Force user to remove USB token

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








46















I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.



I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?



One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.



Is there a solution or standard approach for this that can actually force the removal of the device?










share|improve this question



















  • 32





    You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)

    – SeeYouInDisneyland
    Mar 12 at 7:12






  • 41





    Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.

    – forest
    Mar 12 at 7:27







  • 40





    What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.

    – schroeder
    Mar 12 at 13:05







  • 7





    You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)

    – Baldrickk
    Mar 12 at 14:20






  • 13





    @IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.

    – schroeder
    Mar 12 at 14:41

















46















I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.



I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?



One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.



Is there a solution or standard approach for this that can actually force the removal of the device?










share|improve this question



















  • 32





    You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)

    – SeeYouInDisneyland
    Mar 12 at 7:12






  • 41





    Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.

    – forest
    Mar 12 at 7:27







  • 40





    What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.

    – schroeder
    Mar 12 at 13:05







  • 7





    You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)

    – Baldrickk
    Mar 12 at 14:20






  • 13





    @IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.

    – schroeder
    Mar 12 at 14:41













46












46








46


3






I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.



I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?



One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.



Is there a solution or standard approach for this that can actually force the removal of the device?










share|improve this question
















I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.



I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?



One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.



Is there a solution or standard approach for this that can actually force the removal of the device?







multi-factor usb bitlocker






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 12 at 14:38









schroeder

78.8k30175211




78.8k30175211










asked Mar 12 at 6:59









IamNaNIamNaN

4801513




4801513







  • 32





    You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)

    – SeeYouInDisneyland
    Mar 12 at 7:12






  • 41





    Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.

    – forest
    Mar 12 at 7:27







  • 40





    What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.

    – schroeder
    Mar 12 at 13:05







  • 7





    You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)

    – Baldrickk
    Mar 12 at 14:20






  • 13





    @IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.

    – schroeder
    Mar 12 at 14:41












  • 32





    You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)

    – SeeYouInDisneyland
    Mar 12 at 7:12






  • 41





    Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.

    – forest
    Mar 12 at 7:27







  • 40





    What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.

    – schroeder
    Mar 12 at 13:05







  • 7





    You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)

    – Baldrickk
    Mar 12 at 14:20






  • 13





    @IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.

    – schroeder
    Mar 12 at 14:41







32




32





You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)

– SeeYouInDisneyland
Mar 12 at 7:12





You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)

– SeeYouInDisneyland
Mar 12 at 7:12




41




41





Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.

– forest
Mar 12 at 7:27






Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.

– forest
Mar 12 at 7:27





40




40





What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.

– schroeder
Mar 12 at 13:05






What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.

– schroeder
Mar 12 at 13:05





7




7





You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)

– Baldrickk
Mar 12 at 14:20





You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)

– Baldrickk
Mar 12 at 14:20




13




13





@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.

– schroeder
Mar 12 at 14:41





@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.

– schroeder
Mar 12 at 14:41










8 Answers
8






active

oldest

votes


















78














You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.



Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.



The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...






share|improve this answer




















  • 7





    Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

    – IamNaN
    Mar 12 at 13:39






  • 4





    I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

    – user71659
    Mar 12 at 21:47












  • It's the same reason that complicated password schemes can't stop you from taping a post-it note to your monitor.

    – corsiKa
    Mar 13 at 19:15











  • @corsiKa, in fact, they encourage it.

    – prl
    Mar 14 at 4:45











  • @IamNaN as long as the token and the laptop are in possession of the same person at any time, there's a risk that both fall into the wrong hands at the same time as well. To prevent the token and laptop both being compromised together, the only way is for the token to unlock each laptop to not ever be in the hands of the person using the laptop, which is clearly utterly impractical.

    – jwenting
    Mar 15 at 7:07


















16














It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.



A simple polling function could check for new USBs connected.



All this is possible in Powershell.



This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.






share|improve this answer

























  • Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.

    – IamNaN
    Mar 12 at 14:52






  • 1





    @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).

    – schroeder
    Mar 12 at 14:55











  • Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org

    – schroeder
    Mar 12 at 14:56











  • schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.

    – user2320464
    Mar 12 at 19:45


















13














This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:



You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.



If enforced, you can be sure this policy will be very unpopular, but effective.



Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.






share|improve this answer




















  • 1





    This should do indeed as a last resort.

    – Overmind
    Mar 12 at 13:38






  • 10





    At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.

    – Matthieu M.
    Mar 12 at 14:13






  • 13





    Make the reprimands reflect badly on their paycheck is illegal in most cultures I know of.

    – Flater
    Mar 12 at 15:14






  • 11





    @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.

    – A. Hersean
    Mar 12 at 16:27











  • It can be made softer if first-time-offender's key is not removed, but just has a paper note attached to it. Second time = USB key removed + oral (non-official) reprimand; third time = official reprimand (but no paycheck decrease), then a nominal (e.g. $1) paycheck decrease and so on.

    – Vi.
    Mar 13 at 18:12



















1














I'm not that technical, but this seems possible:



The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:



  • If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.


  • If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.


  • If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.






share|improve this answer






























    1














    Why do you think this USB token alone is securing the laptop?



    This is a two-factor authorisation situation. For those who've not met the concept before, 2FA is described as "something you know, and something you have". The USB dongle is the "something you have", but the laptop is still protected by the "something you know", i.e. a password. 2FA is intended to add a layer which allows one factor to be redundant, so it doesn't make the system insecure if the attacker gets the security token, so long as the user doesn't also have the password written down. Of course it's better that they don't break one arm of the security, but the laptop should still be secure if they do.



