows 2000 Magazine article "Controlling Group Policy, Part 1," http://www.win2000mag.com, InstantDoc ID 15704.)
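The two kinds of leakage just described, plain text left in unused sectors after a file-encryption tool's clear-text copy is deleted and fragments of EFS-protected files paged out to the pagefile, can be checked for rather than assumed. The following Python script is an added example written for this article, not a tool from the original text or from any vendor. It scans a raw image (a dump of pagefile.sys or of a volume's unallocated clusters, taken with whatever imaging tool you use) for runs of bytes that also occur in a known sensitive document, in both the 8-bit on-disk form and the UTF-16 form that Windows applications hold text in while it's in memory. The sample document and the 16KB image it's planted in are constructed for the example.

```python
"""Added example: look for clear-text fragments of a known document in a raw image.

The image would normally be a dump of pagefile.sys or of a volume's unallocated
clusters. Here it is constructed in memory so the script runs offline.
"""

# Constructed sample document (not real data).
SAMPLE_TEXT = (
    "CONFIDENTIAL: Acme Corp term sheet for the proposed acquisition of Widget Ltd. "
    "Offer price USD 42.50 per share, cash, subject to board approval. "
    "Exclusivity period ends 2001-09-30. Break fee USD 12M. "
    "Bank account for escrow: 0123-4567-8901 at First Example Bank. "
    "Contact: treasurer@example.com, +1 555 0100."
)


def fragment_hits(image: bytes, plaintext: bytes, min_run: int = 32) -> list:
    """Return (offset, length) for every run of at least min_run bytes in
    `image` that also occurs in `plaintext`, extended greedily to the right.

    32 bytes as the minimum makes chance matches against random data
    negligible. Grams are indexed by first occurrence, so a phrase that
    repeats inside the document is reported against its first position.
    """
    k = min_run
    grams = {}
    for j in range(len(plaintext) - k + 1):
        grams.setdefault(plaintext[j:j + k], j)
    hits = []
    i = 0
    while i + k <= len(image):
        j = grams.get(image[i:i + k])
        if j is None:
            i += 1
            continue
        n = k
        while (i + n < len(image) and j + n < len(plaintext)
               and image[i + n] == plaintext[j + n]):
            n += 1
        hits.append((i, n))
        i += n                      # resume after the run, not inside it
    return hits


def scan_for_leaks(image: bytes, text: str, min_run: int = 32) -> dict:
    """Scan for the document in the encodings a Windows box is likely to hold it in:
    the 8-bit on-disk form and the UTF-16LE form applications keep in memory
    (and therefore leave in the pagefile)."""
    return {
        "utf-8": fragment_hits(image, text.encode("utf-8"), min_run),
        "utf-16-le": fragment_hits(image, text.encode("utf-16-le"), min_run),
    }


def build_constructed_image(size: int = 16384) -> bytes:
    """Constructed stand-in for a raw dump: 0xFF filler with two planted
    fragments, a 200-byte 8-bit slice at 4096 and a 200-byte UTF-16LE slice at 8192."""
    utf8 = SAMPLE_TEXT.encode("utf-8")
    utf16 = SAMPLE_TEXT.encode("utf-16-le")
    img = bytearray(b"\xff" * size)
    img[4096:4096 + 200] = utf8[40:240]
    img[8192:8192 + 200] = utf16[100:300]
    return bytes(img)


if __name__ == "__main__":
    image = build_constructed_image()
    for enc, hits in scan_for_leaks(image, SAMPLE_TEXT).items():
        for off, n in hits:
            snippet = image[off:off + n].decode(enc, errors="replace")
            print(f"{enc}: {n} bytes at offset {off:#x}: {snippet[:50]!r}...")
```

Against a real pagefile dump, read the file with mmap rather than into memory, and run the scan once per document you care about; a single hit is enough to show that the clear-pagefile setting, or whole-disk encryption, is needed on that laptop.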

Network Risks
Your company's firewall protects your desktop workstations from most outside network attacks, but laptops are directly exposed to network attacks whenever employees use a modem to connect to the Internet. Laptops are also vulnerable when employees travel to a client's site and connect the laptop to the client's network. Malicious users know many methods (e.g., mapped drives, the Scheduler service, Telnet) of gaining entry into a Win2K or NT computer over a network. To protect laptops from such attacks, you need to lock down your standard laptop configuration by disabling all unnecessary services. For information about the risks of Win2K's native services, see my three-part "Dangerous Services" series listed in "Related Reading." You can adapt this information to the NT platform. I also strongly recommend that you consider implementing a personal firewall on your laptops.

NT lets you define port filtering, but the filter is stateless: it can't tell the reply to a connection your laptop initiated from an unsolicited inbound packet, so permitting ordinary outbound use means leaving the high ports open, and you'll probably find this functionality useless. Win2K's IP Security (IPSec) offers more flexible port filtering, which lets you provide good protection for your laptops from network attacks. Of course, you can always opt to purchase one of the many personal firewalls available from Independent Software Vendors (ISVs). For more information about personal firewalls, see "Related Reading."

Virus Signature Updates
The importance of installing a virus scanner on each computer and keeping it up-to-date is obvious, but laptops present unique virus concerns. Most enterprise antivirus products offer a variety of methods for updating virus signatures on your computers, including the ability to configure a server to regularly download the latest signatures and distribute them to workstations through your LAN. To conserve network bandwidth, many administrators choose this option rather than configuring computers to individually contact the antivirus vendor's Web site. However, laptops typically connect to your company's LAN irregularly and thus might not receive updates through your internal distribution mechanism for weeks at a time. I recommend that you configure laptops—particularly those belonging to highly mobile users—to automatically download virus signature updates directly from the Internet.

The Importance of Backups
Backing up laptops is usually even more important than backing up workstations. You probably don't permit users to store important information on workstations, instead centralizing that information on servers that you back up nightly. But laptop users must keep important files on their local hard disk because they're often not connected to the company LAN. Yet you can't depend on users to regularly back up their computers. Even if laptop users conscientiously back up their computers, the backup media are probably nestled inside the carrying case with the laptop. Backups won't do you any good if they're damaged, lost, or stolen along with the computer.

Online backups provide a solution. You can implement an online backup server internally, or you can use an online backup service over the Internet. I use NetMass's SystemSafe service. I simply created an account on the company's Web site, installed the SystemSafe client software, and chose an encryption key. Each night, the client determines which files have changed since the most recent backup, compresses and encrypts those files locally, then sends the update to a NetMass backup server. I get offsite, fault-tolerant backups for about $15 a month. Because the backup client uses compression and transmits only information that has changed, the backup is quick—even over a dial-up line. You can configure most backup clients to automatically initiate a dial-up connection if the computer isn't already connected to the Internet. You don't need to keep track of backup floppy disks or offsite storage. The service is secure because it encrypts information with a key that doesn't leave your computer. Neither the backup-service provider nor anyone sniffing packets on the Internet can use the information. The flip side is that nobody, the provider included, can recover the data if the key is lost, so escrow the key somewhere other than the laptop. If you're uncomfortable with the thought of another company maintaining your information, you can implement an inhouse online backup product, such as Dantz Development's Retrospect Backup.
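The client behaviour just described (detect changed files, compress and encrypt them locally, send only the update, and never let the key leave the laptop) fits in a few dozen lines. The following Python is an added example written for this article; it is not the SystemSafe client or any other product's code. It stands in for the server with an in-memory dictionary, uses a fixed salt, and, because the Python standard library has no block cipher, encrypts with an HMAC-SHA256 keystream in counter mode plus an HMAC tag (a PRF-based stream cipher, labeled as a stand-in for AES in the code). The passphrase, paths, and file contents are constructed.

```python
"""Added example: client-side encrypted incremental backup.

Not any vendor's code. Stand-ins: an in-memory BackupServer, a fixed salt,
and an HMAC-SHA256 counter-mode keystream in place of AES (the standard
library has no block cipher). The design point is what the server stores:
opaque blobs under blinded names, never a key or a byte of plain text.
"""
import hashlib
import hmac
import os
import zlib

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(passphrase: bytes, salt: bytes) -> tuple:
    """Stretch the user's passphrase into separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=64)
    return master[:32], master[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key or tampering raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("backup blob failed authentication (wrong key or tampered)")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


class BackupServer:
    """What the provider (or a packet sniffer) sees: blob names and blob bytes."""

    def __init__(self):
        self.blobs = {}

    def put(self, name: str, blob: bytes) -> None:
        self.blobs[name] = blob

    def get(self, name: str) -> bytes:
        return self.blobs[name]


class BackupClient:
    def __init__(self, passphrase: bytes, server: BackupServer):
        salt = b"example-fixed-salt"          # real client: random, stored with the account
        self.enc_key, self.mac_key = derive_keys(passphrase, salt)
        self.server = server
        self.manifest = {}                    # path -> SHA-256 of last backed-up content, kept on the laptop

    def _blob_name(self, path: str) -> str:
        # Blind the path as well; the server shouldn't learn directory or file names.
        return hmac.new(self.mac_key, path.encode(), hashlib.sha256).hexdigest()

    def run(self, files: dict) -> list:
        """Back up only files whose content changed since the last run.
        `files` maps path -> bytes, a constructed stand-in for walking the disk.
        Returns the paths uploaded this run."""
        uploaded = []
        for path, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            if self.manifest.get(path) == digest:
                continue                      # unchanged: send nothing
            blob = seal(self.enc_key, self.mac_key, zlib.compress(data))
            self.server.put(self._blob_name(path), blob)
            self.manifest[path] = digest
            uploaded.append(path)
        return uploaded

    def restore(self, path: str) -> bytes:
        blob = self.server.get(self._blob_name(path))
        return zlib.decompress(unseal(self.enc_key, self.mac_key, blob))
```

Change detection is by content hash rather than timestamp, so a file touched but not altered isn't re-sent. The manifest lives on the laptop; after a theft, a replacement machine simply re-uploads everything on its first run. The passphrase is the only thing that can't be regenerated, which is why it needs escrow away from the laptop.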

Don't Rely on Users
Laptop security is a difficult prospect. As a primary measure, make sure users implement appropriate physical security. But don't bet the farm on your users. Use encryption products to protect confidential information. Ensure that the virus protection on laptops is equal to or better than that on your internal computers. Protect your laptops from network attacks, particularly when they're exposed to potentially hostile networks. And do your users and yourself a favor: Implement an automatic online backup solution.

Related Reading
WINDOWS 2000 MAGAZINE
You can obtain the following articles from Windows 2000 Magazine's Web site at http://www.win2000mag.com.

RANDY FRANKLIN SMITH
"Controlling Group Policy, Part 1," November 2000, InstantDoc ID 15704

SECURITY ADMINISTRATOR
You can obtain the following articles from the Security Administrator Web site at http://www.secadministrator.com.

PAULA SHARICK
"Secure Your SOHO, Part 2," June 2001, InstantDoc ID 20901
"Secure Your SOHO, Part 1," May 2001, InstantDoc ID 20554
"Dangerous Services, Part 3," January 2001 Web Exclusive, InstantDoc ID 16476
"Dangerous Services, Part 2," December 2000 Web Exclusive, InstantDoc ID 16363
"Dangerous Services, Part 1," December 2000 Web Exclusive, InstantDoc ID 16301