al-yeti Posted February 25, 2021

> 6 hours ago, PSE said:
> How can it be insecure if access is controlled by smart card,

If I have your smart card? And no additional pin?

norman Posted February 25, 2021

> 7 hours ago, PSE said:
> How can it be insecure if access is controlled by smart card,

When people forget to remove the card, or become complacent and leave it in the reader/keyboard.

Excuse my ignorance, I'm not up on this, but why do you need 2 level authority? I use my fingerprint and a pin for my laptop, wouldn't that be enough?

Nothing is foolproof to a sufficiently talented fool.

PSE (Author) Posted February 25, 2021

Windows 10 is so easy to create a back door access from boot level, you can get in within 5 minutes regardless of logon password or fingerprint and access pretty much anything you want, I’ve done it many times. That’s why I’ve gone down the full disk encryption with card access to boot and to logon. Remove the card and you’re logged off.

Full disk encryption with secure boot is working perfectly, just wanted to add the smartcard as opposed to mag stripe, I believe it’s got to be more secure.

sixwheeledbeast Posted February 25, 2021

Do you have much sensitive data on individual machines?

As al says it's about the layers, smartcard would be to use the machine/terminal as a login password replacement but sensitive data wouldn't be stored on that machine, you'd have it on a server protected by something else. All you need is the machine and the card and you have the FDE broken, whereas you're unlikely to have physical access to server, machine and card at the same time.

I don't know how much more secure a smartcard would be to magstripe, I suppose they both could be copied. You could argue if you swipe and keep the card on you, you're less likely to have someone leave an access card in the dock? You could make the machine lock with inactivity but would be pointless if you left the card, so will always be down to the user to some degree.

norman Posted February 25, 2021

> 8 hours ago, PSE said:
> Windows 10 is so easy to create a back door access from boot level, you can get in within 5 minutes regardless of logon password or fingerprint and access pretty much anything you want, I’ve done it many times.

Ah, OK, thanks for the explanation.

al-yeti Posted February 25, 2021

> 6 hours ago, sixwheeledbeast said:
> Do you have much sensitive data on individual machines? As al says it's about the layers, smartcard would be to use the machine/terminal as a login password replacement but sensitive data wouldn't be stored on that machine, you'd have it on a server protected by something else. All you need is the machine and the card and you have the FDE broken, whereas you're unlikely to have physical access to server, machine and card at the same time. I don't know how much more secure a smartcard would be to magstripe, I suppose they both could be copied. You could argue if you swipe and keep the card on you, you're less likely to have someone leave an access card in the dock? You could make the machine lock with inactivity but would be pointless if you left the card, so will always be down to the user to some degree.

Swipe requires you to stay logged in I assume screen saver login if you leave desk

But best way is on ID card you always carry it, so less likely to be left around, but if you remove it from reader you're locked out until you insert and use login ID

Fingerprints too long-winded for large organisations, not very manageable

PSE (Author) Posted February 25, 2021

Using Eset Deslock totally encrypts the drive, it can’t be bypassed in any way, I’ve learnt this the hard way. Once the system is powered up, it locks the boot up and requires typed credentials to be entered only. Once credentials are entered then Windows will boot the normal way to the login screen. At this stage, I am attempting to have the smartcard inserted into a reader and this will logon, however once it’s removed it boots you out.

If computers are ever stolen, FDE is already active and impossible to penetrate.

I’ve done more research on it and it seems possible, but not easily achieved. Maybe I’m looking at this a bit too much, what are you lot doing your end to achieve max security?

al-yeti Posted February 25, 2021

> 1 hour ago, PSE said:
> Using Eset Deslock totally encrypts the drive, it can’t be bypassed in any way, I’ve learnt this the hard way. Once the system is powered up, it locks the boot up and requires typed credentials to be entered only. Once credentials are entered then Windows will boot the normal way to the login screen. At this stage, I am attempting to have the smartcard inserted into a reader and this will logon, however once it’s removed it boots you out. If computers are ever stolen, FDE is already active and impossible to penetrate. I’ve done more research on it and it seems possible, but not easily achieved. Maybe I’m looking at this a bit too much, what are you lot doing your end to achieve max security?

I think these small time guys keep server in boot of car in case house gets broken into

sixwheeledbeast Posted February 25, 2021

I see, so password only for FDE and you'll leave them on, wasn't aware that was an option for Win, was thinking of BitLocker.

I use LUKS for all data storage but not Windows systems, so unlikely helpful.

james.wilson Posted February 26, 2021

No data on the Windows machines, everything is on the servers, which are Linux based.

securitywarehouse Security Supplies from Security Warehouse. Trade Members please contact us for your TSI vetted trade discount.