Solved supporting an office of computers with full drive encryption
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
I presume that there is data on there?
All my software, and Keepass files. Encrypted SSH keys and RDP password a la MobaXterm. Yeah. There's a bit on here that I don't want folks to have access to.
And if somebody steals my office machine, they'd have to steal the UPS too... and then know the password to unlock my screen... and my desktop weighs about as much as my UPS (it's a small one), lol.
Nearly all of that is already encrypted, though. So those parts won't benefit from further encryption.
Many of our laptops do have unencrypted data that would be very bad to have leaked/stolen. Never mind just having access to the email on some of our machines - yikes.
The last manager meeting here, the owners were sounding very interested in this new LANLess thing @scottalanmiller has been talking about. I'll probably be getting a request for a NextCloud, Spreed.Me, and one of the office integration suites here in the near future
-
@travisdh1 said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
I presume that there is data on there?
All my software, and Keepass files. Encrypted SSH keys and RDP password a la MobaXterm. Yeah. There's a bit on here that I don't want folks to have access to.
And if somebody steals my office machine, they'd have to steal the UPS too... and then know the password to unlock my screen... and my desktop weighs about as much as my UPS (it's a small one), lol.
Nearly all of that is already encrypted, though. So those parts won't benefit from further encryption.
Many of our laptops do have unencrypted data that would be very bad to have leaked/stolen. Never mind just having access to the email on some of our machines - yikes.
The last manager meeting here, the owners were sounding very interested in this new LANLess thing @scottalanmiller has been talking about. I'll probably be getting a request for a NextCloud, Spreed.Me, and one of the office integration suites here in the near future
Sweet, did they watch the video? Did they remember to give some likes? LOL
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
I presume that there is data on there?
All my software, and Keepass files. Encrypted SSH keys and RDP password a la MobaXterm. Yeah. There's a bit on here that I don't want folks to have access to.
And if somebody steals my office machine, they'd have to steal the UPS too... and then know the password to unlock my screen... and my desktop weighs about as much as my UPS (it's a small one), lol.
Nearly all of that is already encrypted, though. So those parts won't benefit from further encryption.
Many of our laptops do have unencrypted data that would be very bad to have leaked/stolen. Never mind just having access to the email on some of our machines - yikes.
The last manager meeting here, the owners were sounding very interested in this new LANLess thing @scottalanmiller has been talking about. I'll probably be getting a request for a NextCloud, Spreed.Me, and one of the office integration suites here in the near future
Sweet, did they watch the video? Did they remember to give some likes? LOL
Nope, they were sold when I told them about the Spreed.Me integration. They've been looking for a way to do webinars and being able to interact with remote people. A way to have that available and keep it all "in house" was the kicker.
Also, don't get me started, 3rd party services just won't work because of the crazy legalities surrounding the business. In a sane world I'd have them connect with Skype or something like that.
-
@PenguinWrangler said in supporting an office of computers with full drive encryption:
We use Dell DDPE encryption solution. We can log into the server and tell the computer bypass the first Encryption Screen on next boot if the computer is in the office. So that is how we handle WOL scenarios.
Is that product still made by Wave?
I know Wave was having some issues a little while back.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
Sure, that can happen, depending on how it is set up. But you can encrypt all user space without encrypting the OS.
How would I go about encrypting the user space without the OS?
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
Sure, that can happen, depending on how it is set up. But you can encrypt all user space without encrypting the OS.
How would I go about encrypting the user space without the OS?
Standard method is to have all user accessible space on a different volume. Like a D drive (partition.) That way the system can fire up, get patched and be used like a normal system but the data you need to protect can only be accessed with a password (or something) to allow it to decrypt.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
Sure, that can happen, depending on how it is set up. But you can encrypt all user space without encrypting the OS.
How would I go about encrypting the user space without the OS?
Standard method is to have all user accessible space on a different volume. Like a D drive (partition.) That way the system can fire up, get patched and be used like a normal system but the data you need to protect can only be accessed with a password (or something) to allow it to decrypt.
The issue with that that needs to still be considered can be local data being pulled down to the
drive you are unaware of. Outlook, temp files, whatever.I know in the past when we're argued ... er, discussed ... this, you say you don't use anything that create local temp files, but it's a consideration for many.
-
@BRRABill said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
Sure, that can happen, depending on how it is set up. But you can encrypt all user space without encrypting the OS.
How would I go about encrypting the user space without the OS?
Standard method is to have all user accessible space on a different volume. Like a D drive (partition.) That way the system can fire up, get patched and be used like a normal system but the data you need to protect can only be accessed with a password (or something) to allow it to decrypt.
The issue with that that needs to still be considered can be local data being pulled down to the
drive you are unaware of. Outlook, temp files, whatever.I know in the past when we're argued ... er, discussed ... this, you say you don't use anything that create local temp files, but it's a consideration for many.
You can include the program files on the D drive. It's not too hard to look at the apps that you will be using and see where they store data.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@BRRABill said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
Sure, that can happen, depending on how it is set up. But you can encrypt all user space without encrypting the OS.
How would I go about encrypting the user space without the OS?
Standard method is to have all user accessible space on a different volume. Like a D drive (partition.) That way the system can fire up, get patched and be used like a normal system but the data you need to protect can only be accessed with a password (or something) to allow it to decrypt.
The issue with that that needs to still be considered can be local data being pulled down to the
drive you are unaware of. Outlook, temp files, whatever.I know in the past when we're argued ... er, discussed ... this, you say you don't use anything that create local temp files, but it's a consideration for many.
You can include the program files on the D drive. It's not too hard to look at the apps that you will be using and see where they store data.
I wonder if there would be issues trying to force Internet Explorer to install to an alternate path. (another drive) If you can't and the user launches it, and logs in to a confidential site, and their alternate temporary internet file location is unavailable, does it just store the temp files where it has access, or crash? I did a quick google search and couldn't find much on getting internet explorer to install to an alternate path, so I think that idea might not get to far.
-
Are you asking if IE just starts putting private data anywhere? That seems very unlikely. What makes you think that?
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
Are you asking if IE just starts putting private data anywhere? That seems very unlikely. What makes you think that?
If you log in to windows and your profile isn't available, Windows creates a temporary profile for you and runs under that. This isn't the exact case since you would have to have to unlock your secure volume after you log in and your profile loads, but I'm thinking the behavior would be the same.
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
Are you asking if IE just starts putting private data anywhere? That seems very unlikely. What makes you think that?
If you log in to windows and your profile isn't available, Windows creates a temporary profile for you and runs under that. This isn't the exact case since you would have to have to unlock your secure volume after you log in and your profile loads, but I'm thinking the behavior would be the same.
That's just user profile data. Are you talking about redirecting the user profile?
-
@black3dynamite said in supporting an office of computers with full drive encryption:
That's just user profile data. Are you talking about redirecting the user profile?
No , the question is two fold. First, can you install internet explorer to a secure volume so it can't launch unless they unlock their secured drive? Second If IE can't be installed on an alternate path, if the path to their temporary files is unavailable, will Windows just dump them somewhere else?
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
@black3dynamite said in supporting an office of computers with full drive encryption:
That's just user profile data. Are you talking about redirecting the user profile?
No , the question is two fold. First, can you install internet explorer to a secure volume so it can't launch unless they unlock their secured drive?
Why would you care?
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
@black3dynamite said in supporting an office of computers with full drive encryption:
That's just user profile data. Are you talking about redirecting the user profile?
No , the question is two fold. First, can you install internet explorer to a secure volume so it can't launch unless they unlock their secured drive? Second If IE can't be installed on an alternate path, if the path to their temporary files is unavailable, will Windows just dump them somewhere else?
Internet explorer is not like the other browsers. It's part of the operating system. How about not using Internet explorer and stick with Firefox. I believe Opera and Vivaldi allows USB like installation.
-
@black3dynamite said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
@black3dynamite said in supporting an office of computers with full drive encryption:
That's just user profile data. Are you talking about redirecting the user profile?
No , the question is two fold. First, can you install internet explorer to a secure volume so it can't launch unless they unlock their secured drive? Second If IE can't be installed on an alternate path, if the path to their temporary files is unavailable, will Windows just dump them somewhere else?
Internet explorer is not like the other browsers. It's part of the operating system. How about not using Internet explorer and stick with Firefox. I believe Opera and Vivaldi allows USB like installation.
I expect that they do. And even IE is effectively phased out. But even assuming that it is absolutely required, I'm unclear why its installation location matters. Maybe I'm missing something obvious, but no matter where it is running from, does that affect anything to do with security?
-
Coming into the conversation late here.
I have a full enterprise where most, if not all, of my laptops are bitlockered before they are deployed. Security keys are stored in the TPM for boot decryption. I also hold the kyes to the encryption on an IT controlled drive.
There is also a boot up password that must be entered by the user when the boot the computer up from cold. If they are rebooted, the startup password is bypassed automatically by the bios/uefi.
-
The requirement is that temporary files from using the web based software are not left unencrypted. In the suggestion that the
drive is not encrypted so that OS patches can happen I don't think that will work. If the user can launch IE without decrypting the secure drive, it fails the requirement. -
You're asking for full drive encryption while the computer is running?
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
The requirement is that temporary files from using the web based software are not left unencrypted. In the suggestion that the
drive is not encrypted so that OS patches can happen I don't think that will work. If the user can launch IE without decrypting the secure drive, it fails the requirementWhy? Does IE store local files in a shared space? That sounds very unlikely. You've tested that?
