> Adding all users (or a lot of users) makes it hard to ensure the
> confidentiality of the FDE protected computer. If "one" user's
> password is compromised then "all" FDE protected computers are
> vulnerable to unauthorized access. Plus it creates all kinds of audit
> issues.

To be exact, all computers where that user's account is valid, true - but not all computers. As for audit, why would that be an issue? Each user has their own audit log, as does each computer - so telling who did what where is no issue. The audit logs are encrypted with each user's personal key so there's no chance of one editing another's.

> Does Safeboot have its own user database or does it rely on Active
> Directory?

It has its own separate ID management system (award-winning if I may say so). BUT, we appreciate practicality so it will sync with AD, PKI, Novell etc. if desired. I personally believe in separation of infrastructure and security - it scares me that the Windows admins have full rights to all data, but I also accept that systems have to be real-world practical and usable.

> If it uses AD how does it sync passwords for "all" users?

It can't, of course. AD doesn't have a clue what your password is. Luckily though (and obviously) we can sync up passwords when the user logs into Windows. Then we can change the FDE pre-boot password to match what the user types for their Windows password.

> What about the remote computers that rarely connect to the corporate
> network. Their accounts will remain out of sync, and the computer will
> be vulnerable to unauthorized access in case a password is
> compromised.

Indeed, but there's no magic so nothing we can do about that. Of course, accounts which are offline for x days can expire to prevent this getting too out of control. That would be true whether the account was linked or not - if it's a real concern, give the user a token such as an RSA SID800 or a smart card. The greatest advantage, and also drawback, of FDE is that the auth happens offline. Another way to mitigate this attack would be to use online auth prior to access to data; we support it of course, but it means users have to be connected, say by hardwire or VPN, before they can access certain files.
_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
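The following is an added illustration, not Safeboot's code or anything from the list: a toy model of the pre-boot credential handling the reply describes. Each laptop keeps its own per-user record, the record is refreshed only when the user types their Windows password on that machine, a record that has not synced within the offline window is treated as expired at pre-boot, and a fleet-wide check shows that a leaked password unlocks only the machines where that account is still valid and in sync. The class and function names, the 30-day window, the PBKDF2 parameters and the day-number clock are all assumptions made for this example.

```python
# Added illustration, not Safeboot's code: a toy model of per-laptop pre-boot
# credential records, password sync on Windows logon, and offline expiry.
# Names, numbers and the hashing choices are assumptions for this example.
import hashlib
import hmac
import os

MAX_OFFLINE_DAYS = 30     # assumed policy: expire records not synced in x days
PBKDF2_ROUNDS = 100_000   # assumed work factor for the stored hash


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 of the pre-boot password; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PreBootStore:
    """Pre-boot (FDE) user records held on one laptop.

    A record keeps a salted hash plus the day number of its last sync with the
    Windows password, which is the only moment the plaintext is ever seen.
    """

    def __init__(self, machine: str, max_offline_days: int = MAX_OFFLINE_DAYS):
        self.machine = machine
        self.max_offline_days = max_offline_days
        self.users = {}   # username -> {"salt", "hash", "last_sync"}

    def sync_on_windows_logon(self, user: str, password: str, today: int) -> None:
        # The user just typed their Windows password on this machine, so the
        # pre-boot password is set to match it (fresh salt each time).
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "hash": _derive(password, salt), "last_sync": today}

    def preboot_auth(self, user: str, password: str, today: int) -> str:
        """Outcome of a pre-boot logon attempt on this machine."""
        rec = self.users.get(user)
        if rec is None:
            return "unknown_user"
        if today - rec["last_sync"] > self.max_offline_days:
            return "expired"      # stale record: this laptop has not synced in time
        if hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"]):
            return "ok"
        return "bad_password"

    def revoke(self, user: str) -> None:
        # Only affects this laptop's copy; other machines keep their own record.
        self.users.pop(user, None)


def machines_accepting(fleet: list, user: str, password: str, today: int) -> list:
    """Names of fleet machines that would still unlock for this user/password.

    This is the reply's point: a leaked password exposes every machine where the
    account is valid and in sync, not every FDE-protected machine, and expiry
    shrinks that set over time for laptops that stay offline.
    """
    return [m.machine for m in fleet if m.preboot_auth(user, password, today) == "ok"]
```

Running it with three laptops, two of which hold a record for the same user, shows the password change propagating only to the machine that was online, and the stale copy on the offline laptop stopping at the end of the window rather than living on indefinitely.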
