Lock Down Your PC

1. Physical Security

Even if you adopt the best encryption schemes, employ the strongest passwords, and implement the toughest security policies on your PC, an insider--a coworker, a contract employee, or even a family member--can still steal information right out from under your nose if you don't protect the physical integrity of the PC itself and turn off some settings that let an insider bypass your stringent software security.

How bad is the insider threat? Pretty bad, according to the FBI and the Computer Security Institute. In their 2003 Computer Crime and Security Survey, a poll of top corporate IT managers, 45 percent of the companies reported unauthorized access of data by insiders. What's worse, insiders are harder to detect and repel than some anonymous hacker pinging your firewall.

Boot-proof it: Your Windows password may be 26 characters long, with letters, numbers, and special characters--but if an intruder can read your hard drive without having to boot up Windows, what good will it do you? Armed with a freely available, custom boot floppy or CD, a knowledgeable snoop can access your digital goods without ever entering Windows. To prevent this, use the system BIOS to disable boot devices other than the hard disk (or, if that's not possible, select the hard disk as the first boot device). For computers located in hard-to-protect public areas, consider removing floppy and CD/DVD drives, and disabling or removing USB and FireWire ports, to prevent people from booting the PC with a Linux disc, IPod, flash memory USB drive, or FireWire hard disk.

Password-protect the BIOS: Most types of BIOS let you create a user password that must be entered thereafter to permit the system to start up. If the BIOS supports it, an administrator password will prevent intruders from changing your BIOS settings (including the boot password). To get started, check your system's online or printed documentation to find out how to enter the BIOS setup program. In most cases, you'll need to reboot and then press Delete, Esc, F1, or another key or key combination to enter the BIOS setup utility. (Newer computers may come with a configuration program that lets you modify BIOS settings from within Windows.) Once in the program, look for a security or password section; then simply follow the on-screen prompts, enter the password, save the new settings, and restart the system.

Two important warnings: First, write down this password (carefully--it's often case-sensitive) someplace where you'll be able to find it but others won't.

Second, don't assume that a BIOS password will stop everyone. Some systems accept "master" passwords, lists of which appear on the Web. Holding down certain keys or mouse buttons will sidestep password security on other models.

And anyone with the opportunity to open the system's case can clear the passwords by moving a jumper on the motherboard, or by disconnecting the battery that powers the BIOS settings' memory chip. If you're worried about that happening, get a lock for the case itself.

Bruce Schneier, CTO, Counterpane Internet Security: "Keep your laptop with you at all times, like a wallet or purse. Regularly purge unneeded files from it, and encrypt the rest."
Photograph: Steve Woit
Eliminate data to reduce risk: Is the value of your data so high that its loss or destruction would be a calamity? Are you keeping a supersensitive file on your laptop unencrypted, and carrying it to out-of-town business meetings? If you have no pressing need to carry that valuable stuff around with you, stick it on your file server (or on a CD) and delete the sensitive documents from your hard drive today.

Shackle that laptop: Do you and your notebook spend hours in libraries, coffee shops, airports, hotel rooms, and other public or semipublic places? Depending on where you are, leaving your laptop unattended falls somewhere between risky and just plain nuts.

Cable locks deter out-in-public, broad-daylight thefts (but not in private places, like your hotel room; bolt cutters slice through cables like butter). Most laptops, some desktop PCs, and even some flat-panel monitors are designed with standard cable-lock slots. Just be sure to wrap the cable around something substantial and escape-proof--unless it's bolted to the floor, a straight table leg won't do. The 6.5-foot Targus Defcon CL lock sells for less than $30 (street), and Kensington's $43 (street) MicroSaver Guaranteed Notebook Replacement lock offers theft reimbursement of up to $1500 if someone steals your locked laptop.

BIOS passwords, accessed through your PC's setup utility, prevent unauthorized people from bypassing Windows security. Some newer BIOS utilities let you create one password for logging in to the computer and another for making changes to the BIOS.
BIOS passwords, accessed through your PC's setup utility, prevent unauthorized people from bypassing Windows security. Some newer BIOS utilities let you create one password for logging in to the computer and another for making changes to the BIOS.
Go biometric: Ready to go all James Bond on your coworkers? Consider using a biometric device, such as a fingerprint reader. Many biometric devices include password manager software to keep track of passwords for networks, Web sites, and even other applications. For instance, the Fellowes Secure Touch Mouse ($70 list) combines a biometric fingerprint scanner with Omnipass password management and encryption software from Softex. After training either device with your fingerprint, you will be able to log in to Web sites or Windows, or encrypt and decrypt files and folders, with merely the press of a finger.

PC, phone home: If someone manages to swipe your PC or laptop despite all your precautions, you stand a chance of getting your machine back if you've installed tracing software on it. Programs like Absolute Software's ComputracePlus ($50 per year) and ZTrace Technologies' ZTrace Gold (also $50 per year) lurk invisibly, checking in with the vendor's tracking servers whenever the computer is connected to the Internet. When you report the computer stolen, the software vendor can help authorities locate the laptop and the thief.

Subscribe to the Security Watch Newsletter

Comments