Geekzone: technology news, blogs, forums


ronw
#270338 5-May-2020 10:04

I am trying to lock down a PC that is used away from home. I thought of using BitLocker but it seems to rely on the Windows password, which, considering some of the passwords people use, seems a little unsafe. I realise that I can tighten password rules a little (it is not Active Directory controlled), so should I consider an alternative, e.g. VeraCrypt, or stick with BitLocker and the Windows password?





Nokia 7 Plus
Nexus 6P 32Gb
Nexus 6 Phone
Nexus 5 Phone
Nexus 7 2013 Tablet
Samsung TAB A 8"
Samsung TAB A 10"
& many Windows laptops, Desktops etc

nathan
#2476750 5-May-2020 10:05

What threats are you most concerned about?

freitasm
#2476821 5-May-2020 11:04

As above. Also note that BitLocker can use the PC's TPM to generate the keys - this is completely independent of the user password.

If the PC doesn't have a TPM chip you can configure BitLocker to store the encryption key on a USB stick and use it to automatically unlock the drive. Obviously if someone steals the PC or drive plus the USB stick then the drive can be decrypted.

The safest way to secure the drive is obviously the TPM, and if you use a third party tool as mentioned then you will find the same problems as BitLocker.





Please support Geekzone by subscribing, or using one of our referral links: Dosh referral: 00001283 | Sharesies | Goodsync | Mighty Ape | Backblaze
freitasm on Keybase | My technology disclosure


ronw

#2476822 5-May-2020 11:07

Possible loss of laptop and someone being able to access data. Data is a large database of an organization which would be most upset if data got into wrong hands.








freitasm
#2476823 5-May-2020 11:10

ronw: Possible loss of laptop and someone being able to access data. Data is a large database of an organization which would be most upset if data got into wrong hands.

In this case you have to make sure the laptop where this data resides is protected with a TPM chip. The domain (or Administrator) account must ensure a strong password is enforced.







#2476830 5-May-2020 11:24

Is the device AD joined, or Azure AD joined? If so the Bitlocker recovery key can be backed up to the corresponding directory.


ronw

#2476833 5-May-2020 11:31

No. It is not in Active Directory; it is a privately owned stand-alone laptop. I have used BitLocker before and once the Windows password is entered all data is accessible. Whereas if I opt for VeraCrypt I can use long passwords and it doesn't care about TPM.







freitasm
#2476834 5-May-2020 11:36

There are a couple of things that could happen. Someone steals/finds a lost laptop.

1. The Windows password is not known so the person moves the storage device to an external drive. Because it's encrypted with BitLocker and the encryption key is stored in the laptop TPM there's no way for the data to be read from there.

2. The Windows password is weak/known so the person uses that to login and access the data that's encrypted with BitLocker and automatically unlocked because the key is available on said laptop upon login.

Obviously your worry is #2. In this case I'd say your problem is not the encryption but the password management.

Yes, you could use a third party tool and do a full disk encryption - also requiring a second, stronger password to be known by the laptop user. Which, again, might defeat the purpose. If it's too hard to memorise the person will store the password somewhere - possibly written down on a piece of paper, which is not secure enough.

So back to #1. BitLocker plus a good, strong password in place.









ronw

#2476843 5-May-2020 11:48

Thanks guys. Will talk to the user about passwords etc.

 

 







#2476850 5-May-2020 12:00

To be honest, if the data is that important, it shouldn't be allowed on a personal device. Purchase hardware that you can enforce security standards on, remote wipe etc.

 

Edit: grammar


ronw

#2476877 5-May-2020 12:29

Unfortunately we don't live in that sort of world. We have to use computers we can afford and as the users are just ordinary Kiwis, the laptops have to be reasonably usable.

Just of interest for those into security, have a look at this site that sells some interesting gear:

https://blog.elcomsoft.com/2016/07/breaking-bitlocker-encryption-brute-forcing-the-backdoor-part-ii/

Not suggesting the average laptop thief would be capable of doing this but worth knowing about.



jaymz
#2476895 5-May-2020 12:56

This might be at the far end of the scale, but worth a mention and consideration.

I recently rolled out device management for 200 HP laptops with the requirement to have geofencing enabled on the units to prevent theft from site.

https://www.absolute.com/security/

I used the above product, as they have the most comprehensive set of features.

Super easy to set up, and if a device is stolen/lost you can implement a range of things to either recover or wipe the data.

It even uses really cool tech for location services without the need for a GPS unit, by means of triangulating the device location from known WiFi (thanks to Google).

 

 


#2476898 5-May-2020 13:06

ronw: Unfortunately we don't live in that sort of world. We have to use computers we can afford and as the users are just ordinary Kiwis, the laptops have to be reasonably usable.

I'm not sure what you are saying there.

Devices can be secure and usable.

You need to consider the value of the data against the cost of controlling it.

If you are putting data that needs protection on a device that you don't control, then you should take some personal responsibility for that data. Don't be the person having to defend your decision that contributed to the data being lost. Especially if someone above or below you has the ability to throw you under a bus if the data goes into the wild.

The answer can be 'We are not going to allow this'.

 

 


Beccara
#2476901 5-May-2020 13:12

If it's important then:

Enforce password policy
Set account to lock on 3 password failures
Set BitLocker to require the recovery key after 6 password failures
In future/if possible use a laptop with built-in 4G, tablet SIM card and https://homeoffice.absolute.com/product-comparison/

Speaking from experience, if you give users hardware tokens to use instead of passwords then the token WILL live in the PC. A hardware token is not enough to ensure security in a mobile space.





Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated
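The two scenarios freitasm laid out (TPM-held key vs. a weak Windows logon) and Beccara's checklist above come down to a handful of settings on the laptop that can be checked in one pass. The script below is an added example written for this thread, not code from any poster or from Microsoft; it is a read-only audit for a stand-alone (non-domain) Windows laptop, run from an elevated PowerShell prompt. It assumes English `net accounts` output for the regex parsing, and it assumes the "Interactive logon: Machine account lockout threshold" policy is stored as the `MaxDevicePasswordFailedAttempts` value under the `Policies\System` registry key (confirm that in Local Security Policy before relying on it). The thresholds (3 lockout failures, 6 failures before BitLocker recovery, 12-character minimum) are parameters, defaulted to the numbers from the thread.

```powershell
#Requires -RunAsAdministrator
# Test-LaptopLockdown: read-only audit of a stand-alone Windows laptop against the thread's
# checklist: TPM present, BitLocker on with a TPM-based protector and a recovery password,
# local account lockout and minimum password length, and the machine lockout threshold that
# forces BitLocker recovery after repeated bad logons. Constructed example, not from the thread.

function Test-LaptopLockdown {
    [CmdletBinding()]
    param(
        [string]$MountPoint   = $env:SystemDrive,  # OS volume to inspect, e.g. "C:"
        [int]$MaxLockout      = 3,                 # local account lockout after this many failures
        [int]$MaxBitLockerTry = 6,                 # bad logons before BitLocker demands recovery key
        [int]$MinPasswordLen  = 12                 # minimum password length to insist on
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. TPM: the protector described in scenario #1 only exists if the chip is present and ready.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings.Add('TPM not present or not ready; BitLocker would fall back to a USB key or password.')
    }

    # 2. BitLocker on the OS volume: protection on, TPM-based protector, recovery password present.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection is not On for $MountPoint (status: $($vol.ProtectionStatus)).")
    }
    if (-not ($types -contains 'Tpm' -or $types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
        $findings.Add("No TPM-based key protector on $MountPoint.")
    }
    if ($types -notcontains 'TpmPin') {
        # Scenario #2: with a TPM-only protector the volume is unlocked before logon, so the
        # Windows password is the only gate. TPM+PIN adds a pre-boot secret the password does not replace.
        $findings.Add('TPM-only protector: consider TPM+PIN so the Windows logon alone does not unlock the disk.')
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings.Add('No recovery password protector; a lockout would then mean a lost volume.')
    }

    # 3. Local account policy as reported by `net accounts` (English output assumed for the regex).
    $text    = (net accounts) -join "`n"
    $lockout = [regex]::Match($text, 'Lockout threshold:\s+(\S+)').Groups[1].Value
    $minLen  = [regex]::Match($text, 'Minimum password length:\s+(\d+)').Groups[1].Value
    # -or short-circuits, so [int]'Never' is never evaluated.
    if ($lockout -eq 'Never' -or ([int]$lockout) -gt $MaxLockout) {
        $findings.Add("Account lockout threshold is '$lockout'; wanted $MaxLockout or fewer failures.")
    }
    if ([int]$minLen -lt $MinPasswordLen) {
        $findings.Add("Minimum password length is $minLen; wanted at least $MinPasswordLen.")
    }

    # 4. Machine account lockout threshold ("recovery key after N password failures").
    #    Assumed registry location; confirm under Local Security Policy > Security Options.
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol    = Get-ItemProperty -Path $polKey -Name MaxDevicePasswordFailedAttempts -ErrorAction SilentlyContinue
    if (-not $pol -or $pol.MaxDevicePasswordFailedAttempts -le 0 -or $pol.MaxDevicePasswordFailedAttempts -gt $MaxBitLockerTry) {
        $findings.Add("Machine account lockout threshold is not $MaxBitLockerTry or fewer; repeated bad logons will not force BitLocker recovery.")
    }

    return $findings
}

# Usage: list the gaps, then apply only the remediations you have decided on.
$gaps = Test-LaptopLockdown
if ($gaps.Count -eq 0) { 'No gaps found against the checklist.' } else { $gaps | ForEach-Object { "- $_" } }

# Remediation commands (each one changes the machine; run them deliberately, one at a time):
#   net accounts /lockoutthreshold:3 /minpwlen:12
#   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
#   Print the recovery password so it can be stored somewhere other than the laptop:
#   (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
#       Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object KeyProtectorId, RecoveryPassword
#   TPM+PIN (needs the "Require additional authentication at startup" policy to allow a PIN,
#   and the existing TPM-only protector removed first with Remove-BitLockerKeyProtector):
#   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin (Read-Host 'PIN' -AsSecureString)
```

The point of splitting the audit this way is that it mirrors the thread's reasoning: the TPM and protector checks tell you whether you are in scenario #1 or #2, and the lockout and machine-threshold checks tell you how much a weak or guessed Windows password is worth to someone holding the laptop. Keeping the recovery password off the device is what makes the lockout safe to turn on.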

#2476912 5-May-2020 13:41

fearandloathing: To be honest, if the data is that important, it shouldn't be allowed on a personal device.

This.

Rather than using a device that is employer-provided and suitably locked down, you could hold the database centrally on a properly secured server, and allow user access through thin client type processes - Citrix, RAS, RDP, etc. - over a VPN and configured so that the user can't copy data to their local (remote / at home) network.

 

 


Beccara
#2477093 5-May-2020 15:58

Whilst that's ideal, there are valid use cases where you can't do that.