    For forcing the user to remove the key, that also has a major issue. Securing the laptop is an afterthought, to protect any local files the user might have hanging around, which is a small subset of your company data. The critically important part is securing the user's access to your network. Networks, especially VPNs, are only as good as their login security. So if you're concerned about security, your VPN should be checking that the Bitlocker token is present when the user logs into the VPN and that it never leaves the machine during that login session. Otherwise the user could have accidentally left themselves logged in when they closed the lid and thought the computer was shut down, or various similar scenarios. You can't make the assumption "they logged in OK at some point in the past, therefore that is still them using the machine".



    In short, I think you're over-thinking one area and not considering the bigger picture of how it helps company data security.



    The simplest answer for USB dongles of course is to insist that they live on the user's keyring with their house or car keys. More than one keyring? No problem - they can have as many dongles as they need. But this ensures the dongle is always removed from the laptop when the user leaves it, because they need the keyring to get home.






    share|improve this answer


















    • 3





      Thank you, but I never said that this was the only security measure and it most certainly isn't. I was simply exploring the possibility of adding another layer of security for the pre-boot authentication.If this was the sole measure to secure the laptops I'd wholeheartedly agree with what you say here.

      – IamNaN
      Mar 13 at 8:49











    • @graham I think you are missing the whole point of what controls are involved and what they protect. The control in question is endpoint encryption. This has nothing to do with account or network controls.

      – schroeder
      Mar 13 at 16:26


















    0














    I come from Manufacturing technology world and using little jigs to enforce a certain manual behavior for both quality and safety is a standard accepted method. I disagree with the perspective that one cannot engineer human behavior by placing certain impediments, this is done for human safety and is taken as seriously as network security. One common approach is to use a Poka-yoke, but one also sees interlocks, and dead man's switch when lives are on the line.



    The challenge is how to adapt these concepts to security. While I agree it would be difficult to code your way out of this in a reliable way, if you broaden your perspective to include hardware development it is certainly achievable.



    If it is important to you or your employer, a custom dongle can be designed that would force this behavior, spit-balling one approach would be a timed cutoff where the dongle disables itself after a certain amount of time under power. Requiring re-plugging.



    If you have a degree of control over the laptop users and policy, but you do not wish to play police, any number of other impediments can be employed to encourage compliance with your security policy.




    Of course, to an enterprising user this is by-passable, so if you are designing a security product sold to customers it would not be enough.



    But I believe the analogy to poka-yoke is appropriate as bypassing the engineering control by a co-worker would go against policy/procedure and subject to reprimand or warning.






    share|improve this answer
































      0














      You can make the USB multipurpose making it impossible to leave it on the PC. For example, they need to plug it in another device in order to begin their workday. You can say you want to know when they come to work and the start of their workday is marked by the USB connecting to this second device.



      This is not applicable to every case, but I'm writing it with the hope that it might give a good idea to someone.






      share|improve this answer






























        -2














        OK, so now you've ensured somehow that the owner of the laptop does not leave their token plugged in.



        However they now take that laptop and token with them when going home, and get mugged by an industrial spy on the parking lot. Result is both token and laptop are how in the hands of an unauthorised person and worse, the same unauthorised person.



        Result of course is exactly the same as it would be were the token plugged into the laptop, as the bad guy can just plug in the token.



        Congratulations, you've just shifted the security boundary a little bit for no real gain whatsoever.



        What you could do is install some software on the laptops that blocks the screen or even shuts them down if the token is found installed on the laptop after the operating system is done booting. Say something that's started as part of the OS startup and checks for the token every few minutes.
        Would ensure that the token is removed after booting the machine, but wouldn't prevent both token and machine being stolen.



        The only way to ensure that is a 4-eye principle, where the machine cannot be booted up without at least 2 people being present, one with the token and another with the password.



        And that is a major PITA and, especially for remote workers, often impossible (as remote workers tend to be alone at a site).






        share|improve this answer























        • This has already been hashed out in the comments to the question. As written, it is not an answer to the question but a tangent. Your software suggestion is already covered by other answers, and your 4-eye suggestion is not workable for the scenario in the question.

          – schroeder
          Mar 15 at 10:03











        Your Answer








        StackExchange.ready(function()
        var channelOptions =
        tags: "".split(" "),
        id: "162"
        ;
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function()
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled)
        StackExchange.using("snippets", function()
        createEditor();
        );

        else
        createEditor();

        );

        function createEditor()
        StackExchange.prepareEditor(
        heartbeatType: 'answer',
        autoActivateHeartbeat: false,
        convertImagesToLinks: false,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: null,
        bindNavPrevention: true,
        postfix: "",
        imageUploader:
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        ,
        noCode: true, onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        );



        );













        draft saved

        draft discarded


















        StackExchange.ready(
        function ()
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205200%2fforce-user-to-remove-usb-token%23new-answer', 'question_page');

        );

        Post as a guest















        Required, but never shown

























        8 Answers
        8






        active

        oldest

        votes








        8 Answers
        8






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        78














        You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.



        Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.



        The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...






        share|improve this answer




















        • 7





          Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

          – IamNaN
          Mar 12 at 13:39






        • 4





          I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

          – user71659
          Mar 12 at 21:47












        • It's the same reason that complicated password schemes can't stop you from taping a post-it note to your monitor.

          – corsiKa
          Mar 13 at 19:15











        • @corsiKa, in fact, they encourage it.

