Solved supporting an office of computers with full drive encryption
-
The requirement is that temporary files from using the web based software are not left unencrypted. In the suggestion that the drive is not encrypted so that OS patches can happen I don't think that will work. If the user can launch IE without decrypting the secure drive, it fails the requirement.
-
You're asking for full drive encryption while the computer is running?
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
The requirement is that temporary files from using the web based software are not left unencrypted. In the suggestion that the drive is not encrypted so that OS patches can happen I don't think that will work. If the user can launch IE without decrypting the secure drive, it fails the requirement
Why? Does IE store local files in a shared space? That sounds very unlikely. You've tested that?
-
If the computer is stolen, they don't want confidential files left unencrypted on the drive.
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
If the computer is stolen, they don't want confidential files left unencrypted on the drive.
No one has questioned that. We are questioning why you think files would be written to that part of the drive.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
You can include the program files on the D drive. It's not too hard to look at the apps that you will be using and see where they store data.
We're going back to this. My thought is that Internet Explorer is not movable and you can't force it to store temp files on an encrypted drive unless you encrypt the entire drive.
-
There is an assumption that IE, and ergo Windows, is inherently insecure and cannot be trusted. Yet you will deploy it where you don't trust it, then use encryption running on top of it in the hopes that that fixes the problem you are assigning to the system itself. This seems like a strange set of things based on an assumption that I don't believe has foundation.
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
You can include the program files on the D drive. It's not too hard to look at the apps that you will be using and see where they store data.
We're going back to this. My thought is that Internet Explorer is not movable and you can't force it to store temp files on an encrypted drive unless you encrypt the entire drive.
We never left this. We KNOW that IE is not moveable. And we know that it stores files on the encrypted drive. The question remains... why do YOU feel that this is incorrect? You have avoided the one question the entire time.
Why do you feel that IE would ever write to the C drive?
-
We know that in Windows XP, there was a condition where IE could write to public space instead of private space under specific failure conditions. My understanding is that this was fixed after XP and that Vista and later have no possibility of this. If you have information contrary to this, you should say so because I've asked repeatedly and you've answered other things that aren't really relevant.
-
I'm not saying that IE can't have a security vulnerability here, I'm just asking if you know something that we don't. Because I've researched this and found nothing about it. So I'm wondering where you've come up with this vulnerability that is not supposed to be there.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
Why do you feel that IE would ever write to the C drive?
Why wouldn't It? The C drive is the default for everything Windows.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
Standard method is to have all user accessible space on a different volume. Like a D drive (partition.) That way the system can fire up, get patched and be used like a normal system but the data you need to protect can only be accessed with a password (or something) to allow it to decrypt.
I assumed the entire drive had to be encrypted, but you suggested I didn't have to encrypt the entire drive.
-
@DustinB3403 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
Why do you feel that IE would ever write to the C drive?
Why wouldn't It? The C drive is the default for everything Windows.
No, it certainly is not. IE files always go to the user directory. They are user files. Same as with any normal application. The user processes don't even have permission to write to the public space.
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
Standard method is to have all user accessible space on a different volume. Like a D drive (partition.) That way the system can fire up, get patched and be used like a normal system but the data you need to protect can only be accessed with a password (or something) to allow it to decrypt.
I assumed the entire drive had to be encrypted, but you suggested I didn't have to encrypt the entire drive.
Correct. And you've come up with no reason yet as to why that would not be true. So given that, I would assume that it is correct... the C drive does not need to be encrypted as no user data goes there. Just encrypt the drive with the user data.
-
Just a general note about all operating systems made today and as long as I can remember... none of them would care WHERE a binary is run from, that does not affect to where it would write temporary files. IE being moveable or not is certainly not a factor in Windows. Nor would it be in Linux, BSD, Solaris, AIX, Mac OSX, etc. The location of a binary does not have that kind of influence. That's simply the space on disk that it comes from.
-
The requirement from the security policy reads:
*Any devices connected to your computer or network containing or accessing Confidential Information must use encryption software. In addition, any device that is used to login to (application name) or other web based software containing Confidential Information must use encryption software.
Encryption is necessary even if you only access (application name) or other websites. When accessing various types of data, such as viewing a PDF or accessing certain websites, a temporary file containing hidden data from the sources could be saved to your hard drive without your knowledge. Because temporary files are often saved to your computer in these scenarios, the most prudent assumption is that your hard dive WILL include some element of Confidential Information. This is the underlying reason the breach notification laws in some states require you to notify clients when an unencrypted device is stolen.*
This is why I think I need to encrypt the entire drive.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
Just a general note about all operating systems made today and as long as I can remember... none of them would care WHERE a binary is run from, that does not affect to where it would write temporary files. IE being moveable or not is certainly not a factor in Windows. Nor would it be in Linux, BSD, Solaris, AIX, Mac OSX, etc. The location of a binary does not have that kind of influence. That's simply the space on disk that it comes from.
no, but in a two drive scenario if IE was on the encrypted drive, there would be no way for the user to launch it unless they decrypted the secure drive.
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
The requirement from the security policy reads:
*Any devices connected to your computer or network containing or accessing Confidential Information must use encryption software. In addition, any device that is used to login to (application name) or other web based software containing Confidential Information must use encryption software.
Encryption is necessary even if you only access (application name) or other websites. When accessing various types of data, such as viewing a PDF or accessing certain websites, a temporary file containing hidden data from the sources could be saved to your hard drive without your knowledge. Because temporary files are often saved to your computer in these scenarios, the most prudent assumption is that your hard dive WILL include some element of Confidential Information. This is the underlying reason the breach notification laws in some states require you to notify clients when an unencrypted device is stolen.*
This is why I think I need to encrypt the entire drive.
And, as I think I've made very clear, doesn't apply here for the reasons I've outlined. I've asked over and over why you think that this applies. Repeating the information we already know and believe says that it doesn't need to be encrypted doesn't answer the question, it just avoids it.
We KNOW that you need to encrypt any confidential temp files. No one has questioned that. It's why do you think there is anything to encrypt that I keep asking.
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
Just a general note about all operating systems made today and as long as I can remember... none of them would care WHERE a binary is run from, that does not affect to where it would write temporary files. IE being moveable or not is certainly not a factor in Windows. Nor would it be in Linux, BSD, Solaris, AIX, Mac OSX, etc. The location of a binary does not have that kind of influence. That's simply the space on disk that it comes from.
no, but in a two drive scenario if IE was on the encrypted drive, there would be no way for the user to launch it unless they decrypted the secure drive.
What difference does it make if they can launch it, if it can't write temp files?
-
You can always just block IE, too. No reason for someone to be using that, this isn't 2005. It's not all that secure and it is deprecated. So in a company worried about security, I'd assume that that wouldn't be allowed anyway, right?