Security Installer Community


Posted
6 hours ago, PSE said:

How can it be insecure if access is controlled by smart card, 

If I have your smart card?

 

And no additional PIN?

Posted
7 hours ago, PSE said:

How can it be insecure if access is controlled by smart card, 

When people forget to remove the card, or become complacent and leave it in the reader/keyboard. 

 

Excuse my ignorance I'm not up on this, but why do you need 2 level authority? I use my fingerprint and a pin for my laptop, wouldn't that be enough? 

Nothing is foolproof to a sufficiently talented fool.


Posted

Windows 10 is so easy to create a back door access from boot level, you can get in within 5 minutes regardless of logon password or fingerprint and access pretty much anything you want, I’ve done it many times. That’s why I’ve gone down the full disk encryption with card access to boot and to logon. Remove the card and you’re logged off. Full disk encryption with secure boot is working perfectly, just wanted to add the smartcard as opposed to mag stripe, I believe it’s got to be more secure.

Posted

Do you have much sensitive data on individual machines?

As al says it's about the layers, smartcard would be to use the machine/terminal as a login password replacement but sensitive data wouldn't be stored on that machine you'd have it on a server protected by something else.

All you need is the machine and the card and you have the FDE broken, whereas you're unlikely to have physical access to server, machine and card at the same time.

 

I don't know how much more secure a smartcard would be to magstripe, I suppose they both could be copied. You could argue if you swipe and keep the card on you, you're less likely to have someone leave an access card in the dock?

You could make the machine lock with inactivity but would be pointless if you left the card so will always be down to the user to some degree.

Posted
8 hours ago, PSE said:

Windows 10 is so easy to create a back door access from boot level, you can get in within 5 minutes regardless of logon password or fingerprint and access pretty much anything you want, I’ve done it many times.  

Ah, OK, thanks for the explanation. 

Nothing is foolproof to a sufficiently talented fool.


Posted
6 hours ago, sixwheeledbeast said:

Do you have much sensitive data on individual machines?

As al says it's about the layers, smartcard would be to use the machine/terminal as a login password replacement but sensitive data wouldn't be stored on that machine you'd have it on a server protected by something else.

All you need is the machine and the card and you have the FDE broken, whereas you're unlikely to have physical access to server, machine and card at the same time.

 

I don't know how much more secure a smartcard would be to magstripe, I suppose they both could be copied. You could argue if you swipe and keep the card on you, you're less likely to have someone leave an access card in the dock?

You could make the machine lock with inactivity but would be pointless if you left the card so will always be down to the user to some degree.

Swipe requires you to stay logged in, I assume screen saver login if you leave desk.

 

But best way is on ID card you always carry it, so less likely to be left around, but if you remove it from reader you're locked out until you insert and use login ID.

 

 

Fingerprints too long-winded for large organisations, not very manageable.

Posted

Using Eset Deslock totally encrypts the drive, it can’t be bypassed in any way, I’ve learnt this the hard way. Once the system is powered up, it locks the boot up and requires typed credentials to be entered only. Once credentials are entered then Windows will boot normal way to the login screen. At this stage, I am attempting to have the smartcard inserted into a reader and this will logon, however once it’s removed it boots you out.

If computers are ever stolen, FDE is already active and impossible to penetrate.

 

I’ve done more research on it and it seems possible, but not easily achieved. Maybe I’m looking at this a bit too much, what are you lot doing your end to achieve max security?

Posted
1 hour ago, PSE said:

Using Eset Deslock totally encrypts the drive, it can’t be bypassed in any way, I’ve learnt this the hard way. Once the system is powered up, it locks the boot up and requires typed credentials to be entered only. Once credentials are entered then Windows will boot normal way to the login screen. At this stage, I am attempting to have the smartcard inserted into a reader and this will logon, however once it’s removed it boots you out.

If computers are ever stolen, FDE is already active and impossible to penetrate.

 

I’ve done more research on it and it seems possible, but not easily achieved. Maybe I’m looking at this a bit too much, what are you lot doing your end to achieve max security?

I think these small time guys keep server in boot of car in case house gets broken into

 

?

Posted

I see, so password only for FDE and you'll leave them on, wasn't aware that was an option for Win, was thinking of BitLocker.

I use LUKS for all data storage but not Windows systems so unlikely helpful.

 
