iblackwood

FDE and multi-user laptops

Looking at deploying Full Disk Encryption on our laptops.

Ideally we use the PBA and have UserID / Password prompt at boot and then SSO for Windows Domain login (straight AD, no Novell Network client)

Some laptops have multiple users, which seems to present a challenge. First user is easy - user capture seems to cover that. Some questions on logistics and architecture beyond that...

Q1. Can we provision the "extra" users on a laptop *without* knowing their password?

Q2. What happens when a user changes their AD password on a different computer (not this one), or the AD password is changed administratively by IT staff? How does the PBA handle this?

Q3. As per Q2, but the laptop was off / disconnected / away from the network when the user's password was changed on the network. What will the PBA prompt for on next startup?

Q4. Does the PBA purely use a locally cached (and presumably encrypted) hash of the user password, does it actually query the Domain Controller for the auth, or is it a combination based on whether the DC is available?

Q5. Does the ZENworks Agent insert itself as a password filter in Windows so it can grab the password changes?

Unfortunately our usage model isn't a tidy 1-1 relationship so I am trying to determine the scenarios here. I don't imagine any product will be 100% no touch, and 100% secure. 🙂

Cheers
Ian
Micro Focus Expert

Re: FDE and multi-user laptops

The PBA is all local...
It is a small Linux environment that runs prior to Windows booting.
So users will need to know their PBA user name and password.


However, I'm not sure why you believe the PBA is required for the device to be "secure".
Without the PBA...
Someone cannot pull the HDD and put it in another machine to access the files.
Someone cannot gain access to the files on the PC until they log into Windows...

PBA security is much more useful in a 1-1 style environment...
Only Bob (and perhaps an administrative account) are set up in the PBA.
No other domain user... even a Forest Admin... would be able to get access to Bob's files... fully secure.
The Forest Admin is free to reset Bob's domain password... Bob's files are still secure...

If the security is going to be domain based, in my mind at least... the PBA would not add much... the PBA would be more for adding an additional layer of security that is fully separate from AD.


iblackwood

Re: FDE and multi-user laptops

Hi Craig,

Thanks for the response. Still around, hey? 🙂

Basically I want to guard against the laptop being allowed to boot (assuming no Pre boot request for auth), unlocking the drive, loading Windows, then being attacked over the Ethernet connection.

The documentation says (without PBA) the files stay encrypted until Windows authentication takes place, but the Windows OS has managed to load, which seems to be at odds with that?

We would be doing the SSO with the PBA hence my questions on how password changes are handled.

Cheers
Ian
Micro Focus Expert

Re: FDE and multi-user laptops

Just to keep it simple....

Yes, the accounts and passwords are stored locally.
If the user's AD password happens to get changed elsewhere, the user will need to log on to the PBA with the locally stored password.
Since the password does not match AD, the user will be prompted for an AD logon... at which point the new password will be captured and synced back to the PBA.
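A small model of the flow described in that reply, added here as an illustration and not ZENworks code: the pre-boot store is purely local, so after an AD password change elsewhere the old password still opens the PBA until the next successful Windows logon captures the new one and resyncs. The salted PBKDF2 store and the `Directory`/`PBA` classes are assumptions for the model, not the product's actual storage format.

```python
import hashlib
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed hashing for the model; the real PBA store format is not documented here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Stand-in for Active Directory: holds the current domain password per user."""
    def __init__(self):
        self.passwords = {}

    def set_password(self, user: str, password: str) -> None:
        self.passwords[user] = password

    def authenticate(self, user: str, password: str) -> bool:
        return self.passwords.get(user) == password


class PBA:
    """Local pre-boot credential store: salted hashes only, never talks to AD."""
    def __init__(self):
        self.store = {}

    def capture(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.store[user] = (salt, _hash(password, salt))

    def authenticate(self, user: str, password: str) -> bool:
        if user not in self.store:
            return False
        salt, digest = self.store[user]
        return _hash(password, salt) == digest


def boot_and_logon(pba, directory, user, pba_password, ad_password=None):
    """Return the prompts the user sees on one boot, following the thread's description."""
    prompts = ["PBA logon"]
    if not pba.authenticate(user, pba_password):
        return prompts + ["PBA rejected"]
    # SSO: the password that unlocked the PBA is handed to the Windows logon.
    if directory.authenticate(user, pba_password):
        return prompts + ["Windows SSO ok"]
    # Mismatch with AD: interactive AD logon; success resyncs the PBA store.
    prompts.append("AD logon prompt")
    if ad_password is not None and directory.authenticate(user, ad_password):
        pba.capture(user, ad_password)
        prompts.append("Windows logon ok; PBA resynced")
    else:
        prompts.append("Windows logon failed")
    return prompts
```

The point for Q2/Q3: between the remote password change and the next Windows logon on that laptop, the superseded password is the one that unlocks the disk, so a forced AD reset does not by itself revoke pre-boot access.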
iblackwood

Re: FDE and multi-user laptops

CRAIGDWILSON;2479677 wrote:
Just to keep it simple....

Yes, the accounts and passwords are stored locally.
If the user's AD password happens to get changed elsewhere, the user will need to log on to the PBA with the locally stored password.
Since the password does not match AD, the user will be prompted for an AD logon... at which point the new password will be captured and synced back to the PBA.


Thanks Craig. That explains it well.

Cheers
Ian