A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Microsoft Windows 7 » Windows 7 Forum
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

How to secure a Windows lap top



 
 
Thread Tools Rate Thread Display Modes
  #1  
Old September 16th 15, 08:16 AM posted to alt.windows7.general
Eternal Hope
external usenet poster
 
Posts: 38
Default How to secure a Windows lap top

I'm trying to secure the public access laptops we have at the community
centre. I have all accounts password protected *including* the hidden
Administrator account.

I'm sure you don't need me to point you at a certain iso available on
the intertubes that effectively bypasses any attempt at securing Windows
by booting to a lightweight XP and allowing all passwords to be changed
or removed. (tested with 7, 8, 8.1, 10)

To date the only way I can see of securing these devices is to configure
the hardware to boot from the hard disk (as opposed the CD drive) and
then password protect the interface to the hardware configuration (BIOS,
UEFI whatever)

Is this really the only way to secure Windows given that we do not have
a credentials server?


--
Laughing Spam Fritter
Ads
  #2  
Old September 16th 15, 08:23 AM posted to alt.windows7.general
T
external usenet poster
 
Posts: 4,600
Default How to secure a Windows lap top

On 09/16/2015 12:16 AM, Eternal Hope wrote:
I'm trying to secure the public access laptops we have at the community
centre. I have all accounts password protected *including* the hidden
Administrator account.

I'm sure you don't need me to point you at a certain iso available on
the intertubes that effectively bypasses any attempt at securing Windows
by booting to a lightweight XP and allowing all passwords to be changed
or removed. (tested with 7, 8, 8.1, 10)

To date the only way I can see of securing these devices is to configure
the hardware to boot from the hard disk (as opposed the CD drive) and
then password protect the interface to the hardware configuration (BIOS,
UEFI whatever)


You can get around that by discharging the CMOS. You can also
remove the hard drive and read it on a Linux system, no problem.

Is this really the only way to secure Windows given that we do not have
a credentials server?


You can boot off a live CD and read everything off it.

You can "try" to encrypt the hard drive, but that is
a super pain in the ass with Windows.

Fedora Linux is very, very easy to encrypt the whole
hard drive at install time, if that is a option for you.
You can have Libre Office and Firefox installed on it.
A lot of other stuff won't work though.

Windows is just not secure.

Don't forget physical security.

  #3  
Old September 16th 15, 08:39 AM posted to alt.windows7.general
Paul
external usenet poster
 
Posts: 18,275
Default How to secure a Windows lap top

Eternal Hope wrote:
I'm trying to secure the public access laptops we have at the community
centre. I have all accounts password protected *including* the hidden
Administrator account.

I'm sure you don't need me to point you at a certain iso available on
the intertubes that effectively bypasses any attempt at securing Windows
by booting to a lightweight XP and allowing all passwords to be changed
or removed. (tested with 7, 8, 8.1, 10)

To date the only way I can see of securing these devices is to configure
the hardware to boot from the hard disk (as opposed the CD drive) and
then password protect the interface to the hardware configuration (BIOS,
UEFI whatever)

Is this really the only way to secure Windows given that we do not have
a credentials server?



https://en.wikipedia.org/wiki/Windows_steadystate

http://www.instantfundas.com/2010/09...eadystate.html

So there are schemes for protecting the machine, assuming
you don't use a BIOS feature to boot other media.

With regard to laptops, there are a couple ways to
protect the BIOS via password. With the intention of
changing the boot order.

A consumer laptop, the CMOS memory in the Southbridge holds
the password. A user gaining access to the circular coin cell
(CR2032) can clear the password, and then change the boot order
or whatever.

Whereas a business class laptop, the two passwords are stored in a
24C02 EEPROM. You can drain the batteries all you want, and the
password will remain present.

https://upload.wikimedia.org/wikiped...R_Enhancer.jpg

And because it's so effective, the owner must immediately assign
their own passwords, to prevent others from "locking them out".

There is a guy in Romania selling an EEPROM clip and communications
cable, who claims to be able to reset the EEPROM, so there may be
ways around it. Even in the case of the coin cell scheme, it isn't
always that easy to get to the coin cell and drain it.
In one case, the entire laptop must be taken apart, as there is no
convenient door on the bottom of the laptop giving access.

If you talk to a public librarian, they will have experience
with SteadyState or one of the commercial alternatives. Our
public library machines are protected that way, and once you
"exit" from your session, all state info is lost. The machine
effectively comes back in "like new" condition. To whatever
state the installer person wanted for it.

Paul
  #4  
Old September 16th 15, 09:33 AM posted to alt.windows7.general
Mike Barnes[_2_]
external usenet poster
 
Posts: 537
Default How to secure a Windows lap top

Eternal Hope wrote:
I'm trying to secure the public access laptops we have at the community
centre. I have all accounts password protected *including* the hidden
Administrator account.

I'm sure you don't need me to point you at a certain iso available on
the intertubes that effectively bypasses any attempt at securing Windows
by booting to a lightweight XP and allowing all passwords to be changed
or removed. (tested with 7, 8, 8.1, 10)

To date the only way I can see of securing these devices is to configure
the hardware to boot from the hard disk (as opposed the CD drive) and
then password protect the interface to the hardware configuration (BIOS,
UEFI whatever)

Is this really the only way to secure Windows given that we do not have
a credentials server?


I'm new to all this but I've just secured (I hope) my new, first, laptop
using BitLocker with TPM. Should I do anything more?

--
Mike Barnes
Cheshire, England
  #5  
Old September 16th 15, 10:40 AM posted to alt.windows7.general
Ammammata
external usenet poster
 
Posts: 209
Default How to secure a Windows lap top

Il giorno Wed 16 Sep 2015 09:23:53a, *T* inviava su alt.windows7.general il
messaggio . Vediamo cosa scrisse:

To date the only way I can see of securing these devices is to configure
the hardware to boot from the hard disk (as opposed the CD drive) and
then password protect the interface to the hardware configuration (BIOS,
UEFI whatever)


You can get around that by discharging the CMOS. You can also
remove the hard drive and read it on a Linux system, no problem.

Is this really the only way to secure Windows given that we do not have
a credentials server?


You can boot off a live CD and read everything off it.



he wrote "configure the hardware to boot from the hard disk (as opposed the
CD drive) and then password protect the interface to the hardware
configuration" so your "tip" is valid only discharging the CMOS

how can he prevent the opening of the case?

--
/-\ /\/\ /\/\ /-\ /\/\ /\/\ /-\ T /-\
-=- -=- -=- -=- -=- -=- -=- -=- - -=-
http://www.bb2002.it

............ [ al lavoro ] ...........
  #6  
Old September 16th 15, 11:07 AM posted to alt.windows7.general
Paul
external usenet poster
 
Posts: 18,275
Default How to secure a Windows lap top

Ammammata wrote:
Il giorno Wed 16 Sep 2015 09:23:53a, *T* inviava su alt.windows7.general il
messaggio . Vediamo cosa scrisse:

To date the only way I can see of securing these devices is to configure
the hardware to boot from the hard disk (as opposed the CD drive) and
then password protect the interface to the hardware configuration (BIOS,
UEFI whatever)

You can get around that by discharging the CMOS. You can also
remove the hard drive and read it on a Linux system, no problem.

Is this really the only way to secure Windows given that we do not have
a credentials server?

You can boot off a live CD and read everything off it.



he wrote "configure the hardware to boot from the hard disk (as opposed the
CD drive) and then password protect the interface to the hardware
configuration" so your "tip" is valid only discharging the CMOS

how can he prevent the opening of the case?


If you purchase the right kind of business laptop,
opening the case won't help you.

And the manufacturer of such laptops will tell you, if
you want the password reset, you have to send the
laptop back to the manufacturer. They do not
provide an at-home solution to resetting the password.

Other ways to secure the laptop against a boot attack
would include removing the optical drive (unplug it),
as well as pouring epoxy into the USB connectors. That
reduces the means of booting the thing.

Paul
  #7  
Old September 16th 15, 01:31 PM posted to alt.windows7.general
Eternal Hope
external usenet poster
 
Posts: 38
Default How to secure a Windows lap top

On 16/09/2015 08:16, Eternal Hope wrote:
I'm trying to secure the public access laptops we have at the community
centre. I have all accounts password protected *including* the hidden
Administrator account.

I'm sure you don't need me to point you at a certain iso available on
the intertubes that effectively bypasses any attempt at securing Windows
by booting to a lightweight XP and allowing all passwords to be changed
or removed. (tested with 7, 8, 8.1, 10)

To date the only way I can see of securing these devices is to configure
the hardware to boot from the hard disk (as opposed the CD drive) and
then password protect the interface to the hardware configuration (BIOS,
UEFI whatever)

Is this really the only way to secure Windows given that we do not have
a credentials server?


Thanks for all the replies. All our machines are donated so we have no
control over what we get.

I think the whole 'opening the case' thing would be more of an issue if
we allowed the laptops offsite. The problem is more along the lines of
what people get up to when the place is manned by volunteers who are not
particularly computer savvy. They would certainly notice if someone
started to take a lap top to bits, less likley to notice if some spotty
oick has rebooted from a CD. Some of them do it 'just because they can'
Banning them is a poor response, every time they try some new nonsense I
learn something else, so bring it on spotty youth :-)

I guess protecting the hardware configuration interface is my best bet

Thanks again

A volunteer

--
Laughing Spam Fritter
 




Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off






All times are GMT +1. The time now is 02:17 AM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.