General Recommendation

I am trying to weigh the pros and cons of allowing a set of users in my
enviroment to use public wireless (hotel etc). These users are s specific
group (politicians). They are travelling to hotels with their laptops. The
laptops could contain sensitive data and do not currently have any form of
encryption etc. Does anyone have any recommendations on where to start or
what to implement before allowing wireless?

Malke
Wed Nov 08 10:48:35 CST 2006

Bad Beagle wrote:

> I am trying to weigh the pros and cons of allowing a set of users in
> my
> enviroment to use public wireless (hotel etc). These users are s
> specific
> group (politicians). They are travelling to hotels with their
> laptops. The laptops could contain sensitive data and do not
> currently have any form of
> encryption etc. Does anyone have any recommendations on where to
> start or what to implement before allowing wireless?

I wouldn't. It would be better to either:

1. Give them a "travel hard drive" that has a basic install of the
operating system and some necessary programs and show them how to
switch hard drives. That way they never travel with the important drive
in the laptop.

2. Make an image of a plain install and an image of their current drive
and image the laptops with the plain install before they go on a trip.
Image back when they return.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Steve
Wed Nov 08 22:47:51 CST 2006

This is a multi-part message in MIME format.

------=_NextPart_000_0027_01C70377.285243E0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

What risks are you trying to mitigate? Someone attempting to attack the =
computer while it's online and connected to the hotel network? Or =
someone stealing the computer?

If the former, then there are two important steps required for =
mitigating the risk: enable the Windows firewall and make sure the =
computer is always kept current with all security updates.

If the latter, then you can use EFS to encrypt the files. But since =
these are politicians, who generally aren't tech-savvy, EFS presents an =
operational challenge -- you have to remember to store the files in the =
folders that you've enabled EFS on. If you can, maybe consider using =
Windows Vista (Ultimate or Enterprise editions) for the politicians. =
Those editions include a technology called BitLocker than can encrypt =
the entire volume transparently.

--=20
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Bad Beagle" <maxwelli@nospam.postalias> wrote in message =
news:ex7sBt0AHHA.3396@TK2MSFTNGP02.phx.gbl...
I am trying to weigh the pros and cons of allowing a set of users in =
my=20
enviroment to use public wireless (hotel etc). These users are s =
specific=20
group (politicians). They are travelling to hotels with their =
laptops. The=20
laptops could contain sensitive data and do not currently have any =
form of=20
encryption etc. Does anyone have any recommendations on where to =
start or=20
what to implement before allowing wireless?=20


------=_NextPart_000_0027_01C70377.285243E0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1252">
<STYLE></STYLE>

<META content=3D"MSHTML 6.00.6000.16386" name=3DGENERATOR></HEAD>
<BODY id=3DMailContainerBody=20
style=3D"PADDING-RIGHT: 10px; PADDING-LEFT: 10px; FONT-SIZE: 10pt; =
COLOR: #000000; PADDING-TOP: 15px; FONT-FAMILY: Cambria"=20
bgColor=3D#ffffff leftMargin=3D0 topMargin=3D0 CanvasTabStop=3D"true" =
acc_role=3D"text"=20
name=3D"Compose message area">
<DIV>What risks are you trying to mitigate? Someone attempting to attack =
the=20
computer while it's online and connected to the hotel network? Or =
someone=20
stealing the computer?</DIV>
<DIV>&nbsp;</DIV>
<DIV>If the former, then there are two important steps required for =
mitigating=20
the risk: enable the Windows firewall and make sure the computer is =
always kept=20
current with all security updates.</DIV>
<DIV>&nbsp;</DIV>
<DIV>If the latter, then you can use EFS to encrypt the files. But since =
these=20
are politicians, who generally aren't tech-savvy, EFS presents an =
operational=20
challenge -- you have to remember to store the files in the folders that =
you've=20
enabled EFS on. If you can, maybe consider using Windows =
Vista&nbsp;(Ultimate or=20
Enterprise editions)&nbsp;for the politicians. Those editions include a=20
technology called BitLocker than can encrypt the entire volume=20
transparently.</DIV>
<DIV><BR>-- <BR>Steve Riley<BR><A =
title=3Dmailto:steve.riley@microsoft.com=20
href=3D"mailto:steve.riley@microsoft.com">steve.riley@microsoft.com</A><B=
R><A=20
title=3Dhttp://blogs.technet.com/steriley=20
href=3D"http://blogs.technet.com/steriley">http://blogs.technet.com/steri=
ley</A><BR><A=20
title=3Dhttp://www.protectyourwindowsnetwork.com/=20
href=3D"http://www.protectyourwindowsnetwork.com">http://www.protectyourw=
indowsnetwork.com</A></DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<BLOCKQUOTE=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV>"Bad Beagle" &lt;<A title=3Dmailto:maxwelli@nospam.postalias=20
=
href=3D"mailto:maxwelli@nospam.postalias">maxwelli@nospam.postalias</A>&g=
t;=20
wrote in message <A title=3Dnews:ex7sBt0AHHA.3396@TK2MSFTNGP02.phx.gbl =