          – prl
          Mar 14 at 4:45











        • @IamNaN as long as the token and the laptop are in possession of the same person at any time, there's a risk that both fall into the wrong hands at the same time as well. To prevent the token and laptop both being compromised together, the only way is for the token to unlock each laptop to not ever be in the hands of the person using the laptop, which is clearly utterly impractical.

          – jwenting
          Mar 15 at 7:07















        78














        You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.



        Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.



        The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...






        share|improve this answer




















        • 7





          Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

          – IamNaN
          Mar 12 at 13:39






        • 4





          I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

          – user71659
          Mar 12 at 21:47












        • It's the same reason that complicated password schemes can't stop you from taping a post-it note to your monitor.

          – corsiKa
          Mar 13 at 19:15











        • @corsiKa, in fact, they encourage it.

          – prl
          Mar 14 at 4:45











        • @IamNaN as long as the token and the laptop are in possession of the same person at any time, there's a risk that both fall into the wrong hands at the same time as well. To prevent the token and laptop both being compromised together, the only way is for the token to unlock each laptop to not ever be in the hands of the person using the laptop, which is clearly utterly impractical.

          – jwenting
          Mar 15 at 7:07













        78












        78








        78







        You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.



        Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.



        The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...






        share|improve this answer















        You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.



        Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.



        The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Mar 12 at 18:37









        Community

        1




        1










        answered Mar 12 at 11:32









        Serge BallestaSerge Ballesta

        17.6k33062




        17.6k33062







        • 7





          Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

          – IamNaN
          Mar 12 at 13:39






        • 4





          I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

          – user71659
          Mar 12 at 21:47












        • It's the same reason that complicated password schemes can't stop you from taping a post-it note to your monitor.

          – corsiKa
          Mar 13 at 19:15











        • @corsiKa, in fact, they encourage it.

          – prl
          Mar 14 at 4:45











        • @IamNaN as long as the token and the laptop are in possession of the same person at any time, there's a risk that both fall into the wrong hands at the same time as well. To prevent the token and laptop both being compromised together, the only way is for the token to unlock each laptop to not ever be in the hands of the person using the laptop, which is clearly utterly impractical.

          – jwenting
          Mar 15 at 7:07












        • 7





          Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

          – IamNaN
          Mar 12 at 13:39






        • 4





          I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

          – user71659
          Mar 12 at 21:47












        • It's the same reason that complicated password schemes can't stop you from taping a post-it note to your monitor.

          – corsiKa
          Mar 13 at 19:15











        • @corsiKa, in fact, they encourage it.

          – prl
          Mar 14 at 4:45











        • @IamNaN as long as the token and the laptop are in possession of the same person at any time, there's a risk that both fall into the wrong hands at the same time as well. To prevent the token and laptop both being compromised together, the only way is for the token to unlock each laptop to not ever be in the hands of the person using the laptop, which is clearly utterly impractical.

          – jwenting
          Mar 15 at 7:07







        7




        7





        Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

        – IamNaN
        Mar 12 at 13:39





        Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

        – IamNaN
        Mar 12 at 13:39




        4




        4





        I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

        – user71659
        Mar 12 at 21:47






        I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

        – user71659
        Mar 12 at 21:47














        It's the same reason that complicated password schemes can't stop you from taping a post-it note to your monitor.

        – corsiKa
        Mar 13 at 19:15





        It's the same reason that complicated password schemes can't stop you from taping a post-it note to your monitor.

        – corsiKa
        Mar 13 at 19:15













        @corsiKa, in fact, they encourage it.

        – prl
        Mar 14 at 4:45





        @corsiKa, in fact, they encourage it.

        – prl
        Mar 14 at 4:45













        @IamNaN as long as the token and the laptop are in possession of the same person at any time, there's a risk that both fall into the wrong hands at the same time as well. To prevent the token and laptop both being compromised together, the only way is for the token to unlock each laptop to not ever be in the hands of the person using the laptop, which is clearly utterly impractical.

        – jwenting
        Mar 15 at 7:07





        @IamNaN as long as the token and the laptop are in possession of the same person at any time, there's a risk that both fall into the wrong hands at the same time as well. To prevent the token and laptop both being compromised together, the only way is for the token to unlock each laptop to not ever be in the hands of the person using the laptop, which is clearly utterly impractical.

        – jwenting
        Mar 15 at 7:07













        16














        It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.



        A simple polling function could check for new USBs connected.



        All this is possible in Powershell.



        This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.






        share|improve this answer

























        • Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.

          – IamNaN
          Mar 12 at 14:52






        • 1





          @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).

          – schroeder
          Mar 12 at 14:55











        • Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org

          – schroeder
          Mar 12 at 14:56











        • schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.

          – user2320464
          Mar 12 at 19:45















        16














        It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.



        A simple polling function could check for new USBs connected.



        All this is possible in Powershell.



        This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.






        share|improve this answer

























        • Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.

          – IamNaN
          Mar 12 at 14:52






        • 1





          @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).

          – schroeder
          Mar 12 at 14:55











        • Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org

          – schroeder
          Mar 12 at 14:56











        • schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.

          – user2320464
          Mar 12 at 19:45













        16












        16








        16







        It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.



        A simple polling function could check for new USBs connected.



        All this is possible in Powershell.



        This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.






        share|improve this answer















        It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.



        A simple polling function could check for new USBs connected.



        All this is possible in Powershell.



        This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Mar 12 at 14:57

























        answered Mar 12 at 14:47









        schroederschroeder

        78.8k30175211




        78.8k30175211












        • Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.

          – IamNaN
          Mar 12 at 14:52






        • 1





          @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).

          – schroeder
          Mar 12 at 14:55











        • Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org

          – schroeder
          Mar 12 at 14:56











        • schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.

