Follow these tips, tools, and techniques to protect your Windows notebook against theft, intrusion, and data loss
Security: You either have it you don't. It's a matter of degrees or, as the experts prefer to think of it, layers. The more varieties of security you have, the better the odds your goods can be protected successfully from intrusion or theft.
Layered security applies as much to laptop computers as it does to corporate networks or the Pentagon -- good news because laptops present a major target for theft. Aside from the (illegal) resale value of the laptop itself, there's always the possibility that personal data can be harvested from it. Although hacking has surpassed the lost or stolen laptop as the leading cause of data breaches, the notebook is no less vulnerable to theft for precisely that reason.
With that in mind, I've collected a variety of techniques, software products, services, and functionalities that are either available on certain notebooks or can be implemented on just about all of them. Some involve hardware (fingerprint readers), some involve software (Prey, TrueCrypt), and some involve nothing more than using your head (strong passwords). Not all of them might be implemented on a given machine, but the more layers of each kind of security you can add, the better.
I don't expect most people to implement every single suggestion found here. I myself have a notebook that has a TPM (Trusted Platform Module), a fingerprint reader, full-disk encryption, a StuffBak sticker (to facilitate the return of a lost device), and a Prey account (to track a stolen unit) -- but I know full well that combining all of these protections is the exception, not the rule.
That said, there's nothing stopping you from implementing two or more of these layers of security on your notebook. Prey plus full-disk encryption, for instance, are both feasible and inexpensive; you can do both without paying a cent, and together they provide useful defenses. StuffBak costs money, but not a lot; a package of stickers can be had for under $20, and you pay (if you pay at all) only for a return when it actually takes place. The most expensive proposition is to either add a fingerprint reader to an existing system or to buy a system that has a fingerprint reader plus TPM as factory-installed features.
But no matter what your budget -- $2, $20, or $2,000 -- there are affordable layers of security you can add to your notebook that can prove priceless.
Laptop security step No. 1: Strong passwords
I know, I know, you've heard this drill too many times, and it never sounds any more compelling each time it's repeated. That's why you're using your birthday or "password123" or some other too-easy-to-guess string ... because when you get down to it, you don't really believe someone's going to crack open your notebook and ransack it for everything they can find. Right?
The point of a long password is not just to annoy you, even if it feels like that at times. It's to provide a nontrivial first line of defense for the system. Passwords are one of the first and easiest protections to attack if a system falls into the wrong hands. By that token, they're also one of the easiest protections to make secure in the first place -- provided you choose them properly.
Fortunately, it's quite possible to create secure passwords without exceptional stress on your part. The trick is to pick a password that means something to you and that has a degree of complexity to it, but which most anyone else -- even someone with a casual amount of knowledge about you -- will have a hard time guessing. Above all else, it should not be a word that can be found in a dictionary.
One of the best ways I've found to generate a secure password is to start with a phrase -- a short sentence, something you can easily remember. A song lyric is perfect for this sort of thing, since almost anyone can remember one that they like. The trick is not to use the lyric or the short sentence itself, but to use the first letter of each word to compose the password. Example: The opening words of Bob Dylan's "Like a Rolling Stone" might be rendered "ouatydsfyttbadiyp."
The end result is usually fairly long, complex enough to meet most passwords requirements, and easy to bring back to mind. If you're using a system where password length and complexity have been set by an administrator, you can enhance any of the above schemes by swapping symbols for letters ($ for S, @ for A, and so on).
What's crucial is that you find a way to keep your passwords in your memory and not rely on some external storage (such as a Post-it Note). Using a passphrase as a mnemonic is one way to avoid having to write it down. The less of your laptop's security you make available to prying eyes in any form, the better. This takes practice, but not as much as you might think, and it creates good password-generating habits that can be used elsewhere.
Laptop security step No. 2: Fingerprint readers
If your laptop comes equipped with a fingerprint reader, that's another layer of protection you can use. Fingerprint readers complement existing ways to secure a system; they can be used to log on instead of a password, but you can always fall back on a password if the fingerprint reader goes out of whack or you don't have a finger handy anymore (ouch). It's also often faster and more convenient to log in via a fingerprint than it is to type a password. There's nothing to memorize; you are the credential.
Note that fingerprint readers are not offered in all notebooks; they're mainly found in business-class machines. It is possible to add a fingerprint reader to a notebook after the fact, by plugging one in via USB. That said, I'm not crazy about the idea, if only because of the form factor. Having something the size of a stick of gum perennially hanging off the side of one's notebook sounds like an invitation to smashing it against something -- doubly so if you're a commuter.
