[FDE] IT support accounts on FDE secured computers
SafeBoot Simon
hunt.simon at gmail.com
Tue Aug 21 06:55:37 MDT 2007
I disagree with John (it's not uncommon for John and I to have
different opinions as we've approached FDE from different but mostly
equally valid angles for many years. John works for Utimaco, I work
for SafeBoot).

In my experience most admin one time overrides are handled by the
admin simply having their own account. One-time access, C/R etc is
usually only required when:

1. The admin doesn't have an account on the machine
2. The FDE solution doesn't have the capability to support enough
users in the pre-boot environment.

If you imagine a product which for example only supports 10 or so pre-
boot users, you can see that having a general shared key override is
necessary. Luckily most vendors seem to be moving away from this
limited style environment.

I particularly hate the idea of shared keys/passwords - it reminds me
too much of common BIOS passwords which within days, everyone from the
cleaner up seems to know.

On Aug 20, 3:27 pm, "john.veldhuis" <john.veldh... at universal.nl>
wrote:
> Hi Saqib,
>
> There are several ways of doing this, ranging from logon tokens for IT staff, via C/R to allow a technician one-time access to a drive, to self-help websites/voice recognition systems. In my experience, the C/R is most used.
>
> Regards,
> John
>
> ________________________________
>
> From: Ali, Saqib [mailto:docbook.... at gmail.com]
> Sent: Fri 17-8-2007 17:09
> To: F... at www.xml-dev.com
> Subject: [FDE] IT support accounts on FDE secured computers
>
> As it turns out, deploying FDE to users is not the most complex task -
> providing day-2-day IT support is.
>
> My cousin works for a medium sized financial institution which
> recently deployed FDE. Providing day-to-day IT support to the users is
> becoming a hassle. Every time the IT support person has to work on
> a laptop the owner must be present to enter their credentials into the
> pre-boot authentication.
>
> Can anyone give me some real-world examples of how other institutions
> have tackled this issue? How do they allow the IT support person
> to work on the laptop if the user is not present and the laptop is
> turned off?
>
> saqib
> http://www.linkedin.com/in/encryption