Hello all!
So I have a question I am sure entire companies and research departments revolve around: "how do I make my Windows 10 PC lowkey hack proof".
So a bit of a background... I have a machine that has an i7-8700T on a specialized Mobo that runs Windows 10. I have password locked the BIOS already since that is easy enough to do, but I'd like to make sure there isn't some "common" backdoor means of getting any of the data off the machine's internal SSDs. The problem is that I can't simply encrypt everything since some of these drives need to come out from time to time in order to process or be backed up elsewhere (we're just using security tape to monitor if anyone got to those anyways).
I know there isn't much that can be done against someone REALLY determined, but I'd like to plug any simple holes that could let someone get around the simple admin account password at the splash screen and POST (I have POST locked too). I was just asked to look into this since apparently there were some tools for older OSes that allowed someone to basically bypass the standard security (XP, I think) and were intended for if someone forgot the password. In this scenario, we would rather wipe the machine and start over before using a backdoor to recover what is on it. This machine is basically a "clone" of an air-gapped machine "master" so losing the data on it is annoying but not a catastrophe.
So... in this scenario... you have a machine that already has the BIOS and POST locked with a password. Problem is the POST password will be known by a number of people, and a number of people will have access to a "user" account with limited privileges. Occasionally we need to update a number of programs on the machine. What we are looking to prevent is someone using some Linux tool or built-in Windows recovery tool to break into the admin account and mess with settings or otherwise compromise the system. I typically just air gap everything, but this is a scenario where the machine will be more "public" so that route won't work, and I'm woefully inexperienced with regards to dealing with whatever tricks are out there to bypass "normal" measures. It will only have an Ethernet connection too, if that matters.
Any help is appreciated as always. You all have saved me a ton of time, money, and pain already. Thank you for your time and putting up with my inexperience and tall demands haha.