They would prevent an attacker from even booting the device, severely limiting his attack surface. This is where pre-boot PINs come into play. If it's stolen, it's gone and the thief can do pretty much anything with it. Laptops: once the device leaves company premises, it's basically out of your reach in case something happens to it.Laptops which will leave company premises have a different threat model than stationary desktops. Generally, using PINs vs not using PINs depends on your threat model and a few other factors/considerations.Ĭonsider the external factors like the location and portability of the specific devices in question, as well as the physical security level of your company premises. No sensitive data, backed up, other controls, etc then OK to remove the PIN Yes, a risk based approach is always a good idea. Is risk a good way to approach this situation? Lastly I don't have much to stand on, our company is worried about compliance and encrypting hard drives meets that, even if you remove the PIN. Is risk a good way to approach this situation?.I said that if the hosts are not storing sensitive or confidential data and are backed up, removing the PIN is rather low risk because it requires a more advanced attacker (usually) and it's probably not worth it (yes, generalities are bad). Network unlock turned them off because it requires infrastructure. If the PIN is removed, they will be vulnerable to side channel attacks. I have informed management that requiring a pre-boot PIN stops the OS from loading the BitLocker encryption keys into memory before a valid PIN is entered (halts the boot process). Management wants to remove the PIN because users are complaining that they have to type a PIN and then be presented to the login screen. We are deciding which one to go with at my company. Network unlock = more security and usability but requires management and infrastructure.
No PIN = less security but it’s not a hassle to the user to type it in every time.In my understanding, there are trade offs with each of these. Network unlock (basically no PIN but the second authentication is grabbing a key over the network).TPM chip (those that support it) without Pre-Boot PIN,.Microsoft's implementation of BitLocker for hard drive encryption/protection and integrity supports multiple ways to boot into the system.
0 kommentar(er)
