If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Rate Thread | Display Modes |
#1
|
|||
|
|||
How to secure a Windows lap top
I'm trying to secure the public access laptops we have at the community
centre. I have all accounts password protected *including* the hidden Administrator account. I'm sure you don't need me to point you at a certain iso available on the intertubes that effectively bypasses any attempt at securing Windows by booting to a lightweight XP and allowing all passwords to be changed or removed. (tested with 7, 8, 8.1, 10) To date the only way I can see of securing these devices is to configure the hardware to boot from the hard disk (as opposed the CD drive) and then password protect the interface to the hardware configuration (BIOS, UEFI whatever) Is this really the only way to secure Windows given that we do not have a credentials server? -- Laughing Spam Fritter |
Ads |
#2
|
|||
|
|||
How to secure a Windows lap top
On 09/16/2015 12:16 AM, Eternal Hope wrote:
I'm trying to secure the public access laptops we have at the community centre. I have all accounts password protected *including* the hidden Administrator account. I'm sure you don't need me to point you at a certain iso available on the intertubes that effectively bypasses any attempt at securing Windows by booting to a lightweight XP and allowing all passwords to be changed or removed. (tested with 7, 8, 8.1, 10) To date the only way I can see of securing these devices is to configure the hardware to boot from the hard disk (as opposed the CD drive) and then password protect the interface to the hardware configuration (BIOS, UEFI whatever) You can get around that by discharging the CMOS. You can also remove the hard drive and read it on a Linux system, no problem. Is this really the only way to secure Windows given that we do not have a credentials server? You can boot off a live CD and read everything off it. You can "try" to encrypt the hard drive, but that is a super pain in the ass with Windows. Fedora Linux is very, very easy to encrypt the whole hard drive at install time, if that is a option for you. You can have Libre Office and Firefox installed on it. A lot of other stuff won't work though. Windows is just not secure. Don't forget physical security. |
#3
|
|||
|
|||
How to secure a Windows lap top
Eternal Hope wrote:
I'm trying to secure the public access laptops we have at the community centre. I have all accounts password protected *including* the hidden Administrator account. I'm sure you don't need me to point you at a certain iso available on the intertubes that effectively bypasses any attempt at securing Windows by booting to a lightweight XP and allowing all passwords to be changed or removed. (tested with 7, 8, 8.1, 10) To date the only way I can see of securing these devices is to configure the hardware to boot from the hard disk (as opposed the CD drive) and then password protect the interface to the hardware configuration (BIOS, UEFI whatever) Is this really the only way to secure Windows given that we do not have a credentials server? https://en.wikipedia.org/wiki/Windows_steadystate http://www.instantfundas.com/2010/09...eadystate.html So there are schemes for protecting the machine, assuming you don't use a BIOS feature to boot other media. With regard to laptops, there are a couple ways to protect the BIOS via password. With the intention of changing the boot order. A consumer laptop, the CMOS memory in the Southbridge holds the password. A user gaining access to the circular coin cell (CR2032) can clear the password, and then change the boot order or whatever. Whereas a business class laptop, the two passwords are stored in a 24C02 EEPROM. You can drain the batteries all you want, and the password will remain present. https://upload.wikimedia.org/wikiped...R_Enhancer.jpg And because it's so effective, the owner must immediately assign their own passwords, to prevent others from "locking them out". There is a guy in Romania selling an EEPROM clip and communications cable, who claims to be able to reset the EEPROM, so there may be ways around it. Even in the case of the coin cell scheme, it isn't always that easy to get to the coin cell and drain it. In one case, the entire laptop must be taken apart, as there is no convenient door on the bottom of the laptop giving access. If you talk to a public librarian, they will have experience with SteadyState or one of the commercial alternatives. Our public library machines are protected that way, and once you "exit" from your session, all state info is lost. The machine effectively comes back in "like new" condition. To whatever state the installer person wanted for it. Paul |
#4
|
|||
|
|||
How to secure a Windows lap top
Eternal Hope wrote:
