Locking down Win PC

[Collider]

I'd like to know what is the conventional wisdom for password protecting your PC besides windows login. Basically I'm looking to add an additional layer on top of Active Directory login. Any 3rd party tools around that do a better job?

 

[masteryoda34]

Full Disk encryption would be the strongest option. Truecrypt works well on Windows and is free.

 

[Collider]

Well I'm not looking to encrypt my files, just restrict login.

 

[Chiefcrowe]

I guess you could also setup a boot password in the BIOS

 

[Fardringle]

If your AD password is secure, then logins on your system are secure. If not, change your password.

I honestly can't think of a reason why you would want/need a secondary login requirement unless you're afraid that a domain admin might log in and find something you don't want them to see. If that's the case, stop doing whatever it is you are doing that is against company policy.

 

[seepy83]

Well I'm not looking to encrypt my files, just restrict login.

If you're just talking about AD/Windows authentication and want to go past username and password, you can look into two-factor authentication... smartcard/usb-token and PIN.

 

[VinylxScratches]

turn on complex passwords in AD.

 

[pcunite]

Use standard LUA accounts along with Software Restriction Policies.

 

[Collider]

If you're just talking about AD/Windows authentication and want to go past username and password, you can look into two-factor authentication... smartcard/usb-token and PIN.

Can you give me some info on how to set this up, I'm assuming this would function kind of like a usb key right?

 

[Collider]

If your AD password is secure, then logins on your system are secure. If not, change your password.

I honestly can't think of a reason why you would want/need a secondary login requirement unless you're afraid that a domain admin might log in and find something you don't want them to see. If that's the case, stop doing whatever it is you are doing that is against company policy.

Not really, I also know that windows stores the hash (I may have the terminology wrong) of the password somewhere locally, so it could be bypassed.

 

[seepy83]

Can you give me some info on how to set this up, I'm assuming this would function kind of like a usb key right?

This document is probably a good starting point:
http://www.microsoft.com/en-us/download/details.aspx?id=4184

Edit: I realize that the doc linked is written in reference to server 2003. Basically, all of the concepts still apply in 2008, but there might be slight differences in specifics. There may be an updated one available for 2k8.

 

[Oyeve]

BIOS PW or HD encryption. Only downside is if the HD dies its a bitch to grab data off the drive. Thats why I use roaming profiles for my users.