GoFuckYourself.com - Adult Webmaster Forum - View Single Post

Hal · 09-26-2004, 05:36 AM

There was a post about this last week, so I did a search and found this. (Had to post in 2 parts lol)

Basic Security Measures
Choose a secure operating system and lock it down
If you care about your data, pick an operating system that is secure. Windows 2000 Professional and Windows XP Professional both offer secure logon, file level security, and the ability to encrypt data. If you are running Windows 95/98/Me, anyone who picks up your laptop can access your data.

Enable a strong BIOS password
Foil would be data thieves right from the start by password protecting the BIOS. Some laptop manufacturers have stronger BIOS protection schemes than others, so do some homework before relying on this alone. Find out from your laptop manufacturer what the procedure is for resetting the BIOS password. If they absolutely demand that you send it back into the factory and don't give you a "workaround", you'll have a better chance of recovering the machine and maybe even catching the thief. (Both IBM and Dell scored well in our field tests) Also find out if the BIOS password locks the hard drive so it can't simply be removed and reinstalled into a similar machine.

Asset Tag or Engrave the laptop
Permanently marking (or engraving) the outer case of the laptop with your company name, address, and phone number may greatly increase your odds of getting it returned to you if you happen to carelessly leave it in a hotel room. There are also a number of metal tamper resistant commercial asset tags available that could help the police return your hardware if it is recovered. According to the FBI, 97% of unmarked computers are never recovered. Clearly marking your laptops deters casual thieves and may prevent it from simply being resold over the internet via an online auction.

Register the laptop with the manufacturer
We've become so used to throwing away the registration cards for all of the electronic items we buy every day, because we've learned that it just leads to more junk mail. Registering your laptop with the manufacturer will "flag" it if a thief ever sends it in for maintenance, and increases your odds of getting it back. It also pays to write down your laptop's serial number and store it in a safe place. In the event your laptop is stolen, it will be impossible for the police to ever recover it if they can't trace it back to you.
Physical Security

Get a cable lock and use it
Over 80% of the laptops on the market are equipped with a Universal Security Slot (USS) that allows them to be attached to a cable lock or laptop alarm. While this may not stop determined hotel thieves with bolt cutters, it will effectively deter casual thieves who may take advantage of you while your sleeping in an airport lobby, leaving a table to go the bathroom, etc., Most of these devices are between $30 - $50 and can be found at office supply stores or online. In addition to the quality of the cable, consider the quality of the lock. (Tubular locks are preferable to the common tumbler lock design) And remember: They only work if you use them properly. Tether them to a strong immovable and unbreakable object.

Use a docking station
Unbelievably, almost 40% of laptop theft occur in the office. Poorly screened housekeeping staff, contractors, and disgruntled employees are the usual suspects. You can help prevent this by using a docking station that is permanently affixed to your desktop and has a feature which locks the laptop securely in place. If you are leaving it overnight, or for the weekend, lock your laptop in a secure filing cabinet in your office and lock your office door.
Lock up your PCMCIA cards
While locking your PC to desk with a cable lock may keep someone from walking away with your laptop, there is little you can do to keep someone from stealing the PCMCIA NIC card or modem that is sticking out of the side of your machine. When not in use, eject these cards from the laptop bay and lock them in a safe place. Your docking station should have a NIC card built into it at your desk, and if you are traveling you won't be connected to the network anyway. Even when they aren't being used, PCMCIA cards still consume battery power and contribute to the heat levels within your laptop while they are left inserted into their slots.
Use a personal firewall on your laptop
Corporate networks protect their Servers and Workstations by configuring a firewall to prevent intruders from hacking back into their systems via the company's internet connection. But once users leave the corporate buildings and connect to the web from home or a hotel room, their data is vulnerable to attack. Personal firewalls such as BlackIce and ZoneAlarm are an effective and inexpensive layer of security that take only a few minutes to install. Although Windows XP comes with a personal firewall, it does not attempt to manage or restrict outbound connections at all. We recommend using a good third-party personal firewall to secure your Windows XP workstations. If you want to test how much information your personal firewall "leaks out" to the web, try the online leak test at http://grc.com/lt/leaktest.htm
Consider other devices based on your needs
Since laptop theft has become such a big issue, the market has been flooded with a variety of security gadgets and gizmos. Motion detectors and alarms are popular items, as are hard drive locks. Biometric identification systems are also being installed on some laptop models which allows your fingerprint to be your logon ID instead of a password. Consider the cost and bulk of these items along with your risk of theft before you go all out on a security solution.
Use tracking software to have your laptop call home
There are a number of vendors that offer stealthy software solutions that enable your laptop to check in to a tracking center periodically using a traceable signal. In the event your laptop is lost or stolen, these agencies work with the police, phone company, and internet service providers to track and recover your laptop. CompuTrace, SecureIT, Stealth Signal, and ZTrace provide tracking services for corporations and individuals.
Protecting your Sensitive Data
Use the NTFS file system
Assuming your using Windows NT/2000/XP on your laptop, use the NTFS file system to protect your data from laptop thieves who may try to access your data. FAT and FAT32 File systems don't support file level security and give hackers a big wide open door to your system.
Disable the Guest Account
Windows 2000 finally disables the guest account by default, but if you didn't build the image yourself, always double check to make sure the guest account is not enabled. For additional security assign a complex password to the account anyway, and restrict its logon 24x7.
Rename the Administrator Account
Many hackers will argue that this won't stop them, because they will use the SID to find the name of the account and hack that. Our view is, why make it easy for them. Renaming the Administrator account will stop some amateur hackers cold, and will annoy the more determined ones. Remember that hackers won't know what the inherit or group permissions are for an account, so they'll try to hack any local account they find and then try to hack other accounts as they go to improve their access. If you rename the account, try not to use the word 'Admin" in its name. Pick something that won't sound like it has rights to anything.
Consider creating a dummy Administrator account
Another strategy is to create a local account named "Administrator", then giving that account no privileges and impossible to guess +10 digit complex password. This should keep the script kiddies busy for a while. If you create a dummy Administrative account, enabled auditing so you'll know when it is being tampered with.
Prevent the last logged-in user name from being displayed
When you press Ctrl-Alt-Del, a login dialog box appears which displays the name of the last user who logged in to the computer, and makes it easier to discover a user name that can later be used in a password-guessing attack. This can be disabled using the security templates provided on the installation CD, or via Group Policy snap in. For more information, see Microsoft KB Article Q310125