          – user2320464
          Mar 12 at 19:45

















        • Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.

          – IamNaN
          Mar 12 at 14:52






        • 1





          @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).

          – schroeder
          Mar 12 at 14:55











        • Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org

          – schroeder
          Mar 12 at 14:56











        • schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.

          – user2320464
          Mar 12 at 19:45
















        Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.

        – IamNaN
        Mar 12 at 14:52





        Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.

        – IamNaN
        Mar 12 at 14:52




        1




        1





        @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).

        – schroeder
        Mar 12 at 14:55





        @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).

        – schroeder
        Mar 12 at 14:55













        Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org

        – schroeder
        Mar 12 at 14:56





        Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org

        – schroeder
        Mar 12 at 14:56













        schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.

        – user2320464
        Mar 12 at 19:45





        schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.

        – user2320464
        Mar 12 at 19:45











        13














        This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:



        You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.



        If enforced, you can be sure this policy will be very unpopular, but effective.



        Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.






        share|improve this answer




















        • 1





          This should do indeed as a last resort.

          – Overmind
          Mar 12 at 13:38






        • 10





          At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.

          – Matthieu M.
          Mar 12 at 14:13






        • 13





          Make the reprimands reflect badly on their paycheck is illegal in most cultures I know of.

          – Flater
          Mar 12 at 15:14






        • 11





          @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.

          – A. Hersean
          Mar 12 at 16:27











        • It can be made softer if first-time-offender's key is not removed, but just has a paper note attached to it. Second time = USB key removed + oral (non-official) reprimand; third time = official reprimand (but no paycheck decrease), then a nominal (e.g. $1) paycheck decrease and so on.

          – Vi.
          Mar 13 at 18:12
















        13














        This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:



        You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.



        If enforced, you can be sure this policy will be very unpopular, but effective.



        Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.






        share|improve this answer




















        • 1





          This should do indeed as a last resort.

          – Overmind
          Mar 12 at 13:38






        • 10





          At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.

          – Matthieu M.
          Mar 12 at 14:13






        • 13





          Make the reprimands reflect badly on their paycheck is illegal in most cultures I know of.

          – Flater
          Mar 12 at 15:14






        • 11





          @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.

          – A. Hersean
          Mar 12 at 16:27











        • It can be made softer if first-time-offender's key is not removed, but just has a paper note attached to it. Second time = USB key removed + oral (non-official) reprimand; third time = official reprimand (but no paycheck decrease), then a nominal (e.g. $1) paycheck decrease and so on.

          – Vi.
          Mar 13 at 18:12














        13












        13








        13







        This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:



        You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.



        If enforced, you can be sure this policy will be very unpopular, but effective.



        Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.






        share|improve this answer















        This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:



        You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.



        If enforced, you can be sure this policy will be very unpopular, but effective.



        Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Mar 12 at 14:14

























        answered Mar 12 at 12:49









        A. HerseanA. Hersean

        4,84931022




        4,84931022







        • 1





          This should do indeed as a last resort.

          – Overmind
          Mar 12 at 13:38






        • 10





          At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.

          – Matthieu M.
          Mar 12 at 14:13






        • 13





          Make the reprimands reflect badly on their paycheck is illegal in most cultures I know of.

          – Flater
          Mar 12 at 15:14






        • 11





          @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.

          – A. Hersean
          Mar 12 at 16:27











        • It can be made softer if first-time-offender's key is not removed, but just has a paper note attached to it. Second time = USB key removed + oral (non-official) reprimand; third time = official reprimand (but no paycheck decrease), then a nominal (e.g. $1) paycheck decrease and so on.

          – Vi.
          Mar 13 at 18:12













        • 1





          This should do indeed as a last resort.

          – Overmind
          Mar 12 at 13:38






        • 10





          At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.

          – Matthieu M.
          Mar 12 at 14:13






        • 13





          Make the reprimands reflect badly on their paycheck is illegal in most cultures I know of.

          – Flater
          Mar 12 at 15:14






        • 11





          @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.

          – A. Hersean
          Mar 12 at 16:27











        • It can be made softer if first-time-offender's key is not removed, but just has a paper note attached to it. Second time = USB key removed + oral (non-official) reprimand; third time = official reprimand (but no paycheck decrease), then a nominal (e.g. $1) paycheck decrease and so on.

          – Vi.
          Mar 13 at 18:12








        1




        1





        This should do indeed as a last resort.

        – Overmind
        Mar 12 at 13:38





        This should do indeed as a last resort.

        – Overmind
        Mar 12 at 13:38




        10




        10





        At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.

        – Matthieu M.
        Mar 12 at 14:13





        At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.

        – Matthieu M.
        Mar 12 at 14:13




        13




        13





        Make the reprimands reflect badly on their paycheck is illegal in most cultures I know of.

        – Flater
        Mar 12 at 15:14





        Make the reprimands reflect badly on their paycheck is illegal in most cultures I know of.

        – Flater
        Mar 12 at 15:14




        11




        11





        @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.

        – A. Hersean
        Mar 12 at 16:27





        @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.

        – A. Hersean
        Mar 12 at 16:27













        It can be made softer if first-time-offender's key is not removed, but just has a paper note attached to it. Second time = USB key removed + oral (non-official) reprimand; third time = official reprimand (but no paycheck decrease), then a nominal (e.g. $1) paycheck decrease and so on.

