[SOLVED] Securing Windows 10 from evil naughty meanie heads

Atterus

Honorable
Jul 15, 2015
Hello all!

So I have a question I am sure entire companies and research departments revolve around: "how do I make my Windows 10 PC lowkey hack proof".

So a bit of a background... I have a machine that has an i7-8700T on a specialized Mobo that runs Windows 10. I have password locked the BIOS already since that is easy enough to do, but I'd like to make sure there isn't some "common" backdoor means of getting any of the data off the machine's internal SSDs. The problem is that I can't simply encrypt everything since some of these drives need to come out from time to time in order to process or be backed up elsewhere (we're just using security tape to monitor if anyone got to those anyways).

I know there isn't much that can be done against someone REALLY determined, but I'd like to plug any simple holes that could let someone get around the simple admin account password at the splash screen and POST (I have POST locked too). I was just asked to look into this since apparently there were some tools for older OSes that allowed someone to basically bypass the standard security (XP, I think) and were intended for if someone forgot the password. In this scenario, we would rather wipe the machine and start over before using a backdoor to recover what is on it. This machine is basically a "clone" of an air-gapped "master" machine, so losing the data on it is annoying but not a catastrophe.

So... in this scenario... you have a machine that already has the BIOS and POST locked with a password. Problem is the POST password will be known by a number of people, and a number of people will have access to a "user" account with limited privileges. Occasionally we need to update a number of programs on the machine. What we are looking to prevent is someone using some Linux tool or built-in Windows recovery tool to break into the admin account and mess with settings or otherwise compromise the system. I typically just air gap everything, but this is a scenario where the machine will be more "public" so that route won't work, and I'm woefully inexperienced with regards to dealing with whatever tricks are out there to bypass "normal" measures. It will only have an ethernet connection too, if that matters.

Any help is appreciated as always. You all have saved me a ton of time, money, and pain already. Thank you for your time and putting up with my inexperience and tall demands haha.
 

Math Geek

Champion
Ambassador
you can disable the usb ports to keep thumb drives out and other usb devices.

windows pro does allow for many things to be disabled. perhaps expanding your knowledge of the group policy editor and what it can do is worth your time. i've used many college or other public lab pc's that are so locked down, they are almost useless.

you can remove any external device from the boot priority as well to keep anyone from booting to a thumb drive or disk to use any of the fun linux tools out there. this will be protected by the locked BIOS. these basic couple things can keep most people honest. add in some group policy and you should be able to keep most attacks away.
 

Atterus

Honorable
Jul 15, 2015
You need to analyze your attack surface.

Who might be trying to do nefarious things on these systems?
Thanks for the quick reply.

It would be someone at the machine physically with what I can guess is "intermediate" knowledge and likely a second machine of their own. Probably would not do anything that would leave an obvious trace (ie, blank passwords or damaged hardware). It would not be remote over a network, it would have to be a line into the target machine or on the machine itself. Fortunately not someone removing hardware though since it's a sort of "cat and mouse" game we're playing here and those security strips should work there. I hope that answers the question. Like I said, I'm not particularly skilled beyond "don't leave important data on the machine".

Also, wanted to mention your signature inspired me to backup recently haha.
 

USAFRet

Titan
Moderator
Mar 16, 2013
"Problem is the POST password will be known by a number of people, and a number of people will have access to a "user" account with limited privileges. "

Here, if something happens, you won't know what warm body did it.
 

Atterus

Honorable
Jul 15, 2015
What is on this system that needs to be protected?
Custom code, mostly. Programs that we don't want falling out of approved hands. Preventing stuff like keyloggers getting installed.

Fortunately the situation is one where we don't need to know exactly who, just that a warm body did do something.

Will be back later, dinner! Thanks again!
 

USAFRet

Titan
Moderator
Mar 16, 2013
Custom code, mostly. Programs that we don't want falling out of approved hands. Preventing stuff like keyloggers getting installed.

Fortunately the situation is one where we don't need to know exactly who, just that a warm body did do something.

Will be back later, dinner! Thanks again!
A keylogger does not mean software only.
Hardware device between the system and the keyboard.
 


Atterus

Honorable
Jul 15, 2015
you can disable the usb ports to keep thumb drives out and other usb devices.

windows pro does allow for many things to be disabled. perhaps expanding your knowledge of the group policy editor and what it can do is worth your time. i've used many college or other public lab pc's that are so locked down, they are almost useless.

you can remove any external device from the boot priority as well to keep anyone from booting to a thumb drive or disk to use any of the fun linux tools out there. this will be protected by the locked BIOS. these basic couple things can keep most people honest. add in some group policy and you should be able to keep most attacks away.
Perfect. That combined with the other pointers and think-through is exactly what I'm looking for. I'm not expecting a super-hacker or anything, but that linux boot cheat is exactly the kind of thing I was worried about in particular. So if I check to make sure the hardware isn't easy to mess with and lock up the boot + BIOS lock that should frankly keep out the kind of trouble I think we're worried about. Will certainly look into the group policy editor too, never really did since I usually just give myself full rights all the time haha. Thanks!
 

neojack

Prominent
Apr 4, 2019
if you have windows 10 pro, you can put all the sensitive data into a separate partition, and encrypt it with bitlocker. this way only your Windows account can access the data.
it's super easy, just open the search bar and type bitlocker and follow the steps.

I do it for my job's laptop. the C drive is encrypted. I'm using a Crucial MX300 SSD which has a special chip called a "SED" which takes care of the encryption so there is no drop in performance.


oh, about backups, you may want to use a cloud backup service that has encryption capabilities like spideroak.
note that without a backup your data is more at risk since recovering data from a bitlocker-encrypted drive is much more difficult or impossible.
 
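A quick way to confirm the controls suggested in this thread (Math Geek's USB/boot-device lockdown via Group Policy and neojack's BitLocker suggestion) are actually in effect is to audit the machine from an elevated PowerShell. This script is an added example, not something posted in the thread; it assumes Windows 10 Pro with the BitLocker module, UEFI firmware for the Secure Boot check, and the standard "Removable Storage Access" policy and USBSTOR registry locations.

```powershell
# Added example: read-only posture audit for the controls discussed in this thread.
# Run in an elevated PowerShell on Windows 10 Pro. It reports, it does not change anything.
# Assumptions: BitLocker module present (Win10 Pro), UEFI firmware for the Secure Boot
# check, and the usual Group Policy / USBSTOR registry locations.

$findings = New-Object System.Collections.Generic.List[string]

# 1. BitLocker: is each fixed volume actually protected (not just "encryption in progress")?
foreach ($vol in Get-BitLockerVolume) {
    $state = "$($vol.MountPoint) protection=$($vol.ProtectionStatus) status=$($vol.VolumeStatus)"
    if ($vol.ProtectionStatus -ne 'On') { $findings.Add("BitLocker not protecting $state") }
    else { Write-Host "OK  BitLocker $state" }
}

# 2. Secure Boot: a BIOS password keeps people out of setup, but Secure Boot is what makes
#    the firmware refuse unsigned boot media even if the boot order is ever changed.
try {
    if (Confirm-SecureBootUEFI) { Write-Host "OK  Secure Boot enabled" }
    else { $findings.Add("Secure Boot is disabled") }
} catch { $findings.Add("Secure Boot unavailable (legacy BIOS/CSM mode?)") }

# 3. Group Policy "All Removable Storage classes: Deny all access" writes Deny_All=1 here.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$deny = (Get-ItemProperty -Path $pol -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
if ($deny -eq 1) { Write-Host "OK  Removable storage denied by policy" }
else { $findings.Add("Removable storage not denied by policy (Deny_All missing or 0)") }

# 4. USB mass-storage driver service: Start=4 means the driver is disabled outright.
$usbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$usbStart = (Get-ItemProperty -Path $usbKey -Name Start -ErrorAction SilentlyContinue).Start
if ($usbStart -eq 4) { Write-Host "OK  USBSTOR driver disabled" }
else { $findings.Add("USBSTOR driver enabled (Start=$usbStart)") }

# Summary: anything in $findings is a gap relative to the thread's recommendations.
if ($findings.Count -eq 0) { Write-Host "All checks passed" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

One caveat for the drive-swapping workflow in the first post: a BitLocker volume unlocked by this machine's TPM will not open in another machine without its recovery password or a password/key protector, so those need to be escrowed before a drive is pulled for backup elsewhere.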