Enable EFS (Encrypting File System)
Windows 2000 ships with a powerful encryption system that adds an extra layer of security for drives, folders, or files. This will help prevent a hacker from accessing your files by physically mounting the hard drive on another PC and taking ownership of files. Be sure to enable encryption on Folders, not just files. All files that are placed in that folder will be encrypted. For more information check out our EFS Resource Center
Disable the Infrared Port on you laptop
I don't know anybody who actual transmits data via the infrared port on their laptop, but we have been able to use the IR port to browse someone else's files from across a conference room table without them knowing it. Disable the IR port via the BIOS, or simply cover it up with a small piece of black electrical tape.

Backup your data before you leave
Many companies have learned the hard way that the data on your computer is more expensive to replace than the hardware. Always backup you laptop before you do any extended traveling that may put your data at risk. This doesn't have to to take a lot of time, and you can use the built in backup utilities that come with Windows 2000. If your network doesn't have the disk space to backup all of your traveling laptop users, you may wish to look into some of personal backup solutions including external hard drives, CD-R's, and tape backup.

09-26-2004, 05:36 AM
Hal Confirmed User Join Date: Mar 2002 Location: London, UK Posts: 768	There was a post about this last week, so I did a search and found this. (Had to post in 2 parts lol) <b>Basic Security Measures</b> Choose a secure operating system and lock it down If you care about your data, pick an operating system that is secure. Windows 2000 Professional and Windows XP Professional both offer secure logon, file level security, and the ability to encrypt data. If you are running Windows 95/98/Me, anyone who picks up your laptop can access your data. <b>Enable a strong BIOS password</b> Foil would be data thieves right from the start by password protecting the BIOS. Some laptop manufacturers have stronger BIOS protection schemes than others, so do some homework before relying on this alone. Find out from your laptop manufacturer what the procedure is for resetting the BIOS password. If they absolutely demand that you send it back into the factory and don't give you a "workaround", you'll have a better chance of recovering the machine and maybe even catching the thief. (Both IBM and Dell scored well in our field tests) Also find out if the BIOS password locks the hard drive so it can't simply be removed and reinstalled into a similar machine. <b>Asset Tag or Engrave the laptop</b> Permanently marking (or engraving) the outer case of the laptop with your company name, address, and phone number may greatly increase your odds of getting it returned to you if you happen to carelessly leave it in a hotel room. There are also a number of metal tamper resistant commercial asset tags available that could help the police return your hardware if it is recovered. According to the FBI, 97% of unmarked computers are never recovered. Clearly marking your laptops deters casual thieves and may prevent it from simply being resold over the internet via an online auction. <b>Register the laptop with the manufacturer</b> We've become so used to throwing away the registration cards for all of the electronic items we buy every day, because we've learned that it just leads to more junk mail. Registering your laptop with the manufacturer will "flag" it if a thief ever sends it in for maintenance, and increases your odds of getting it back. It also pays to write down your laptop's serial number and store it in a safe place. In the event your laptop is stolen, it will be impossible for the police to ever recover it if they can't trace it back to you. Physical Security <b>Get a cable lock and use it</b> Over 80% of the laptops on the market are equipped with a Universal Security Slot (USS) that allows them to be attached to a cable lock or laptop alarm. While this may not stop determined hotel thieves with bolt cutters, it will effectively deter casual thieves who may take advantage of you while your sleeping in an airport lobby, leaving a table to go the bathroom, etc., Most of these devices are between $30 - $50 and can be found at office supply stores or online. In addition to the quality of the cable, consider the quality of the lock. (Tubular locks are preferable to the common tumbler lock design) And remember: They only work if you use them properly. Tether them to a strong immovable and unbreakable object. <b>Use a docking station</b> Unbelievably, almost 40% of laptop theft occur in the office. Poorly screened housekeeping staff, contractors, and disgruntled employees are the usual suspects. You can help prevent this by using a docking station that is permanently affixed to your desktop and has a feature which locks the laptop securely in place. If you are leaving it overnight, or for the weekend, lock your laptop in a secure filing cabinet in your office and lock your office door. Lock up your PCMCIA cards While locking your PC to desk with a cable lock may keep someone from walking away with your laptop, there is little you can do to keep someone from stealing the PCMCIA NIC card or modem that is sticking out of the side of your machine. When not in use, eject these cards from the laptop bay and lock them in a safe place. Your docking station should have a NIC card built into it at your desk, and if you are traveling you