=
href=3D"news:ex7sBt0AHHA.3396@TK2MSFTNGP02.phx.gbl">news:ex7sBt0AHHA.3396=
@TK2MSFTNGP02.phx.gbl</A>...</DIV>I=20
am trying to weigh the pros and cons of allowing a set of users in my=20
<BR>enviroment to use public wireless (hotel etc).&nbsp; These users =
are s=20
specific <BR>group (politicians).&nbsp; They are travelling to hotels =
with=20
their laptops.&nbsp; The <BR>laptops could contain sensitive data and =
do not=20
currently have any form of <BR>encryption etc.&nbsp; Does anyone have =
any=20
recommendations on where to start or <BR>what to implement before =
allowing=20
wireless? <BR><BR></BLOCKQUOTE></BODY></HTML>

------=_NextPart_000_0027_01C70377.285243E0--

Roger
Wed Nov 08 22:55:48 CST 2006

Forget the use of wireless question, at least until you have resolved
the more immediate issue. If laptops with sensitive information in
the clear are off-site, out of physical control, then something is wrong
with the policies that are in place to control sensitive data.
If you solve that one, so that such as a stole laptop is not so tramatic,
then wireless use would also become less of a concern (depending on
if sensitive data is still allowed then how it is secured, that is, would
a keylogger be sufficient to subvert the protections?)

"Bad Beagle" <maxwelli@nospam.postalias> wrote in message
news:ex7sBt0AHHA.3396@TK2MSFTNGP02.phx.gbl...
>I am trying to weigh the pros and cons of allowing a set of users in my
>enviroment to use public wireless (hotel etc). These users are s specific
>group (politicians). They are travelling to hotels with their laptops.
>The laptops could contain sensitive data and do not currently have any form
>of encryption etc. Does anyone have any recommendations on where to start
>or what to implement before allowing wireless?
>

S
Thu Nov 09 01:53:44 CST 2006

G'day:

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:OruYMt7AHHA.3540@TK2MSFTNGP03.phx.gbl...
> Forget the use of wireless question, at least until you have resolved
> the more immediate issue. If laptops with sensitive information in
> the clear are off-site, out of physical control, then something is wrong
> with the policies that are in place to control sensitive data.

In practical terms, full laptop encryption is required. Politicians, execs,
consultants - nowadays many lost laptop incidents go public, and sometimes
documents pop up in press (hapened recently in Australia).

Vista is RTM today. Use Bitlocker. Or any of the 3rd-party products.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

S
Thu Nov 09 01:58:35 CST 2006

G'day:

"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
news:34070A30-3557-4714-A18F-D16F2A4ED5ED@microsoft.com...

> If the former, then there are two important steps required for mitigating
> the risk: enable the Windows firewall and make sure the computer is always
> kept current with all security updates.

I've done a PoC test of a reasonably hardened system and compromised it
using rogue wireless access point - combination of permissive settings for
the trusted sites and domain-aware Windows Firewall did the trick. Details
here:

http://sl.mvps.org/docs/RogueAP.htm

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

Roger
Thu Nov 09 09:08:33 CST 2006

Hi Slav,

I agree entirely that full-disk encryption is a great solution to
the stolen mobile device problem, assuming valid, unbreakable
encryption. However, this does nothing for the scenario:
"sensitive data, in clear available within login to running system,
and running system compromised and network active"

It seems the only valid approaches encompass:
1. do not allow sensitive data on the devices (not realistic?)
2. do not allow compromise (note: this is also in the flavor
of compromise of the user account, either its credentials
compromised or a user-level malware compromise)
This one is much more simply claimed than it is done
(as it includes user behavior, not just maintaining health
and protection of system/application binaries)
3. do not allow connectivity (again, not realistic)

Perhaps only some combination of active health maintanance
softwares, digital rights management control of the sensitive
data with required two-factor authN, and user "training" (that
both Steve and yourself noted as not likely possible for this
specific user set) is available today to address the scenario.

