Windows
ipoluda, 2020-11-29 04:07:45

What are alternative methods for booting and/or decrypting Windows?

Probably more than one question; I'm not sure how to ask it correctly.
Background: a year ago, competitors sent a "mask show" (masked raid) to the enterprise, during which an employee was pressured into giving up the password for decrypting a computer, after which confidential data (patent applications) was leaked. After this incident the business was greatly shaken, and now the task is to prevent such situations in the future. That is, we need to make sure that the computer cannot be unlocked even if you know the decryption password. The most suitable method seems to be the first one that comes up on Google (BitLocker Network Unlock), but some of the computers that need to be protected are not in a domain, and some of them periodically move between branches where the domains are different. In general this method is not suitable, including for some other reasons.
Question: how can you organize the protection of such machines?
I will consider any ideas on this matter, even the most sophisticated ones.
Perhaps there is some other software that can unlock over the network, or something like that?
Also, a couple of years ago I read about a method that went something like this: at power-on, a very stripped-down Linux was loaded, you could connect to it via SSH and enter the decryption password, after which Windows would start booting. I just can't find this article or the method in general; maybe someone knows how to build something like this?
THE POINT IS that if a certain server is unavailable (the one holding the decryption keys, or running the SSH script for unlocking), the computer will not be able to boot.


4 answer(s)
Artem @Jump, 2020-11-29

This is done elementarily. No technical methods, purely administrative ones.
Restrict physical access to the computers and make sure they are turned off when strangers enter. All data is encrypted.
To unlock, the employee calls the dispatcher, introduces himself and is identified, and the dispatcher, located in another building or city, remotely enters the password and unlocks the computer.

Saboteur, 2020-11-29
@saboteur_kiev

It is also possible to simply use full-disk encryption and two-factor authentication through an external RSA service, which company management can quickly disable; then the employee, even with the password, will not be able to log in and decrypt.

Vladimir Korotenko, 2020-11-29
@firedragon

This is not your headache if you are not the business owner. Technically it is not solved.
Yes, and it looks like something crazy. What country?
By the way, everything is solved as a package. Firstly, the enterprise is made white and fluffy. Secondly, an agreement is concluded with a good lawyer to counteract the "mask show". Further, all users on thin clients. Communication with the server goes through a router with mandatory password entry and a GSM socket.

ipoluda, 2020-12-22
@ipoluda

In general, someday someone will surely try to solve the same question, so here is my solution, in the form of a bicycle with crutches instead of wheels. Since all computers in our organization have at least 8 GB of RAM, I installed Proxmox on them; inside it runs a virtual machine with Windows, which gets about 7 GB (which is not bad for office tasks). I installed a GUI (MATE + LightDM) on Proxmox and connect to the virtual machine on the same computer via RDP (FreeRDP). Alongside this, I set up a Node-RED server, on which I installed a Telegram bot and SSH nodes. The scheme is as follows: the user boots Proxmox with the desktop, then sends the "unlock" command to the bot in Telegram; Node-RED determines which user sent it, connects via SSH to the corresponding computer (to Proxmox) and issues the qm sendkey command, which types the decryption password into the virtual machine with Windows, after which Windows boots up and you can connect to it via RDP. Bottom line: the user does not know the password but can decrypt Windows, while the decryption keys of each station are stored in Node-RED, which in turn also runs on encrypted Linux.
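An added example of the core step of this relay, not the poster's own code: translating a passphrase into the QEMU key names that qm sendkey accepts and building the per-keystroke SSH commands. The host name "pve-host", VM id 100 and a US keyboard layout inside the VM are assumptions.

```python
"""Hypothetical helper for a Node-RED style unlock relay (assumed names).
Maps a passphrase to QEMU QKeyCode names and builds one
`ssh <host> qm sendkey <vmid> <key>` command per keystroke."""
import subprocess

# QEMU key names for US-layout keys that are not a single letter or digit.
SYMBOLS = {
    " ": "spc", "-": "minus", "=": "equal", "[": "bracket_left",
    "]": "bracket_right", ";": "semicolon", "'": "apostrophe",
    "`": "grave_accent", "\\": "backslash", ",": "comma", ".": "dot",
    "/": "slash",
}
# Shifted symbols on a US keyboard: character -> unshifted key it lives on.
SHIFTED = {
    "!": "1", "@": "2", "#": "3", "$": "4", "%": "5", "^": "6", "&": "7",
    "*": "8", "(": "9", ")": "0", "_": "-", "+": "=", "{": "[", "}": "]",
    ":": ";", '"': "'", "~": "`", "|": "\\", "<": ",", ">": ".", "?": "/",
}

def to_qemu_keys(passphrase: str) -> list[str]:
    """Translate a passphrase into QEMU key names, ending with Enter (ret)."""
    keys = []
    for ch in passphrase:
        if ch in SHIFTED:                      # e.g. "!" -> shift-1, "_" -> shift-minus
            base = SHIFTED[ch]
            keys.append("shift-" + SYMBOLS.get(base, base))
        elif ch in SYMBOLS:                    # e.g. "-" -> minus
            keys.append(SYMBOLS[ch])
        elif ch.isascii() and ch.isalpha():    # letters; uppercase needs shift
            keys.append(("shift-" if ch.isupper() else "") + ch.lower())
        elif ch.isascii() and ch.isdigit():
            keys.append(ch)
        else:
            # Refuse rather than silently type the wrong key into the VM.
            raise ValueError(f"unsupported character in passphrase: {ch!r}")
    keys.append("ret")
    return keys

def build_unlock_commands(host: str, vmid: int, passphrase: str) -> list[list[str]]:
    """One argv per keystroke; the vmid is the Proxmox VM to type into."""
    return [["ssh", host, "qm", "sendkey", str(vmid), k] for k in to_qemu_keys(passphrase)]

def run_unlock(host: str, vmid: int, passphrase: str) -> None:
    """Type the passphrase into the VM console. Each key name briefly appears
    in the host's process list (argv of qm), so keep host access restricted."""
    for argv in build_unlock_commands(host, vmid, passphrase):
        subprocess.run(argv, check=True)
```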
