Ask The Security Expert: Questions & Answers

What are the risks of turning off pre-boot authentication?

EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert

QUESTION POSED ON: 02 June 2007
I recently read about full-disk encryption (FDE) products that turn off pre-boot authentication to provide transparent single sign-on and help with patch management. What are the risks of turning off PBA?



The risks associated with turning off pre-boot authentication (PBA) are actually quite high, and it's not a recommended best practice. Pre-boot authentication is the whole point of full-disk encryption (FDE) and, in fact, is what makes FDE such a powerful tool for protecting data.

First, let's briefly explain what pre-boot authentication is and its role in FDE. Pre-boot authentication is a process that requires a user to authenticate prior to the operating system loading. In other words, on a system with pre-boot authentication installed, the user is prompted for a user ID and password before the system boots up. Once the user successfully logs in, then the operating system starts. If the user enters the wrong user ID and password, the operating system won't load and the computer locks up.

Pre-boot authentication prevents the common hacker trick of using a Linux boot disk, like Knoppix, to bypass the operating system authentication and enter the system without login credentials. Pre-boot authentication operates at a lower level than the operating system. If the OS doesn't load, then the tools that try to bypass it won't work and attackers won't even get a chance to maliciously enter the system.

Pre-boot authentication is also cross-platform. It not only blocks Linux CDs but also blocks Windows emergency disks that might be used to gain access to Microsoft systems.

Pre-boot authentication doesn't operate alone; it works hand-in-hand with FDE, operating as a front-end to FDE applications. Products such as SafeBoot, SafeGuard and SafeNet, which offer FDE, encrypt the hard drive silently in the background. The pre-boot authentication generates the key needed to encrypt the hard drive and then decrypt it later when the system is booted up again.

FDE tools are great for protecting data loss from stolen laptops. If a thief -- or malicious user, for that matter -- tries to turn on the computer, he or she will be blocked by the pre-boot authentication – and a boot disk won't help them get in either. The attacker will be stuck with an encrypted hard drive.

With PBA turned off, not only could the attacker possibly get access to the machine, but the hard drive might also not be encrypted. It's not necessary to turn off pre-boot authentication to enable single sign-on (SSO) or patch management. The commercial FDE products mentioned above can be adapted to SSO, and fully integrated with common authentication systems like Active Directory and LDAP.

Finally, if something stronger than just a plain old user ID and password is required for higher-risk data, pre-boot authentication can be integrated into two-factor authentication systems such as smart cards or biometrics.

For more information:

  • Security expert Joel Dubin examines what components are necessary to create a secure authentication system.
  • Learn how data loss can be controlled with full-disk encryption.
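The key-handling flow the answer describes (the pre-boot credential produces the key that unlocks the encrypted drive) and what is lost when that credential is removed, as an added illustration that is not part of the original answer and not code from any FDE product it names. Everything here is a constructed assumption for teaching purposes: the header layout, the PBKDF2 work factor, the sample data, and the stream cipher (HMAC-SHA256 in counter mode), which stands in for a product's real AES disk cipher so the script runs on the Python standard library alone. The `offline_readable` check is the defender's question: can the data be read from the disk image with no credential at all?

```python
"""Toy model of pre-boot authentication (PBA) gating a full-disk
encryption (FDE) volume key, and what changes when PBA is turned off.
Added illustration only; not code from any FDE product."""
import hashlib
import hmac
import os
from typing import Optional

KDF_ITERATIONS = 100_000  # assumption: illustrative PBKDF2 work factor


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the pre-boot credential."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, KDF_ITERATIONS, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce||counter)
    blocks. Stand-in for AES; do not use as a real disk cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return keystream_xor(key, nonce, ct)


def create_volume(plaintext: bytes, passphrase: str, pba_enabled: bool) -> dict:
    """Build a disk image: encrypted data plus a header holding the volume key.
    The volume key is generated at random, as the answer describes."""
    volume_key = os.urandom(32)
    header = {"pba_enabled": pba_enabled}
    if pba_enabled:
        # PBA on: the volume key is wrapped under a key derived from the
        # credential typed before the OS loads, so it never rests on disk
        # in a usable form.
        salt = os.urandom(16)
        header["salt"] = salt
        header["wrapped_key"] = seal(derive_kek(passphrase, salt), volume_key)
    else:
        # PBA off (assumed model): no secret is typed before boot, so the
        # boot path needs the volume key readable without any credential.
        header["stored_key"] = volume_key
    return {"header": header, "data": seal(volume_key, plaintext)}


def boot(image: dict, passphrase: Optional[str]) -> bytes:
    """Normal boot path: unlock the volume key, then decrypt the data."""
    header = image["header"]
    if header["pba_enabled"]:
        if passphrase is None:
            raise PermissionError("pre-boot authentication required")
        kek = derive_kek(passphrase, header["salt"])
        volume_key = open_sealed(kek, header["wrapped_key"])
    else:
        volume_key = header["stored_key"]
    return open_sealed(volume_key, image["data"])


def offline_readable(image: dict) -> bool:
    """Defender's check: can the image be decrypted with no credential,
    i.e. by whoever holds the stolen disk? True means FDE adds nothing."""
    try:
        boot(image, passphrase=None)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    sample = b"constructed sample: contents of payroll.xlsx"  # constructed
    for enabled in (True, False):
        img = create_volume(sample, "correct horse battery", enabled)
        print(f"PBA enabled={enabled}: readable without credential ->",
              offline_readable(img))
```

The point the check makes is the answer's: with PBA on, the image alone yields nothing without the credential, and a wrong credential fails the integrity check rather than producing garbage; with PBA off, the same image decrypts with no secret at all, so the encryption is present but protects nothing against a thief who boots from other media.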