Roger

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:%239K%23yQ9AHHA.3928@TK2MSFTNGP03.phx.gbl...
> G'day:
>
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:OruYMt7AHHA.3540@TK2MSFTNGP03.phx.gbl...
>> Forget the use of wireless question, at least until you have resolved
>> the more immediate issue. If laptops with sensitive information in
>> the clear are off-site, out of physical control, then something is wrong
>> with the policies that are in place to control sensitive data.
>
> In practical terms, full laptop encryption is required. Politicians,
> execs, consultants - nowadays many lost laptop incidents go public, and
> sometimes documents pop up in press (hapened recently in Australia).
>
> Vista is RTM today. Use Bitlocker. Or any of the 3rd-party products.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
>

Roger
Thu Nov 09 09:21:21 CST 2006

Hi Steve,

As I see it the challenges that remain, not covered by your good advise,
are largely "stupid user behavior" risk factors, but they are very real.
EFS or not, well-patched and without zero-day issues, the user can
(hence will with some statistical significance) invite a compromise
of the data from within their active login. In my view, if one cannot
get the users to take ownership of the problem then one only has an
unending trail of partial efforts, much like a big-daddy legal system
that attempts to protect its citizens with ever pickier, less-generalized,
rules and regulations.

Roger

"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
news:34070A30-3557-4714-A18F-D16F2A4ED5ED@microsoft.com...
What risks are you trying to mitigate? Someone attempting to attack the
computer while it's online and connected to the hotel network? Or someone
stealing the computer?

If the former, then there are two important steps required for mitigating
the risk: enable the Windows firewall and make sure the computer is always
kept current with all security updates.

If the latter, then you can use EFS to encrypt the files. But since these
are politicians, who generally aren't tech-savvy, EFS presents an
operational challenge -- you have to remember to store the files in the
folders that you've enabled EFS on. If you can, maybe consider using Windows
Vista (Ultimate or Enterprise editions) for the politicians. Those editions
include a technology called BitLocker than can encrypt the entire volume
transparently.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Bad Beagle" <maxwelli@nospam.postalias> wrote in message
news:ex7sBt0AHHA.3396@TK2MSFTNGP02.phx.gbl...
I am trying to weigh the pros and cons of allowing a set of users in my
enviroment to use public wireless (hotel etc). These users are s specific
group (politicians). They are travelling to hotels with their laptops.
The
laptops could contain sensitive data and do not currently have any form of
encryption etc. Does anyone have any recommendations on where to start or
what to implement before allowing wireless?

Gary
Thu Nov 09 09:45:56 CST 2006

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:OVx74KBBHHA.4428@TK2MSFTNGP04.phx.gbl...

> much like a big-daddy legal system
> that attempts to protect its citizens with ever pickier, less-generalized,
> rules and regulations.
>

Love that line! Gonna steal it, <g>.

--

Gary S. Terhune
MS-MVP Shell/User
http://grystmill.org/articles/cleanboot.htm
http://grystmill.org/articles/security.htm

Roger
Fri Nov 10 01:21:52 CST 2006

"Gary S. Terhune" <grystnews@mvps.org> wrote in message
news:OXm2mYBBHHA.5060@TK2MSFTNGP02.phx.gbl...
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:OVx74KBBHHA.4428@TK2MSFTNGP04.phx.gbl...
>
>> much like a big-daddy legal system
>> that attempts to protect its citizens with ever pickier,
>> less-generalized,
>> rules and regulations.
>>
>
> Love that line! Gonna steal it, <g>.
>

Perhaps I just need become more rural once again :-)

Roger

v-xuwen
Thu Nov 16 03:43:49 CST 2006

Hi Maxwelli,

I checked this thread and I think lots people provided right suggestion. I
wonder if the suggestions helped you? Feel free to post back if you still
need assistance.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------
>>From: "Bad Beagle" <maxwelli@nospam.postalias>
>>Subject: General Recommendation
>>Date: Wed, 8 Nov 2006 08:33:34 -0700
>>Lines: 8
>>X-Priority: 3
>>X-MSMail-Priority: Normal
>>X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
>>X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
>>X-RFC2646: Format=Flowed; Original
>>Message-ID: <ex7sBt0AHHA.3396@TK2MSFTNGP02.phx.gbl>
>>Newsgroups: microsoft.public.security
>>NNTP-Posting-Host: 199.213.91.1
>>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
>>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.security:91416
>>X-Tomcat-NG: microsoft.public.security
>>
>>I am trying to weigh the pros and cons of allowing a set of users in my
>>enviroment to use public wireless (hotel etc). These users are s
specific
>>group (politicians). They are travelling to hotels with their laptops.
The
>>laptops could contain sensitive data and do not currently have any form
of
>>encryption etc. Does anyone have any recommendations on where to start
or
>>what to implement before allowing wireless?
>>
>>
>>