Prevent sibling from destroying computer

1

I have a cousin who has a sibling who tends to take any laptop or computer they find and format the hard drive to run Linux. They are a bit proficient in circumventing security.

I am by far more savvy than they are when it comes to most things software/hardware related, so I have been tasked with putting Windows 10 back on it, but I am looking for some security experts to help me prevent them from getting hold of a laptop (specifically, a Lenovo T440), formatting the hard drive, and installing Linux on it.

I have just installed Windows 10 Pro on the laptop.

BIOS settings:

  • UEFI Only No CSM
  • BIOS password
  • no UEFI USB support
  • disabled USB in boot order
  • locked boot order to Windows then hdd0
  • enabled internal component detection (i.e., opening the bottom case)

Essentially I tried to keep them out of the BIOS and prevent them from running a live USB of Linux at boot.

I can't disable BitLocker and don't want to be called/texted every time they install a program, so I don't want to downgrade them to a standard user, unless it can be done without me having to type a password every time they do something. I believe that this laptop has separate means of keeping the BIOS password from being reset (i.e., not just popping out the CMOS battery).

I believe these to be strong deterrents until they break past the BIOS. I am looking for any more methods of protecting this device without going full asset protection software.

I am open to all options.

Are these sufficient deterrents, or are there others that I should implement?

architect401

Posted 2019-08-03T17:53:00.447

Reputation: 23

4 This is a human problem, not something that can be prevented by software. – Ramhound – 2019-08-03T17:55:15.553

Yes, that is quite obvious. Seeing as how the human can't be removed from the solution, I am looking for as many deterrents as possible. – architect401 – 2019-08-03T18:14:55.860

If the user is able to log into your machine, they can disable BitLocker. I assume they are an Administrator, since that would require a phone call whenever they install the software. – Ramhound – 2019-08-03T18:17:58.713

2 Have you thought of a) sending them a bill for your time, or b) a good kicking? ;) – Tetsujin – 2019-08-03T18:18:08.630

The primary user is an administrator on the computer. And a swift kick in the you-know-what would provide me with satisfaction but likely wouldn't prevent them from hacking into the sibling's computer. And for a simple reinstall of Windows, I can't be compelled to charge family for it. Hardware upgrades and data recovery... whole different realm. I wish the recovery key was needed to disable BitLocker, or at least some alternative unbypassable password. – architect401 – 2019-08-03T18:24:07.413

Not really a serious recommendation for now, as they sure ain't cheap - but getting past Apple's T2 security would be beyond most people - https://support.apple.com/HT208330 – Tetsujin – 2019-08-04T07:52:55.170

Not even sure how one would go about installing a T2 chip on anything but a Mac. – architect401 – 2019-08-04T16:11:39.170

Answers

3

You may keep them out of the BIOS by setting the Supervisor Password, as distinct from the normal BIOS Password. This password may also be called System password or Administrator password.

This password is required only whenever anyone tries to enter the BIOS itself. For most BIOS implementations it does not affect a normal boot.

It is vulnerable to all methods of clearing the CMOS. The computer might be of the type where clearing is possible by removing the CMOS battery or changing the CMOS jumper.

Physical protection against opening the case is also available for some computer models. If you need it, search for a "computer lock" (or similar) for the model.

harrymc

Posted 2019-08-03T17:53:00.447

Reputation: 306 093

Thanks. That seems to be my best option. – architect401 – 2019-08-03T19:41:39.247