Re: Securing your Windows computer from data theft



Interesting post!

On Thu, 26 Jan 2006 16:55:16 +0000 (GMT), Anonymous wrote:

> You often read in the newspapers that someone has found an old computer
> and managed to retrieve valuable corporate information from it. What's
> even more common is that a laptop is stolen which contains corporate
> information (like credit card information) or even classified information
> from a law-enforcement agency. Or you thought you wiped your computer but
> somehow your colleague was still able to retrieve sensitive or
> embarrassing information from it (such as porn pictures, your email or
> your web browser links). The problem is that when Windows is reinstalled on
> a computer, all the files which were previously only visible to the user
> (and Administrator) can now be seen by the person who reinstalled Windows
> (you can reinstall Windows without having to erase the hard disk) on that
> computer!
>
> What really frustrates me is that all these cases are trivially easy to
> avoid and have almost no impact on performance or 'user experience.' Both
> Windows 2000 and XP (the most common desktop and laptop operating systems)
> have built-in encryption which is very easy to use and requires almost no
> effort on the part of the user.
>
> What you merely do is select a folder in the Windows Explorer and then
> right-click this folder and select 'Properties.' A dialog will pop up
> showing some folder information. Press the 'Advanced...' button and
> then in the dialog that pops up select the bottom checkbox with the label:
> 'Encrypt contents to secure data.' Windows will now ask if you want to
> 'Apply changes to this folder only' or 'Apply changes to this folder,
> subfolders and files.' In most cases you will want to select the latter
> because you want to encrypt all the files in the folder right away. If you
> select the former, only files added to the folder will be encrypted, not
> the ones already in the folder.
>
> And that's it! From that point on only the user that encrypted the file
> (i.e. the user which is logged in at the time of encrypting the files)
> will be able to access the files in that directory. Not even the computer
> Administrator will be able to access the files. One drawback is that
> Microsoft didn't exactly do a good job implementing this feature because
> people can still look inside the folder and see the *names* of the files
> that are there, they just can't open them. But this will not do them any
> good in most cases so it's not a big issue.
>
> So what folders to encrypt? Well, the most important folder you will want
> to encrypt is your 'user' folder. If you open Windows Explorer, you will
> see (if you are in the c:\ folder) the folder named 'Documents and
> Settings.' If you enter that folder you will see folders with the names of
> the users. If you are logged in as 'John Doe' there should be a folder
> named 'John Doe' there. That's the folder you would want to encrypt. Why?
> Aside from your documents (most Windows applications, such as Word, store
> documents saved by default to the folder 'My Documents' which is located
> under 'c:\Documents and Settings\John Doe', if you are logged in as John
> Doe). As an added bonus, it happens to be that your email is also stored
> in that folder (although you won't be able to see it since it's in a
> 'hidden' folder). So if you encrypt your 'user' folder your email too is
> safe from prying eyes. And so are your browser bookmarks and passwords
> you entered there, they are safe too!
>
> Aside from the user folder you may also want to encrypt c:\temp, c:\tmp,
> c:\windows\temp and c:\winnt\temp (this is recommended by Microsoft).
> Also, you may encrypt any other folder on the disk that no other people
> need access to. If you're a computer programmer you could also encrypt
> your valuable source code. The way I do this is that I encrypt the entire
> directory with source code and folders with binaries below it and then I
> turn the encryption back off for the folder which contains intermediate
> files, such as .obj to speed up compilation (the compression has a slight
> impact on performance). This folder also usually contains the compiled
> executable so I turn the encryption back on for this one file since you
> don't want the resulting binary to fall in the hands of your competitor.
>
> Note that you can *not* use this encryption on removable storage such as
> CDs, USB flash disks, etc. As soon as you copy a file from an encrypted
> folder to the USB flash disk it's unencrypted on the flash disk and can be
> read by anyone, so be careful here. If you want to encrypt contents on a
> flash disk you should use an add-on program such as TrueCrypt, which is
> extremely safe (probably can't be cracked even by the government, I'm
> pretty sure the government can crack the Microsoft encryption if they need
> to, so be mindful of that), but also somewhat more difficult and
> cumbersome to use.
>
> Well, I hope this little tutorial will make the world a somewhat safer
> place. Please tell your friends and family about this too, or do the
> encryption for them.
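
An added example, not part of the original post: a PowerShell audit that reports, for the folders the post names, whether the folder carries the NTFS "encrypted" attribute and how many items beneath it do not (the case the post describes when "Apply changes to this folder only" is chosen). The function names `Test-Encrypted` and `Get-EfsAudit` are hypothetical, the folder list is an assumption built from the post's paths, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: audit EFS state of the folders named in the post.
# The folder list is an assumption taken from the post's paths; adjust as needed.
$folders = @(
    $env:USERPROFILE,                 # e.g. C:\Documents and Settings\John Doe
    'C:\temp',
    'C:\tmp',
    (Join-Path $env:windir 'temp')    # covers c:\windows\temp and c:\winnt\temp
)

function Test-Encrypted {
    param([System.IO.FileSystemInfo]$Item)
    # FileAttributes.Encrypted is the flag set by 'Encrypt contents to secure data'.
    return ($Item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
}

function Get-EfsAudit {
    param([string[]]$Path)
    foreach ($p in $Path) {
        # Skip folders that do not exist on this machine.
        if (-not (Test-Path -LiteralPath $p -PathType Container)) { continue }

        $dir = Get-Item -LiteralPath $p -Force
        # -Force includes hidden items (the post notes that mail sits in a hidden folder).
        $children = @(Get-ChildItem -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue)
        $plain    = @($children | Where-Object { -not (Test-Encrypted $_) })

        [pscustomobject]@{
            Folder            = $p
            FolderEncrypted   = Test-Encrypted $dir
            ItemsTotal        = $children.Count
            ItemsNotEncrypted = $plain.Count
            # First few unencrypted paths, to show where the gaps are.
            Examples          = @($plain | Select-Object -First 5 -ExpandProperty FullName)
        }
    }
}

Get-EfsAudit -Path $folders | Format-List
```

A folder reported with `FolderEncrypted = True` and a non-zero `ItemsNotEncrypted` contains files or subfolders that are still stored in the clear.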