When you set up a fingerprint reader, here are a few tips to keep in mind:
- Enroll at least one finger from each hand. That way, if you have a hand injury, you can easily fall back on the other finger.
- If your reader supports it, configure the system to require a fingerprint at power-on. This way, the system cannot be cold-booted by anyone who's not already registered. In many cases, the system will use the same fingerprint credential swiped at startup to automatically log you in, so you don't have to swipe your finger twice.
- Fingerprint credentials (the data sampled for your fingerprint) can be protected using the reader's own key for additional security. There's no noticeable overhead or cost for doing this, so use this option if it's available with your fingerprint reader.
- It's typically possible to set a backup password for the fingerprint reader in case it fails to work. If you do this, don't use a password that matches anything else in the system. Come up with something fresh.
Some fingerprint-reader software suites also have the ability to protect password fields, either in system prompts or in pages viewed by Web browsers. I'm not crazy about doing this, if only because I found another approach that does not store passwords locally at all: SuperGenPass. It's a browser-side add-on that uses a master password to dynamically generate strong passwords for websites based on their domain name. Nothing is ever stored locally, unless you use your browser's own password-storage feature to cache the results (which defeats the purpose).
Laptop security step No. 3: Full-disk encryption
A third level of protection comes in the form of encryption, which can range from simply encrypting individual files to encrypting the entire contents of the system disk. Windows has long had on-disk encryption for individual files and folders, but now features the native ability to encrypt the system drive itself: operating system, applications, data, everything. Whether you use Windows' built-in solution or an alternative (more on that below), don't overlook the importance of full-disk encryption. It's one of the most thorough physical defenses for a notebook.
Windows' native disk encryption system, BitLocker, can be used to protect either individual drives or the entire system drive. It doesn't appreciably affect system performance, so you can use it without worrying about slowing down the system. If you elect to encrypt your notebook's entire system drive with it, you'll need one of two things:
- A TPM (Trusted Platform Module) in the notebook in question. Notebooks equipped with a fingerprint reader generally have a TPM included, and BitLocker uses the TPM as a safe place to store the encryption keys.
- A removable USB drive which serves as a boot key for the system. By default BitLocker looks for a TPM, so it will need some administrative modification to use a USB key.
I've used BitLocker on notebooks both with and without TPM. On the whole, TPM makes it far simpler, but there's no appreciable difference in functionality on a system that's protected by USB key only. If you plan on using a USB key, do yourself a favor and spend some money to buy the smallest USB drive you can find (that you're confident you won't lose). This makes it less onerous to plug and unplug, especially if you find yourself doing so on the train.
Microsoft went through some trouble to make sure that data stored on BitLocker drives are recoverable in the event of hard disk damage or failure. BitLocker-encrypted drives can also be accessed in the Windows pre-installation environment and the Recovery Console, provided you have the encryption key or the backup password. If something does indeed go wrong, you will still have some way to access the encrypted drive. Also, if you're using the notebook in an Active Directory-managed environment, you can have a backup of the key saved in AD. It remains a good idea to have any valuable data backed up elsewhere (and to keep those backups encrypted, too), of course. My point is that you have multiple lines of defense against disaster.
BitLocker has one restriction that may put it out of the reach of many users: It's available in only the Enterprise and Ultimate SKUs of Windows. Since not everyone can afford those editions, it's good to know much of the same functionality is available through free third-party software.
One of the best ways to get roughly the same level of functionality as BitLocker is via TrueCrypt, an on-disk encryption system for multiple platforms that allows for full system-disk encryption in Windows. Once a system drive is encrypted with TrueCrypt, it requires a password at boot time -- one that you should pick according to the parameters I outlined previously. No password, no boot; no boot, no data.
Another major feature offered by TrueCrypt is the ability to create a hidden operating system partition. Depending on the password you supply at boot time, you can boot to one of two partitions: a visible OS partition (in which you have nothing of consequence) or a partition hidden at the end of the visible one that contains your real OS. This is an extension of an existing TrueCrypt function, where you can hide one encrypted volume inside another. If you're ever in a position where you're forced to reveal your encryption password, you can do so without giving up your secrets. I recommend this only for the truly cautious, because a) setting up a hidden OS is somewhat complicated and b) it's not likely you'll need it unless you work in an environment where guns might end up being pointed at you.
TrueCrypt also insists on creating a recovery .iso that you can boot (from a CD or USB drive) to perform system recovery in the event the drive doesn't boot properly for whatever reason. Thus, you have something to fall back to in the event of a problem.
