Isolation from LAN


FJJP
22nd Dec 2004, 17:00
At work, all our computers are connected to a LAN, to an exchange server, with another server connected with specialist software loaded. The LAN has access to the WWW and third parties can dial in [specialist software company to fix problems] using PC Anywhere and VNC.

My computer has a lot of commercially confidential company info on the hard drive which I want to isolate and ensure security against anyone dialling in getting a look-see.

Has anyone got any ideas how I can achieve the isolation, or am I down to running a stand-alone PC separate from the workstation?

If I have to run the second stand-alone, presumably there is a switching device that I can install to allow me to have just the 1 monitor, KB and mouse that I can use with either machine?

Your ideas would be most welcome...

FJJP

Naples Air Center, Inc.
22nd Dec 2004, 22:21
FJJP,

If you want to be 100% safe, then go with a stand alone comp and use a KBM Switch so you can use the same keyboard, mouse, and monitor.

Now if you are running WinXP and you do not share any directories, you are reasonably safe, but anything connected to a network is not ever going to be 100% safe.

Take Care,

Richard

Memetic
23rd Dec 2004, 14:08
Running an aggressively configured firewall on your machine might help too.

FJJP
25th Dec 2004, 09:44
Thanks for the replies, guys. Looks like a stand-alone is the best option.

Richard, you mention a KBM switch. I'm using a Logitech wireless KB and trackball. Is there a switch that I can use for them? And how does it work - is it software or hardware or both?

Tuba Mirum
25th Dec 2004, 16:31
An alternative approach is to encrypt the confidential data, so that it can only be meaningfully accessed by someone in possession of a password or passphrase. If you're using Windows 2000 or XP (not home edition) encryption facilities are built in.

I assume firstly that your company has no policy regarding data encryption, since it sounds like they have no policy regarding network security. Given that, you presumably have a free hand to play with this on your PC, but BEWARE: you run the risk of ending up with encrypted data which cannot be decrypted, resulting in an information loss to your company.

The easiest approach under XP (and I think it's essentially the same in Windows 2000) is to mark the relevant folder as encrypted. Right-click the folder, Properties, on the "General" tab click Advanced, then click "Encrypt contents...". Any files stored in that folder will now be encrypted using an encryption key specific to your login ID, and accessible only by use of your login password. Check this by defining another user on your PC, and confirming that they cannot access the data.

An alternative approach for the paranoid is to purchase a package such as DriveCrypt (http://www.securstar.com/), which enables you to define an encrypted pseudo-drive or partition on 32-bit Windows systems, and provides (a) control of what encryption algorithm is used, and (b) the ability to define a passphrase, rather than just a shortish password.

In any case, it's vital to consider what happens to the data (be it on your PC or on backup media) if the encryption key is lost. With XP encryption, the best approach may be to define a certificate for yourself using the "Certificates" snap-in to the management console, and make a copy of it on diskette or some other external media. With DriveCrypt, you can use what it calls a "keyfile" in very much the same way as an exported certificate.

This is a tricky area, with pitfalls for the unwary - for instance, under some circumstances you may find that data you thought was encrypted, isn't.
If others here have come across significant "gotchas" which I ought to have mentioned, or if I've got any of the details wrong, I hope they'll mention it.

Note that I've carefully restricted myself to considering your PC as constituting a standalone security environment. If any question arises of implementing encryption across your company network, I would advise getting consultancy in to achieve it, as there are not only technical but also management issues involved.
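The folder-level EFS procedure and the certificate backup described in the post above, as an added PowerShell example that is not part of the thread. It assumes a current Windows edition with EFS (not Home), PowerShell 5.1 with the PKI module, and that it runs as the user who owns the data; the folder and backup paths are placeholders.

```powershell
# Added example, not from the thread. Assumes Windows 10/11 (Pro or better) and
# PowerShell 5.1 with the PKI module, run as the data owner. Paths are placeholders.
$Folder = 'C:\Confidential'     # placeholder: folder holding the confidential files
$Backup = 'E:\efs-backup.pfx'   # placeholder: removable media kept off this PC

# 1. Mark the folder as encrypted (same as Properties > Advanced > "Encrypt contents")
#    and encrypt everything already inside it. New files inherit the attribute.
cipher.exe /e "/s:$Folder" | Out-Null

# 2. Verify: every file under the folder should carry the Encrypted attribute.
#    Files copied in while the folder was still plain can be missed, which is the
#    "data you thought was encrypted, isn't" gotcha the post warns about.
$plain = Get-ChildItem -Path $Folder -Recurse -File |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 }
if ($plain) {
    Write-Warning ("Not encrypted:`n" + ($plain.FullName -join "`n"))
} else {
    Write-Host "All files under $Folder are EFS-encrypted."
}

# 3. Back up the EFS certificate and private key (the post's "copy it on diskette").
#    Without it, a lost profile or reinstalled Windows leaves the data unrecoverable.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No EFS certificate found; encrypt at least one file first.' }

$pw = Read-Host -AsSecureString 'Password to protect the exported key'
Export-PfxCertificate -Cert $cert -FilePath $Backup -Password $pw | Out-Null
Write-Host "EFS key backed up to $Backup; store it away from this machine."
```

The "other user cannot read it" check from the post is still worth doing by hand: log in as a second local account and confirm an Access Denied on a file in the folder.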

FJJP
25th Dec 2004, 17:26
Thanks TM - I'm the only one around with any level of computer knowledge, so I don't feel the need for an encryption solution. I can keep the stand-alone secure without sophisticated encryption; it is the dialling-in aspect by outside software contractors that I am concerned about. I want to keep casual or intentional eyes out of the company business files, which are only on my machine. I am happy to go standalone for that, but I do need to use the LAN, too, on a routine basis - hence the question about common monitor, KB and mouse. My desk is cluttered enough without 2 sets of hardware!

And as you rightly point out, there are dangers associated with encryption and loss or corruption of the keys.

Agent86
25th Dec 2004, 22:56
FJJP,

The switch Richard is referring to is a Keyboard/Video/Mouse switch or KVM. They come in a variety of styles but generally switch 1 video and 2 PS/2 connections. Ideal for what you want, I would imagine. You can use wireless systems with them... Just plug the transmitter in place of the "normal" KB/Mouse. You can use USB mice as well but need to use the USB>PS2 adaptor.

I have a 4 port which has both manual pushbutton switching and keyboard operated switching. Generally the KB switch uses the scroll lock key as the switching key. It is MUCH better using my 20" monitor/ full KB and wireless mouse than the 12.1" screen mini KB and worthless pointing device that is on my laptop!

The Nr Fairy
26th Dec 2004, 06:02
Depends on how they're "dialling in".

If this is a connection via the Internet to your LAN, that's a bit more problematic - but providing a username and password specific to each person who is likely to dial in means a) you can log/audit the connections and b) pin down the access those people have to only those areas they require.

If dialling in via a modem to a specific PC - disconnect it from the LAN (if it's not the one with the confidential data) or see above.