Locking down Windows 10 (a little bit), in 5 easy steps

If you are using Windows 10, there are many, many privacy things to worry about – in terms of how much of your data and metadata that Microsoft and its’ advertising partners vacuum of your computer. However beyond that, there are practical, everyday threats too. For example, you go home or go back to your car and find your laptop has been stolen. Oh no! You immediately have two problems: you lost something of value (the laptop), and now a known-bad person might have access to the DATA that was on that personal laptop computer.

What are some of the dangers?

  • If it was in sleep or hibernation mode, when the thief opens the lid, they will know your name, and could potentially guess your password (but you already have a GREAT password, don’t you!?) This assumes that you have it configured to require a password when you come back from sleep.
  • Before they try to sell your laptop at a pawn shop or on eBay, they can pull the hard drive. Now, they can load that hard drive into a system they own, and see all of the files on your computer. I mean ALL of them. This includes website cookies, financial documents, photos, bank information, etc. This is not “hacker” level stuff, anyone with basic computer knowledge and access to Google can easily do this.

What if there just a few steps you could do which would dramatically change this scenario? Imagine instead:

  • If it was in sleep or hibernation, they are prompted for a username AND a password. That is a much more difficult place to start.
  • Before they see the logon screen, they see a dire legal warning.
  • If the tech-savvy thief pulls your hard drive and puts it in another computer, it will be unreadable.

Great! But how do we do that? Well, with just a few simple steps…

STEP 1: Make sure you have a GREAT password, and unique password for everything:
If you don’t have EXCELLENT passwords everywhere, and especially because you think it’s too difficult to remember them – please read this post:

No more excuses! Create a strong password TODAY! Here’s how…
https://blog.robseder.com/2014/08/22/no-more-excuses-create-a-strong-password-today-heres-how/

Hopefully you are sold on the idea that you can have a password like Hwha!@#P!BL15 as a password and remember that is for “Houston, we have a damn problem! BitLocker 2015” – and also Hwha!@#p!MS15 as a password for getting into Microsoft Windows. You remember that as: “Houston, we have a damn problem! Micro Soft 15”

STEP 2: Turn on screen-timeout/screen lock:
All of this is a complete waste of time if your screen is unlocked. If you have it set so when you open your laptop and you are logged-in – that is a REALLY bad place to be. Let me elaborate:

The thief now has access to your e-mail. She will then go to chase.com, citicards.com, wellsfargo.com, bankofamerica.com, etc and do a “forgot my password”. This will send a “password reset” e-mail to your mailbox. The mailbox that this thief has access to. Oh, the thief will have changed your mailbox password too so that YOU no longer have access.

So, the thief got some hits! Wells Fargo and Capital One responded back with password reset e-mails. So now, the thief resets those bank/credit card account passwords (locking you out) – and can now have her way with your finances!

All of this can be avoided by starting with this screen:

image

you can hit the WindowsKey and type “power & sleep” to find it. You don’t want those to say “Never”. Instead, set them to something reasonable:

image

Next, within Control PanelHardware and SoundPower OptionsSystem Settings:

image

Make sure the “Require a password (recommended)” is checked. And finally, where you set your screensaver, make sure the “On resume, display logon screen” checkbox is checked.

image

These combined will make sure your computer always defaults to sleeping within 3 minutes of idle, and when you come back from sleep – you need a password in all cases. I strongly recommend getting a fingerprint reader to make the constant logging-in, less annoying.

image

STEP 3: Hide information about the current logged-in user:
Hit the WindowsKey and type “secpol.msc”:

image

from this “Security Policy Editor”, navigate to Local Policies/Security Options. Within this section, there are several “Interactive Logon: “ entries. There are a few that we’d want to manipulate:

image

Setting the “Interactive logon: Display user information when the session is locked” to “Do not display user information” which make it so when you are coming back from: hibernate, sleep, or a locked screen – you won’t see any user information. To see similar behavior when you first boot up, choose to set “Interactive logon: Do not display last user name” to “Enabled”:

image

That means that when you first boot up, and when you are coming back from a lock screen, you will never see your name. A would-be thief, if they want to get into YOUR account, would need to know your username AND your password. In all cases, you’d now see this:

WP_20151123_10_21_23_Rich_LI

If you feel it’s inconvenient to have to type your username and password every time, I highly recommend to buy a fingerprint reader. Once swipe and you are logged back in. If you use laptops, consider getting one with a fingerprint reader built-in.

