Security Installer Community

Windows Logon Security


PSE


Hi Guys...

 

Just expanded into larger premises and setting up new office & computers. I’m looking to add a smart card style logon system to all computers. Don’t want mag stripe as it’s easily copied.  Ideally want the smart card inserted into a reader to logon to pc and if card is removed then the user is logged off. 
 

To comply with GDPR I’ve already got full drive encryption sorted, I’m just looking at an advanced logon solution.

 

Anyone got any thoughts on this or can recommend a product? Thanks

Link to comment

Hi mate, I’ve seen the keyboards, and separate desktop smartcard readers, just not sure on what type of cards or programming them. I’ve seen some that are already programmed with security keys etc... just don’t know enough about them yet.

Link to comment

47 minutes ago, MrHappy said:

Don't use 'em....

 

However I'd assume a keyboard with a smartcard reader was the norm?

 

Dell rings a bell?

NHS standard

Link to comment

Don't use Windows but Yubikey login must be a thing? Which wouldn't be possible to clone at all with just the key.

 

If webcam they have Windows Hello built in, not that I am fond of that.

Smartcard systems I have seen were separate USB reader and printable HID cards, not sure if that's same as NHS?

Link to comment

2 hours ago, PSE said:

Hi Guys...

 

Just expanded into larger premises and setting up new office & computers. I’m looking to add a smart card style logon system to all computers. Don’t want mag stripe as it’s easily copied.  Ideally want the smart card inserted into a reader to logon to pc and if card is removed then the user is logged off. 
 

To comply with GDPR I’ve already got full drive encryption sorted, I’m just looking at an advanced logon solution.

 

Anyone got any thoughts on this or can recommend a product? Thanks

I don't know anyone who does it that way 

 

Smart card would allow you to access the PC, then you have fingerprint reader, card reader, token or whatever you want after that

 

Would be too insecure otherwise

Link to comment

7 hours ago, PSE said:

How can it be insecure if access is controlled by smart card, 

When people forget to remove the card, or become complacent and leave it in the reader/keyboard. 

 

Excuse my ignorance I'm not up on this, but why do you need 2 level authority? I use my fingerprint and a pin for my laptop, wouldn't that be enough? 

Nothing is foolproof to a sufficiently talented fool.


Link to comment

Windows 10 is so easy to create a back door access from boot level, you can get in within 5 minutes regardless of logon password or fingerprint and access pretty much anything you want, I’ve done it many times.  That’s why I’ve gone down the full disk encryption with card access to boot and to logon. Remove the card and you’re logged off.  Full disk encryption with secure boot is working perfectly, just wanted to add the smartcard as opposed to mag stripe, I believe it’s got to be more secure

Link to comment

Do you have much sensitive data on individual machines?

As al says it's about the layers, smartcard would be to use the machine/terminal as a login password replacement but sensitive data wouldn't be stored on that machine you'd have it on a server protected by something else.

All you need is the machine and the card and you have the FDE broken, whereas you're unlikely to have physical access to server, machine and card at the same time.

 

I don't know how much more secure a smartcard would be than magstripe, I suppose they both could be copied. You could argue if you swipe and keep the card on you, you're less likely to have someone leave an access card in the dock?

You could make the machine lock with inactivity but would be pointless if you left the card so will always be down to the user to some degree.

Link to comment

8 hours ago, PSE said:

Windows 10 is so easy to create a back door access from boot level, you can get in within 5 minutes regardless of logon password or fingerprint and access pretty much anything you want, I’ve done it many times.  

Ah, OK, thanks for the explanation. 

Nothing is foolproof to a sufficiently talented fool.


Link to comment

6 hours ago, sixwheeledbeast said:

Do you have much sensitive data on individual machines?

As al says it's about the layers, smartcard would be to use the machine/terminal as a login password replacement but sensitive data wouldn't be stored on that machine you'd have it on a server protected by something else.

All you need is the machine and the card and you have the FDE broken, whereas you're unlikely to have physical access to server, machine and card at the same time.

 

I don't know how much more secure a smartcard would be than magstripe, I suppose they both could be copied. You could argue if you swipe and keep the card on you, you're less likely to have someone leave an access card in the dock?

You could make the machine lock with inactivity but would be pointless if you left the card so will always be down to the user to some degree.

Swipe requires you to stay logged in I assume screen saver login if you leave desk 

 

But best way is on ID card, you always carry it, so less likely to be left around, but if you remove it from reader you're locked out until you insert and use login ID

 

 

Fingerprints too long-winded for large organisations, not very manageable

Link to comment

Using Eset Deslock totally encrypts the drive, it can’t be bypassed in any way, I’ve learnt this the hard way. Once the system is powered up, it locks the boot up and requires typed credentials to be entered only. Once credentials are entered then windows will boot normal way to the login screen. At this stage, I am attempting to have the smartcard inserted into a reader and this will logon, however once it’s removed it boots you out.

If computers are ever stolen, FDE is already active and impossible to penetrate.

 

I’ve done more research on it and it seems possible, but not easily achieved. Maybe I’m looking at this a bit too much, what are you lot doing your end to achieve max security?

Link to comment
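
The "remove the card and you're logged off" behaviour asked about above maps onto built-in Windows policy settings. The following read-only check is an added example, not part of the original thread; it assumes smart card logon itself is already provisioned on the machine, and the function name `Get-SmartCardLogonPosture` is made up for illustration.

```powershell
# Added example: audit the Windows settings behind "card out = session ends".
# Read-only; run in PowerShell 5.1+ on the workstation being checked.
function Get-SmartCardLogonPosture {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # "Interactive logon: Smart card removal behavior" (REG_SZ ScRemoveOption)
    $removalMap = @{
        '0' = 'No Action'
        '1' = 'Lock Workstation'
        '2' = 'Force Logoff'
        '3' = 'Disconnect if a Remote Desktop Services session'
    }
    $raw = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption `
            -ErrorAction SilentlyContinue).ScRemoveOption
    if ($null -eq $raw) { $raw = '0' }   # value absent: removal does nothing

    # "Interactive logon: Require smart card" (REG_DWORD scforceoption)
    $force = (Get-ItemProperty -Path $system -Name scforceoption `
              -ErrorAction SilentlyContinue).scforceoption

    # The removal setting is only acted on while this service is running.
    $svc = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue

    $findings = @()
    if ("$raw" -notin '1', '2') {
        $findings += 'Pulling the card neither locks nor logs off the session.'
    }
    if (-not $svc -or $svc.Status -ne 'Running') {
        $findings += 'Smart Card Removal Policy service (SCPolicySvc) is not running.'
    }
    elseif ($svc.StartType -ne 'Automatic') {
        $findings += 'SCPolicySvc is running but will not start automatically after reboot.'
    }
    if ($force -ne 1) {
        $findings += 'Smart card is not required: password logon is still accepted.'
    }

    [pscustomobject]@{
        RemovalBehavior   = $removalMap["$raw"]
        RequireSmartCard  = ($force -eq 1)
        RemovalServiceUp  = [bool]($svc -and $svc.Status -eq 'Running')
        Findings          = $findings
    }
}

Get-SmartCardLogonPosture | Format-List
```

An empty `Findings` list means the card is required to log on and removing it locks or logs off the session; a card left in the reader still defeats both, which is the user-behaviour point raised earlier in the thread.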

1 hour ago, PSE said:

Using Eset Deslock totally encrypts the drive, it can’t be bypassed in any way, I’ve learnt this the hard way. Once the system is powered up, it locks the boot up and requires typed credentials to be entered only. Once credentials are entered then windows will boot normal way to the login screen. At this stage, I am attempting to have the smartcard inserted into a reader and this will logon, however once it’s removed it boots you out.

If computers are ever stolen, FDE is already active and impossible to penetrate.

 

I’ve done more research on it and it seems possible, but not easily achieved. Maybe I’m looking at this a bit too much, what are you lot doing your end to achieve max security?

I think these small time guys keep server in boot of car in case house gets broken into

 

💪

Link to comment
