Static Talk:How To Survive

From 34C3_Wiki

Windows

BACKUP!

First of all, make a backup of your work. You know: "files exist not until three copies" (original + three backups on different media and locations). Seriously, don't ask, just do it now!

Secondly, you should not have any important/sensitive files on your device, anyway.

Updates

Install the latest updates! If you use Windows 8, upgrade to at least 8.1 or to Windows 10 (free of charge until 2017-12-31), because Windows 8 is out of support.

End of Life:
- Windows 7: January 14, 2020
- Windows 8.1: January 10, 2023
- Windows 10 (1709): October 14, 2025

Firewall

For the congress you should configure your Windows Firewall to block all incoming connections. To do this, click on the Windows Key => Enter "Firewall" into the search => Open "Windows Defender Firewall with advanced security" => Right click on "Windows Defender Firewall..." (the root of the tree on the left) => Click on Settings => Open the "Public Tab" => Set the status to "On (recommended)" and under Ingoing Connections select "All blocked"

Note: When you're at the congress and Windows asks you what network you're on, select Public, as this determines the firewall zone Windows is using.

SecureBoot

If you're reinstalling Windows for the congress (or you already have it installed in UEFI mode), you should do this in UEFI mode, i.e. disable legacy support entirely and enable SecureBoot in your UEFI before installing. Otherwise, just activate SecureBoot in your BIOS/UEFI. Windows in UEFI mode is a bit faster and a bit more secure (chain of trust). SecureBoot is an anti-tamper technology. If someone tampers with your bootloader (bootloader virus or malware), the system will refuse to boot. In this case you should reinstall your machine and you should not trust it anymore.

TPM and BitLocker

Enable the TPM in your BIOS/UEFI. After that, reboot your system and enable BitLocker. BitLocker is a transparent full disk encryption. It has (nearly) no impact on performance. Go to Windows => Enter "control" into the search => select "Control Panel" => now select "BitLocker-Drive encryption" => "C: BitLocker disabled" => "Activate BitLocker"

If you boot your PC and it asks for a recovery password, DON'T ENTER IT. This means that the TPM did not release the necessary key (CPU register check or some other integrity check failed). Just reinstall your PC.
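The firewall, SecureBoot, TPM and BitLocker settings from the sections above can also be checked in one go from an elevated PowerShell prompt. The script below is an added example, not part of the original wiki page; it only reads settings, assumes the stock Windows 10 cmdlets, and Test-Setting is a helper name made up for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of the settings recommended on this page.
# Test-Setting is a hypothetical helper name; nothing here changes configuration.
$ErrorActionPreference = 'Stop'   # turn cmdlet errors into catchable exceptions

function Test-Setting {
    param([string]$Name, [scriptblock]$Check)
    $detail = ''
    try   { $ok = [bool](& $Check) }
    catch { $ok = $false; $detail = $_.Exception.Message }   # e.g. legacy BIOS, no TPM
    [pscustomobject]@{ Setting = $Name; OK = $ok; Detail = $detail }
}

# ActiveStore returns the effective policy (local settings merged with any GPO).
$fw  = { Get-NetFirewallProfile -Name Public -PolicyStore ActiveStore }
$vol = { Get-BitLockerVolume -MountPoint $env:SystemDrive }

$results = @(
    Test-Setting 'Firewall: Public profile is on' {
        "$((& $fw).Enabled)" -eq 'True' }
    Test-Setting 'Firewall: all inbound blocked, allow rules ignored' {
        $p = & $fw
        "$($p.DefaultInboundAction)" -eq 'Block' -and "$($p.AllowInboundRules)" -eq 'False' }
    Test-Setting 'Network: every connected network is Public' {
        -not (Get-NetConnectionProfile | Where-Object NetworkCategory -ne 'Public') }
    Test-Setting 'SecureBoot: enabled' {
        Confirm-SecureBootUEFI }
    Test-Setting 'TPM: present and ready' {
        $t = Get-Tpm
        $t.TpmPresent -and $t.TpmReady }
    Test-Setting 'BitLocker: protection on for system drive' {
        "$((& $vol).ProtectionStatus)" -eq 'On' }
    Test-Setting 'BitLocker: key is bound to the TPM' {
        (& $vol).KeyProtector.KeyProtectorType -match '^Tpm' }
)
$results | Format-Table -AutoSize -Wrap

# To apply the firewall setting from the command line instead of the GUI:
# Set-NetFirewallProfile -Name Public -Enabled True -DefaultInboundAction Block -AllowInboundRules False
```

Any row with OK = False points back to the matching section above; the Detail column carries the cmdlet's error message when a check could not run at all.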

Use PIN instead of password

If you use Windows 10, you should use the PIN to log in instead of the password. At first this sounds counterintuitive to security-minded people, but there are some valid reasons:
1. A PIN is shorter and easier to remember.
2. A PIN does not allow access to a connected Microsoft Account if someone captures your keystrokes or observes you entering it.
3. The PIN is bound to that one device.
4. You cannot brute-force the PIN; it will not allow entering an unlimited number of PINs.

If this happens, you have to enter the password, so make sure no one plugged anything into your computer and go to some unobserved spot to enter your password. From there on you can reuse your PIN, as you have successfully authenticated once.

Secure Hardware

Once again, we're telling you to secure your hardware. If the hardware is compromised, there is nothing software can fix. Install the latest BIOS/UEFI update and set a BIOS/UEFI password. Although this is strictly not part of Windows, it has major implications for your Windows security. If you don't do this, your system may still be compromisable even if you followed the above guidelines, as an attacker could just turn off SecureBoot (BitLocker will most likely still detect this, as the TPM will check the CPU register state before providing the secret).

Also, it may be worth googling the following:
- Reset Bios Password $vendor $model
- Bypass Bios password $vendor $model