How to prevent user from taking the PC hard disk at home
Spiceworks Community thread: https://community.spiceworks.com/t/how-to-prevent-user-from-taking-the-pc-hard-disk-at-home/1153010
Asked by Magical_falcon on December 12, 2024 (22 answers). Accepted answer by SomewhereinSC.
Magical_falcon
(Magical_falcon)
December 12, 2024, 12:15pm
1
Hello,
Does anybody have an idea how to protect the HDD from the computer user taking it home and copying the work files?
The PC's USB is protected, but the user can open the PC case, take the HDD and use it on another computer. If I encrypt it, he has to have the password to do his daily work, so how can I let him work normally and also prevent him from using or copying it outside? Or is using a physical lock for the case the only solution?
7 Spice ups
SomewhereinSC
(SomewhereinSC)
December 12, 2024, 12:34pm
2
So you BitLocker the drive(s) you're concerned with in the user's system. If the user pulls the drive and puts it into another system, it will request the BitLocker key (which the user should not have).
19 Spice ups
Magical_falcon
(Magical_falcon)
December 12, 2024, 12:46pm
3
But if he boots from this HDD on another computer, will it ask for the BitLocker password?
2 Spice ups
SomewhereinSC
(SomewhereinSC)
December 12, 2024, 1:05pm
4
100% yes, BitLocker will pop up on any hardware-type changes…
7 Spice ups
Magical_falcon
(Magical_falcon)
December 12, 2024, 1:12pm
5
He should have the password, as he is already the user of the computer, so he can decrypt it. Plus, not all computers have a TPM to use BitLocker.
2 Spice ups
SomewhereinSC
(SomewhereinSC)
December 12, 2024, 1:56pm
6
The user would not have the BitLocker key (only you should have that, if these are managed systems). The user knowing his own BitLocker code to start the system is different from the key needed to activate the drive if hardware is changed.
7 Spice ups
Magical_falcon
(Magical_falcon)
December 12, 2024, 2:03pm
7
Sorry, you mean there will be two keys, one for the managed user to log in and the other key for me if something changed?
2 Spice ups
molan
(molan)
December 12, 2024, 2:13pm
8
No. BitLocker stores the keys in the computer's TPM (that chip that is always in the news because MS now requires it for Win 11); the user never knows the BitLocker key. You don't know the key either. You would configure your systems so the key is backed up (AD, Entra ID, etc.) so you can get it if needed.
To the end user nothing changes. They use the computer as normal and log in with their credentials, but if they tamper with the computer or the drive, the computer will stop booting until the BitLocker key is provided. If they remove the drive, it's encrypted and they can't read it unless they know the BitLocker key.
BitLocker has been around a long time and has been best practice for almost 2 decades. This is a solved problem and very easy to implement and manage.
8 Spice ups
chris-kelly
(Chris Kelly)
December 12, 2024, 2:15pm
9
BitLocker protects drives by using "protectors". A BitLockered drive typically stores a protector in the system's TPM (Trusted Platform Module) chip and unlocks the drive automatically on boot. You can also optionally use an additional PIN protector, which prompts for the PIN at boot time; this also requires the presence of a TPM.
Then there's the recovery password protector. In a managed AD/Azure environment, this should be stored in AD/Azure, and only sysadmins should have access to it; this lets a sysadmin get at the data in the event the original TPM is not available.
Once you take the drive out of the system with the original TPM, it'll prompt for the full BitLocker recovery key.
If the system doesn't have a TPM, you have no choice but to allow the user access to the unlock code, as the system wouldn't be able to boot otherwise. That said, TPMs are standard issue and have been for a long time; if you're running endpoints without one, you really need to consider replacing them.
5 Spice ups
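The setup molan and Chris Kelly describe above (TPM protector for a silent unlock on the original machine, recovery password escrowed to AD DS or Entra ID and never handed to the user), as an added PowerShell example that is not part of the thread. It assumes Windows 10/11 Pro or Enterprise, an elevated session, and that the machine is either domain-joined or Entra-joined; the `$MountPoint` value and the expected-protector check at the end are the example's own choices.

```powershell
# Added example, not from the thread: enable BitLocker on the OS volume with a TPM
# protector (transparent to the user) and a recovery password that is escrowed
# to AD DS / Entra ID. Run elevated on Windows 10/11 Pro or Enterprise.
# Assumption: domain-joined machines escrow to AD DS, everything else to Entra ID.

#Requires -RunAsAdministrator
$MountPoint = 'C:'   # assumption: the OS volume

# 1. Refuse to proceed without a ready TPM. Without it the only protectors left
#    are ones the user must hold (password or startup key), which is exactly
#    the loophole the thread is about.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)); enable or replace it before relying on BitLocker here."
}

# 2. TPM protector: the user sees no prompt on this hardware. The same drive in
#    another chassis, or behind a tampered boot chain, drops to the recovery screen.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector
    # Without -SkipHardwareTest, encryption begins after the next reboot's hardware test.
}

# 3. Recovery password protector (48 digits). This is the "second key" the
#    original poster asked about; it is for the admin, not the user.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1

# 4. Escrow it where only admins can read it: the computer object in AD DS
#    (msFVE-RecoveryInformation child) or the device object in Entra ID.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
} else {
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
}

# 5. Verify the protector set. Only Tpm (auto-unlock) and RecoveryPassword
#    (escrowed) should exist; a Password or ExternalKey protector is something
#    the user could carry out of the building with the disk.
$after = Get-BitLockerVolume -MountPoint $MountPoint
$after.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
$unexpected = $after.KeyProtector | Where-Object { $_.KeyProtectorType -notin @('Tpm', 'RecoveryPassword') }
if ($unexpected) {
    Write-Warning "Unexpected protectors on ${MountPoint}: $($unexpected.KeyProtectorType -join ', ')"
}
```

The check in step 5 is the one worth running periodically on every endpoint: the recovery password itself is deliberately not printed, since the point of escrow is that it lives in the directory and not on the user's screen.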
molan
(molan)
December 12, 2024, 2:26pm
10
Chris Kelly:
If the system doesn’t have a TPM, you have no choice but to allow the user access to the unlock code, as the system wouldn’t be able to boot otherwise. That said, TPMs are standard issue and have been for a long time - if you’re running endpoints without one, you really need to consider replacing them.
You could still use a USB dongle with the key stored on it to auto-unlock on boot without a TPM, and just not tell the user about it, kind of like one of those annoying hardware license keys some CAD programs used to use. But if the user was smart, they could figure out how to bypass it by simply moving the dongle to another computer if they pulled the drive.
But TPM is definitely the way to go. Any computer built since Win 11 that came with a Win 11 compatibility sticker has a TPM. Basically any business-grade computer made in the last 20 years should have a TPM 1.2 at least, but you want TPM 2 for Win 11 compatibility.
It's really only cheap consumer PC gear pre-Win 11 that probably didn't have a TPM.
5 Spice ups
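The no-TPM fallback molan describes above, a USB startup key that unlocks the OS drive at boot, and why it only stops a careless user, as an added PowerShell example that is not part of the thread. It assumes an elevated session, that the dongle is mounted as `E:`, and that the "Require additional authentication at startup" policy is set locally in the registry rather than by GPO.

```powershell
# Added example, not from the thread: BitLocker with a USB startup key (.BEK file)
# on a machine without a TPM, plus the reason this is weaker than a TPM protector.
# Assumptions: elevated session, the removable drive is E:, policy set locally.

#Requires -RunAsAdministrator
$MountPoint = 'C:'
$UsbDrive   = 'E:\'   # assumption: the dongle the user is not told about

# 1. BitLocker will not accept a startup key on a TPM-less machine unless the
#    "Require additional authentication at startup" policy allows it. These are
#    the registry values that policy writes.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord

# 2. Enable with an external-key (startup key) protector. The .BEK file is written
#    to the USB drive as a hidden system file; boot fails without the stick present.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
    -StartupKeyProtector -StartupKeyPath $UsbDrive

# 3. Add a recovery password too, so the admin is never dependent on the dongle
#    surviving. Escrow it as in a normal deployment (omitted here).
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

# 4. The weakness: the protector is a portable file, not a chip soldered to the
#    board. Whoever has the USB stick AND the disk can mount the disk on any PC
#    as a data drive and unlock it with the same key:
#       manage-bde -unlock D: -RecoveryKey E:\<protector-id>.BEK
#    A TPM protector has no such artifact to carry away with the drive.
$external = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'ExternalKey'
"ExternalKey protector(s) on ${MountPoint}: $($external.KeyProtectorId -join ', ')"
Get-ChildItem -Path $UsbDrive -Filter '*.BEK' -Force | ForEach-Object {
    "Startup key file on the dongle: $($_.FullName) (moves with the stick; so does access to the disk)"
}
```

If the dongle stays plugged into the back of the case, it leaves the building with the drive the moment the user opens the side panel, which is why the thread steers toward a TPM and a case lock rather than this arrangement.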
matt7863
(m@ttshaw)
December 12, 2024, 6:49pm
11
You need to use devices with TPMs and a suitable encryption system that uses the TPM, so that the drive cannot be accessed in another system.
Any other form of encryption is going to require just a password or hardware dongle, etc., which the user will need to have/know to use the computer, so they can work round it. The TPM ties it to the physical device.
Also non-technical measures:
Tell them not to.
Make sure it's in the AUP and T&Cs.
Use a security seal.
If the company does not trust the user, don't employ them.
Where I live I would be sacked (through a formal process) for doing this, and the company would be within its rights to prosecute for theft.
In many jobs I have had, I would be in prison for a long time.
6 Spice ups
Rod-IT
(Rod-IT)
December 12, 2024, 7:43pm
12
If you have someone in your company doing this, refer them to HR. This isn't a technical problem, though there are technical solutions; this is a people problem.
Essentially the user is stealing company data.
You can use products like DLP to prevent copy/move/duplicate, etc., but these are often expensive and cumbersome to set up.
3 Spice ups
matthew-martin
(matthew-martin)
December 12, 2024, 11:41pm
13
BitLocker, and don't give local admin. If they have local admin, then they can retrieve the BitLocker recovery key.
I'd think emailing, cloud storage, or SMB to another machine would be more likely.
2 Spice ups
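What the warning above means in practice, as an added PowerShell example that is not part of the thread: a member of the local Administrators group can read the recovery password, suspend protection or strip protectors, so BitLocker only binds the disk to the machine if the daily user is a standard user. It assumes an elevated session on the endpoint being audited, and the `$Expected` list of admin accounts is a placeholder to adjust for your environment.

```powershell
# Added example, not from the thread: show what a local administrator can pull
# out of BitLocker, then audit who holds that right on this endpoint.
# Assumption: $Expected lists the only principals that should be local admins.

#Requires -RunAsAdministrator
$MountPoint = 'C:'
$Expected   = @('Administrator', 'Domain Admins')   # assumption: adjust per environment

# 1. What an admin can read: the full 48-digit recovery password, i.e. the key
#    that unlocks the drive in any other computer. A standard user cannot
#    retrieve this value, which is why the daily account must not be an admin.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# 2. What an admin can do (not run here, shown for the audit's context):
#       Suspend-BitLocker -MountPoint C: -RebootCount 0   # clear key on disk, unlocks anywhere until resumed
#       Remove-BitLockerKeyProtector -MountPoint C: -KeyProtectorId <id>

# 3. Is protection currently suspended? FullyEncrypted + ProtectionStatus Off
#    means a clear key is sitting on the volume.
if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
    Write-Warning "BitLocker is suspended on ${MountPoint}: the drive unlocks on any machine until Resume-BitLocker is run."
}

# 4. Who is in local Administrators that should not be? Names come back as
#    COMPUTER\user or DOMAIN\group, so compare the part after the backslash.
$members    = Get-LocalGroupMember -Group 'Administrators'
$unexpected = $members | Where-Object { ($_.Name -split '\\')[-1] -notin $Expected }
if ($unexpected) {
    Write-Warning "Accounts on $($env:COMPUTERNAME) that can retrieve the BitLocker recovery key:"
    $unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
} else {
    "Local Administrators on $($env:COMPUTERNAME) limited to: $($Expected -join ', ')"
}
```

Run the audit from a management session rather than the user's own account; the point of step 1 is precisely that the value appears for admins and not for the person who uses the PC every day.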
general-tsao
(general-tsao)
December 13, 2024, 1:15pm
15
This is exactly what BitLocker is for… If your corporate workstations are not being ordered with Windows Pro at the least and TPM chips, you should start ordering them that way.
2 Spice ups
fuzzywuzzy
(fuzzywuzzy)
December 13, 2024, 9:39pm
16
And then there is the old failsafe lockable HDD caddy…?
HDD locked into the caddy that it sits in?
PC side door locked too?
If it's removed in any way other than with the key that admin support has, I suggest you follow Rod's advice ;0)
Sackable.
2 Spice ups
egp_dave
(egp_dave)
December 17, 2024, 2:04pm
17
Fire the user and have them arrested for theft and espionage. No, I'm not joking. If you are that worried, then you have an HR and security problem.
You could also do what Amazon does and search employees after their shifts. The US Supreme Court said it was OK AFTER employees clock out (so you don't even need to pay them for being suspicious in the US!)
1 Spice up
Magical_falcon
(Magical_falcon)
December 18, 2024, 7:36am
18
Thank you to everyone who replied and gave me great ideas.
Unfortunately, most of the computers don't have the TPM chip, so I will add upgrading the computers one by one, but this will take time. So for now I will work on the physical solution, which is using the case lock, to prevent this from happening again.
Ah, btw, about telling HR about this employee: the Head of HR was the employee who did that.
This person has left, but we should prevent this risk from happening again.
1 Spice up
jarmbrister
(jarmbrister)
December 18, 2024, 1:56pm
19
This would require a huge shift in how things are done, but you could move to a server/remote desktop setup where employees log into a thin client. Physically secure the server(s).
randomparts
(Random Parts)
December 18, 2024, 2:08pm
20
As many people have already addressed possible resolutions to this, I will simply add slap the user with a fish until they get the message.
James9006
(James9006)
December 19, 2024, 4:05pm
21
Said fish should be a wet trout.