Prevent Offline Password and Registry Editing
I work at an organization that is federally regulated; this means that we are basically under constant audit. One of our audit issues, which seems to result in a write-up every audit, is the vulnerability of our machines against someone using a password and/or registry editor loaded on boot from disk or a similar option. A prime example of this is the Offline NT Password and Registry Editor that you can find all over the internet with extreme ease.

I could put a lock on every case and a password on every BIOS, but that is easily defeated, not to mention that all of our machines have the option to press F9 on boot for the Boot Menu. Now I should mention that, yes, I am aware that physical security is the first barrier against this sort of attack. However, when I mention this to our auditors their answer is always "But what if they get past that?"

Well, what if? What if they get past the doors that require you to swipe a badge and sit at a desk and plop in their disk? What if no one notices a stranger in the building or just fails to report them? What if the attacker is an employee? Well, my auditor friend, I hate to say this, but I don't know.

I've posed this same question to vendors who've contacted us to use their security appliances and such. Some give the same answer I do; others say I should purchase a whole disk encryption product. I'm looking for suggestions (preferably not whole disk encryption) and I know this is one of the best places to get them.
June 24th, 2008 12:38am

Hello,

Yes. As you describe, security is very important to an organization. To achieve your goal, you may consider Windows BitLocker Drive Encryption, which is provided in Windows Vista and Windows Server 2008, although it is a drive encryption solution.

BitLocker provides enhanced protection against data theft or exposure on computers that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned. BitLocker helps mitigate unauthorized data access on lost or stolen computers by combining two major data-protection procedures:

1. Encrypting the entire Windows operating system volume on the hard disk. BitLocker encrypts all user files and system files in the operating system volume, including the swap and hibernation files.
2. Checking the integrity of early boot components and boot configuration data. On computers that have a Trusted Platform Module (TPM) version 1.2, BitLocker leverages the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer's boot components appear unaltered and the encrypted disk is located in the original computer.

For more information about BitLocker, you may refer to the following links:

BitLocker Drive Encryption
http://technet.microsoft.com/en-us/windows/aa905065.aspx

Windows BitLocker Drive Encryption Frequently Asked Questions
http://technet2.microsoft.com/WindowsVista/en/library/58358421-a7f5-4c97-ab41-2bcc61a58a701033.mspx?mfr=true

Description of the BitLocker Drive Preparation Tool
http://support.microsoft.com/default.aspx?scid=kb;EN-US;933246

Hope it helps.

Your potential. Our passion.
June 27th, 2008 12:30pm
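
For the audit side of the question, the two BitLocker properties described in the reply above (an encrypted operating system volume and TPM-backed checking of boot components) can be verified per machine. The following is an added example, not part of the original thread: it assumes the BitLocker PowerShell module that ships with later Windows releases (Windows 8 / Server 2012 and newer, not Vista) and an elevated session; `Test-OsVolumeProtection` and the sample volume objects are hypothetical and constructed for illustration.

```powershell
# Added example: report whether the OS volume is exposed to offline editing.
# Test-OsVolumeProtection is a hypothetical helper name, not a built-in cmdlet.
function Test-OsVolumeProtection {
    param(
        # Volume objects to evaluate; defaults to the live system (needs elevation).
        [object[]]$Volume = @(Get-BitLockerVolume)
    )
    # Protector types that bind the volume key to TPM boot measurements.
    $tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    foreach ($v in $Volume) {
        if ("$($v.VolumeType)" -ne 'OperatingSystem') { continue }
        $types = @($v.KeyProtector | Where-Object { $_ } |
                   ForEach-Object { "$($_.KeyProtectorType)" })
        $findings = @()
        if ("$($v.VolumeStatus)" -ne 'FullyEncrypted') {
            $findings += "volume status is $($v.VolumeStatus)"
        }
        if ("$($v.ProtectionStatus)" -ne 'On') {
            # Suspended protection leaves the key readable from disk.
            $findings += 'protection is off or suspended'
        }
        if (-not ($types | Where-Object { $tpmTypes -contains $_ })) {
            $findings += 'no TPM-based protector, boot components are not checked'
        }
        [pscustomobject]@{
            MountPoint    = $v.MountPoint
            Compliant     = ($findings.Count -eq 0)
            KeyProtectors = $types -join ','
            Findings      = $findings -join '; '
        }
    }
}

# Constructed sample volumes (not real output) so the logic can be followed offline.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'
        VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'
        VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'Off'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Password' }) }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data'
        VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off'; KeyProtector = @() }
)
Test-OsVolumeProtection -Volume $sample | Format-List
```

Called without `-Volume`, the function evaluates the machine it runs on; the second sample volume is reported as non-compliant for both suspended protection and the missing TPM protector, and the data volume is skipped.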