I'm trying to secure the public access laptops we have at the community centre. I have all accounts password protected *including* the hidden Administrator account. I'm sure you don't need me to point you at a certain iso available on the intertubes that effectively bypasses any attempt at securing Windows by booting to a lightweight XP and allowing all passwords to be changed or removed. (tested with 7, 8, 8.1, 10) To date the only way I can see of securing these devices is to configure the hardware to boot from the hard disk (as opposed the CD drive) and then password protect the interface to the hardware configuration (BIOS, UEFI whatever) Is this really the only way to secure Windows given that we do not have a credentials server? I'm new to all this but I've just secured (I hope) my new, first, laptop using BitLocker with TPM. Should I do anything more? -- Mike Barnes Cheshire, England |
#5
|
|||
|
|||
How to secure a Windows lap top
Il giorno Wed 16 Sep 2015 09:23:53a, *T* inviava su alt.windows7.general il
messaggio . Vediamo cosa scrisse: To date the only way I can see of securing these devices is to configure the hardware to boot from the hard disk (as opposed the CD drive) and then password protect the interface to the hardware configuration (BIOS, UEFI whatever) You can get around that by discharging the CMOS. You can also remove the hard drive and read it on a Linux system, no problem. Is this really the only way to secure Windows given that we do not have a credentials server? You can boot off a live CD and read everything off it. he wrote "configure the hardware to boot from the hard disk (as opposed the CD drive) and then password protect the interface to the hardware configuration" so your "tip" is valid only discharging the CMOS how can he prevent the opening of the case? -- /-\ /\/\ /\/\ /-\ /\/\ /\/\ /-\ T /-\ -=- -=- -=- -=- -=- -=- -=- -=- - -=- http://www.bb2002.it ............ [ al lavoro ] ........... |
#6
|
|||
|
|||
How to secure a Windows lap top
Ammammata wrote:
Il giorno Wed 16 Sep 2015 09:23:53a, *T* inviava su alt.windows7.general il messaggio . Vediamo cosa scrisse: To date the only way I can see of securing these devices is to configure the hardware to boot from the hard disk (as opposed the CD drive) and then password protect the interface to the hardware configuration (BIOS, UEFI whatever) You can get around that by discharging the CMOS. You can also remove the hard drive and read it on a Linux system, no problem. Is this really the only way to secure Windows given that we do not have a credentials server? You can boot off a live CD and read everything off it. he wrote "configure the hardware to boot from the hard disk (as opposed the CD drive) and then password protect the interface to the hardware configuration" so your "tip" is valid only discharging the CMOS how can he prevent the opening of the case? If you purchase the right kind of business laptop, opening the case won't help you. And the manufacturer of such laptops will tell you, if you want the password reset, you have to send the laptop back to the manufacturer. They do not provide an at-home solution to resetting the password. Other ways to secure the laptop against a boot attack would include removing the optical drive (unplug it), as well as pouring epoxy into the USB connectors. That reduces the means of booting the thing. Paul |
#7
|
|||
|
|||
How to secure a Windows lap top
On 16/09/2015 08:16, Eternal Hope wrote:
I'm trying to secure the public access laptops we have at the community centre. I have all accounts password protected *including* the hidden Administrator account. I'm sure you don't need me to point you at a certain iso available on the intertubes that effectively bypasses any attempt at securing Windows by booting to a lightweight XP and allowing all passwords to be changed or removed. (tested with 7, 8, 8.1, 10) To date the only way I can see of securing these devices is to configure the hardware to boot from the hard disk (as opposed the CD drive) and then password protect the interface to the hardware configuration (BIOS, UEFI whatever) Is this really the only way to secure Windows given that we do not have a credentials server? Thanks for all the replies. All our machines are donated so we have no control over what we get. I think the whole 'opening the case' thing would be more of an issue if we allowed the laptops offsite. The problem is more along the lines of what people get up to when the place is manned by volunteers who are not particularly computer savvy. They would certainly notice if someone started to take a lap top to bits, less likley to notice if some spotty oick has rebooted from a CD. Some of them do it 'just because they can' Banning them is a poor response, every time they try some new nonsense I learn something else, so bring it on spotty youth :-) I guess protecting the hardware configuration interface is my best bet Thanks again A volunteer -- Laughing Spam Fritter |
Thread Tools | |
Display Modes | Rate This Thread |
|
|