If you're loathe to encrypt the whole system, you can use BitLocker or TrueCrypt to encrypt individual nonsystem volumes -- USB drives, for instance, where you might keep your most sensitive data. This provides less global protection, but also with slightly less hassle.
Laptop security step No. 4: Theft and loss recovery
One final layer of protection you can add to a notebook is what to do if it's lost or stolen. Since notebooks are lost and stolen a lot more regularly than their desktop counterparts (which goes hand in hand with the fact that they're portable), it makes sense to either protect them from being lost in the first place or to make sure they can be recovered if they go missing.
Theft recovery for a notebook can take roughly two forms: a service or an application. Sometimes you have one as an extension of the other, but those two basic incarnations are the most common.
On the service side, there's a system I've used for some years now: StuffBak. With StuffBak, you buy special stickers -- made of the same metal foil as industrial inventory-control tags -- that come with serial numbers. You attach one such sticker to your notebook in a conspicuous place, then register the device with StuffBak's website. If the device goes missing, you can log into the website and report it as lost. The sticker itself sports the words "Reward for return!" along with an 800 number and the Stuffbak website's URL.
If a Good Samaritan finds the device and reports it as found, they can claim a reward for returning it. You set the reward amount, and StuffBak handles all the shipping logistics; whoever finds it doesn't ever have to know your name or address. It's all completely hands-off.
StuffBak has a few different grades of service depending on how many items you have to protect. A basic pack of labels comes with lifetime item registration and two years of free returns, but you can buy additional levels of protection and recovery services depending on your needs. Some PC makers are now adding features like this to notebooks out of the box. Sony, for instance, includes TrackItBack recovery labels on many of its new notebooks.
The one major drawback to StuffBak (and other services of its kind) is that it depends entirely on the good graces of whoever finds your hardware. Sure, your lost or stolen laptop might end up in the hands of an upstanding citizen or at least one who will respond to the offer of a reward. Unfortunately, not everyone is motivated to be so helpful. That's why it makes sense, at least from my point of view, to also use software that can help find your computer if it goes missing.
I've since settled on the application-and-service combo known as Prey, which provides protection for both PCs and phones. You install the open source Prey software on the machines you want to track, then register each machine with Prey's website. If one of the devices goes missing, you note it as such on the site and can activate a whole slew of possible recovery mechanisms:
- An audible alarm (useful if you think it might be nearby)
- An alert message that warns any would-be users the device is being tracked
- Device locking and wiping (capabilities vary depending on the device and level of service)
- Geolocation based on GPS or network connections
- Session spying (to see what the user might be doing)
- Webcam access (to silently take pictures of the current user)
If the Prey client has a network connection, it checks every few minutes (you can set this interval, from 10 to 40) to see if the host has been reported lost. Prey can also attempt to automatically -- and silently -- make a connection through a Wi-Fi hotspot.
One of the recommendations made for Prey users, as counterintuitive as it sounds, is to deliberately leave the Windows guest account active. A prospective thief will think someone's left the front door wide open and cheerfully log in through the guest account to try to see what he can find. Windows automatically grants the guest user very limited privileges, so that account can't be used to read data stored in other user accounts. If you've encrypted the drive as well, the intruder won't be able to access your data even if he pries the drive out of the notebook.
The free version of the Prey service only lets you register up to three devices and imposes some limitations on how they can be tracked. For-pay versions of Prey's services can be purchased at different tiers for different numbers of devices, and they add more tracking functionality, like the ability to connect persistently to your stolen device if it's on the network.
This story, "4 simple steps to bulletproof laptop security," was originally published at InfoWorld.com. Keep up on the latest developments in mobile technology, Microsoft Windows, and network security at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.
Announcement follows two-week investigation into major cyberattack
Sponsored by Nuage Networks
Last Tuesday's MS14-066 causes some servers to inexplicably hang, AWS or IIS to break, and Microsoft...
Apple's iCloud Drive deployment was sure to mess up people's access to documents -- and it did
The larger design is very welcome, but there's much more to the iPhone 6 than a bigger screen
Sponsored by Rackspace
Sponsored by Nuage Networks
Sponsored by Fibre Channel Industry Association
Which office package provides the best productivity experience on Android? We put the leading...
We look back at the tech products that were released for sale to the general public in 2014, and picked...
Windows 7 is suddenly telling users it isn't genuine -- and it has nothing to do with Windows being...
From BGP to SSL, several Internet protocols are no match for today’s malicious hackers -- and should be...