Geekzone: technology news, blogs, forums
ronw

1222 posts

Uber Geek


#270338 5-May-2020 10:04
I am trying to lock down a PC that is used away from home. I thought of using BitLocker, but it seems to rely on the Windows password, which, considering some of the passwords people use, seems a little unsafe. I realise that I can tighten password rules a little (it is not Active Directory controlled), so should I consider an alternative, e.g. VeraCrypt, or stick with BitLocker and the Windows password?





Nokia 7 Plus
Nexus 6P 32Gb
Nexus 6 Phone
Nexus 5 Phone
Nexus 7 2013 Tablet
Samsung TAB A 8"
Samsung TAB A 10"

 

& many Windows laptops, Desktops etc

 

 

 


nathan
5695 posts

Uber Geek
Inactive user


  #2476750 5-May-2020 10:05
What threats are you most concerned about?



freitasm
BDFL - Memuneh
79320 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2476821 5-May-2020 11:04
As above. Also note that Bitlocker can use the PC's TPM to generate the keys - this is completely independent of the user password.

 

If the PC doesn't have a TPM chip you can configure Bitlocker to store the encryption key on a USB stick and use it to automatically unlock the drive. Obviously if someone steals the PC or drive plus the USB stick then the drive can be decrypted.

 

The safest way to secure the drive is obviously the TPM, and if you use a third-party tool as mentioned, you will find the same problems as Bitlocker.






ronw

1222 posts

Uber Geek


  #2476822 5-May-2020 11:07
Possible loss of laptop and someone being able to access data. Data is a large database of an organization which would be most upset if data got into wrong hands.





 

 

 




freitasm
BDFL - Memuneh
79320 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2476823 5-May-2020 11:10
ronw: Possible loss of laptop and someone being able to access data. Data is a large database of an organization which would be most upset if data got into wrong hands.

 

 

In this case you have to make sure the laptop where this data resides is protected with a TPM chip. The domain (or Administrator) account must ensure a strong password is enforced.






  #2476830 5-May-2020 11:24
Is the device AD joined, or Azure AD joined? If so the Bitlocker recovery key can be backed up to the corresponding directory.


ronw

1222 posts

Uber Geek


  #2476833 5-May-2020 11:31
No, it is not in Active Directory; it is a privately owned stand-alone laptop. I have used BitLocker before, and once the Windows password is entered all data is accessible. Whereas if I opt for VeraCrypt I can use long passwords and it doesn't care about TPM.






 

 

 


freitasm
BDFL - Memuneh
79320 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2476834 5-May-2020 11:36
There are a couple of things that could happen. Someone steals/finds a lost laptop.

 

1. The Windows password is not known so the person moves the storage device to an external drive. Because it's encrypted with Bitlocker and the encryption key is stored in the laptop TPM there's no way for the data to be read from there.

 

2. The Windows password is weak/known so the person uses that to login and access the data that's encrypted with Bitlocker and automatically unlocked because the key is available on said laptop upon login.

 

Obviously your worry is #2. In this case I'd say your problem is not the encryption but the password management. 

 

Yes, you could use a third party tool and do a full disk encryption - also requiring a second, stronger password to be known by the laptop user, which, again, might defeat the purpose. If it's too hard to memorise the person will store the password somewhere - possibly written down on a piece of paper, which is not secure enough.

 

So back to #1. Bitlocker plus a good, strong password in place.  






 
 
 

ronw

1222 posts

Uber Geek


  #2476843 5-May-2020 11:48
Thanks guys. Will talk to user about passwords etc.

 

 






 

 

 


  #2476850 5-May-2020 12:00
To be honest, if the data is that important, it shouldn't be allowed on a personal device. Purchase hardware that you can enforce security standards on, remote wipe etc.

 

Edit: grammar


ronw

1222 posts

Uber Geek


  #2476877 5-May-2020 12:29
Unfortunately we don't live in that sort of world. We have to use computers we can afford and as the users are just ordinary Kiwis, the laptops have to be reasonably usable.

 

Just of interest, for those into security, have a look at this site that sells some interesting gear:

 

https://blog.elcomsoft.com/2016/07/breaking-bitlocker-encryption-brute-forcing-the-backdoor-part-ii/

 

Not suggesting the average laptop thief would be capable of doing this, but worth knowing about.

 

 

 

 

 

 

 

 






 

 

 


jaymz
1133 posts

Uber Geek


  #2476895 5-May-2020 12:56
This might be at the far end of the scale, but worth a mention and consideration.

 

I recently rolled out device management for 200 HP laptops with the requirement to have geofencing enabled on the units to prevent theft from site.

 

https://www.absolute.com/security/

 

I used the above product, as they have the most comprehensive set of features. 

 

Super easy to set up, and if a device is stolen/lost you can implement a range of things to either recover or wipe the data.

 

 

 

It even uses really cool tech for location services without the need for a GPS unit, by means of triangulating the device location from known WiFi (thanks to Google).

 

 


  #2476898 5-May-2020 13:06
ronw: Unfortunately we don't live in that sort of world. We have to use computers we can afford and as the users are just ordinary Kiwis, the laptops have to be reasonably usable.

 

 

I'm not sure what you are saying there.

 

Devices can be secure and usable.

 

You need to consider the value of the data against the cost of controlling it.

 

If you are putting data that needs protection on a device that you don't control, then you should take some personal responsibility for that data. Don't be the person having to defend your decision that contributed to the data being lost. Especially if someone above or below you has the ability to throw you under a bus if the data goes into the wild.

 

The answer can be 'We are not going to allow this'.

 

 


Beccara
1469 posts

Uber Geek

ID Verified

  #2476901 5-May-2020 13:12
If it's important then:

 

 

 

Enforce password policy

Set account to lock on 3 password failures

Set BitLocker to require the recovery key after 6 password failures

In future / if possible, use a laptop with built-in 4G, tablet SIM card and https://homeoffice.absolute.com/product-comparison/

 

 

 

Speaking from experience, if you give users hardware tokens to use instead of passwords then the token WILL live in the PC. A hardware token is not enough to ensure security in a mobile space.





Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated
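An added example, not from the thread and not any vendor's script, that puts freitasm's two scenarios and Beccara's checklist into an elevated PowerShell session on a stand-alone (non-domain) Windows 10/11 Pro laptop: it checks for a TPM, reports the BitLocker protectors on the OS volume, and applies the 3-failure account lockout and 6-failure BitLocker recovery thresholds. The TPM+PIN protector step and the minimum password length of 12 are my additions, not something the posts state, and $Volume = "C:" is assumed.

```powershell
# Added example, not from the thread or any vendor script: check and harden a
# stand-alone (non-domain) BitLocker laptop along the lines the posts describe.
# Run from an elevated PowerShell session on Windows 10/11 Pro.
#Requires -RunAsAdministrator
$Volume = "C:"   # assumed OS volume

# 1. TPM present and ready? Without one the key ends up on a USB stick.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "No usable TPM: BitLocker would rely on a USB key or password alone."
}

# 2. Encryption state of the OS volume and the protectors that unlock it.
$bde = Get-BitLockerVolume -MountPoint $Volume
"Volume $Volume : $($bde.VolumeStatus), protection $($bde.ProtectionStatus)"
$bde.KeyProtector | ForEach-Object { "  protector: $($_.KeyProtectorType)" }

# 3. Not suggested in the thread: a TPM+PIN protector adds a pre-boot secret that
#    is separate from the Windows logon password (scenario #2 above). BitLocker
#    policy must allow TPM+PIN before Enable-BitLocker will accept the protector.
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN -Value 2 -Type DWord   # 2 = allowed
if ($bde.VolumeStatus -eq 'FullyDecrypted' -and $tpm.TpmReady) {
    $pin = Read-Host -AsSecureString "Pre-boot PIN"   # typed by the user, never stored
    Enable-BitLocker -MountPoint $Volume -TpmAndPinProtector -Pin $pin -UsedSpaceOnly
    # Recovery password: shown once so it can be escrowed somewhere off the laptop.
    Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { "Recovery password: $($_.RecoveryPassword)" }
}

# 4. Local account lockout after 3 bad passwords (no AD, so local policy only).
#    Minimum length 12 is a chosen value, not one from the thread.
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30 /minpwlen:12

# 5. "Interactive logon: Machine account lockout threshold": after 6 failed
#    sign-ins a BitLocker-protected device restarts into BitLocker recovery.
$sys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
Set-ItemProperty -Path $sys -Name MaxDevicePasswordFailedAttempts -Value 6 -Type DWord
```

The recovery password printed in step 3 is the only way back in after the step 5 lockout triggers, so it belongs somewhere other than the laptop itself (the thread's AD/Azure AD escrow is not available on a stand-alone machine).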

  #2476912 5-May-2020 13:41
fearandloathing: To be honest, if the data is that important, it shouldn't be allowed on a personal device.

 

 

This.

 

Rather than using a device that is employer-provided and suitably locked down, you could hold the database centrally on a properly secured server, and allow user access through thin client type processes - Citrix, RAS, RDP, etc. - over a VPN and configured so that the user can't copy data to their local (remote / at home) network.

 

 


Beccara
1469 posts

Uber Geek

ID Verified

  #2477093 5-May-2020 15:58
Whilst that's ideal, there are valid use cases where you can't do that.





