al-yeti Posted February 25, 2021

6 hours ago, PSE said:
> How can it be insecure if access is controlled by smart card,

If I have your smart card? And no additional PIN?

norman Posted February 25, 2021

7 hours ago, PSE said:
> How can it be insecure if access is controlled by smart card,

When people forget to remove the card, or become complacent and leave it in the reader/keyboard.

Excuse my ignorance, I'm not up on this, but why do you need 2 level authority? I use my fingerprint and a PIN for my laptop, wouldn't that be enough?

Nothing is foolproof to a sufficiently talented fool.

PSE (Author) Posted February 25, 2021

Windows 10 is so easy to create a back door access from boot level, you can get in within 5 minutes regardless of logon password or fingerprint and access pretty much anything you want, I’ve done it many times.

That’s why I’ve gone down the full disk encryption with card access to boot and to logon. Remove the card and you’re logged off. Full disk encryption with secure boot is working perfectly, just wanted to add the smartcard as opposed to mag stripe, I believe it’s got to be more secure.

sixwheeledbeast Posted February 25, 2021

Do you have much sensitive data on individual machines?

As al says, it's about the layers: smartcard would be to use the machine/terminal as a login password replacement, but sensitive data wouldn't be stored on that machine, you'd have it on a server protected by something else. All you need is the machine and the card and you have the FDE broken, whereas you're unlikely to have physical access to server, machine and card at the same time.

I don't know how much more secure a smartcard would be to magstripe, I suppose they both could be copied. You could argue if you swipe and keep the card on you, you're less likely to have someone leave an access card in the dock? You could make the machine lock with inactivity, but it would be pointless if you left the card, so it will always be down to the user to some degree.

norman Posted February 25, 2021

8 hours ago, PSE said:
> Windows 10 is so easy to create a back door access from boot level, you can get in within 5 minutes regardless of logon password or fingerprint and access pretty much anything you want, I’ve done it many times.

Ah, OK, thanks for the explanation.

al-yeti Posted February 25, 2021

6 hours ago, sixwheeledbeast said:
> Do you have much sensitive data on individual machines?
>
> As al says, it's about the layers: smartcard would be to use the machine/terminal as a login password replacement, but sensitive data wouldn't be stored on that machine, you'd have it on a server protected by something else. All you need is the machine and the card and you have the FDE broken, whereas you're unlikely to have physical access to server, machine and card at the same time.
>
> I don't know how much more secure a smartcard would be to magstripe, I suppose they both could be copied. You could argue if you swipe and keep the card on you, you're less likely to have someone leave an access card in the dock? You could make the machine lock with inactivity, but it would be pointless if you left the card, so it will always be down to the user to some degree.

Swipe requires you to stay logged in, I assume screen saver login if you leave desk.

But best way is on ID card, you always carry it, so less likely to be left around, but if you remove it from reader you're locked out until you insert and use login ID.

Fingerprints too long-winded for large organisations, not very manageable.

PSE (Author) Posted February 25, 2021

Using Eset Deslock totally encrypts the drive, it can’t be bypassed in any way, I’ve learnt this the hard way. Once the system is powered up, it locks the boot up and requires typed credentials to be entered only. Once credentials are entered then Windows will boot the normal way to the login screen. At this stage, I am attempting to have the smartcard inserted into a reader and this will logon, however once it’s removed it boots you out.

If computers are ever stolen, FDE is already active and impossible to penetrate.

I’ve done more research on it and it seems possible, but not easily achieved.

Maybe I’m looking at this a bit too much, what are you lot doing your end to achieve max security?

al-yeti Posted February 25, 2021

1 hour ago, PSE said:
> Using Eset Deslock totally encrypts the drive, it can’t be bypassed in any way, I’ve learnt this the hard way. Once the system is powered up, it locks the boot up and requires typed credentials to be entered only. Once credentials are entered then Windows will boot the normal way to the login screen. At this stage, I am attempting to have the smartcard inserted into a reader and this will logon, however once it’s removed it boots you out.
>
> If computers are ever stolen, FDE is already active and impossible to penetrate.
>
> I’ve done more research on it and it seems possible, but not easily achieved.
>
> Maybe I’m looking at this a bit too much, what are you lot doing your end to achieve max security?

I think these small time guys keep server in boot of car in case house gets broken into.

sixwheeledbeast Posted February 25, 2021

I see, so password only for FDE and you'll leave them on; wasn't aware that was an option for Win, was thinking of BitLocker.

I use LUKS for all data storage but not Windows systems, so unlikely helpful.

james.wilson Posted February 26, 2021

No data on the Windows machines, everything is on the servers, which are Linux based.