Dominic (Italy) asked:
Securing a laptop that travels frequently

Hi -

I have a client who is fairly well known in the journalism media circles. He said that he is concerned about how best he can protect the data on his PC, minimise hacking and be set up in such a way that, if the laptop were to fall into the wrong hands, there are measures to ensure the data is difficult to reach.
This person is not targeted and I am not looking at Fort Knox level security, because the user is not tech savvy and just needs to ramp up the security a little more than the plain standard; nor am I prepared to set up anything too complicated or too expensive.
It's a Lenovo Yoga running Windows 10 - MS Account (not local) - Malwarebytes Premium - Bitdefender AV.
He only uses it to access his Gmail (2-step authentication). His data is on OneDrive, which syncs across to a desktop he has as well. He is also on Office 365 for another mail account and uses Office Pro.

Some advice would be most welcome.

Thanks
Dominic
Shaun Vermaak (Australia):

Enable BitLocker using a USB key or PIN, not TPM. Using TPM does not sufficiently protect it physically.

BitLocker is a computer hard drive encryption and security program released by Microsoft Corporation as a native application.

Let me know if you have any questions
btan:

Agree as well: the hard disk should be encrypted, minimally with BitLocker, so that in the event of loss or theft, the machine in its shut-down state will not easily give access to the stored data in plain form. Have the habit of keeping the machine shut down or hibernated instead of in sleep, too.

Do not log in with an administrative account; instead use a normal user account. This reduces the attack surface should the machine be exploited.

Keep the OS and applications updated to the latest version where possible, as any unpatched version is prone to being vulnerable to malicious code and Trojans.

If using IE as the browser, consider managing the Internet Explorer security zones, e.g. if the user is facing pop-ups, check whether any website links have been maliciously added to the Trusted sites zone. If any such suspicious ones exist, simply delete them. Also consider adding websites you wish to block to the Restricted sites zone. There is a free tool called ZonedOut which lets you add, delete, import and export websites and build a black/whitelist in the IE security zones easily. It also covers the Restricted, Trusted and Intranet zones.

Make sure the two AVs do not conflict with one another; in fact, just go for one, e.g. Malwarebytes Premium, as it also provides anti-ransomware and anti-exploit protection layers on top of the AV. Likewise have a host firewall on, and you only need one, e.g. Windows Firewall, which works silently and needs some tech experience to configure.

Any external storage medium: do encrypt it, or at minimum make sure the files are password protected using native Office; otherwise 7-Zip or WinZip can be used.

Application whitelisting is good practice, as it allows only certain trusted applications to run. Have to check whether the user's machine has that.

There is a list of hardening tips for consideration - http://hardenwindows10forsecurity.com/

Overall, having a strong password or passphrase is important too; it is cyber hygiene that is the weakest link and needs constant education and reminders. Consider a password manager or wallet to store the passphrases. See the article on choosing a passphrase as well as the article on protecting your own privacy (Windows 10 can be "leaky").
@Dominic
What Shaun said - the first step should be to encrypt the laptop. We'd first need to know what OS edition he is using: Win10 Home does not offer BitLocker, while Win10 Pro and Enterprise do.

[@Shaun
Your comment is a little confusing, since a PIN can only be used in addition to the TPM protector. There is no PIN usage possible without it.]
Use Windows 10, Secure Boot in the BIOS, require a password on resume from standby and display resume.
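The TPM+PIN setup that the bracketed correction above describes (a PIN is a variant of the TPM protector, not a replacement for it), as an added PowerShell example that is not from the thread or from Microsoft's documentation. It assumes Windows 10 Pro or Enterprise, an OS volume of C:, a present and ready TPM, and a machine that is not domain-joined, so the "Require additional authentication at startup" policy is written through its registry values instead of gpedit; the value meanings (2 = allow, 1 = require, 0 = do not allow) are my reading of that policy and should be cross-checked in gpedit on the target build.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread: enable BitLocker on the OS drive with a
# TPM+PIN protector and a recovery password. Assumptions: OS volume C:, TPM ready,
# Windows 10 Pro/Enterprise (the BitLocker PowerShell module does not exist on Home).

$mount = 'C:'

# 1. The PIN protector needs a working TPM; without one Enable-BitLocker fails.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable: Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady). Initialise it in UEFI setup first."
}

# 2. Out of the box only a plain TPM protector is allowed at startup. A PIN requires the
#    policy 'Require additional authentication at startup'; these are the registry values
#    gpedit writes for it (assumed meanings: 2 = allow, 1 = require, 0 = do not allow).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$policy = @{
    UseAdvancedStartup = 1   # policy enabled
    EnableBDEWithNoTPM = 0   # no password-only fallback for machines without a TPM
    UseTPM             = 2   # allow TPM only
    UseTPMPIN          = 2   # allow TPM + PIN (1 would force every volume to have a PIN)
    UseTPMKey          = 2   # allow TPM + startup key
    UseTPMKeyPIN       = 2   # allow TPM + startup key + PIN
    UseEnhancedPin     = 1   # allow letters and symbols in the PIN, not only digits
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
}

# 3. Recovery password before anything else: a forgotten PIN without it means the data
#    is gone. It is printed once; the user keeps it off the laptop (paper or password manager).
$vol = Get-BitLockerVolume -MountPoint $mount
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
}
$recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
Write-Host "Recovery password (write down, store off-device): $($recovery.RecoveryPassword)"

# 4. Encrypt with TPM+PIN. The PIN is read as a SecureString, never hard-coded.
$pin = Read-Host -AsSecureString 'Startup PIN (at least 6 characters)'
Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest

# 5. Report. Encryption continues in the background; ProtectionStatus becomes On once done.
Get-BitLockerVolume -MountPoint $mount |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

After this the user types the PIN before Windows even starts; the Microsoft account sign-in afterwards is unchanged. The PIN is only asked for on a cold boot or resume from hibernation, which is why the advice earlier in the thread to shut down or hibernate rather than sleep matters: a sleeping laptop still has the volume key in RAM.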

I think what Shaun was trying to get at is that if a user can log in then BitLocker will be opened; simply adding a PIN helps. You also may want to go into the BIOS and set passwords (user and administrator, using different passwords).
For the different Windows 10 security features, you can check out here:

https://www.microsoft.com/en-us/WindowsForBusiness/Compare?tduid=(0130b9f955e2ae7e2b734e4ecb66add4)(256380)(2459594)(TnL5HPStwNw-wKjI1H7TjL6y7pA.HSmkag)()

For Windows Home, minimally it has Device Encryption. Note that Device Encryption requires device support for a TPM 2.0 chipset and InstantGo.

Further details can be found via Microsoft's Windows 10 specifications: http://www.microsoft.com/en-us/windows/windows-10-specifications

An additional limitation is that in Windows 10 Home (which most of the smaller tablets that have InstantGo have) you can't enable drive encryption's PIN security (which requires gpedit), so whilst the drive is encrypted, it doesn't prevent anyone starting the device and just getting in if you have either a missing or weak Windows login.

Go for Enterprise or Pro minimally for official use. BitLocker will be in Windows Pro and above, while AppLocker will be Enterprise and above.
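A read-only check of what the laptop actually offers before deciding between Home's Device Encryption and an upgrade to Pro, as an added PowerShell example that is not from the thread. It uses the WMI volume-encryption provider rather than the BitLocker module so that it also runs on Home; the edition-ID strings, the Modern Standby test via powercfg output, and the recommendation wording are my assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: report edition, TPM, Secure Boot, Modern Standby
# (the successor of InstantGo) and the OS volume's encryption state. Makes no changes.

$report = [ordered]@{}

# Edition. Assumed EditionID values: 'Core*' = Home, 'Professional*' = Pro, 'Enterprise*'.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$report.Edition            = $cv.EditionID
$report.Build              = "$($cv.CurrentBuild).$($cv.UBR)"
$report.BitLockerAvailable = $cv.EditionID -match '^(Professional|Enterprise|Education)'

# TPM presence and spec version (e.g. '2.0, 0, 1.38'); needs an elevated session.
$tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$report.TpmPresent = [bool]$tpm
$report.TpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'n/a' }

# UEFI Secure Boot. The cmdlet throws on a legacy-BIOS boot, which is itself the answer.
try   { $report.SecureBoot = Confirm-SecureBootUEFI }
catch { $report.SecureBoot = 'legacy BIOS boot / unsupported' }

# Modern Standby appears as 'S0 Low Power Idle' in powercfg /a. The text occurs in both the
# 'available' and the 'not available' lists, so only the part before the latter is examined.
$available = ((powercfg /a | Out-String) -split 'not available on this system')[0]
$report.ModernStandby = $available -match 'S0 Low Power Idle'

# Encryption state of C: via the provider shared by BitLocker and Device Encryption.
$kpNames = @{ 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'RecoveryPassword'; 4 = 'TPM+PIN'
              5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey'; 7 = 'PublicKey'; 8 = 'Passphrase' }
$vol = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftVolumeEncryption `
        -ClassName Win32_EncryptableVolume -Filter "DriveLetter='C:'" -ErrorAction SilentlyContinue
if ($vol) {
    $ps = Invoke-CimMethod -InputObject $vol -MethodName GetProtectionStatus
    $cs = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus
    $report.OsVolumeProtection = @('Off', 'On', 'Unknown')[$ps.ProtectionStatus]
    $report.OsVolumeEncrypted  = "$($cs.EncryptionPercentage)%"
    $ids   = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors -Arguments @{ KeyProtectorType = 0 }).VolumeKeyProtectorID
    $types = foreach ($id in $ids) {
        $t = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
        if ($kpNames.ContainsKey([int]$t)) { $kpNames[[int]$t] } else { "type $t" }
    }
    $report.OsVolumeProtectors = if ($types) { $types -join ', ' } else { 'none' }
} else {
    $report.OsVolumeProtection = 'no encryptable volume reported (provider absent?)'
}

# Verdict in the thread's terms (wording is mine).
$report.Recommendation =
    if ($report.BitLockerAvailable) { 'BitLocker available: use a TPM+PIN protector' }
    elseif ($report.TpmPresent -and $report.ModernStandby) { 'Home: Device Encryption possible but no startup PIN; consider Pro' }
    else { 'Home without TPM 2.0 / Modern Standby: upgrade to Pro for BitLocker' }

[pscustomobject]$report | Format-List
```

On a Home machine the interesting lines are OsVolumeProtection and OsVolumeProtectors: a Yoga that shipped with Device Encryption will typically show protection On with a plain TPM protector plus a recovery password escrowed to the Microsoft account, which is exactly the "encrypted but no PIN" situation described above.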
Cautiously explain the situation, including making sure you have a DR plan in the event the device is lost or stolen.
First thing is to establish a backup setup that is automatic and secures the data (requiring two-factor auth:
username/password and passphrase).
Yes, thank you David for elaborating. Reading over my comment, it's not clear.
Dominic (asker):

Gents - thank you so far for all your sensible recommendations. I will take these away and get to work. Some more questions will arise in the meantime, I am sure, so I will keep this alive for the moment.
D
And the customer's Windows edition is...? That would be helpful for helping you further. Also name his laptop model.
Dominic (asker):

Hi - I just realised that I cannot enable BitLocker because this person has Windows 10 Home Edition. Is there something equivalent to BitLocker, or is it worth considering upgrading to Pro?
Many encryptors are offering the same security. The usability differs, mainly because with BitLocker you have free software that utilizes the TPM chip, offering good protection and ease of use. No free encryptors offer that. To use a payware alternative, you'd probably spend as much as you'd spend on the Windows upgrade. Probably, since we can still use Windows 7 and Windows 8 Pro keys to install and activate Win10 Pro, you might be able to upgrade with such a key, but I haven't tested that. Buying such a key used is possible for very little.
Do you merely want to add encryption of some important files, or encrypt the laptop such that, should it be lost or stolen, there is no way for those in possession of the laptop to have any access?

You have to define what you want and the lengths you are willing to go to, first and foremost in setting it up, and inform the individual/client on what is involved, including implementing a DR plan, should the laptop be lost/stolen, for getting the data ....


There are, as others pointed out, HD encryption techs. Password BIOS/boot .......
PGP Desktop I think should still be available in a form that will incrementally encrypt some files accessible only by the use of the passphrase to the private key.
Often users will likely get frustrated with having to enter passphrases .... such that they will clear the passphrase requirement.
There are several great suggestions, but it presumes the person whose laptop will undergo this process.......
It will be worth considering upgrading to Win10 Pro as it has other security features too.

Also, BitLocker requires either Trusted Platform Module (TPM) 1.2, TPM 2.0 or a USB flash drive (Windows 10 Pro and Windows 10 Enterprise only).

There is also BitLocker To Go, which requires a USB flash drive (Windows 10 Pro only).
Suggestion: keep as little as possible on the actual machine, especially if you are doing international travel. US Customs does have the right to access your machine and can seize the machine (at their discretion). Going through customs is only one headache of travel to the US; then there are the TSA examiners.
Dominic (asker):

The most important data he holds is currently stored on OneDrive. This is useful for him because he has multiple PCs and likes to find the same files regardless of which one he is on. I don't really want to take that feature away from him. Three questions:

1) I do like the idea of a BIOS password, but that doesn't protect against removing the HDD from the laptop and accessing the contents, I presume?
2) If the laptop is upgraded to Windows 10 Pro and I enable BitLocker, do I need to do the same to the desktop he has, which also accesses the same data stored on OneDrive? The data on OneDrive will be encrypted, will it not, and therefore only accessible by a client running BitLocker and the correct authentication? (Excuse my limited knowledge on this subject!)
3) Would it be wise for the user to be logged in as a standard account as opposed to an administrator one? The issue right now is that he logs in with his Microsoft account on both PCs and I see no way, at this stage, to downgrade it to a standard account.

Thanks.
1) No, it does not. Though we have to look at what technology is used. Normal BIOS passwords don't lock hard drives using encryption. If, however, the BIOS supports a technology within the drive called "SED" (self-encrypting drive), then encryption is used and it is safe against removal attacks. So look at what your BIOS and drive model offer.
2) No, no need for action.
3) Of course it would be safer. Please look at my article to see a safe and comfortable way to work as non-admin: https://www.experts-exchange.com/articles/24599/Free-yourself-of-your-administrative-account.html
1) No, it is just another layer of software deterrence, a kind of soft lock. Physical removal is still possible. There are some hardware tamper-proof HDD enclosures that even go so far as to wipe the HDD on an attempt to remove it, but that is more for servers and not for a user machine; likewise for backend hardened security module appliances storing crypto keys.

Having said that, assuming the disk is encrypted, the stolen machine will be protected as long as they do not have the USB key or know the password. Better still, BitLocker can be implemented bound to the machine's TPM such that it can only boot with that same machine's TPM.

2) BitLocker does not encrypt the actual data stored in OneDrive. BitLocker encrypts the disk, and once it is booted up all files/folders are decrypted on the fly, so syncing files with OneDrive is not encrypting them at all. OneDrive authentication is a separate matter from OS authentication, unless you are using the Microsoft cloud suite, though there may be single-sign-on software to sign on once to all online services; that is a separate topic.

3) Log in as a user with no admin rights, because malware infecting the machine will have the same rights, which makes it easier for them during their exploitation of the machine (it saves the malware the extra effort of searching for and exploiting machine/software vulnerabilities, if any). Stay with a simple user and grant permissions to folders if required. I do encourage running AppLocker, but it is only in the Enterprise version and not Pro.
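One way to follow the advice in point 3 (a standard account for daily work) without giving up the Microsoft account and its sync, as an added PowerShell example that is not from the thread or from McKnife's article. The sign-in name 'user@example.com' and the local admin name 'LaptopAdmin' are placeholders; it is run elevated from a different account than the one being demoted, on Windows 10 1607 or later, where Microsoft accounts show up in local groups as MicrosoftAccount\<email>.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: keep the user's Microsoft account (so OneDrive and
# settings sync keep working) but remove it from Administrators, with a separate local
# administrator for UAC prompts. Placeholders: $msAccount and $localAdmin.
# Run this from a session logged in as a different administrator than $msAccount.

$msAccount  = 'user@example.com'   # assumption: the Microsoft account to demote
$localAdmin = 'LaptopAdmin'        # assumption: name of the rarely used local admin

# 1. Never remove the last administrator: create the local admin first.
if (-not (Get-LocalUser -Name $localAdmin -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for local admin '$localAdmin'"
    New-LocalUser -Name $localAdmin -Password $pw -PasswordNeverExpires `
        -Description 'Local admin used only for UAC elevation' | Out-Null
}
$adminNames = (Get-LocalGroupMember -Group 'Administrators').Name
if ("$env:COMPUTERNAME\$localAdmin" -notin $adminNames) {
    Add-LocalGroupMember -Group 'Administrators' -Member $localAdmin
}

# 2. Locate the Microsoft account's Administrators entry. Microsoft accounts are listed
#    with PrincipalSource 'MicrosoftAccount' and the name MicrosoftAccount\<email>.
$admins = Get-LocalGroupMember -Group 'Administrators'
$target = $admins | Where-Object { $_.Name -ieq "MicrosoftAccount\$msAccount" }
if (-not $target) {
    throw "No Administrators entry for MicrosoftAccount\$msAccount. Members: $($admins.Name -join ', ')"
}

# 3. Refuse to proceed if no other user account would remain an administrator.
$others = $admins | Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -ine $target.Name }
if (-not $others) { throw 'Refusing to remove the only administrator account.' }

# 4. Make sure the account stays a member of Users, then drop it from Administrators.
#    Its profile, OneDrive sync and Microsoft account sign-in are unaffected.
if (-not (Get-LocalGroupMember -Group 'Users' | Where-Object { $_.Name -ieq $target.Name })) {
    Add-LocalGroupMember -Group 'Users' -Member $target.Name
}
Remove-LocalGroupMember -Group 'Administrators' -Member $target.Name

# 5. Verify. From now on UAC prompts for the demoted user ask for $localAdmin's password.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass
Write-Host "'$msAccount' is now a standard user; elevation requires the '$localAdmin' password."
```

The order matters: the local admin is created and verified before the demotion, because removing the only administrator leaves nobody able to elevate, and a PIN or password for the local admin should be written down next to the BitLocker recovery password rather than left to memory, since it will be used rarely.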
Dominic (asker):

Thanks btan and McKnife. Following on from the above:

1) If I install Pro and then enable BitLocker, what exactly does the process involve? Will the user need to log in/authenticate differently? I will need to read up on what TPM is, because I don't know what it represents in the whole equation. I need to understand what changes for the user's habits after his files are encrypted.

2) The current login is a Microsoft account, not a local one. I don't know if I am able to "downgrade" an admin MS account to a standard one. I know it can be done with a local account, but so far I haven't found the way with an MS one. Am I going to have to create a local account as standard and then get him to use that as the default? I hope not, because the migration is a bit of a pain and I will lose the syncing features of the MS account.

Thanks
D
SOLUTION
McKnife (Germany): solution text only available to members.

ASKER CERTIFIED SOLUTION: solution text only available to members.
Dominic (asker):

Thank you both for your contributions. I have much to work with and will open a new question if I have a query.