Hack and a thought

Recently I came across a cute hack to reset a Windows 7 password; someone shared it with me, saying it's a cakewalk.

https://www.oxhow.com/reset-windows-7-password-without-password-reset-disk/

I looked at it, tested it in the lab and was able to change the password as explained there. Then I also came across ways to mitigate this, for example:

If we execute the command below in an elevated command prompt (admin command prompt), it disables the automatic launch of the repair that the article relies on:

bcdedit /set {default} bootstatuspolicy ignoreallfailures

There are other ways as well. But that's not what matters most; what's important (as per me, and a few others as well) is what I'm going to discuss here.

If you are not already aware of the "Ten Immutable Laws of Security", refer to https://blogs.technet.com/b/rhalbheer/archive/2011/06/16/ten-immutable-laws-of-security-version-2-0.aspx

The list is here; if we look at it, this hack is hitting Law #3:

Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.

i.e. Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. So if you are indeed hitting this law and still think the operating system should have a mitigation for it by default, then a rethink is required.

I was thinking about the scenarios in which this can happen to a non-corporate machine, e.g. a regular user's, and in which it can happen to a corporate user's machines, which are either desktops or laptops.

For a non-corporate regular user, this can happen if she loses her laptop. The same is true for a corporate user, i.e. if she loses her laptop. So what's the best defense or mitigation if you are hitting Law #3?

I would feel safe as both types of user if my data is not accessible to the bad guy. That's only possible with encryption, i.e. if the user's laptop drive is encrypted. Microsoft's latest operating systems have a feature called BitLocker, which is a strong, in fact the best, defense in such a scenario. If the bad guy does not have the BitLocker key, he can't even get to the starting point mentioned in the linked hack; he cannot access the data on the drive, it's ENCRYPTED. So although the user would still lose the data, and her machine as well, if she hits Law #3, the data will not be compromised or disclosed; nobody can see it.

For desktops in an enterprise, it's a little difficult to imagine hitting Law #3, but here again BitLocker is a super defense: the bad guy can't go any farther than the BitLocker key screen.

In information security, confidentiality of data is maintained by ensuring it is encrypted at rest and also in motion, using protocols like SSL and IPsec. So encryption is the way forward (it's already there; some are using it, some are not).
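The following PowerShell script is an added example, not part of the original post, that checks the two mitigations discussed above on the local machine: whether the bcdedit bootstatuspolicy has been set to ignoreallfailures, and whether the OS drive is BitLocker-protected. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the Get-BitLockerVolume cmdlet is available; the function names Test-BootRepairSuppressed, Get-OsDriveBitLockerState and Test-Law3Mitigations are my own.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
function Test-BootRepairSuppressed {
    # bcdedit lists "bootstatuspolicy IgnoreAllFailures" for the default entry once the
    # mitigation from the post has been applied. Braces must be quoted in PowerShell.
    $entry = bcdedit /enum '{default}' 2>&1 | Out-String
    return ($entry -match '(?im)^\s*bootstatuspolicy\s+IgnoreAllFailures\s*$')
}

function Get-OsDriveBitLockerState {
    # Get-BitLockerVolume ships with the BitLocker feature (Windows 8+ / Server 2012+).
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Drive = $env:SystemDrive; Available = $false }
    }
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        Drive        = $vol.MountPoint
        Available    = $true
        ProtectionOn = ($vol.ProtectionStatus -eq 'On')
        VolumeStatus = $vol.VolumeStatus   # e.g. FullyEncrypted, EncryptionInProgress
        Protectors   = ($vol.KeyProtector | Select-Object -ExpandProperty KeyProtectorType) -join ', '
    }
}

function Test-Law3Mitigations {
    $bl = Get-OsDriveBitLockerState
    $report = [pscustomobject]@{
        StartupRepairSuppressed = Test-BootRepairSuppressed
        BitLockerAvailable      = $bl.Available
        BitLockerProtectionOn   = [bool]$bl.ProtectionOn
        BitLockerVolumeStatus   = $bl.VolumeStatus
        BitLockerProtectors     = $bl.Protectors
    }
    # The post's point: once physical access is lost (Law #3), only encryption keeps the
    # data confidential, so the BitLocker finding is the one that matters most here.
    if (-not $report.BitLockerProtectionOn) {
        Write-Warning "BitLocker protection is not on for $($bl.Drive); the drive is readable offline."
    }
    if (-not $report.StartupRepairSuppressed) {
        Write-Warning "bootstatuspolicy is not IgnoreAllFailures; apply: bcdedit /set {default} bootstatuspolicy ignoreallfailures"
    }
    return $report
}

Test-Law3Mitigations | Format-List
```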

Following are a few links about how BitLocker can be enabled. These are just a few; I will add more as and when I find more.

Windows 8: https://windows.microsoft.com/en-in/windows-8/bitlocker-drive-encryption

Windows 7: https://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx

https://technet.microsoft.com/en-us/library/dd875547(v=ws.10).aspx

https://windows.microsoft.com/en-IN/windows7/what-group-policy-settings-are-used-with-bitlocker

https://windowsitpro.com/security/deploy-bitlocker-your-organization-right-way