Home / server / Questions / 24282
Accepted
TechGuyTJ
Asked: 2009-06-12 10:27:07 +0800 CST

How do you secure your mobile computers?

  • 772

The possibility of having one of your users' laptop being either stolen or lost is fairly high. What are some of the best practices/policies when protecting your data on mobile computers?

Understanding that Disk Encryption is a must have, what products give you as the IT admin the most flexibility when working with a user's laptop?

mobile-devices security user-management

6 Answers

  1. Best Answer

    In addition to disk encryption, a policy to not allow any sensitive data to be left on the laptop may be helpful. Instead require the laptop to VPN & RDP to a secured machine back at the office. With this approach you will lose the ability to work offline, but depending on how sensitive the data is, this might be the best option.

    You can also use some type of Remote Laptop Security (RLS) that phone home. If the purp is using the laptop, this can be a good way to find and recover the laptop. I have never used these services, but here is an example.

    • 5

  2. Two words - Disk Encryption.

    We use SecureDoc from WinMagic, but there are a number of them out there.

    Ok, 7 words. In addition to the above we have the policy "no data allowed on c:"

    Some cautions on certain disk encryption packages

    • Sleep mode can bypass the encryption login as the system does not go down far enough. Hibernate is a workaround for this, but hard to enforce.
    • Make DARN sure to unencrypt a disk prior to trying to run any kind of Windows recover console tools (.....)
    • Look for something that'll encrypt removable media as well.
    • 2

  3. I suggest TrueCrypt for full disk encryption. Being open source, the price is right and it works well. The one downside is there's no way to centrally manage it, so if someone left on bad terms, there's no way to retrieve the password.

    • 1

  4. Things other people have said about disk encryption and VPN are very good. Another good idea is to disable USB ports. If a legitimate user moves data to a USB stick from an encrypted drive, the encryption is useless.

    The best thing you can do, above and beyond that, is to have multi-factor authentication such as Yubikey or RSA SecurID. Someone who steals an unattended laptop is unlikely to also steal someone's keys. By forcing someone to have a password as well as a physical object in order to authenticate, it becomes extremely difficult for thieves to access the data. If they steal the laptop, they'll get free hardware, but they won't get your data.

    • 1

  5. If your machines are Windows Vista or 7, go with BitLocker, which is a pretty nice built in full disk encryption solution. I think with Vista you need Ultimate or Enterprise, and 7 includes it with those two and buisness. If I am wrong on this feel free to comment and I will adjust my entry.

    • 1

  6. At my company, we use Symantec Endpoint and disk encryption.

    • 0