
It is a laptop shared by my lab. Today I use it, another day one of my students takes it on a field trip. I have 3 hard drives. I want to leave 2 hard drives for my students and 1 for myself. On my hard drive, I have all my stuff. Students have admin access since they need to install programs, run scripts, etc. Is there a way to password protect my internal hard drive so that none of my students (i.e. other administrators) can access my files if logged in on their account?

EXTRA INFO: My stuff is backed up on Dropbox so I do not care if they wipe the drive out. It is a Windows PC.

Millemila

3 Answers

3

There's a concept in threat modelling called spheres of control. A sphere of control is effectively the things in a system that a particular actor has control over. Actors are usually people with different roles, such as unauthenticated users, logged in users, administrators, etc., and each of these has their own sphere of control. If you think about how these spheres overlap, or might overlap, you can better understand what resources each actor has access to (or at least should have access to) and use that to identify where your risks might be concentrated.

You have one sphere for everyone. You, the trusted user, have persistent admin access on an OS and they, the untrusted users, have exactly the same level of persistent access. No matter what control you put in place, they can circumvent it, because you have the same sphere of control as an untrusted user.

For the purposes of my answer here I'm going to ignore the potential for hardware modification. While such modifications are technically possible, your students probably don't have sufficient motivation and resources to implement such attacks, and if I included them in the threat model my answer would be much more complicated and bleak.

What you need to do is create two separate spheres of control, and enforce the separation with a security boundary. If the students require administrative access on the OS, you cannot enforce separation between you and them on that OS. To demonstrate why this is the case, imagine the scenario in which you use full-disk encryption (FDE) such as BitLocker, LUKS, or VeraCrypt in order to encrypt the data on your drive. You hand the laptop off to a student, with your disk encrypted. They can't unlock the drive because they don't have your password, but they can install a keylogger on the system and steal your password the next time you unlock the disk.

One way around this is to install a second copy of the OS onto your hard disk, then use FDE to encrypt it, resulting in a multi-boot system where students get access to one "dirty" instance of the OS, and you get access to a "clean" instance of the OS. When the system boots, the POST or bootloader gives the user two options to boot from, and they cannot boot from your copy of the OS without knowing the FDE password. The FDE password entry is done outside of the OS, so it is outside of the students' control sphere. This creates two separate spheres of control with a strong security boundary that is (given certain caveats) outside their sphere of control.

You can improve the security of this approach if you use a TPM with your FDE, to prevent brute-force attacks, and enable Secure Boot to prevent manipulation of the bootloader and preboot authentication binaries. This is made more difficult to mess with if you apply a BIOS administrator password.


Regarding setting up FDE, you've got a few options. If you're using Windows 10 Pro you'll have access to BitLocker, which is the most convenient. Unfortunately it isn't available on Windows 10 Home edition.

To enable BitLocker on a data drive (i.e. a drive that the OS isn't installed on) you can just type BitLocker into the start menu search and then click "Turn BitLocker on" on the fixed data drive you want to encrypt. By default, when you start the computer the drive will be locked, and when you try to open it in Explorer it'll ask you for your password to unlock the drive. You can later right click the drive and lock it again. It's a manual process, although obviously it locks the drive automatically when you shut down the computer.

One important caveat is that when you unlock a drive, it is accessible by all users that are logged on. So if you're logged in and have unlocked the drive, then hand the laptop to a student who uses Switch User to also log in at the same time, they'll be able to read the unlocked disk. You should lock the disk manually or shut down before giving them the laptop.

It's worth noting that BitLocker may present you with an option to automatically unlock the drive on startup. This is usually used for situations where you want to have a data drive encrypted as well as your OS drive, but don't want the inconvenience of having to manually unlock the drive on startup. Unfortunately this cannot be done on a per-user basis, so you shouldn't choose this option in your situation.

If you don't have Windows 10 Pro, and therefore don't have BitLocker, you could use VeraCrypt instead. Launch VeraCrypt, click Create Volume, pick "Encrypt a non-system partition/drive", select "Standard VeraCrypt" volume, click "Select Device...", pick the partition associated with the drive you want to encrypt, then choose "Encrypt partition in place". You can then pick your password and encrypt the volume. When you want to unlock it later, you just launch VeraCrypt, pick the partition to mount, and unlock it with your password. The same precautions apply as with BitLocker in terms of giving students access to the laptop while the drive is unlocked.

Polynomial
  • Great answer. The second copy of the OS is a great suggestion for other people but I think it's overkill for me. Students won't install a keylogger, they risk too much; IT admins check computers on campus and if unauthorized programs are installed students are in trouble. Not worth it. I think FDE is best for me. Could you please add a paragraph to explain how FDE works (the way you expanded on dual OS)? Am I asked the password every time I log in? Every N hours? Every time I open a file? Or when I access the disk? Can I choose? Should I go for Windows BitLocker, or are there any advantages of the others? – Millemila Dec 29 '20 at 15:20
  • @Millemila Added some info on that. BitLocker is the most convenient, but VeraCrypt is just as good. – Polynomial Dec 30 '20 at 21:24
  • Amazing, great answer! What about hibernation? I guess the drive stays unlocked if I hand a hibernated laptop to the students. I ask because I do not reboot often, mostly hibernate. I gotta remember to shut down the PC or manually lock the drive instead of hibernating. – Millemila Dec 30 '20 at 23:18
  • Another cool line to add would be overhead: how much overhead (how much will BitLocker slow down the PC)? I have a fancy Samsung SSD M.2 NVMe, but others could be interested in HDD. – Millemila Dec 30 '20 at 23:24
  • @Millemila On modern processors there's only a very tiny amount of overhead. It's almost transparent except for environments that need extremely high IO performance. For a laptop you shouldn't notice it at all. – Polynomial Dec 30 '20 at 23:26
  • @Millemila Regarding automatically locking the drive, you can [use GPO to add a logoff script for your user that locks the BitLocker drive](https://security.stackexchange.com/questions/159172/bitlocker-lock-removable-drives-at-logoff), then [use a scheduled task to execute the same command on sleep and return from sleep](https://superuser.com/questions/321151/how-to-execute-a-script-on-sleep-hibernate-resume-and-shutdown) (which also covers hibernate). That'll ensure that your drive gets locked automatically if you haven't locked it already, whenever you log off or sleep/hibernate the machine. – Polynomial Dec 30 '20 at 23:29
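The BitLocker workflow the answer and comments describe (password-protect the data drive, keep the automatic-unlock convenience off, lock the drive before handing the laptop over, and run that same lock step from a logoff script or scheduled task) as a PowerShell script. This is an added example, not code from the answer, its author, or Microsoft; it assumes the personal drive is `D:` and that the laptop runs Windows 10 Pro or later, which ships the BitLocker module and the TPM/Secure Boot cmdlets it calls.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: D: is the personal data drive (not the OS volume),
# Windows 10/11 Pro with the BitLocker PowerShell module available.
$DataDrive = 'D:'

function Test-Prerequisites {
    # TPM and Secure Boot are what the answer recommends for hardening the OS
    # volume; a password-protected data drive works without them, but it is
    # worth knowing what the machine offers before choosing a design.
    $tpm = Get-Tpm
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }  # throws on legacy BIOS
    [pscustomobject]@{
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        SecureBootOn = $secureBoot
    }
}

function Protect-DataDrive {
    param([string]$MountPoint = $DataDrive)
    $pw = Read-Host -Prompt "Choose the unlock password for $MountPoint" -AsSecureString
    # A password protector means unlocking is a deliberate act by whoever knows
    # the password; it is not tied to which Windows account is signed in.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -PasswordProtector -Password $pw -UsedSpaceOnly
    # Also add a recovery password; print it and keep it with the Dropbox backup,
    # not on this laptop.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    # The "automatically unlock this drive" option unlocks it for every account,
    # not just yours, so make sure it is off.
    if ((Get-BitLockerVolume -MountPoint $MountPoint).AutoUnlockEnabled) {
        Disable-BitLockerAutoUnlock -MountPoint $MountPoint
    }
}

function Lock-DataDrive {
    # Run this before handing the laptop over. It is also the action to register
    # as a logoff script or as a scheduled task on sleep/hibernate, so the drive
    # relocks even when you forget. -ForceDismount closes any open handles.
    param([string]$MountPoint = $DataDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq 'Unlocked') {
        Lock-BitLocker -MountPoint $MountPoint -ForceDismount
    }
}

function Unlock-DataDrive {
    param([string]$MountPoint = $DataDrive)
    $pw = Read-Host -Prompt "Unlock password for $MountPoint" -AsSecureString
    # While unlocked, the drive is readable by every signed-in account, including
    # a student who uses Switch User; lock it again before they get the machine.
    Unlock-BitLocker -MountPoint $MountPoint -Password $pw
}

function Get-DataDriveState {
    # Quick check before a hand-over: LockStatus should read Locked and
    # AutoUnlockEnabled should be False.
    Get-BitLockerVolume -MountPoint $DataDrive |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage,
                      ProtectionStatus, LockStatus, AutoUnlockEnabled
}

# One-time setup, then daily use:
#   Test-Prerequisites; Protect-DataDrive
#   Unlock-DataDrive   (when you sit down)
#   Lock-DataDrive     (before the laptop changes hands; also from logoff/sleep hooks)
#   Get-DataDriveState (to confirm it is locked)
```

`Lock-DataDrive` is deliberately a single idempotent function so the same file can be pointed at from the GPO logoff script and the sleep/hibernate scheduled task mentioned in the comments; the lock only happens if the volume is actually unlocked, so repeated triggers are harmless. Hibernation does not relock a BitLocker data drive on its own, which is why the sleep/hibernate hook matters for a laptop that is rarely shut down.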
2

Yes, you can encrypt the files you want protected. This is often implemented as a transparent layer in the OS, so applications will work normally without having to decrypt the files first. There are various solutions depending on the operating system. Windows offers an Encrypting File System, and I'm sure there are various other options available as well.

Another answer mentions that you can't fully protect the machine from all attacks, since users have admin access. While that's true, I suspect you're not worried about students installing keyloggers or other more sophisticated attacks, but more casual ones. Encrypting the files via an OS layer will likely provide the level of protection you're after.

Steve Sether
  • Just to add a specific suggestion. **VeraCrypt** is a clean and easy way to go. It can be used to encrypt the entire drive or you can create encrypted virtual drive(s). Either way, they would need the password to mount and access the contents. Note that it would NOT stop deletion of the encrypted contents. – user10216038 Dec 28 '20 at 17:24
  • While you might be right that this is what the user is looking for, it will still not be a secure solution one way or the other. Looking back at history with students hacking into their teachers' accounts, I don't think the solution is advisable. – Kristian Bodeholt Dec 28 '20 at 18:29
  • @Kristian Bodeholt - You're absolutely correct, it's definitely not a secure solution to be sharing the laptop. However given the OP's constraints, *"Don't do that"* doesn't seem to be acceptable, but it is the better security. – user10216038 Dec 28 '20 at 20:48
  • Yeah, I am not really worried about hacking. If they are good hackers then they could find a way to remotely hack my desktop computer on campus as well. I am more concerned about them looking at my stuff out of curiosity or in case we have a problem. My stuff is backed up on Dropbox so I do not care if they wipe the drive out. – Millemila Dec 28 '20 at 21:57
  • I now added in the title that I am on Windows. How would EFS work? Do I need to enter a password every time I access the drive the first time? Or for every file I open? Or does it just recognize the Windows user? – Millemila Dec 28 '20 at 22:09
  • Also, after googling, people say to use BitLocker instead of EFS. Not sure if it would work in my case with multiple users though. – Millemila Dec 28 '20 at 22:22
  • @KristianBodeholt Security is not binary. There's no such thing as "secure", there's always levels of security against different adversaries. Given the history of houses being broken into and robbed, my house is not secure, so I shouldn't even bother with locking the doors. Determined attackers can always defeat security. That doesn't mean you can't defeat less determined attackers with less security. – Steve Sether Dec 29 '20 at 06:40
  • @Millemila I'm sorry, I have no idea how EFS works. I try to avoid Windows whenever possible. I'm sure you can find more information about EFS via Google. – Steve Sether Dec 29 '20 at 06:41
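The transparent file-level encryption this answer points at is Windows EFS. The PowerShell below is an added example, not code from the answer or its author; it enables EFS on one folder with the built-in `cipher.exe`, verifies the result, and backs up the certificate that the decryption keys hang off. The folder path `D:\Private` and the backup path are assumptions, and the volume has to be NTFS.

```powershell
# Added example. Assumptions: D:\Private is the folder to protect (NTFS volume),
# and C:\EfsBackup is where the certificate export should go (move it off the laptop).
$Private   = 'D:\Private'
$CertOut   = 'C:\EfsBackup\efs-cert'   # cipher appends .pfx

function Protect-FolderWithEfs {
    param([string]$Path = $Private)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # /E encrypts, /S:<dir> applies it to the whole tree. Files created in the
    # folder later are encrypted automatically. The keys are bound to the account
    # that runs this, so there is no password prompt: sign in as you and files
    # open normally; other accounts, admins included, get Access Denied.
    cipher.exe /E /S:$Path | Out-Null
}

function Get-EfsState {
    param([string]$Path = $Private)
    # Each file carries the Encrypted attribute once EFS is on.
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            Encrypted = (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
        }
    }
}

function Get-EfsAccess {
    param([Parameter(Mandatory)][string]$File)
    # Shows which certificates can decrypt the file: normally just your own,
    # plus any data recovery agent an administrator has configured by policy.
    cipher.exe /C $File
}

function Backup-EfsCertificate {
    param([string]$OutFile = $CertOut)
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
    # Without this backup, losing the account (for example a forced password
    # reset on a local account) loses the files too. cipher prompts for a
    # password to protect the exported .pfx; store it with the Dropbox backup.
    cipher.exe /X $OutFile
}

# Typical sequence:
#   Protect-FolderWithEfs
#   Get-EfsState | Format-Table
#   Get-EfsAccess -File "$Private\notes.txt"
#   Backup-EfsCertificate
```

Two practical differences from the BitLocker route discussed in the other answer: EFS needs no unlock step and no hand-over ritual, because access follows the signed-in account rather than a drive-wide unlock, but it protects only the files you mark, and a recovery agent pushed by domain policy would also be able to read them, which `Get-EfsAccess` makes visible.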
1

Since the students will have administrative rights on the machine, no easy solution would be advisable, since it would be possible for the students to install keyloggers, read data from the drive, etc. You could use BitLocker drive encryption on the dedicated drive, but even with the derived password stored on the TPM chip you would be at risk, since it would be possible to get the initial password. I would never propose a solution with this kind of setup, since your files will be at risk as soon as the encrypted drive/container is open, even with a 2nd factor like a YubiKey introduced during authentication.