Basic Security in Windows

  • Thread starter WWGD
  • Start date
  • #1
WWGD
Science Advisor
Gold Member
5,528
4,229
Hi All,
There are certain options to protect information on Windows: restricting access to files, encryption, etc. Still, since it is possible to disable or change the admin password, is there any reasonable measure left to protect files (Assuming here that admin logins have unrestricted access. Right?)? Or is it a better option to leave them somewhere on the cloud: Dropbox, etc?
 

Answers and Replies

  • #2
12,832
6,713
Your best bet to protect files is to do backups and keep them around. Also you should consider encrypting ones with personal info so that hackers can't take advantage of the information. While you could place them in the cloud, there is always the chance that a hacker could gain access to them once they compromise your signon password.

You could also consider storing some of your backups at the local bank for further protection and establish a schedule of doing backups and storing them at the bank.

And consider storing them on multiple media like CDs, DVDs, USB sticks, USB external drives realizing that:
- USB external drives are susceptible to magnetic fields, and
- CDs/DVDs are susceptible to heat and scratches.

Some folks have even recommended digital tape over external drives. Keep a working CD/DVD player/recorder around and similarly for the digital tape drive.
 
  • #3
WWGD
Science Advisor
Gold Member
5,528
4,229
Your best bet to protect files is to do backups and keep them around. Also you should consider encrypting ones with personal info so that hackers can't take advantage of the information. While you could place them in the cloud, there is always the chance that a hacker could gain access to them once they compromise your signon password.

You could also consider storing some of your backups at the local bank for further protection and establish a schedule of doing backups and storing them at the bank.
Thanks, but doesn't anyone with an admin login, or, after disabling/changing admin password have the ability to decrypt files? EDIT: This is simple to do, just by logging in safe mode, or , if logged in ( as a non-admin) going into the command prompt.
 
  • #4
12,832
6,713
If you encrypt with some utility like a zip tool that is outside the purview of Windows administration.
 
  • #5
WWGD
Science Advisor
Gold Member
5,528
4,229
If you encrypt with some utility like a zip tool that is outside the purview of Windows administration.
Thanks again. Is it the case that ( EDIT: just-about; sorry for the fuzzyness here, I know you cannot be expected to cover every possible scenario; just a sort of ball-park here ) any security measure within Windows can be overcome either with an admin password or by disabling password use ( which is scarily easy to do) ?
 
Last edited:
  • #6
447
94
Thanks again. Is it the case that ( EDIT: just-about; sorry for the fuzzyness here, I know you cannot be expected to cover every possible scenario; just a sort of ball-park here ) any security measure within Windows can be overcome either with an admin password or by disabling password use ( which is scarily easy to do) ?
Yes. Remember, the admin is supposed to be able to do anything on the system, this is their role. They can reset passwords, view file contents, etc. That's their role. If you want to hide something from the system admin, then you have to use a method that is not part of the operating system because the admin has the maximum level of access possible on the system.

This is why jedishrfu suggested a 3rd party tool (something not part of of your operating system) to encrypt your data. Then you are using a tool that the admin does not have access into.

But yes, any builtin windows features are under the control of the system administrator and they have the rights to do whatever they want on the system. This isn't a bug, its a requirement of how the system works. So don't hire an admin that you don't trust :)
 
  • #7
12,832
6,713
Like any modern OS, given the admin password you can a lot of things to compromise the machine like make drives shareable, install spyware, look at other users unencrypted files or even change them. You can alter the time stamps on files to hide the fact that you edited them...

The one thing you can't do is decrypt an encrypted file without knowing the password unless you, as the bad admin, had compromised the encryption tool beforehand.

This means your encrypted files are safe from viewing but not safe from deletion or getting corrupted or in the case of ransomware encrypted again. Also it means the bad admin can't get your password to use to sign on as you unless the OS has poor security practices allowing it to decrypted from its hashed value.
 
  • #8
391
131
A third-party encryption software like PGP or VeraCrypt are really the best option for keeping data protected from system administrators, but depending on the sensitivity of the data, even these may not be sufficient to protect your enryption keys safe from administrators using a keylogger, in which case you may also need a hardware/two factor key.
 
  • #9
3,379
944
As others have said, the most essential thing is to ensure that all your important data is regularly backed up in some medium other than your PC local drives.
That way you can't lose anything even if your OS file system is totally trashed.
It's a pain. but you just restore everything to how it was.
Before the arrival of online malware it was necessary to do that anyway, hard drives were not very reliable, and could suffer from a 'head crash'.
 
  • #10
WWGD
Science Advisor
Gold Member
5,528
4,229
Yes, my bad, I wrongly assumed Bitlocker was third-party. Thanks to all.
 

Related Threads on Basic Security in Windows

Replies
3
Views
869
Replies
1
Views
2K
Replies
2
Views
2K
Replies
5
Views
2K
  • Last Post
Replies
2
Views
5K
  • Last Post
Replies
16
Views
4K
Replies
7
Views
1K
  • Last Post
Replies
1
Views
2K
  • Last Post
Replies
1
Views
2K
  • Last Post
Replies
5
Views
3K
Top