        – Vi.
        Mar 13 at 18:12






        It can be made softer if first-time-offender's key is not removed, but just has a paper note attached to it. Second time = USB key removed + oral (non-official) reprimand; third time = official reprimand (but no paycheck decrease), then a nominal (e.g. $1) paycheck decrease and so on.

        – Vi.
        Mar 13 at 18:12












        1














        I'm not that technical, but this seems possible:



        The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:



        • If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.


        • If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.


        • If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.






        share|improve this answer



























          1














          I'm not that technical, but this seems possible:



          The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:



          • If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.


          • If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.


          • If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.






          share|improve this answer

























            1












            1








            1







            I'm not that technical, but this seems possible:



            The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:



            • If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.


            • If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.


            • If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.






            share|improve this answer













            I'm not that technical, but this seems possible:



            The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:



            • If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.


            • If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.


            • If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Mar 12 at 19:26









            StilezStilez

            1,056410




            1,056410





















                1














                Why do you think this USB token alone is securing the laptop?



                This is a two-factor authorisation situation. For those who've not met the concept before, 2FA is described as "something you know, and something you have". The USB dongle is the "something you have", but the laptop is still protected by the "something you know", i.e. a password. 2FA is intended to add a layer which allows one factor to be redundant, so it doesn't make the system insecure if the attacker gets the security token, so long as the user doesn't also have the password written down. Of course it's better that they don't break one arm of the security, but the laptop should still be secure if they do.



                For forcing the user to remove the key, that also has a major issue. Securing the laptop is an afterthought, to protect any local files the user might have hanging around, which is a small subset of your company data. The critically important part is securing the user's access to your network. Networks, especially VPNs, are only as good as their login security. So if you're concerned about security, your VPN should be checking that the Bitlocker token is present when the user logs into the VPN and that it never leaves the machine during that login session. Otherwise the user could have accidentally left themselves logged in when they closed the lid and thought the computer was shut down, or various similar scenarios. You can't make the assumption "they logged in OK at some point in the past, therefore that is still them using the machine".



                In short, I think you're over-thinking one area and not considering the bigger picture of how it helps company data security.



                The simplest answer for USB dongles of course is to insist that they live on the user's keyring with their house or car keys. More than one keyring? No problem - they can have as many dongles as they need. But this ensures the dongle is always removed from the laptop when the user leaves it, because they need the keyring to get home.






                share|improve this answer


















                • 3





                  Thank you, but I never said that this was the only security measure and it most certainly isn't. I was simply exploring the possibility of adding another layer of security for the pre-boot authentication.If this was the sole measure to secure the laptops I'd wholeheartedly agree with what you say here.

                  – IamNaN
                  Mar 13 at 8:49











                • @graham I think you are missing the whole point of what controls are involved and what they protect. The control in question is endpoint encryption. This has nothing to do with account or network controls.

                  – schroeder
                  Mar 13 at 16:26















                1














                Why do you think this USB token alone is securing the laptop?



                This is a two-factor authorisation situation. For those who've not met the concept before, 2FA is described as "something you know, and something you have". The USB dongle is the "something you have", but the laptop is still protected by the "something you know", i.e. a password. 2FA is intended to add a layer which allows one factor to be redundant, so it doesn't make the system insecure if the attacker gets the security token, so long as the user doesn't also have the password written down. Of course it's better that they don't break one arm of the security, but the laptop should still be secure if they do.



                For forcing the user to remove the key, that also has a major issue. Securing the laptop is an afterthought, to protect any local files the user might have hanging around, which is a small subset of your company data. The critically important part is securing the user's access to your network. Networks, especially VPNs, are only as good as their login security. So if you're concerned about security, your VPN should be checking that the Bitlocker token is present when the user logs into the VPN and that it never leaves the machine during that login session. Otherwise the user could have accidentally left themselves logged in when they closed the lid and thought the computer was shut down, or various similar scenarios. You can't make the assumption "they logged in OK at some point in the past, therefore that is still them using the machine".



                In short, I think you're over-thinking one area and not considering the bigger picture of how it helps company data security.



                The simplest answer for USB dongles of course is to insist that they live on the user's keyring with their house or car keys. More than one keyring? No problem - they can have as many dongles as they need. But this ensures the dongle is always removed from the laptop when the user leaves it, because they need the keyring to get home.






                share|improve this answer


















                • 3





                  Thank you, but I never said that this was the only security measure and it most certainly isn't. I was simply exploring the possibility of adding another layer of security for the pre-boot authentication.If this was the sole measure to secure the laptops I'd wholeheartedly agree with what you say here.

                  – IamNaN
                  Mar 13 at 8:49











                • @graham I think you are missing the whole point of what controls are involved and what they protect. The control in question is endpoint encryption. This has nothing to do with account or network controls.

                  – schroeder
                  Mar 13 at 16:26













                1












                1








                1







                Why do you think this USB token alone is securing the laptop?



                This is a two-factor authorisation situation. For those who've not met the concept before, 2FA is described as "something you know, and something you have". The USB dongle is the "something you have", but the laptop is still protected by the "something you know", i.e. a password. 2FA is intended to add a layer which allows one factor to be redundant, so it doesn't make the system insecure if the attacker gets the security token, so long as the user doesn't also have the password written down. Of course it's better that they don't break one arm of the security, but the laptop should still be secure if they do.



                For forcing the user to remove the key, that also has a major issue. Securing the laptop is an afterthought, to protect any local files the user might have hanging around, which is a small subset of your company data. The critically important part is securing the user's access to your network. Networks, especially VPNs, are only as good as their login security. So if you're concerned about security, your VPN should be checking that the Bitlocker token is present when the user logs into the VPN and that it never leaves the machine during that login session. Otherwise the user could have accidentally left themselves logged in when they closed the lid and thought the computer was shut down, or various similar scenarios. You can't make the assumption "they logged in OK at some point in the past, therefore that is still them using the machine".



                In short, I think you're over-thinking one area and not considering the bigger picture of how it helps company data security.



                The simplest answer for USB dongles of course is to insist that they live on the user's keyring with their house or car keys. More than one keyring? No problem - they can have as many dongles as they need. But this ensures the dongle is always removed from the laptop when the user leaves it, because they need the keyring to get home.






                share|improve this answer













                Why do you think this USB token alone is securing the laptop?



                This is a two-factor authorisation situation. For those who've not met the concept before, 2FA is described as "something you know, and something you have". The USB dongle is the "something you have", but the laptop is still protected by the "something you know", i.e. a password. 2FA is intended to add a layer which allows one factor to be redundant, so it doesn't make the system insecure if the attacker gets the security token, so long as the user doesn't also have the password written down. Of course it's better that they don't break one arm of the security, but the laptop should still be secure if they do.



                For forcing the user to remove the key, that also has a major issue. Securing the laptop is an afterthought, to protect any local files the user might have hanging around, which is a small subset of your company data. The critically important part is securing the user's access to your network. Networks, especially VPNs, are only as good as their login security. So if you're concerned about security, your VPN should be checking that the Bitlocker token is present when the user logs into the VPN and that it never leaves the machine during that login session. Otherwise the user could have accidentally left themselves logged in when they closed the lid and thought the computer was shut down, or various similar scenarios. You can't make the assumption "they logged in OK at some point in the past, therefore that is still them using the machine".



                In short, I think you're over-thinking one area and not considering the bigger picture of how it helps company data security.



                The simplest answer for USB dongles of course is to insist that they live on the user's keyring with their house or car keys. More than one keyring? No problem - they can have as many dongles as they need. But this ensures the dongle is always removed from the laptop when the user leaves it, because they need the keyring to get home.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Mar 13 at 8:07









                GrahamGraham

                35925




                35925







                • 3





                  Thank you, but I never said that this was the only security measure and it most certainly isn't. I was simply exploring the possibility of adding another layer of security for the pre-boot authentication.If this was the sole measure to secure the laptops I'd wholeheartedly agree with what you say here.

                  – IamNaN
                  Mar 13 at 8:49











                • @graham I think you are missing the whole point of what controls are involved and what they protect. The control in question is endpoint encryption. This has nothing to do with account or network controls.

                  – schroeder
                  Mar 13 at 16:26












                • 3





                  Thank you, but I never said that this was the only security measure and it most certainly isn't. I was simply exploring the possibility of adding another layer of security for the pre-boot authentication.If this was the sole measure to secure the laptops I'd wholeheartedly agree with what you say here.

                  – IamNaN
                  Mar 13 at 8:49











                • @graham I think you are missing the whole point of what controls are involved and what they protect. The control in question is endpoint encryption. This has nothing to do with account or network controls.

                  – schroeder
                  Mar 13 at 16:26







                3




                3





                Thank you, but I never said that this was the only security measure and it most certainly isn't. I was simply exploring the possibility of adding another layer of security for the pre-boot authentication.If this was the sole measure to secure the laptops I'd wholeheartedly agree with what you say here.

                – IamNaN
                Mar 13 at 8:49





                Thank you, but I never said that this was the only security measure and it most certainly isn't. I was simply exploring the possibility of adding another layer of security for the pre-boot authentication.If this was the sole measure to secure the laptops I'd wholeheartedly agree with what you say here.

                – IamNaN
                Mar 13 at 8:49













                @graham I think you are missing the whole point of what controls are involved and what they protect. The control in question is endpoint encryption. This has nothing to do with account or network controls.

                – schroeder
                Mar 13 at 16:26





                @graham I think you are missing the whole point of what controls are involved and what they protect. The control in question is endpoint encryption. This has nothing to do with account or network controls.

                – schroeder
                Mar 13 at 16:26











                0














                I come from Manufacturing technology world and using little jigs to enforce a certain manual behavior for both quality and safety is a standard accepted method. I disagree with the perspective that one cannot engineer human behavior by placing certain impediments, this is done for human safety and is taken as seriously as network security. One common approach is to use a Poka-yoke, but one also sees interlocks, and dead man's switch when lives are on the line.



                The challenge is how to adapt these concepts to security. While I agree it would be difficult to code your way out of this in a reliable way, if you broaden your perspective to include hardware development it is certainly achievable.



                If it is important to you or your employer, a custom dongle can be designed that would force this behavior, spit-balling one approach would be a timed cutoff where the dongle disables itself after a certain amount of time under power. Requiring re-plugging.



                If you have a degree of control over the laptop users and policy, but you do not wish to play police, any number of other impediments can be employed to encourage compliance with your security policy.




                Of course, to an enterprising user this is by-passable, so if you are designing a security product sold to customers it would not be enough.



                But I believe the analogy to poka-yoke is appropriate as bypassing the engineering control by a co-worker would go against policy/procedure and subject to reprimand or warning.






                share|improve this answer





























                  0














                  I come from Manufacturing technology world and using little jigs to enforce a certain manual behavior for both quality and safety is a standard accepted method. I disagree with the perspective that one cannot engineer human behavior by placing certain impediments, this is done for human safety and is taken as seriously as network security. One common approach is to use a Poka-yoke, but one also sees interlocks, and dead man's switch when lives are on the line.



                  The challenge is how to adapt these concepts to security. While I agree it would be difficult to code your way out of this in a reliable way, if you broaden your perspective to include hardware development it is certainly achievable.



                  If it is important to you or your employer, a custom dongle can be designed that would force this behavior, spit-balling one approach would be a timed cutoff where the dongle disables itself after a certain amount of time under power. Requiring re-plugging.



                  If you have a degree of control over the laptop users and policy, but you do not wish to play police, any number of other impediments can be employed to encourage compliance with your security policy.




                  Of course, to an enterprising user this is by-passable, so if you are designing a security product sold to customers it would not be enough.



                  But I believe the analogy to poka-yoke is appropriate as bypassing the engineering control by a co-worker would go against policy/procedure and subject to reprimand or warning.






                  share|improve this answer



























                    0












                    0








                    0







                    I come from Manufacturing technology world and using little jigs to enforce a certain manual behavior for both quality and safety is a standard accepted method. I disagree with the perspective that one cannot engineer human behavior by placing certain impediments, this is done for human safety and is taken as seriously as network security. One common approach is to use a Poka-yoke, but one also sees interlocks, and dead man's switch when lives are on the line.



                    The challenge is how to adapt these concepts to security. While I agree it would be difficult to code your way out of this in a reliable way, if you broaden your perspective to include hardware development it is certainly achievable.



                    If it is important to you or your employer, a custom dongle can be designed that would force this behavior, spit-balling one approach would be a timed cutoff where the dongle disables itself after a certain amount of time under power. Requiring re-plugging.



                    If you have a degree of control over the laptop users and policy, but you do not wish to play police, any number of other impediments can be employed to encourage compliance with your security policy.




                    Of course, to an enterprising user this is by-passable, so if you are designing a security product sold to customers it would not be enough.



                    But I believe the analogy to poka-yoke is appropriate as bypassing the engineering control by a co-worker would go against policy/procedure and subject to reprimand or warning.






                    share|improve this answer















                    I come from Manufacturing technology world and using little jigs to enforce a certain manual behavior for both quality and safety is a standard accepted method. I disagree with the perspective that one cannot engineer human behavior by placing certain impediments, this is done for human safety and is taken as seriously as network security. One common approach is to use a Poka-yoke, but one also sees interlocks, and dead man's switch when lives are on the line.



                    The challenge is how to adapt these concepts to security. While I agree it would be difficult to code your way out of this in a reliable way, if you broaden your perspective to include hardware development it is certainly achievable.



                    If it is important to you or your employer, a custom dongle can be designed that would force this behavior, spit-balling one approach would be a timed cutoff where the dongle disables itself after a certain amount of time under power. Requiring re-plugging.



                    If you have a degree of control over the laptop users and policy, but you do not wish to play police, any number of other impediments can be employed to encourage compliance with your security policy.




                    Of course, to an enterprising user this is by-passable, so if you are designing a security product sold to customers it would not be enough.



                    But I believe the analogy to poka-yoke is appropriate as bypassing the engineering control by a co-worker would go against policy/procedure and subject to reprimand or warning.







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited Mar 15 at 7:01

























                    answered Mar 15 at 6:42









                    crasiccrasic

                    1413




                    1413





















                        0














                        You can make the USB multipurpose making it impossible to leave it on the PC. For example, they need to plug it in another device in order to begin their workday. You can say you want to know when they come to work and the start of their workday is marked by the USB connecting to this second device.



                        This is not applicable to every case, but I'm writing it with the hope that it might give a good idea to someone.






                        share|improve this answer



























                          0














                          You can make the USB multipurpose making it impossible to leave it on the PC. For example, they need to plug it in another device in order to begin their workday. You can say you want to know when they come to work and the start of their workday is marked by the USB connecting to this second device.



                          This is not applicable to every case, but I'm writing it with the hope that it might give a good idea to someone.






                          share|improve this answer

























                            0












                            0








                            0







                            You can make the USB multipurpose making it impossible to leave it on the PC. For example, they need to plug it in another device in order to begin their workday. You can say you want to know when they come to work and the start of their workday is marked by the USB connecting to this second device.



                            This is not applicable to every case, but I'm writing it with the hope that it might give a good idea to someone.






                            share|improve this answer













                            You can make the USB multipurpose making it impossible to leave it on the PC. For example, they need to plug it in another device in order to begin their workday. You can say you want to know when they come to work and the start of their workday is marked by the USB connecting to this second device.



                            This is not applicable to every case, but I'm writing it with the hope that it might give a good idea to someone.







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered Mar 15 at 13:17









                            Bojidar StanchevBojidar Stanchev

                            11




                            11





















                                -2














                                OK, so now you've ensured somehow that the owner of the laptop does not leave their token plugged in.



                                However they now take that laptop and token with them when going home, and get mugged by an industrial spy on the parking lot. Result is both token and laptop are how in the hands of an unauthorised person and worse, the same unauthorised person.



                                Result of course is exactly the same as it would be were the token plugged into the laptop, as the bad guy can just plug in the token.



                                Congratulations, you've just shifted the security boundary a little bit for no real gain whatsoever.



                                What you could do is install some software on the laptops that blocks the screen or even shuts them down if the token is found installed on the laptop after the operating system is done booting. Say something that's started as part of the OS startup and checks for the token every few minutes.
                                Would ensure that the token is removed after booting the machine, but wouldn't prevent both token and machine being stolen.



                                The only way to ensure that is a 4-eye principle, where the machine cannot be booted up without at least 2 people being present, one with the token and another with the password.



