|
|
Welcome to Vista Banter. You are currently viewing our boards as a guest which gives you limited access to view most discussions, articles and access our other FREE features. By joining our free community you will have access to ask questions and reply to others posts, upload your own photos and access many other special features. Registration is fast, simple and absolutely free so please, join our community today! If you have any problems with the registration process or your account login, please contact contact support. |
|
|||||||
| Security and Windows Vista A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security) |
|
|
LinkBack | Thread Tools | Display Modes |
September 5th 06, 08:52 PM
posted to microsoft.public.windows.vista.security
|
|||
|
|||
Using bitlocker to isolate users' data
I have a machine that has no TPM hardware. The machine needs to run Vista.
Multiple users each need to be able to power up and shut down the computer by themselves, and store their data on the machine's hard drive. Also, each user wants assurance that if any other user pulls the hard drive and reads it in another machine, then that latter user can't read the former user's data. If a user forgets his password (and loses his backup recovery keys, etc), all of the data which he has stored on the machine should be unrecoverable. The problem of a user pulling the hard drive, installing a trojan horse into Vista, and then putting the hard drive back in the machine for other users to continue using is a threat which I'm explicitly _not_ trying to solve at the moment. Neither am I trying to solve the problem of other users planting any kind of hardware bugs in/on the machine. If I use bitlocker to encrypt everything, then all users need to know the bootup password, so all users have the ability to pull the hard drive and read all data, which is unacceptable. If each user uses EFS, then all users would have the ability to pull the hard drive and at least get directory listings of other users' data even if users' private EFS keys weren't stored on the hard drive, which is also unacceptable. So how do I accomplish this user isolation? 
|
|
September 8th 06, 06:02 AM
posted to microsoft.public.windows.vista.security
|
|||
|
|||
|
Using bitlocker to isolate users' data
This would be achievable if you had TPM hardware on the machine. We can
hopefully address this scenario in the near future, but pondering over this, I can't see a BitLocker and/or EFS combination that would address all of the requirements below. - Jamie Hunter [MS] --- "Roof Fiddler" wrote in message ... I have a machine that has no TPM hardware. The machine needs to run Vista. Multiple users each need to be able to power up and shut down the computer by themselves, and store their data on the machine's hard drive. Also, each user wants assurance that if any other user pulls the hard drive and reads it in another machine, then that latter user can't read the former user's data. If a user forgets his password (and loses his backup recovery keys, etc), all of the data which he has stored on the machine should be unrecoverable. The problem of a user pulling the hard drive, installing a trojan horse into Vista, and then putting the hard drive back in the machine for other users to continue using is a threat which I'm explicitly _not_ trying to solve at the moment. Neither am I trying to solve the problem of other users planting any kind of hardware bugs in/on the machine. If I use bitlocker to encrypt everything, then all users need to know the bootup password, so all users have the ability to pull the hard drive and read all data, which is unacceptable. If each user uses EFS, then all users would have the ability to pull the hard drive and at least get directory listings of other users' data even if users' private EFS keys weren't stored on the hard drive, which is also unacceptable. So how do I accomplish this user isolation?
|
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
