Solved supporting an office of computers with full drive encryption
-
@stacksofplates said in supporting an office of computers with full drive encryption:
One thing to consider is not doing full disk means that someone can possibly modify or install a modified version of a piece of software or install a key logger on the OS disk. Then the password doesn't matter.
That's potentially true. Could happen on the UEFI too, though.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
One thing to consider is not doing full disk means that someone can possibly modify or install a modified version of a piece of software or install a key logger on the OS disk. Then the password doesn't matter.
which of course defeats the whole secure thing in the first place.
-
@Dashrender said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
One thing to consider is not doing full disk means that someone can possibly modify or install a modified version of a piece of software or install a key logger on the OS disk. Then the password doesn't matter.
which of course defeats the whole secure thing in the first place.
How would someone by expected to install that? 99% of possible installs like that will affect an encrypted drive as much as a non-encrypted one. This is one of those "we mentioned a risk" that isn't a viable real world risk and it sounds reasonable until we apply real world risk to it.
It's not nearly as significant as, say, missing a day of patching.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
One thing to consider is not doing full disk means that someone can possibly modify or install a modified version of a piece of software or install a key logger on the OS disk. Then the password doesn't matter.
which of course defeats the whole secure thing in the first place.
How would someone by expected to install that? 99% of possible installs like that will affect an encrypted drive as much as a non-encrypted one. This is one of those "we mentioned a risk" that isn't a viable real world risk and it sounds reasonable until we apply real world risk to it.
It's not nearly as significant as, say, missing a day of patching.
You don't think so? Let's assume the boot partition is non encrypted, and Secure Boot is disabled. A janitor could crack it open and install a keylogger.
is that more or less likely than being hacked because you didn't patch? OK probably a lot less likely.
-
@Dashrender said in supporting an office of computers with full drive encryption:
It's not nearly as significant as, say, missing a day of patching.
You don't think so? Let's assume the boot partition is non encrypted, and Secure Boot is disabled. A janitor could crack it open and install a keylogger.
I'm not saying that he can't, but if your own staff is your concern, encryption is really not going to do anything. He's got a hundred other ways to do more damage. For example, he's install a physical keylogger that bypasses your full disk encryption because that's even easier than that. He's not bother with this method, because it's not the path of least resistance to this end game.
-
In the janitor scenario... remember that if the laptop (assuming that it is a laptop) is properly secured he'll not have any attack against an unencrypted drive except to remove it physically from the machine, hook it up to another machine and infect it that way. If he could bypass the password and logon stage, you'd be compromised already so we can ignore that.
In the case where he has the physical access to attack the unencrypted system with a key logger to go after the encrypted portion, he's got access to bypass everything and make the attack moot.
-
I saw this marked as solved but can't seem to find the post that mentions the solution/what the OP ended up doing.
-
@wrx7m said in supporting an office of computers with full drive encryption:
I saw this marked as solved but can't seem to find the post that mentions the solution/what the OP ended up doing.
He was only fact finding. It's not his customer. he was trying to determine the cost to support the customer.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
In the janitor scenario... remember that if the laptop (assuming that it is a laptop) is properly secured he'll not have any attack against an unencrypted drive except to remove it physically from the machine, hook it up to another machine and infect it that way. If he could bypass the password and logon stage, you'd be compromised already so we can ignore that.
In the case where he has the physical access to attack the unencrypted system with a key logger to go after the encrypted portion, he's got access to bypass everything and make the attack moot.
That was kind of my point. If the whole drive is encrypted there isn't anything they can do on the disk itself. If the OS isn't encrypted you can essentially do anything.
We have labels that cover the side panels that you can't pull off and reattach. So they can't put anything in the machine without it being obvious. But if the OS isn't encrypted, they could boot to a recovery and chroot into the OS and install whatever they want (assuming BIOS allows media booting, etc).
With the full disk encryption, they can't do anything without the key.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
In the janitor scenario... remember that if the laptop (assuming that it is a laptop) is properly secured he'll not have any attack against an unencrypted drive except to remove it physically from the machine, hook it up to another machine and infect it that way. If he could bypass the password and logon stage, you'd be compromised already so we can ignore that.
In the case where he has the physical access to attack the unencrypted system with a key logger to go after the encrypted portion, he's got access to bypass everything and make the attack moot.
That was kind of my point. If the whole drive is encrypted there isn't anything they can do on the disk itself. If the OS isn't encrypted you can essentially do anything.
We have labels that cover the side panels that you can't pull off and reattach. So they can't put anything in the machine without it being obvious. But if the OS isn't encrypted, they could boot to a recovery and chroot into the OS and install whatever they want (assuming BIOS allows media booting, etc).
With the full disk encryption, they can't do anything without the key.
But that was my point. If your OS was secured, you'd not be able to boot to any recovery. The only way it would be to break into the physical box and both are compromised at that point. It's not OS encryption that protects you in that case.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
In the janitor scenario... remember that if the laptop (assuming that it is a laptop) is properly secured he'll not have any attack against an unencrypted drive except to remove it physically from the machine, hook it up to another machine and infect it that way. If he could bypass the password and logon stage, you'd be compromised already so we can ignore that.
In the case where he has the physical access to attack the unencrypted system with a key logger to go after the encrypted portion, he's got access to bypass everything and make the attack moot.
That was kind of my point. If the whole drive is encrypted there isn't anything they can do on the disk itself. If the OS isn't encrypted you can essentially do anything.
We have labels that cover the side panels that you can't pull off and reattach. So they can't put anything in the machine without it being obvious. But if the OS isn't encrypted, they could boot to a recovery and chroot into the OS and install whatever they want (assuming BIOS allows media booting, etc).
With the full disk encryption, they can't do anything without the key.
But that was my point. If your OS was secured, you'd not be able to boot to any recovery. The only way it would be to break into the physical box and both are compromised at that point. It's not OS encryption that protects you in that case.
There isn't anything that protects against this other than BIOS, which isn't OS security.
For example, if I encrypt the full drive but leave BIOS open (or they steal the disk), they can boot to recovery but will gain nothing. They can't get into the disk without the key. It's still protecting you from breaking into the box because they can't get anything on the disk at all if its fully encrypted.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
There isn't anything that protects against this other than BIOS, which isn't OS security.
For example, if I encrypt the full drive but leave BIOS open (or they steal the disk), they can boot to recovery but will gain nothing. They can't get into the disk without the key. It's still protecting you from breaking into the box because they can't get anything on the disk at all if its fully encrypted.
If you restrict recovery and boot options and make it obvious that the case has been opened... how would partial disk encryption not provide that protection as well?
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
There isn't anything that protects against this other than BIOS, which isn't OS security.
For example, if I encrypt the full drive but leave BIOS open (or they steal the disk), they can boot to recovery but will gain nothing. They can't get into the disk without the key. It's still protecting you from breaking into the box because they can't get anything on the disk at all if its fully encrypted.
If you restrict recovery and boot options and make it obvious that the case has been opened... how would partial disk encryption not provide that protection as well?
It probably would. There are some unknowns like whether system restore points would have any of this data in them and people can accidentally move data to the unencrypted partition/drive.
I'm also coming at this from the angle of where I work. There are some legit concerns with our data so our systems are required for full disk encryption and any information like that isn't on laptops. Boot loader is password protected and BIOS is locked down. Even USB ports are disabled and kernel modules are removed.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
There isn't anything that protects against this other than BIOS, which isn't OS security.
For example, if I encrypt the full drive but leave BIOS open (or they steal the disk), they can boot to recovery but will gain nothing. They can't get into the disk without the key. It's still protecting you from breaking into the box because they can't get anything on the disk at all if its fully encrypted.
If you restrict recovery and boot options and make it obvious that the case has been opened... how would partial disk encryption not provide that protection as well?
It probably would. There are some unknowns like whether system restore points would have any of this data in them and people can accidentally move data to the unencrypted partition/drive.
I'm also coming at this from the angle of where I work. There are some legit concerns with our data so our systems are required for full disk encryption and any information like that isn't on laptops. Boot loader is password protected and BIOS is locked down. Even USB ports are disabled and kernel modules are removed.
Right, well I'm assuming that boot loader and all that is locked down here too, or there is too much risk regardless.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
There isn't anything that protects against this other than BIOS, which isn't OS security.
For example, if I encrypt the full drive but leave BIOS open (or they steal the disk), they can boot to recovery but will gain nothing. They can't get into the disk without the key. It's still protecting you from breaking into the box because they can't get anything on the disk at all if its fully encrypted.
If you restrict recovery and boot options and make it obvious that the case has been opened... how would partial disk encryption not provide that protection as well?
It probably would. There are some unknowns like whether system restore points would have any of this data in them and people can accidentally move data to the unencrypted partition/drive.