                                And that is a major PITA and, especially for remote workers, often impossible (as remote workers tend to be alone at a site).






                                share|improve this answer























                                • This has already been hashed out in the comments to the question. As written, it is not an answer to the question but a tangent. Your software suggestion is already covered by other answers, and your 4-eye suggestion is not workable for the scenario in the question.

                                  – schroeder
                                  Mar 15 at 10:03















                                -2














                                OK, so now you've ensured somehow that the owner of the laptop does not leave their token plugged in.



                                However they now take that laptop and token with them when going home, and get mugged by an industrial spy on the parking lot. Result is both token and laptop are how in the hands of an unauthorised person and worse, the same unauthorised person.



                                Result of course is exactly the same as it would be were the token plugged into the laptop, as the bad guy can just plug in the token.



                                Congratulations, you've just shifted the security boundary a little bit for no real gain whatsoever.



                                What you could do is install some software on the laptops that blocks the screen or even shuts them down if the token is found installed on the laptop after the operating system is done booting. Say something that's started as part of the OS startup and checks for the token every few minutes.
                                Would ensure that the token is removed after booting the machine, but wouldn't prevent both token and machine being stolen.



                                The only way to ensure that is a 4-eye principle, where the machine cannot be booted up without at least 2 people being present, one with the token and another with the password.



                                And that is a major PITA and, especially for remote workers, often impossible (as remote workers tend to be alone at a site).






                                share|improve this answer























                                • This has already been hashed out in the comments to the question. As written, it is not an answer to the question but a tangent. Your software suggestion is already covered by other answers, and your 4-eye suggestion is not workable for the scenario in the question.

                                  – schroeder
                                  Mar 15 at 10:03













                                -2












                                -2








                                -2







                                OK, so now you've ensured somehow that the owner of the laptop does not leave their token plugged in.



                                However they now take that laptop and token with them when going home, and get mugged by an industrial spy on the parking lot. Result is both token and laptop are how in the hands of an unauthorised person and worse, the same unauthorised person.



                                Result of course is exactly the same as it would be were the token plugged into the laptop, as the bad guy can just plug in the token.



                                Congratulations, you've just shifted the security boundary a little bit for no real gain whatsoever.



                                What you could do is install some software on the laptops that blocks the screen or even shuts them down if the token is found installed on the laptop after the operating system is done booting. Say something that's started as part of the OS startup and checks for the token every few minutes.
                                Would ensure that the token is removed after booting the machine, but wouldn't prevent both token and machine being stolen.



                                The only way to ensure that is a 4-eye principle, where the machine cannot be booted up without at least 2 people being present, one with the token and another with the password.



                                And that is a major PITA and, especially for remote workers, often impossible (as remote workers tend to be alone at a site).






                                share|improve this answer













                                OK, so now you've ensured somehow that the owner of the laptop does not leave their token plugged in.



                                However they now take that laptop and token with them when going home, and get mugged by an industrial spy on the parking lot. Result is both token and laptop are how in the hands of an unauthorised person and worse, the same unauthorised person.



                                Result of course is exactly the same as it would be were the token plugged into the laptop, as the bad guy can just plug in the token.



                                Congratulations, you've just shifted the security boundary a little bit for no real gain whatsoever.



                                What you could do is install some software on the laptops that blocks the screen or even shuts them down if the token is found installed on the laptop after the operating system is done booting. Say something that's started as part of the OS startup and checks for the token every few minutes.
                                Would ensure that the token is removed after booting the machine, but wouldn't prevent both token and machine being stolen.



                                The only way to ensure that is a 4-eye principle, where the machine cannot be booted up without at least 2 people being present, one with the token and another with the password.



                                And that is a major PITA and, especially for remote workers, often impossible (as remote workers tend to be alone at a site).







                                share|improve this answer












                                share|improve this answer



                                share|improve this answer










                                answered Mar 15 at 7:14









                                jwentingjwenting

                                1572




                                1572












                                • This has already been hashed out in the comments to the question. As written, it is not an answer to the question but a tangent. Your software suggestion is already covered by other answers, and your 4-eye suggestion is not workable for the scenario in the question.

                                  – schroeder
                                  Mar 15 at 10:03

















                                • This has already been hashed out in the comments to the question. As written, it is not an answer to the question but a tangent. Your software suggestion is already covered by other answers, and your 4-eye suggestion is not workable for the scenario in the question.

                                  – schroeder
                                  Mar 15 at 10:03
















                                This has already been hashed out in the comments to the question. As written, it is not an answer to the question but a tangent. Your software suggestion is already covered by other answers, and your 4-eye suggestion is not workable for the scenario in the question.

                                – schroeder
                                Mar 15 at 10:03





                                This has already been hashed out in the comments to the question. As written, it is not an answer to the question but a tangent. Your software suggestion is already covered by other answers, and your 4-eye suggestion is not workable for the scenario in the question.

                                – schroeder
                                Mar 15 at 10:03

















                                draft saved

                                draft discarded
















































                                Thanks for contributing an answer to Information Security Stack Exchange!


                                • Please be sure to answer the question. Provide details and share your research!

                                But avoid


                                • Asking for help, clarification, or responding to other answers.

                                • Making statements based on opinion; back them up with references or personal experience.

                                To learn more, see our tips on writing great answers.




                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function ()
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205200%2fforce-user-to-remove-usb-token%23new-answer', 'question_page');

                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown






                                Popular posts from this blog

                                How to check contact read email or not when send email to Individual?

                                Displaying single band from multi-band raster using QGIS

                                How many registers does an x86_64 CPU actually have?