won't be connected to the network anyway. Even when they aren't being used, PCMCIA cards still consume battery power and contribute to the heat levels within your laptop while they are left inserted into their slots. Use a personal firewall on your laptop Corporate networks protect their Servers and Workstations by configuring a firewall to prevent intruders from hacking back into their systems via the company's internet connection. But once users leave the corporate buildings and connect to the web from home or a hotel room, their data is vulnerable to attack. Personal firewalls such as BlackIce and ZoneAlarm are an effective and inexpensive layer of security that take only a few minutes to install. Although Windows XP comes with a personal firewall, it does not attempt to manage or restrict outbound connections at all. We recommend using a good third-party personal firewall to secure your Windows XP workstations. If you want to test how much information your personal firewall "leaks out" to the web, try the online leak test at http://grc.com/lt/leaktest.htm Consider other devices based on your needs Since laptop theft has become such a big issue, the market has been flooded with a variety of security gadgets and gizmos. Motion detectors and alarms are popular items, as are hard drive locks. Biometric identification systems are also being installed on some laptop models which allows your fingerprint to be your logon ID instead of a password. Consider the cost and bulk of these items along with your risk of theft before you go all out on a security solution. Use tracking software to have your laptop call home There are a number of vendors that offer stealthy software solutions that enable your laptop to check in to a tracking center periodically using a traceable signal. In the event your laptop is lost or stolen, these agencies work with the police, phone company, and internet service providers to track and recover your laptop. CompuTrace, SecureIT, Stealth Signal, and ZTrace provide tracking services for corporations and individuals. Protecting your Sensitive Data Use the NTFS file system Assuming your using Windows NT/2000/XP on your laptop, use the NTFS file system to protect your data from laptop thieves who may try to access your data. FAT and FAT32 File systems don't support file level security and give hackers a big wide open door to your system. Disable the Guest Account Windows 2000 finally disables the guest account by default, but if you didn't build the image yourself, always double check to make sure the guest account is not enabled. For additional security assign a complex password to the account anyway, and restrict its logon 24x7. Rename the Administrator Account Many hackers will argue that this won't stop them, because they will use the SID to find the name of the account and hack that. Our view is, why make it easy for them. Renaming the Administrator account will stop some amateur hackers cold, and will annoy the more determined ones. Remember that hackers won't know what the inherit or group permissions are for an account, so they'll try to hack any local account they find and then try to hack other accounts as they go to improve their access. If you rename the account, try not to use the word 'Admin" in its name. Pick something that won't sound like it has rights to anything. Consider creating a dummy Administrator account Another strategy is to create a local account named "Administrator", then giving that account no privileges and impossible to guess +10 digit complex password. This should keep the script kiddies busy for a while. If you create a dummy Administrative account, enabled auditing so you'll know when it is being tampered with. Prevent the last logged-in user name from being displayed When you press Ctrl-Alt-Del, a login dialog box appears which displays the name of the last user who logged in to the computer, and makes it easier to discover a user name that can later be used in a password-guessing attack. This can be disabled using the security templates provided on the installation CD, or via Group Policy snap in. For more information, see Microsoft KB Article Q310125 <b>Enable EFS (Encrypting File System)</b> Windows 2000 ships with a powerful encryption system that adds an extra layer of security for drives, folders, or files. This will help prevent a hacker from accessing your files by physically mounting the hard drive on another PC and taking ownership of files. Be sure to enable encryption on Folders, not just files. All files that are placed in that folder will be encrypted. For more information check out our EFS Resource Center Disable the Infrared Port on you laptop I don't know anybody who actual transmits data via the infrared port on their laptop, but we have been able to use the IR port to browse someone else's files from across a conference room table without them knowing it. Disable the IR port via the BIOS, or simply cover it up with a small piece of black electrical tape. <b>Backup your data before you leave</b> Many companies have learned the hard way that the data on your computer is more expensive to replace than the hardware. Always backup you laptop before you do any extended traveling that may put your data at risk. This doesn't have to to take a lot of time, and you can use the built in backup utilities that come with Windows 2000. If your network doesn't have the disk space to backup all of your traveling laptop users, you may wish to look into some of personal backup solutions including external hard drives, CD-R's, and tape backup.