Problem solve Get help with specific problems with your technologies, process and projects.

Laptop security essentials: Protecting device data, even from admins?

In this ITKnowledge Exchange thread, information security pros explain how to prevent unauthorized access, but question whether measures should be put in place to protect data from admins.

The following question and answer thread is excerpted from ITKnowledge Exchange. Click here to read the entire thread or to start a new one.

ITKE member Black Magic posed this question:
I am a department head, and by the nature of the job, I have plenty of confidential information on my laptop and I want to ensure this information is protected. Therefore, I would like to learn what I can do to ensure that these files cannot be accessed from the LAN or the Internet, keep these files from system admins, and determine who the culprit is, should they bypass my security controls.

ITKE member Shalom C advised:
Here's what I would do to minimize these risks:

  • Get disk encryption tools like SafeGuard. Encrypted disks cannot be read by removing the physical disk.
  • Install a personal firewall on your laptop that is fully managed by you - ZoneAlarm is a good candidate. Block all shared folders, shared printers and remote management tools.
  • Create encrypted volumes where you store your sensitive material. Windows has an Encrypting File System (EFS) which may be sufficient, however there are commercial products available, like PGP disks
  • .

ITKE member Luis Hernández advised:
While avoiding unauthorized access to an Internet-connected (or network-connected) laptop will require some software, more importantly it will require that rules are followed. Additionally, before you implement the software and/or guidelines to satisfy your needs, an administrator should be consulted.

More information
on laptop security

Weigh the pros and cons of laptop encryption.'s network security expert Mike Chapple weighs in on the laptop security debate.

However, with that said, I believe the most appropriate question to ask is, "What would I have to do if someone else accessed to my laptop to avoid access to critical information?" What's the answer? In my opinion, it would be [to] use encryption software. Since there's always possibility that someone can break into the firewall or steal your laptop, it would be wise to use it at all times.

ITKE member JohnBF advised:
Assuming the files you wish to protect are work files and not private ones, I wouldn't want you to use anything other than the built in Windows Encapsulated PostScript (EPS). Using the built-in EPS will protect your files from casual access, but should a disaster occur, your company will would be able to recover them.

Additionally, any and all security features on your work machine should be created and administered by your system administrators. You should ask them to enable file and object access auditing on your laptop and tell them that the file system should be set to NTFS. If you're using a private or personal laptop -- or you keeping private files on it -- these files should be kept away from the work domain.

Finally, a system administrator must be able to access anything on the domain and be responsible for security, which includes auditing what is stored on your machine. Therefore, the company should hire someone that it trusts.

ITKE member Preytell advised:
While all of the above responses highlight one very important point -- that your administrators must be trusted -- I also believe a company must have a clearly defined data protection policy, to protect these files and perhaps, more importantly, their interest. It's also important to remind you that the files on your laptop are not yours, you are a trustee for the company, and should you leave, the company must have the ability to your files.

ITKE member INeedHelp61 advised:
It sounds like you are more concerned with internal threats than external. This may be valid, but I would not ignore the external threat, such as theft of your laptop. I would recommend that you store confidential data on your network (with appropriate access controls) rather than on the laptop, until you have set up proper encryption protection.

ITKE member ELPUEBLO advised:
Remember if the systems administrator is at all versed, he may be able to get in no matter what you do to the laptop. Therefore, BlackMagic, if you're asking system admins if we think a department head should stop all file access, the answer is most likely going to be no. However, if you want to make a few files inaccessible, it is easy and many of us would love to point you in the right direction.

This was last published in October 2006

Dig Deeper on Disk and file encryption tools

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.