Geekzone: technology news, blogs, forums
1048 posts | Uber Geek | #270338 5-May-2020 10:04

I am trying to lock down a PC that is used away from home. I thought of using BitLocker, but it seems to rely on the Windows password, which, considering some of the passwords people use, seems a little unsafe. I realise that I can tighten password rules a little (it is not Active Directory controlled), so should I consider an alternative, e.g. VeraCrypt, or stick with BitLocker and the Windows password?





Nokia 7 Plus
Nexus 6P 32Gb
Nexus 6 Phone
Nexus 5 Phone
Nexus 7 2013 Tablet
Samsung TAB A 8"
Samsung TAB A 10"

 

& many Windows laptops, Desktops etc

 

 

 


5330 posts | Uber Geek | Trusted | Microsoft | #2476750 5-May-2020 10:05

What threats are you most concerned about?

BDFL - Memuneh | 67461 posts | Uber Geek | Administrator | Trusted | Geekzone | Lifetime subscriber | #2476821 5-May-2020 11:04

As above. Also note that BitLocker can use the PC's TPM to generate the keys - this is completely independent of the user password.

If the PC doesn't have a TPM chip you can configure BitLocker to store the encryption key on a USB stick and use it to automatically unlock the drive. Obviously, if someone steals the PC or drive plus the USB stick then the drive can be decrypted.

The safest way to secure the drive is obviously the TPM, and if you use a third party as mentioned then you will find the same problems as with BitLocker.





 

 

These links are referral codes

 

Geekzone broadband switch | Eletricity comparison and switch | Hatch investment (NZ$ 10 bonus if NZ$100 deposited within 30 days) | Sharesies | Mighty Ape | Backblaze | Amazon | My technology disclosure 


 
 
 
 




1048 posts | Uber Geek | #2476822 5-May-2020 11:07

Possible loss of the laptop and someone being able to access the data. The data is a large database of an organization which would be most upset if the data got into the wrong hands.




BDFL - Memuneh | 67461 posts | Uber Geek | Administrator | Trusted | Geekzone | Lifetime subscriber | #2476823 5-May-2020 11:10

ronw: Possible loss of the laptop and someone being able to access the data. The data is a large database of an organization which would be most upset if the data got into the wrong hands.

 

 

In this case you have to make sure the laptop where this data resides is protected with a TPM chip. The domain (or Administrator) account must ensure a strong password is enforced.





 

 

222 posts | Master Geek | Lifetime subscriber | #2476830 5-May-2020 11:24

Is the device AD joined, or Azure AD joined? If so, the BitLocker recovery key can be backed up to the corresponding directory.




1048 posts | Uber Geek | #2476833 5-May-2020 11:31

No. It is not in Active Directory; it is a privately owned stand-alone laptop. I have used BitLocker before, and once the Windows password is entered all data is accessible. Whereas if I opt for VeraCrypt I can use long passwords and it doesn't care about TPM.





BDFL - Memuneh | 67461 posts | Uber Geek | Administrator | Trusted | Geekzone | Lifetime subscriber | #2476834 5-May-2020 11:36

There are a couple of things that could happen. Someone steals/finds a lost laptop.

1. The Windows password is not known, so the person moves the storage device to an external drive. Because it's encrypted with BitLocker and the encryption key is stored in the laptop TPM, there's no way for the data to be read from there.

2. The Windows password is weak/known, so the person uses that to log in and access the data that's encrypted with BitLocker and automatically unlocked, because the key is available on said laptop upon login.

Obviously your worry is #2. In this case I'd say your problem is not the encryption but the password management.

Yes, you could use a third party tool and do full disk encryption - also requiring a second, stronger password to be known by the laptop user. Which, again, might defeat the purpose. If it's too hard to memorise, the person will store the password somewhere - possibly written down on a piece of paper, which is not secure enough.

So back to #1. BitLocker plus a good, strong password in place.





 

 

1048 posts | Uber Geek | #2476843 5-May-2020 11:48

Thanks guys. Will talk to the user about passwords etc.

 

 





222 posts | Master Geek | Lifetime subscriber | #2476850 5-May-2020 12:00

To be honest, if the data is that important, it shouldn't be allowed on a personal device. Purchase hardware that you can enforce security standards on, remote wipe etc.

 

Edit: grammar




1048 posts | Uber Geek | #2476877 5-May-2020 12:29

Unfortunately we don't live in that sort of world. We have to use computers we can afford, and as the users are just ordinary Kiwis, the laptops have to be reasonably usable.

Just of interest for those into security, have a look at this site that sells some interesting gear:

https://blog.elcomsoft.com/2016/07/breaking-bitlocker-encryption-brute-forcing-the-backdoor-part-ii/

Not suggesting the average laptop thief would be capable of doing this, but worth knowing about.

 

 

 

 

 

 

 

 





1096 posts | Uber Geek | #2476895 5-May-2020 12:56

This might be at the far end of the scale, but worth a mention and consideration.

I recently rolled out device management for 200 HP laptops with the requirement to have geofencing enabled on the units to prevent theft from site.

https://www.absolute.com/security/

I used the above product, as they have the most comprehensive set of features.

Super easy to set up, and if a device is stolen/lost you can implement a range of things to either recover or wipe the data.

It even uses really cool tech for location services without the need for a GPS unit, by means of triangulating the device location from known WiFi (thanks to Google).

 

 


222 posts | Master Geek | Lifetime subscriber | #2476898 5-May-2020 13:06

ronw: Unfortunately we don't live in that sort of world. We have to use computers we can afford, and as the users are just ordinary Kiwis, the laptops have to be reasonably usable.

I'm not sure what you are saying there.

Devices can be secure and usable.

You need to consider the value of the data against the cost of controlling it.

If you are putting data that needs protection on a device that you don't control, then you should take some personal responsibility for that data. Don't be the person having to defend your decision that contributed to the data being lost. Especially if someone above or below you has the ability to throw you under a bus if the data goes into the wild.

The answer can be 'We are not going to allow this'.

 

 


1284 posts | Uber Geek | #2476901 5-May-2020 13:12

If it's important then:

Enforce password policy

Set account to lock on 3 password failures

Set BitLocker to require the recovery key after 6 password failures

In future/if possible use a laptop with built-in 4G, tablet SIM card and https://homeoffice.absolute.com/product-comparison/

Speaking from experience, if you give users hardware tokens to use instead of passwords then the token WILL live in the PC. A hardware token is not enough to ensure security in a mobile space.





Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated 
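As an added example (not from any poster in this thread), a read-only PowerShell audit of the controls listed in the post above and the TPM points raised earlier: TPM state, which BitLocker protector unlocks the OS volume, the account lockout threshold, and the machine account lockout threshold that forces BitLocker recovery. It assumes the OS drive is C: and that the BitLocker and TrustedPlatformModule modules are present (Windows 10 Pro/Enterprise), and is run from an elevated prompt.

```powershell
# Added audit script, not from the thread. Read-only: it reports, it changes nothing.
# Assumptions: OS drive is C:; BitLocker and TrustedPlatformModule modules are available.
$findings = @()

# 1. TPM present and ready: the hardware the earlier posts rely on to hold the key.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $findings += "TPM missing or not ready: BitLocker would depend on a USB startup key or password instead."
}

# 2. BitLocker on C:: fully encrypted, protection on, and which protector unlocks it.
$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
    $findings += "C: is not fully encrypted with protection on ($($vol.VolumeStatus)/$($vol.ProtectionStatus))."
}
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
if ($types -notcontains 'RecoveryPassword') {
    $findings += "No recovery password protector: store one somewhere other than the laptop."
}
if ($types -contains 'Tpm' -and $types -notcontains 'TpmPin') {
    # TPM-only: the volume unlocks at boot, so the Windows sign-in is the only barrier (scenario #2 above).
    $findings += "TPM-only protector: the Windows password alone guards the unlocked data after boot."
}

# 3. Account lockout threshold (post asks for 3), parsed from 'net accounts' output.
$lockoutLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
$threshold = $lockoutLine -replace '[^\d]', ''     # 'Never' becomes an empty string
if (-not $threshold -or [int]$threshold -gt 3) {
    $findings += "Account lockout threshold is '$($lockoutLine.Trim())'; expected 3 or fewer failures."
}

# 4. Machine account lockout threshold ("Interactive logon: Machine account lockout threshold"):
#    after this many failed sign-ins the device reboots into BitLocker recovery (post asks for 6).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$maxFail = (Get-ItemProperty -Path $lsa -Name 'MaxDevicePasswordFailedAttempts' `
            -ErrorAction SilentlyContinue).MaxDevicePasswordFailedAttempts
if (-not $maxFail -or $maxFail -gt 6) {
    $findings += "MaxDevicePasswordFailedAttempts is '$maxFail'; expected 6 to force recovery-key entry."
}

if ($findings.Count -eq 0) { 'All checks passed.' } else { $findings }
```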

752 posts | Ultimate Geek | Lifetime subscriber | #2476912 5-May-2020 13:41

fearandloathing: To be honest, if the data is that important, it shouldn't be allowed on a personal device.

This.

Rather than using a device that is employer-provided and suitably locked down, you could hold the database centrally on a properly secured server, and allow user access through thin client type processes - Citrix, RAS, RDP, etc. - over a VPN, configured so that the user can't copy data to their local (remote / at home) network.

 

 


1284 posts | Uber Geek | #2477093 5-May-2020 15:58

Whilst that's ideal, there are valid use cases where you can't do that.




