Securing your Windows computer from data theft


You often read in the newspapers that someone has found an old computer
and managed to retrieve valuable corporate information from it. What's
even more common is that a laptop is stolen which contains corporate
information (like credit card information) or even classified information
from a law-enforcement agency. Or you thought you wiped your computer but
somehow your colleague was still able to retrieve sensitive or
embarrassing information from it (such as porn pictures, your email or
your webbrowser links). The problem is that when Windows is reinstalled on
a computer, all the files which were previously only visible to the user
(and Administrator) can now seen by the person who reinstalled Windows
(you can reinstall Windows without having to erase the hard disk) on that
computer!

What really frustrates me is that all these cases are trivially easy to
avoid and have almost no impact on performance or 'user experience.' Both
Windows 2000 and XP (the most common desktop and laptop operating systems)
have built-in encryption which is very easy to use and requires almost no
effort on the part of the user.

What you merely do is select a folder in the Windows Explorer and then
right-click this folder and select 'Properties.' A dialog will pop up
showing the some folder information. Press the 'Advanced...' button and
then in the dialog that pops up select the bottom checkbox with the label:
'Encrypt contents to secure data.' Windows will now ask if you want to
'Apply changes to this folder only' or 'Apply changes to this folder,
subfolders and files.' In most cases you will want to select the latter
because you want to encrypt all the files in the folder right away. If you
select the former, only files added to the folder will be encrypted, not
the ones already in the folder.

And that's it! From that point on only the user that encrypted the file
(i.e. the user which is logged in at the time of encrypting the files)
will be able to access the files in that directory. Not even the computer
Administrator will be able to access the files. One drawback is that
Microsoft didn't exactly do a good job implementing this feature because
people can still look inside the folder and see the *names* of the files
that are there, they just can't open them. But this will not do them any
good in most cases so it's not a big issue.

So what folders to encrypt? Well, the most important folder you will want
to encrypt is your 'user' folder. If you open Windows Explorer, you will
see (if you are in the c:\ folder) the folder named 'Documents and
Settings.' If you enter that folder you will see folders with the names of
the users. If you are logged in as 'John Doe' there should be a folder
named 'John Doe' there. That's the folder you would want to encrypt. Why?
Aside from your documents (most Windows applications, such as Word, store
documents saved by default to the folder 'My Documents' which is located
under 'c:\Documents and Settings\John Doe', if you are logged in as John
Doe). As an added bonus, it happens to be that your email is also stored
in that folder (although you won't be able to see it since it's in a
'hidden' folder). So if you encrypt your 'user' folder your email too is
safe from prying eyes. And so are your browser bookmarks and passwords
your entered there, they are safe too!

Aside from the user folder you may also want to encrypt c:\temp, c:\tmp,
c:\windows\temp and c:\winnt\temp (this is recommended by Microsoft).
Also, you may encrypt any other folder on the disk that no other people
need access to. If you're a computer programmer you could also encrypt
your valuable source code. The way I do this is that I encrypt the entire
directory with source code and folders with binaries below it and then I
turn the encryption back off for the folder which contains intermediate
files, such as .obj to speedup compilation (the compression has a slight
impact on performance). This folder also usually contains the compiled
executable so I turn the encryption back on for this one file since you
don't want the resulting binary to fall in the hands of your competitor.

Note that you can *not* use this encryption on removable storage such as
CD's, USB flash disk's etc. As soon as you copy a file from an encrypted
folder to the USB flash disk it's unencrypted on the flash disk and can be
read by anyone, so be careful here. If you want to encrypt contents on a
flash disk you should use an add-on program such as TrueCrypt, which is
extremely safe (probably can't be cracked even by the government, I'm
pretty sure the government can crack the Microsoft encryption if they need
to, so be mindful of that), but also somewhat more difficult and
cumbersome to use.

Well, I hope this little tutorial will make the world a somewhat safer
place. Please tell your friends and family about this too, or do the
encryption for them.














.