I recently read about full-disk encryption (FDE) products that turn off pre-boot authentication to provide transparent...
single sign-on and help with patch management. What are the risks of turning off PBA.
The risks associated with turning off pre-boot authentication (PBA) are actually quite high, and it's not a recommended best practice. Pre-boot authentication is the whole point of full-disk encryption (FDE) and, in fact, is what makes FDE such a powerful tool for protecting data.
First, let's briefly explain what pre-boot authentication is and its role in FDE. Pre-boot authentication is a process that requires a user to authenticate prior to the operating system loading. In other words, on a system with pre-boot authentication installed, the user is prompted for a user ID and password before the system boots up. Once the user successfully logs in, then the operating system starts. If the user enters the wrong user ID and password, the operating system won't load and the computer locks up.
Pre-boot authentication prevents the common hacker trick of using a Linux boot disk, like Knoppix, to bypass the operating system authentication and enter the system without login credentials. Pre-boot authentication operates at a lower level than the operating system. If the OS doesn't load, then the tools that try to bypass it won't work and attackers won't even get a chance to maliciously enter the system.
Pre-boot authentication is also cross-platform. It not only blocks Linux CDs but also blocks Windows emergency disks that might be used to gain access to Microsoft systems.
Pre-boot authentication doesn't operate alone; it works hand-in-hand with FDE, operating as a front-end to FDE applications. Products such as SafeBoot, SafeGuard and SafeNet, which offer FDE, encrypt the hard drive silently in the background. The pre-boot authentication generates the key needed to encrypt the hard drive and then decrypt it later when the system is booted up again.
FDE tools are great for protecting data loss from stolen laptops. If a thief -- or malicious user, for that matter -- tries to turn on the computer, he or she will be blocked by the pre-boot authentication – and a boot disk won't help them get in either. The attacker will be stuck with an encrypted hard drive.
With PBA turned off, not only could the attacker possibly get access to the machine, but the hard drive might also not be encrypted. It's not necessary to turn off pre-boot authentication to enable single sign-on (SSO) or patch management.The commercial FDE products mentioned above can be adapted to SSO, and fully integrated with common authentication systems like Active Directory and LDAP.
Finally, if something stronger than just a plain old user ID and password is required for higher-risk data, pre-boot authentication can be integrated into two-factor authentication systems such as smart cards or biometrics.
For more information:
Related Q&A from Joel Dubin
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ...continue reading
In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well ...continue reading
When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.