Endpoint Encryption

  • 1.  SEE Full Disk - Without requiring user registration

    Posted Oct 29, 2010 04:25 AM

    I am looking to roll-out SEE Full-Disk.

    I have been testing with the "Do not require registered users to authenticate to SEE" option selected in the framework.

     

    My question is this.

    With the above options selected, am I less secure, as the user turns the computer on and only has to put a password in to get to log onto the domain?



  • 2.  RE: SEE Full Disk - Without requiring user registration

    Posted Oct 29, 2010 04:40 AM

    Hi Mark. Yes, you are less secure, though it depends on your security stance. By having the pre-boot authentication enabled you effectively stop anyone getting to anything on the disk without first having the passwords. Without it, someone could in theory boot to the Windows screen and hack past it (third party tools, safe mode etc.) and also the laptop is then network-enabled so could be exploited that way. Obviously the casual user wouldn't know how to do this but it does leave it less secure. You still have full disk encryption, so if someone takes the disk out and puts it in another machine they won't be able to get to the data. We started out with the same option enabled but later decided the most secure and effective use of the software was to let it do it as designed and go with pre-boot. I guess the way to decide is to think how safe you would feel if a laptop was stolen. Hope that helps.


  • 3.  RE: SEE Full Disk - Without requiring user registration

    Posted Nov 01, 2010 07:45 AM

    Registering users has another advantage: once the user is registered, the same user must be authenticated in preboot. No one else can log on to the machine except the SEE client admin which you create. For more security, it is recommended to use SEE authentication.



  • 4.  RE: SEE Full Disk - Without requiring user registration

    Posted Nov 08, 2010 07:00 AM

    Thanks for the help.

    I have one last question.

    Is it possible to create a "low" security SEE admin, which any user can put in at the PBE, then authenticate against Windows, but not register with SEE?

    This is how it works with our existing encryption tool, and would be easy for the users.



  • 5.  RE: SEE Full Disk - Without requiring user registration
    Best Answer

    Posted Nov 08, 2010 07:11 AM

    Technically possible, yes, though still a little risky if the credentials get leaked. I think you would still need the Windows users to register with SEE though. If you have a test system / policy, give it a try on a test machine first to see if it works how you'd expect.



  • 6.  RE: SEE Full Disk - Without requiring user registration

    Posted Nov 08, 2010 07:21 AM

    Thanks.

    I am just giving this a go now, in a test environment.



  • 7.  RE: SEE Full Disk - Without requiring user registration

    Posted Nov 11, 2010 05:54 AM

    Mark

    We run in this way. It also helps with automated patching. If a patch install reboots a machine you cannot then install a second patch as it's waiting at the boot menu.

    The way around this is to use AD to tell it to ignore the boot menu for a period of time or number of reboots.

    We also use AD to add a second account to the machine so if we need to give the password out to an engineer, we can change it quite easily.

    We found AD updates did not work with fresh installs of 7.0.5, only upgrades and 7.0.7.