
We're encrypting some of the machines in the office with Veracrypt. We're just starting out so cost is an issue but we don't want to cut corners. We'd like one of the devs to be able to log in from home (occasionally). In the short term we're happy just to leave the machine on and risk a reboot but over the next few weeks we want something better.

Short term

  • Leave the machine on
  • Use Teamviewer but with MFA, strong password and strong password to log into Windows

Short term concern

  • If Windows has a strong password what are the vulnerabilities whilst it is switched on but unattended?

Long Term concern

  • Is Teamviewer secured in the way outlined acceptable?
  • If anyone has any general suggestions that a developer with limited sys-admin experience could do I would welcome that. We're getting a Draytek Vigor router with plenty of VPN options for instance.
user1102550

3 Answers

We're encrypting some of the machines in the office with Veracrypt

Are you going to fully encrypt the machines or create an encrypted container? The reason I ask this will be clear below.

Use Teamviewer but with MFA, strong password and strong password to log into Windows

I am unsure but this isn't what MFA stands for. There are 3 factors of authentication - something you know (passwords/passphrases), something you have (tokens), something you are (bio-metrics) - Since this is password authentication on two different apps the security will depend on:

  1. Teamviewer: Make sure you're using a version of teamviewer which does not have known vulnerabilities. Using the latest version is usually advised

  2. Windows:

    1. The reason I asked you if you're going to do a FDE (Full disk encryption) or a container is because if you're going to fully encrypt the hard-disk it protects the data only if the HDD / computer is physically stolen - provided the computer is shut down or at least rebooted and on the login screen of Veracrypt.

    2. If you create an encrypted container and dismount it - whoever logs in to the PC in whichever manner (locally or over Teamviewer) will have to mount the encrypted container.

Unless there is risk of physical theft, the only way Veracrypt or any other encryption program can add value (to a certain extent) is if you create an encrypted container. In case you fully encrypt the hard-disk, keep the computer running and the DEV will login from home - I don't see any addition of security. It will help more if the DEV unmounts the encrypted partition / container and mounts it from home again. However this again is minimal since if the computer is infected / compromised the key can be captured while being entered / data can be extracted while the partition is mounted.

What I would advise you to do is to harden the system and network devices.

  1. Remove all services you don't need on the system (disable them). You may refer to www.blackviper.com/service-configurations/ to help you in this.

  2. Patch - Patch and Patch: OS, software on the system, BIOS, drivers - everything should be at its latest release (production release).

  3. Create a reduced right user and run teamviewer on that account. Let the DEV run his software from there. Set the UAC on windows to FULL.

  4. Install Microsoft's EMET and set it to high. In BIOS / UEFI enable DEP (in windows enable DEP for all programs except mentioned below - don't mention any).

  5. Install a good AV (Norton / Kaspersky) and configure the firewall to block all network traffic unless explicitly allowed (and required), drop protocols that you don't need to use. If you can enable logging on the machine for network traffic, do that. It may help in case of a compromise. This can be set up without any cost with syslog.

  6. Disable: autorun (autoplay). System restore. Simple file sharing. Dump file creation on BSOD. Remote assistance (will be reactivated using AD). Fast wake-up. Hybrid sleep.

  7. Put basic security policies using local policy such as complex password - require alt+ctrl+del at logon.

  8. Following are some suggested settings - please check them for your requirement. I would recommend to disconnect the system from a domain and make it stand alone. It would help if you isolate the traffic to this machine using VLAN. Settings mentioned below are not for a PC connected to a DC.

    1. Accounts: Block Microsoft accounts: Enabled
    2. Accounts: Guest account status: Disabled
    3. Accounts: Administrator account: Disabled
    4. Accounts: Limit local account use of blank passwords to console logon only: enabled
    5. Audit: Audit access of global system objects: enabled
    6. Audit: Audit the use of Backup and Restore privilege: enabled
    7. Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings: enabled
    8. Audit: Shut down system immediately if unable to log security audits: enabled
    9. DCOM: Machine access restrictions: no remote access for all accounts; DCOM: Machine launch restrictions: no remote launch and remote activation for all accounts
    10. Devices: Allow undock without having to log on: disabled
    11. Devices: Allowed to format and eject removable media: administrators and interactive users
    12. Interactive logon: Do not display last user name: enabled
    13. Interactive logon: Do not require CTRL+ALT+DEL: disabled
    14. Interactive logon: Machine account lockout threshold: 10 invalid logon attempts
    15. Interactive logon: Machine inactivity limit: 300 seconds
    16. Interactive logon: Prompt user to change password before expiration: 14 days
    17. Network access: Allow anonymous SID/Name translation: disabled
    18. Network access: Do not allow anonymous enumeration of SAM accounts: enabled
    19. Network access: Do not allow anonymous enumeration of SAM accounts and shares: enabled
    20. Network access: Do not allow storage of passwords and credentials for network authentication: enabled
    21. Network access: Let Everyone permissions apply to anonymous users: disabled
    22. Network access: Named Pipes that can be accessed anonymously: blank
    23. Network access: Remotely accessible registry paths: blank
    24. Network access: Remotely accessible registry paths and sub-paths: blank
    25. Network access: Restrict anonymous access to Named Pipes and Shares: enabled
    26. Network access: Shares that can be accessed anonymously: blank
    27. Network access: Sharing and security model for local accounts: Classic - local users authenticate as themselves
    28. Network security: Allow Local System to use computer identity for NTLM: enabled
    29. Network security: Allow LocalSystem NULL session fallback: disabled
    30. Network security: Allow PKU2U authentication requests to this computer to use online identities: disabled
    31. Network security: Configure encryption types allowed for Kerberos: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types
    32. Network security: Do not store LAN Manager hash value on next password change: enabled
    33. Network security: Force logoff when logon hours expire: disabled
    34. Network security: LAN Manager authentication level: Send NTLMv2 response only, Refuse LM & NTLM
    35. Network security: LDAP client signing requirements: Require signing
    36. Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Require NTLMv2 session security, Require 128-bit encryption
    37. Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: Require NTLMv2 session security, Require 128-bit encryption
    38. Network security: Restrict NTLM: Incoming NTLM traffic: Deny all accounts
    39. Network security: Restrict NTLM: NTLM authentication in this domain: Deny all
    40. Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers: Deny all
    41. Recovery console: Allow automatic administrative logon: disabled
    42. Recovery console: Allow floppy copy and access to all drives and all folders: disabled
    43. Shutdown: Allow system to be shut down without having to log on: enabled
    44. Shutdown: Clear virtual memory pagefile: enabled (check Veracrypt for any conflicts with this setting)
    45. System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing: enabled
    46. System objects: Require case insensitivity for non-Windows subsystems: enabled
    47. System objects: Strengthen default permissions of internal system objects: enabled
    48. System settings: Optional subsystems: blank
    49. System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies: enabled
    50. UAC: Admin Approval Mode for the Built-in Administrator account: enabled
    51. UAC: Allow UIAccess applications to prompt for elevation without using the secure desktop: disabled
    52. UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for consent on the secure desktop
    53. UAC: Behavior of the elevation prompt for standard users: Automatically deny elevation requests
    54. UAC: Detect application installations and prompt for elevation: enabled
    55. UAC: Only elevate executables that are signed and validated: disabled
    56. UAC: Only elevate UIAccess applications that are installed in secure locations: enabled
    57. UAC: Run all administrators in Admin Approval Mode: enabled
    58. UAC: Switch to the secure desktop when prompting for elevation: enabled
    59. UAC: Virtualize file and registry write failures to per-user locations: enabled

Hope this helps. The system can be further secured by controlling what websites are being surfed to, dropping the rights of the browser (you don't need to do this if you're allowing the DEV to logon to a limited privilege account) and controlling which files are being opened. If you can disable Adobe Flash, Reader and Java it will help immensely. You can also block the above-mentioned apps from internet activity (except Flash) if they're absolutely needed.

In the long run please have some sort of remote login service (Microsoft RDP is great and I feel you should explore it if your version of Windows 10 is Professional) enabled that has the ability to take a secondary credential from a token device (since the user will not be present in person, bio-metrics cannot be used).

Hope this helps.

Parth Maniar
  • Hi the disk is full disk encrypted - we want to protect ourselves from theft. The Teamviewer multi-factor authentication is the one with Google Authenticator. – user1102550 Feb 15 '17 at 14:39
  • As I've mentioned FDE is for physical security of data at rest but if theft of hardware is a concern and you plan to keep the system on - FDE is useless if the systems authentication is bypassed. – Parth Maniar Feb 15 '17 at 14:41
  • Yes I wanted to know what the vulnerabilities were if leaving the system on. I'll be going through your list, there's quite a lot there thanks. – user1102550 Feb 15 '17 at 14:44
  • Control network traffic to the computer, isolate it from the primary network and put MFA for remote access. Should be enough. What I've mentioned is for general security too. – Parth Maniar Feb 15 '17 at 14:52

A VPN with RDP is probably the better solution, but you would need some Windows policy enforcements to prevent unrestricted access to the filesystem, printers, clipboard etc. from the uncontrolled RDP client machine to the Developer machine. You would need to be sure the VPN only allows access to the one system. You could also benefit from VPN-based policies on antivirus, p2p software, etc. Checkpoint, PaloAlto and Cisco do this stuff, but I'm not sure if Draytek supports this. Much easier would be to give the developer a locked-down, company-owned workstation to use as a VPN client from home.

Note that Teamviewer is not a very cheap solution. If you're using it commercially, you could contact them to get more information about the recommended method to secure the system given your concerns and limits.

If you're using the personal use license of Teamviewer, then you have a license exposure.

mgjk
  • I think the RDP VPN solution makes a lot of sense for our particular scenario. Parth in the previous comment made a huge list of suggestions. Are there any "pre-built" images of Windows 10 which are more hardened? – user1102550 Feb 15 '17 at 14:57
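As an added example (not code from either answer), a read-only PowerShell audit that reads the registry values behind a subset of the local security policy settings in Parth Maniar's list and the RDP device-redirection restrictions mgjk describes, so the hardened state can be checked after the policies are set. The registry paths and expected values are assumed from Microsoft's policy documentation as known to the author of this example, not from the page; verify them against your own Windows build.

```powershell
# Added example, not from the original answers. Read-only audit of the registry values
# that the Local Security Policy / Group Policy editor writes for a subset of the
# settings recommended on this page (local security policy list + RDP redirection).
# Registry paths and expected data are assumptions from Microsoft's documentation.
# Run in an elevated PowerShell prompt; it changes nothing, it only reports.

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv = "$Lsa\MSV1_0"
$Pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Mem = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$TS  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Each entry: registry path, value name, expected data, the policy it implements
$Checks = @(
  @($Lsa, 'LmCompatibilityLevel',          5, 'LAN Manager authentication level: NTLMv2 only, refuse LM & NTLM'),
  @($Lsa, 'NoLMHash',                      1, 'Do not store LAN Manager hash on next password change'),
  @($Lsa, 'RestrictAnonymousSAM',          1, 'No anonymous enumeration of SAM accounts'),
  @($Lsa, 'RestrictAnonymous',             1, 'No anonymous enumeration of SAM accounts and shares'),
  @($Lsa, 'EveryoneIncludesAnonymous',     0, 'Everyone permissions do not apply to anonymous users'),
  @($Lsa, 'LimitBlankPasswordUse',         1, 'Blank passwords limited to console logon only'),
  @($Msv, 'NtlmMinClientSec',     0x20080000, 'NTLM SSP clients: NTLMv2 session security + 128-bit encryption'),
  @($Msv, 'RestrictReceivingNTLMTraffic',  2, 'Restrict NTLM: incoming NTLM traffic: deny all accounts'),
  @($Msv, 'RestrictSendingNTLMTraffic',    2, 'Restrict NTLM: outgoing NTLM traffic: deny all'),
  @($Srv, 'RestrictNullSessAccess',        1, 'Restrict anonymous access to named pipes and shares'),
  @($Mem, 'ClearPageFileAtShutdown',       1, 'Clear virtual memory pagefile at shutdown'),
  @($Pol, 'DontDisplayLastUserName',       1, 'Do not display last user name'),
  @($Pol, 'DisableCAD',                    0, 'Require CTRL+ALT+DEL at logon'),
  @($Pol, 'InactivityTimeoutSecs',       300, 'Machine inactivity limit: 300 seconds'),
  @($Pol, 'EnableLUA',                     1, 'UAC: run all administrators in Admin Approval Mode'),
  @($Pol, 'ConsentPromptBehaviorAdmin',    2, 'UAC: administrators prompt for consent on the secure desktop'),
  @($Pol, 'ConsentPromptBehaviorUser',     0, 'UAC: standard users: automatically deny elevation requests'),
  @($Pol, 'PromptOnSecureDesktop',         1, 'UAC: switch to the secure desktop when prompting'),
  @($TS,  'fDisableCdm',                   1, 'RDP: drive redirection from the client disabled'),
  @($TS,  'fDisableClip',                  1, 'RDP: clipboard redirection disabled'),
  @($TS,  'fDisableCpm',                   1, 'RDP: client printer redirection disabled')
)

foreach ($c in $Checks) {
  $path, $name, $expected, $desc = $c
  # A missing key or value yields $null (non-terminating error suppressed), meaning the OS default applies
  $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
  if ($null -eq $actual)          { $state = 'NOT SET (default applies)' }
  elseif ($actual -eq $expected)  { $state = 'OK' }
  else                            { $state = "MISMATCH (is $actual, want $expected)" }
  '{0,-28} {1}  <- {2}' -f $state, $desc, "$path\$name"
}
```

A value reported as NOT SET is not necessarily insecure, only unconfigured; compare it with the OS default for that policy before deciding whether to set it.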

Short term, what you are doing seems fine. Long term I would recommend moving away from TeamViewer in favor of either RDP or TightVNC over Win32 OpenSSH. If the site does not have a static IP you could use TINC to set up an always-on secure VPN connection to a server that does have a static IP.

The above setup is what I have done for remote access to a network I am in charge of administrating that is physically half a world away. Granted I am using Ubuntu 16.04 instead of Windows 10 ... but OpenSSH / TightVNC / TINC are cross-compatible solutions that don't require you to rely on a third party service.

CaffeineAddiction