Answer the question
In order to leave comments, you need to log in
How to protect a computer with constant uptime (upd)?
Hello. If a feeling of deja vu begins to visit you, it’s not for nothing, I already asked this question , however, I didn’t sit still and looked for options, and even found it, but there are still a few but ...
In short, the essence of the past question is as follows, there is computer is always on. There is no access to it (it is far away), theoretically they can come after it and copy commercial information. The goal is to defend against this type of attack. The computer is a regular PC on Windows 10, auto-login is configured, without additional equipment, decryption should occur automatically, even during reboots and other conditions (for example, the light went out, the bios is set to power on, the light appeared, the PC went to start).
In the last topic, the answer was essentially given - BitLocker Network Unlock, however, it is only suitable for a server OS and, judging by what I understand, it works with a domain over a local network. The option is not suitable. my PC is single.
The answer was essentially on the surface, in windows there is standard encryption (EFS) (right-click on the folder-properties-attributes-others-encrypt contents to protect data), while a certificate is created on the PC with which it is possible to decrypt these files on the fly, if the same, for example, connect this hard drive to another PC and copy the files - they will be encrypted (and if you copy them to a USB flash drive even with the OS turned on, they will be copied in encrypted form). However, with all the charms, there are obvious BUT:
1. Nothing prevents the same way that the file is encrypted - decrypt it by simply removing the "tick" in the settings. Are there options for this interaction to require an administrator password? (not UAC, but the password)
2. Is it possible to protect the certificate from import? Again, require an administrator password or certificate.
3. With this type of encryption, is it possible to encrypt file names? At the moment it looks like "file.doc.[EFS extension]" (I've tried looking for similar items in security policies - no luck)
4. Is it even possible to boot Windows but still show the login form? Those. the OS starts, autoloads, the necessary software starts (for example, a web server), but for the observer, all that is visible is the authorization form, after entering the password, you can work with Windows (the implementation of this direction is the most interesting, because it automatically protects against 1 and 2 points). All I found is to add a script to the autoload, or a script to the profile, or add a script to the task scheduler - when you enter, execute "user32.dll, LockWorkStation". But this option is just ridiculous, because you can simply go into safe mode and all this will not be done. Yes, and without this item, in fact, everything is meaningless, because. in fully decrypted Windows, it is not difficult to read all files, even without copying, if this item is implemented and even,
In general, I'm waiting for your thoughts, maybe I missed something?
Answer the question
In order to leave comments, you need to log in
With physical access to the body of the computer, protection must also be physical, for example, a hardware disk encryptor, hardware shutdown (read cutting off) of ports. Everything else is from the evil one. Like trying to hammer a steel (hardware) nail with a cotton (software) bag.
I don't think you started right there. They always start with the question - what is the model of the intruder? Who are you protecting yourself from? From a curious neighbor, from a competitor, from the state? Different offenders have different abilities and different motivations. Where the neighbor has already dumped, the state will only make a note that it is time to uncover the soldering iron.
And the second. Windows, well, is not adapted in any way to what you are trying to stir up. This is a game console, an entertainment center - toys, movies, music. Well, it is also suitable as an office workstation. For things like you need to take linux. And not anyhow, but a specialized one (I won’t tell you which one).
In the general case - you need to try sooooo hard so that having hardware access to your computer, do not let the information leak. And this again brings us back to the question of the intruder model. The stronger the motivation, the more effort the violator will make to gain access to information.
Are you saying that the computer is very far away and there is no way to get there? Then how can you know - what if it has already been virtualized there for a long time? Here's an example .
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question