I have a cousin who has a sibling who tends to take any laptop or computer they find and format the hard drive to run Linux. They are a bit proficient in circumventing security.
I am by far more savvy than they are when it comes to most things software/hardware related, so I have been tasked with putting Windows 10 back on it, but I am looking for some security experts to help me prevent them from getting hold of a laptop (specifically, a Lenovo T440), formatting the hard drive, and installing Linux on it.
I have just installed Windows 10 Pro on the laptop.
BIOS settings:
- UEFI Only No CSM
- BIOS password
- no UEFI USB support
- disabled USB in boot order
- locked boot order to Windows then hdd0
- enabled internal component detection (i.e., opening the bottom case)
Essentially I tried to keep them out of the BIOS and prevent them from running a live USB of Linux at boot.
I can't disable BitLocker and don't want to be called/texted every time they install a program, so I don't want to downgrade them to a standard user, unless it can be done without me having to type a password every time they do something. I believe that this laptop has separate means of keeping the BIOS password from being reset (i.e., not just popping out the CMOS battery).
I believe these to be strong deterrents until they break past the BIOS. I am looking for any more methods of protecting this device without going full asset protection software.
I am open to all options.
Are these sufficient deterrents, or are there others that I should implement?
This is a human problem, not something that can be prevented by software. – Ramhound – 2019-08-03T17:55:15.553
Yes, that is quite obvious. Seeing as how the human can't be removed from the solution, I am looking for as many deterrents as possible. – architect401 – 2019-08-03T18:14:55.860
If the user is able to log into your machine, they can disable BitLocker. I assume they are an Administrator, since that would require a phone call whenever they install the software. – Ramhound – 2019-08-03T18:17:58.713
Have you thought of a) sending them a bill for your time, or b) a good kicking? ;) – Tetsujin – 2019-08-03T18:18:08.630
The primary user is an administrator on the computer. And a swift kick in the you-know-what would provide me with satisfaction but likely wouldn't prevent them from hacking into the sibling's computer. And for a simple reinstall of Windows, I can't be compelled to charge family for it. Hardware upgrades and data recovery... whole different realm. I wish the recovery key was needed to disable BitLocker, or at least some alternative unbypassable password. – architect401 – 2019-08-03T18:24:07.413
Not really a serious recommendation for now, as they sure ain't cheap - but getting past Apple's T2 security would be beyond most people - https://support.apple.com/HT208330 – Tetsujin – 2019-08-04T07:52:55.170
Not even sure how one would go about installing a T2 chip on anything but a Mac. – architect401 – 2019-08-04T16:11:39.170