I've been involved with handling desktop security for a number of corporations, and by far my biggest problem is educating users that most of the products and habits they use are worthless.
By far and away the most effective way to secure a Windows box is to avoid using an admin level account whenever possible. This rule supercedes any idiot belief in software firewalls and spyware/virus scanners, which accomplish little other than make software companies lots of money. Yet, I've aleady several posts in this thread equating Malware/Spyware with firewalls when neither have anything to do with each other. As long as this is the case, and we have 'tards who refuse to update Windows with security updates for fear it might break their stupid 3rd party software firewall, or think a software firewall is also a content filter, then malware writers will always have a job.
Contrary to urban myth, a fully patched Windows box sitting on the internet without a firewall is not in danger of being hacked. Hackers go after open port 25 relays, unpatched SQL services, things they can make money with, etc. If you aren't running these type of backend services on your machine, then the need for software firewalls becomes greatly diminished. Anybody who declares the value of software firewalls as being usefull because they can sometimes detect problems via outbound activity needs to be slapped, and denied a job from ever working in the IT industry. If you are that mentally incompetent as being unable to prevent this garbage from getting on your machine in the first place then you shouldn't be allowed the admin password on any computer.
If 75% of Windows desktop users were to use a non admin account 75% of the time, McAfee, Symantec, and pretty much every malicious code writer on the internet would go out of business in a month.
As for note, running Internet Explorer inside of a non-admin account pretty much renders it's security problems inert.
By far and away the most effective way to secure a Windows box is to avoid using an admin level account whenever possible. This rule supercedes any idiot belief in software firewalls and spyware/virus scanners, which accomplish little other than make software companies lots of money. Yet, I've aleady several posts in this thread equating Malware/Spyware with firewalls when neither have anything to do with each other. As long as this is the case, and we have 'tards who refuse to update Windows with security updates for fear it might break their stupid 3rd party software firewall, or think a software firewall is also a content filter, then malware writers will always have a job.
Contrary to urban myth, a fully patched Windows box sitting on the internet without a firewall is not in danger of being hacked. Hackers go after open port 25 relays, unpatched SQL services, things they can make money with, etc. If you aren't running these type of backend services on your machine, then the need for software firewalls becomes greatly diminished. Anybody who declares the value of software firewalls as being usefull because they can sometimes detect problems via outbound activity needs to be slapped, and denied a job from ever working in the IT industry. If you are that mentally incompetent as being unable to prevent this garbage from getting on your machine in the first place then you shouldn't be allowed the admin password on any computer.
If 75% of Windows desktop users were to use a non admin account 75% of the time, McAfee, Symantec, and pretty much every malicious code writer on the internet would go out of business in a month.
As for note, running Internet Explorer inside of a non-admin account pretty much renders it's security problems inert.
That's correct. You can use Bitlocker on non-TPM 1.2 machines using a USB key. You can also use a USB key to store the recovery information in a TPM scenario.
Also, you can opt to use a startup PIN with the TPM, which is what I use.
Nothinman
Elite Member
- Sep 14, 2001
- 30,672
- 0
- 0
For now, there's no telling what will be discovered to be vulnerable in a day or a week so you still need to limit your exposure as much as possible.
So you're predicting their demise in ~5 years when Vista replaces the majority of XP machines? =)
From a "take over the box and install a rootkit" standpoint, yes, but not from a "delete all of my files" standpoint. Something like the old ILoveYou would still be just as effective (minus the propogation since it's more difficult to get to the addressbook now) today if it had a delivery system.
So there's no way to just use a plain passphrase and no TPM?
The only startup methods are TPM, TPM+PIN, TPM+USB key, or USB key only. Passphrase would imply that the key information is stored on the local drive, which is less than ideal. You can actually do this with Bitlocker. You can turn off Bitlocker, but keep the drive encrypted. So none of the startup methods above would be required, because the key is stored (in the clear) on the drive.
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes + WCL Discussion Threads
- Started by Tigerick
- Replies: 24K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 23K
-
-
Facebook
Twitter