I'm also coming at this from the angle of where I work. There are some legit concerns with our data so our systems are required for full disk encryption and any information like that isn't on laptops. Boot loader is password protected and BIOS is locked down. Even USB ports are disabled and kernel modules are removed.
Right, well I'm assuming that boot loader and all that is locked down here too, or there is too much risk regardless.
Ya, I don't believe how many people I've seen use super long passwords and not password protect the boot loader. All I need is "rd.break" and I'm in.
I guess it also helps mitigate mistakes by admins. If you don't have fully automated builds like happens a lot in smaller environments, there are a lot of variables that can make a difference.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
There isn't anything that protects against this other than BIOS, which isn't OS security.
For example, if I encrypt the full drive but leave BIOS open (or they steal the disk), they can boot to recovery but will gain nothing. They can't get into the disk without the key. It's still protecting you from breaking into the box because they can't get anything on the disk at all if its fully encrypted.
If you restrict recovery and boot options and make it obvious that the case has been opened... how would partial disk encryption not provide that protection as well?
It probably would. There are some unknowns like whether system restore points would have any of this data in them and people can accidentally move data to the unencrypted partition/drive.
I'm also coming at this from the angle of where I work. There are some legit concerns with our data so our systems are required for full disk encryption and any information like that isn't on laptops. Boot loader is password protected and BIOS is locked down. Even USB ports are disabled and kernel modules are removed.
Right, well I'm assuming that boot loader and all that is locked down here too, or there is too much risk regardless.
Which is again why Open Source is important. Things like system restore having this data would be understood.
Maybe it already is and I just don't know. Not a Windows admin.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
There isn't anything that protects against this other than BIOS, which isn't OS security.
For example, if I encrypt the full drive but leave BIOS open (or they steal the disk), they can boot to recovery but will gain nothing. They can't get into the disk without the key. It's still protecting you from breaking into the box because they can't get anything on the disk at all if its fully encrypted.
If you restrict recovery and boot options and make it obvious that the case has been opened... how would partial disk encryption not provide that protection as well?
It probably would. There are some unknowns like whether system restore points would have any of this data in them and people can accidentally move data to the unencrypted partition/drive.
I'm also coming at this from the angle of where I work. There are some legit concerns with our data so our systems are required for full disk encryption and any information like that isn't on laptops. Boot loader is password protected and BIOS is locked down. Even USB ports are disabled and kernel modules are removed.
Right, well I'm assuming that boot loader and all that is locked down here too, or there is too much risk regardless.
Ya, I don't believe how many people I've seen use super long passwords and not password protect the boot loader. All I need is "rd.break" and I'm in.
I guess it also helps mitigate mistakes by admins. If you don't have fully automated builds like happens a lot in smaller environments, there are a lot of variables that can make a difference.
It's kind of a toss up in that case, the fear is that the machine will go without being patched and then be vulnerable and get compromised that way.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
There isn't anything that protects against this other than BIOS, which isn't OS security.
For example, if I encrypt the full drive but leave BIOS open (or they steal the disk), they can boot to recovery but will gain nothing. They can't get into the disk without the key. It's still protecting you from breaking into the box because they can't get anything on the disk at all if its fully encrypted.
If you restrict recovery and boot options and make it obvious that the case has been opened... how would partial disk encryption not provide that protection as well?
It probably would. There are some unknowns like whether system restore points would have any of this data in them and people can accidentally move data to the unencrypted partition/drive.
I'm also coming at this from the angle of where I work. There are some legit concerns with our data so our systems are required for full disk encryption and any information like that isn't on laptops. Boot loader is password protected and BIOS is locked down. Even USB ports are disabled and kernel modules are removed.
Right, well I'm assuming that boot loader and all that is locked down here too, or there is too much risk regardless.
Which is again why Open Source is important. Things like system restore having this data would be understood.
Maybe it already is and I just don't know. Not a Windows admin.
Yup, sounds like they are just using the wrong tool(s) for the job at hand.
-
@wrx7m said in supporting an office of computers with full drive encryption:
I saw this marked as solved but can't seem to find the post that mentions the solution/what the OP ended up doing.
I was wondering how much time it would add to my job if I took on a client that was using full disk encryption. After a few posts it was clear that it would be additional overhead.
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
@wrx7m said in supporting an office of computers with full drive encryption:
I saw this marked as solved but can't seem to find the post that mentions the solution/what the OP ended up doing.
I was wondering how much time it would add to my job if I took on a client that was using full disk encryption. After a few posts it was clear that it would be additional overhead.
Yeah, definitely some for sure.