Microsoft says: “Strategic planning, research, product development, marketing data, third-party information, and other corporate secrets are widely distributed on individual computers throughout an enterprise. These workstations, regular desktop computers, individual computers in home offices, and notebook computers are the most numerous, most vulnerable entry points to any enterprise, and they’re all open to intrusion and theft. Even if an enterprise uses advanced network access security, an unattended workstation offers instant access to files on the hard drive and also the network. Similarly, a stolen notebook computer offers easy access to critical data by competitors, unauthorized employees, and others whose knowledge of such information can profit at the expense of the victimized organization.”
Traditional solutions such as file encryption leave too much to the discretion of individual users. What’s needed is an automatic encryption system that can be deployed and managed across the network—one that implements security policy without burdening users.
Data Security (Now called Protect!) Overview
A possible Data Security solution is a desktop security product that enables System Administrators to restrict access to all enterprise PCs running Windows 95/98/2000/XP or NT 4.0. It creates a secure computing environment by combining boot protection and powerful encryption with enterprise administration capabilities. Equally important to large organizations, your Data Security solution should be designed to be deployed, administered, and upgraded without desktop visits.
Boot protection combined with encryption is an essential component of PC security. Because Protect! requires user authentication before the Windows operating system is invoked, it completely defeats the numerous and widely available Windows password cracking programs. Other common attacks such as moving the hard drive to a different machine or booting from a floppy will not enable unauthorized entry. Until an authorized user is properly authenticated, all information on the hard disk remains encrypted such that not even files or directories are visible to prying eyes.
Hard Disk Encryption
Protect! uses the industry-proven CAST and Blowfish encryption algorithms to encrypt the entire workstation hard drive. The encryption key is itself encrypted and can only be unlocked through the user password. This means that the key that encrypts the data is never stored in the clear.
Encryption is transparent to the user and creates no perceptible decrease in speed. Protect! also relieves users of the responsibility for encrypting individual files, eliminating the possibility of leaving certain files unsecured. Because the encryption process is automatic and entirely transparent to the end-user, it is easy to use and implement in any size organization.
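The key-wrapping idea in this section, as an added example that is not Protect!'s own code: a random disk key is kept on disk only in wrapped form, under a key stretched from the user password. Python's standard library has no CAST or Blowfish, so PBKDF2 with an HMAC-checked XOR pad stands in for the cipher; the function names, record layout and iteration count are assumptions, and `change_password` goes one step beyond the text to show that re-wrapping does not touch the encrypted data.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ROUNDS = 100_000  # constructed value for this example


def derive(password: str, salt: bytes):
    """Stretch the password into a 32-byte wrapping pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS, dklen=64)
    return okm[:32], okm[32:]


def wrap_disk_key(disk_key: bytes, password: str) -> dict:
    """Build the record kept on disk: salt, wrapped key and integrity tag."""
    if len(disk_key) != 32:
        raise ValueError("this example wraps 32-byte keys only")
    salt = secrets.token_bytes(16)  # fresh salt per wrap, so a pad is never reused
    pad, mac_key = derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(disk_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_disk_key(record: dict, password: str) -> Optional[bytes]:
    """Return the disk key, or None for a wrong password or altered record."""
    pad, mac_key = derive(password, record["salt"])
    expected = hmac.new(mac_key, record["salt"] + record["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(record["wrapped"], pad))


def change_password(record: dict, old: str, new: str) -> Optional[dict]:
    """Re-wrap the same disk key; the encrypted partition itself is untouched."""
    disk_key = unwrap_disk_key(record, old)
    return None if disk_key is None else wrap_disk_key(disk_key, new)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed disk key
    rec = wrap_disk_key(key, "correct horse")
    print(unwrap_disk_key(rec, "correct horse") == key, unwrap_disk_key(rec, "guess"))
```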
Delegated administration secures a distributed environment
Protect! incorporates unique “delegated” management that permits the enforcement of enterprise security policy while spreading the burden of administration throughout the organization. A System Administrator creates a Master Profile, which defines the rules that all installations must follow throughout the enterprise. Lower level Administrators can modify this Master Profile for local conditions.
The Master Profile also dictates the configuration and installation of Protect!. Deploying Protect! can be accomplished through a variety of methods including software distribution tools such as Microsoft SMS or Novell ACU. Alternatively, administrators can utilize login scripts, email or physical distribution of CDs or diskettes. Each installation specifies a network drive where Protect! can find updates to user profiles or enhancements to the program. Support for users who have lost or forgotten passwords is also provided across the network.
Protect!’s Basic Security Functions:
- Central configuration
- Zero desktop administration
- Delegated administration
- Hard disk partition encryption
- Secure assistance for remote users
- Boot protection
- Keyboard lock and screensaver
- User-specific partition restrictions
- Limited login attempts with automatic locking
Positive Identification and Secure Authorization
- Dynamic password support
- Stringent password requirements
- Role-based authorization
- Complete record of login activity, updates, and remote assistance
- Configurable audit reports
How does Protect! secure the machine?
Boot Protection and Hard Disk Encryption:
Protect! provides two levels of protection: boot protection and hard disk encryption.
Authorized users need to provide a valid name and password in order to boot a protected desktop PC or notebook. Even if someone boots via some alternative method, everything on the hard disk—programs and data—remains encrypted until an authorized user enters the computer.
After an authorized user enters the system, Protect! automatically encrypts and decrypts the data stream to and from the hard disk. Also, for Windows 95/98, a keyboard lock and secure screensaver can be activated manually or automatically if the user leaves the computer. The user must enter the password again upon return. Because Protect!’s encryption is automatic, security policy is not left to the discretion of individuals. No one needs to know encryption programs or procedures because encryption and decryption occur automatically in the background.
What if someone forgets the password?
Administrators can remotely help users who have forgotten their passwords, or need to unlock accounts that have been suspended due to excessive failed login attempts. In organizations using dynamic passwords that change with every login (such as Safeword from Secure Computing), Administrators can offer “one time login” assistance if users misplace the password calculator.
Protect! Delegated Administration
Unlike many centralized administration programs that impose the entire burden of administration on a few individuals, Protect! allows diffuse responsibility throughout the organization. The System Administrator delegates privileges to local administrators but still retains control over critical elements of enterprise security.
Simplicity and Central Control
Protect!’s administration affords simplicity and strong central control of system information, group information, and individual user information. System Administrators have the ability to install and configure the system, delegate privileges throughout the network, modify the system for local conditions, and set properties and privileges for individual users through the use of a simple database consisting of Profiles.
This scalable system allows user privileges to be easily mirrored from the existing organizational structure. Profiles can be administered centrally and updated automatically on the local workstation. The system administrator can choose to allow multiple users to operate the same computer without compromising other secure files (each user is given a unique ID and password). Protect! also works with all standard utilities and software.
Installation and Deployment
System administrators can deploy Protect! across the network without having to install the software manually on individual machines. They can also use profiles in conjunction with system installation management software to perform silent installations of Protect!. Administrators create the installation profile and modify it to meet local requirements. User systems can then be installed “silently” from the installation directory on the server. This allows site administrators to use their preferred installation management software to aid in the deployment of Protect!.
Installation using Profiles:
Profiles are the essential element in the installation and maintenance of Protect!. The System Administrator creates an enterprise-wide security model in an “installation profile” when Protect! is initially installed.
The installation profile consists of initial system settings. Protect! uses these settings as the default in all subsequent installations. Some settings can be locked to enforce enterprise-wide security rules. The System Administrator then distributes the initial installation profile to the local site Administrators. These administrators make local changes to the profile, if permitted.
After the installation profile has been modified by the local Administrator(s), subsequent user installations will not require any additional configuration information. In essence the installation profile is a template for user installations. Administrators can change profiles with “updates” to the configuration of Protect! after it has been deployed to users’ desktops.
One important configuration detail in the initial installation profile is the “update path.” The update path is the network location of a system directory where Protect! looks every time it starts and also at regular intervals. This directory can contain User and Group changes, access level changes, or changes to any of the other settings in the initial installation profile. Either the System Administrator or a site Administrator can create a profile update, which they can automatically distribute to users through the update directory. This allows for easy maintenance of the system without having to deal with each desktop individually.
How does Protect! organize different types of users?
Protect! utilizes profiles to describe the configuration of the database and to set the properties of Groups and individual Users. Profiles organize three types of information:
System information defines universal settings including partitions to be encrypted, the paths to directories for updates, and the type of encryption algorithm to employ. System information also defines levels of authority and the privileges of System Administrators, Administrators, and Users.
Group information defines settings and privileges for Groups, including User access to Remote Help and unlocking security functions such as keyboard locking. A User created under a Group will inherit the current Group settings.
Individual information consists of settings and privileges of individual users, including user access to specific partitions, remote help, and unlocking security functions such as keyboard locks.
Levels of Authority:
Protect! enables Administrators to establish a flexible hierarchy of authority that grants access to different parts of the system. You can assign levels of authority to personnel according to what they need to do in the system or with specific applications or data. The three levels of authority are:
The System Administrator has the highest level of authority to administer Protect! and can perform the following functions:
- Create and administer profiles
- Specify and alter settings for Users and Administrators
- Add new and delete old Users in the system
- Help Users who have been locked out of the system.
Administrators have limited authorization to remove, install, and change settings for specific Users. The Administrator is only allowed to work with Users who have similar or lower authority than the Administrator himself. The Administrator cannot alter the System Administrator’s profile or in any way increase his/her own rights. Administrators are normally assigned authority to provide remote help and modify profiles.
Users have limited access to the computer as defined by system settings. Each User has an assigned account with a User identity and password that permit access to the entire hard disk, or specific partitions on that disk. This is particularly useful for contractors or multiple Users who have access to the same machine.
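The locked-setting rule from "Installation using Profiles" and the authority rule above, modeled together as an added example (not Protect!'s code or profile format). The setting names, values, update path and account names are constructed, and refusing to raise anyone above the Administrator's own level is an assumption drawn from the "similar or lower authority" wording.

```python
from dataclasses import dataclass

RANK = {"user": 0, "administrator": 1, "system_administrator": 2}

# Constructed master profile: every setting carries a value and a lock flag.
MASTER_PROFILE = {
    "encryption_algorithm": {"value": "CAST", "locked": True},
    "max_login_attempts": {"value": 3, "locked": True},
    "update_path": {"value": r"\\server\protect\updates", "locked": False},
    "screensaver_timeout_min": {"value": 10, "locked": False},
}


@dataclass
class Account:
    name: str
    level: str


def localize_profile(master: dict, actor: Account, changes: dict):
    """Apply an administrator's edits; return (local profile, rejected keys)."""
    local = {key: dict(entry) for key, entry in master.items()}  # master stays intact
    is_sysadmin = actor.level == "system_administrator"
    rejected = []
    for key, value in changes.items():
        entry = local.get(key)
        if entry is None or RANK[actor.level] < RANK["administrator"]:
            rejected.append(key)          # unknown setting or plain user: fail closed
        elif entry["locked"] and not is_sysadmin:
            rejected.append(key)          # locked settings enforce enterprise policy
        else:
            entry["value"] = value
    return local, rejected


def may_manage(actor: Account, target: Account, new_level: str = "") -> bool:
    """Decide whether actor may change target, optionally setting new_level."""
    new_level = new_level or target.level
    if actor.level == "system_administrator":
        return True
    if actor.level != "administrator":
        return False                      # Users administer nothing
    # An Administrator reaches only similar or lower authority and can never
    # grant more than they hold, which also blocks raising their own rights.
    return (RANK[target.level] <= RANK[actor.level]
            and RANK[new_level] <= RANK[actor.level])
```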