STEP 4: Show a pre-login “warning” prompt:
Honestly, this is more for show/intimidation – but it does also add something in case they ever catch your thief. You are giving them fair-warning that you are going to prosecute to the fullest extent of the law.

To add this prompt, in that same “secpol.msc” application, and in the same section, set these two values – the “Interactive logon: Message title”:

image

and the “Interactive logon: Message text”:

image

I use this for text, but you can put whatever you’d like – including an “If found, please call: (000) 000-0000”:

“Unauthorized access or use of this computer system is prohibited. Violators will be prosecuted to the fullest extent of the law. By accessing this system, you agree that your actions will be monitored.”

and this is what that prompt looks like, right before ANY time you attempt to log in:

WP_20151123_10_20_39_Rich_LI

STEP 5: Encrypt your hard drive with BitLocker
At this point, we’ve slowed-down out tech-savvy thief, and we added an intimidating warning message. We’ve made it very difficult to get to our data from this login screen. However, they can still get to it – by loading our hard drive into another computer and just getting to it that way. Once our operating system isn’t in control anymore, the other operating system can override our security and access everything on the drive.

What if we could make it so you had to enter a VERY difficult password, in order to access the drive? Let’s use BitLocker!

Now, normally, BitLocker is meant to be used on a enterprise-class laptops where there is a TPM chip on the motherboard. Because, apparently only corporations need encryption? Well, no matter because you can configure BitLocker to work without a TPM module and be used with a password. First, you need to open the local Group Policy Editor: hit the WindowsKey and type “gpedit.msc” and <Enter>, you should see:

image

Within the tree on the left, navigate into:

Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/BitLock Drive Encryption/Operating System Drives

Within that node, double-click “Require additional authentication at startup”:

image

Set this to “Enabled” and “Allow” TPM for all of the options, like shown above. Now, you can right-click on your C: drive in explorer and choose “Turn on BitLocker”:

image

then, just follow the wizard. The idea here is that you want to set a password which you’ll have to type in, every time your computer boots. It can take while to encrypt your drive, but you can still use your computer while it does, so it doesn’t really affect anything.

Once encryption is finished, whenever you reboot, you’ll have to type in your BitLocker password, then Windows 10 will boot, then you will type in your username, and then your password, and THEN you will be at your desktop.

STEP 5a: (optional) Change the look of the logon screen
This is just a minor annoyance. If you are sick of the laser-light Windows logo (which also tells the thief this is definitely Windows 10), you can disable that. Open the registry editor (regedit.exe) and navigate to:

HKLM/Software/Policies/Microsoft/Windows/System

Within that key, create a new 32-bit entry:

image

Name it “DisableLogonBackgroundImage” and set it to a value of 1.

image

Now, the logon screen color will be whatever your “accent” color is, in Windows 10.

Bottom line:
OK, so we went from a worst-case scenario of a thief who stole your laptop , and had a few ways in which they could get at your data and/or e-mail. But now, after just a couple of simple steps, if that same laptop is stolen, your worst-case is that you have to replace the hardware – and you can rest-easy that it’s highly unlikely that any of the data on that computer was compromised.

Posted in Best-practices, Computers and Internet, General, Infrastructure, Organization will set you free, Professional Development, Security, Uncategorized, Windows

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Archives
Categories

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 5 other followers

%d bloggers like this: