How about events where you're not in network coverage or wifi coverage and need access to the data? It's a legit use case in use today by many professions. Software even has built-in support for it in a lot of cases: "briefcasing".
Not everything can be put on the cloud/central server and remotely accessed
In those cases I'd temporarily copy the data locally then remove it once finished with. Then you've at least both reduced and minimized the risk of data loss.
That's just the tip of the iceberg. Like I said, not everything can be put remotely or kept in the cloud, in which case FDE and a lojack should be used. Security has to be practical, otherwise users and groups will find an easier way around whatever measures you've put in place.
Beccara:
Security has to be practical otherwise users and groups will find an easier way around whatever measures you've put in place
This :-)
Security measures are worthless when the user puts a sticky note with the password on the laptop/PC.
IT makes passwords too complex & forces a pass change every 6 weeks, users can't remember, so every user writes the pass on a sticky note (as per where I used to work).
Or the user decides to use that password for everything, even using their work password for their own many personal logins to webpages etc (that happens far too often).
Even MS recommends against that crap
Don't require mandatory periodic password resets for user accounts
I feel like "access offline is required" must be mostly irrelevant these days. Sure there are always going to be some industries that are constantly working in remote areas, but for the most part we always have some kind of connectivity available via mobile hotspots.
I would agree that it sounds mad to keep "a large database of an organization" on a mobile device like a laptop. And that central storage should be seriously looked into without the bias of "but I need it on my local drive".
It's very much still a thing. You are underestimating the number of places in NZ that either have no Internet/Mobile or have such poor connections that working in a remote application is not viable.
Then, going to the problem. If local data is needed and there is a worry about the security of this data, safeguards should be in place - encrypted drives (backed by hardware-based TPM), perhaps something like the security key I have been using for a couple of months now (Gatekeeper Halberder review) and so on.
You can't have security but not want to invest in security, at least a little bit.
Absolutely, BitLocker is perfect for this purpose if the computer has a TPM chip. Other solutions that allow tracking/remote wiping are also a good idea if you have a laptop that can do it.
That gatekeeper seems to be more of an authentication token than a FDE solution?
Beccara:
That gatekeeper seems to be more of an authentication token than a FDE solution?
Authentication token but you can enforce it to require a PIN plus the token, token + PIN plus Windows credentials or require the token only - so not even Windows login screen shows up. Paired with encryption you could easily render a laptop useless and data inaccessible - in this last case anyone stealing the laptop would have no way to access contents or login.
Good solution :)
freitasm:
Then, going to the problem. If local data is needed and there is a worry about the security of this data, safeguards should be in place - encrypted drives (backed by hardware-based TPM), perhaps something like the security key I have been using for a couple of months now (Gatekeeper Halberder review) and so on.
You can't have security but not want to invest in security, at least a little bit.
Looks interesting, I bought one.
The assumption should be that if you lose the device, that data will be compromised so that is the first thing.
BitLocker is good but the weak point is the Windows account. As mentioned in thread, set password to not expire and require a longer passphrase that can be remembered.
Have a look at locking down USB boot and securing the BIOS as well, as I think something like NT Offline would allow enabling of in-built admin accounts and passwords to be blanked, so someone could bypass all your Windows account protection and access that data.
You're not going to have that device fully protected without spending some $$$ on a more appropriate solution, and you have to assume that data is breached when you lose control of the device so plan accordingly.
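As an added example (not part of any post in this thread), a read-only PowerShell check of the points raised above: whether a TPM is present, whether BitLocker is protecting the system drive, and whether it unlocks with the TPM alone. The function name and the wording of the findings are made up for illustration; it reports BitLocker state only and does not detect third-party disk encryption.

```powershell
# Added example: read-only check, run from an elevated PowerShell session.
function Get-DeviceEncryptionPosture {
    # Each probe can fail on older hardware, so a failure is recorded as $null.
    $tpm = try { Get-Tpm -ErrorAction Stop } catch { $null }
    $vol = try { Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { $null }
    # Confirm-SecureBootUEFI throws on legacy BIOS systems.
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }

    # Names of the key protectors on the system drive, e.g. Tpm, TpmPin, RecoveryPassword.
    $protectors = @()
    if ($vol) {
        $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    }

    $findings = @()
    if (-not ($tpm -and $tpm.TpmPresent)) {
        $findings += 'No usable TPM: BitLocker would need a password or USB startup key.'
    }
    if (-not $vol -or "$($vol.ProtectionStatus)" -ne 'On') {
        $findings += 'BitLocker protection is not on for the system drive.'
    } else {
        if ($protectors -contains 'Tpm' -and $protectors -notcontains 'TpmPin') {
            $findings += 'TPM-only unlock: no pre-boot PIN, so protection rests on the Windows account.'
        }
        if ($protectors -notcontains 'RecoveryPassword') {
            $findings += 'No recovery password protector: nothing to back up for recovery.'
        }
    }
    if ($secureBoot -ne $true) {
        $findings += 'Secure Boot is off or unavailable: review firmware password and USB boot settings.'
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        TpmPresent    = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady      = [bool]($tpm -and $tpm.TpmReady)
        BitLocker     = if ($vol) { "$($vol.ProtectionStatus)" } else { 'Unavailable' }
        KeyProtectors = $protectors -join ', '
        SecureBoot    = $secureBoot
        Findings      = $findings -join ' | '
    }
}

Get-DeviceEncryptionPosture | Format-List
```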
Thanks everyone for information and suggestions about protecting Windows 10 Desktops and Laptops. Unfortunately not all the devices had TPM, and rather than use BitLocker on some and other ways on other devices, in the end I decided on VeraCrypt. It is pretty easy to install, doesn't require TPM and just works. The drawback of course is that you need a good password for the VeraCrypt. I came up with a system to create the encryption password that works with all the people using the device that works and I think will be secure enough for the users.
I get a Macrium backup each weekend and can live with the possibility that some data might get lost over the five working days if anything happened like losing the laptops or if the desktops self destruct or something. I keep all the VeraCrypt encryption key backup on USB keys but without the password the keys are useless.
For my needs this will work and keep the data reasonably safe, and the good part is that it costs me nothing but time.
I am pretty happy with this.
Nokia 7 Plus
Nexus 6P 32Gb
Nexus 6 Phone
Nexus 5 Phone
Nexus 7 2013 Tablet
Samsung TAB A 8"
Samsung TAB A 10"
& many Windows laptops, Desktops etc