Basic Security in Windows

[WWGD]

Hi All,
There are certain options to protect information on Windows: restricting access to files, encryption, etc. Still, since it is possible to disable or change the admin password, is there any reasonable measure left to protect files (Assuming here that admin logins have unrestricted access. Right?)? Or is it a better option to leave them somewhere on the cloud: Dropbox, etc?

 

[jedishrfu]

Your best bet to protect files is to do backups and keep them around. Also you should consider encrypting ones with personal info so that hackers can't take advantage of the information. While you could place them in the cloud, there is always the chance that a hacker could gain access to them once they compromise your signon password.

You could also consider storing some of your backups at the local bank for further protection and establish a schedule of doing backups and storing them at the bank.

And consider storing them on multiple media like CDs, DVDs, USB sticks, USB external drives realizing that:
- USB external drives are susceptible to magnetic fields, and
- CDs/DVDs are susceptible to heat and scratches.

Some folks have even recommended digital tape over external drives. Keep a working CD/DVD player/recorder around and similarly for the digital tape drive.

 

[WWGD]

Your best bet to protect files is to do backups and keep them around. Also you should consider encrypting ones with personal info so that hackers can't take advantage of the information. While you could place them in the cloud, there is always the chance that a hacker could gain access to them once they compromise your signon password.

You could also consider storing some of your backups at the local bank for further protection and establish a schedule of doing backups and storing them at the bank.

Thanks, but doesn't anyone with an admin login, or, after disabling/changing admin password have the ability to decrypt files? EDIT: This is simple to do, just by logging in safe mode, or , if logged in ( as a non-admin) going into the command prompt.

 

[jedishrfu]

If you encrypt with some utility like a zip tool that is outside the purview of Windows administration.

 

[WWGD]

If you encrypt with some utility like a zip tool that is outside the purview of Windows administration.

Thanks again. Is it the case that ( EDIT: just-about; sorry for the fuzzyness here, I know you cannot be expected to cover every possible scenario; just a sort of ball-park here ) any security measure within Windows can be overcome either with an admin password or by disabling password use ( which is scarily easy to do) ?

 

[Routaran]

Thanks again. Is it the case that ( EDIT: just-about; sorry for the fuzzyness here, I know you cannot be expected to cover every possible scenario; just a sort of ball-park here ) any security measure within Windows can be overcome either with an admin password or by disabling password use ( which is scarily easy to do) ?

Yes. Remember, the admin is supposed to be able to do anything on the system, this is their role. They can reset passwords, view file contents, etc. That's their role. If you want to hide something from the system admin, then you have to use a method that is not part of the operating system because the admin has the maximum level of access possible on the system.

This is why jedishrfu suggested a 3rd party tool (something not part of of your operating system) to encrypt your data. Then you are using a tool that the admin does not have access into.

But yes, any builtin windows features are under the control of the system administrator and they have the rights to do whatever they want on the system. This isn't a bug, its a requirement of how the system works. So don't hire an admin that you don't trust :)

 

[jedishrfu]

Like any modern OS, given the admin password you can a lot of things to compromise the machine like make drives shareable, install spyware, look at other users unencrypted files or even change them. You can alter the time stamps on files to hide the fact that you edited them...

The one thing you can't do is decrypt an encrypted file without knowing the password unless you, as the bad admin, had compromised the encryption tool beforehand.

This means your encrypted files are safe from viewing but not safe from deletion or getting corrupted or in the case of ransomware encrypted again. Also it means the bad admin can't get your password to use to sign on as you unless the OS has poor security practices allowing it to decrypted from its hashed value.

 

[stoomart]

A third-party encryption software like PGP or VeraCrypt are really the best option for keeping data protected from system administrators, but depending on the sensitivity of the data, even these may not be sufficient to protect your enryption keys safe from administrators using a keylogger, in which case you may also need a hardware/two factor key.

 

[rootone]

As others have said, the most essential thing is to ensure that all your important data is regularly backed up in some medium other than your PC local drives.
That way you can't lose anything even if your OS file system is totally trashed.
It's a pain. but you just restore everything to how it was.
Before the arrival of online malware it was necessary to do that anyway, hard drives were not very reliable, and could suffer from a 'head crash'.

 

[WWGD]

Yes, my bad, I wrongly assumed Bitlocker was third-party. Thanks to all.